EMT Practice Test

1. Question Content...


Question List

Question1: Given: In a security penetration exercise, a WLAN consultant obtains the WEP key of XYZ Corporation's wireless network. Demonstrating the vulnerabilities of using WEP, the consultant uses a laptop running a software AP in an attempt to hijack the authorized user's connections. XYZ's legacy network is using 802.11n APs with 802.11b, 11g, and 11n client devices.
With this setup, how can the consultant cause all of the authorized clients to establish Layer 2 connectivity with the software access point?

Question2: In an effort to optimize WLAN performance, ABC Company has upgraded their WLAN infrastructure from
802.11a/g to 802.11n. 802.11a/g clients are still supported and are used throughout ABC's facility. ABC has always been highly security conscious, but due to budget limitations, they have not yet updated their overlay WIPS solution to 802.11n or 802.11ac.
Given ABC's deployment strategy, what security risks would not be detected by the 802.11a/g WIPS?

Question3: Given: You are the WLAN administrator in your organization and you are required to monitor the network and ensure all active WLANs are providing RSNs. You have a laptop protocol analyzer configured.
In what frame could you see the existence or non-existence of proper RSN configuration parameters for each BSS through the RSN IE?

Question4: A single AP is configured with three separate WLAN profiles, as follows:
1. SSID: ABCData - BSSID: 00:11:22:00:1F:C3 - VLAN 10 - Security: PEAPv0/EAP-MSCHAPv2 with AES-CCMP - 3 current clients
2. SSID: ABCVoice - BSSID: 00:11:22:00:1F:C4 - VLAN 60 - Security: WPA2-Personal with AES-CCMP
- 2 current clients
3. SSID: Guest - BSSID: 00:11:22:00:1F:C5 - VLAN 90 - Security: Open with captive portal authentication -
3 current clients
Three STAs are connected to ABCData. Three STAs are connected to Guest. Two STAs are connected to ABCVoice.
How many unique GTKs and PTKs are currently in place in this scenario?

Question5: ABC Company has deployed a Single Channel Architecture (SCA) solution to help overcome some of the common problems with client roaming. In such a network, all APs are configured with the same channel and BSSID. PEAPv0/EAP-MSCHAPv2 is the only supported authentication mechanism.
As the Voice over Wi-Fi (STA-1) client moves throughout this network, what events are occurring?

Question6: What security benefits are provided by endpoint security solution software? (Choose 3)

Question7: What statement accurately describes the functionality of the IEEE 802.1X standard?

Question8: Given: John Smith uses a coffee shop's Internet hot-spot (no authentication or encryption) to transfer funds between his checking and savings accounts at his bank's website. The bank's website uses the HTTPS protocol to protect sensitive account information. While John was using the hot-spot, a hacker was able to obtain John's bank account user ID and password and exploit this information.
What likely scenario could have allowed the hacker to obtain John's bank account user ID and password?

Question9: When using the 802.1X/EAP framework for authentication in 802.11 WLANs, why is the 802.1X Controlled Port still blocked after the 802.1X/EAP framework has completed successfully?

Question10: For a WIPS system to identify the location of a rogue WLAN device using location patterning (RF fingerprinting), what must be done as part of the WIPS installation?

Question11: What statement is true regarding the nonces (ANonce and SNonce) used in the IEEE 802.11 4 Way Handshake?

Question12: Given: ABC Company has recently installed a WLAN controller and configured it to support WPA2-Enterprise security. The administrator has configured a security profile on the WLAN controller for each group within the company (Marketing, Sales, and Engineering).
How are authenticated users assigned to groups so that they receive the correct security profile within the WLAN controller?

Question13: When monitoring APs within a LAN using a Wireless Network Management System (WNMS), what secure protocol may be used by the WNMS to issue configuration changes to APs?

Question14: Which one of the following describes the correct hierarchy of 802.1X authentication key derivation?

Question15: Given: XYZ Hospital plans to improve the security and performance of their Voice over Wi-Fi implementation and will be upgrading to 802.11n phones with 802.1X/EAP authentication. XYZ would like to support fast secure roaming for the phones and will require the ability to troubleshoot reassociations that are delayed or dropped during inter-channel roaming.
What portable solution would be recommended for XYZ to troubleshoot roaming problems?

Question16: Given: You are installing 6 APs on the outside of your facility. They will be mounted at a height of 6 feet.
What must you do to implement these APs in a secure manner beyond the normal indoor AP implementations?
(Choose the single best answer.)

Question17: What type of WLAN attack is prevented with the use of a per-MPDU TKIP sequence counter (TSC)?

Question18: Joe's new laptop is experiencing difficulty connecting to ABC Company's 802.11 WLAN using 802.1X/EAP PEAPv0. The company's wireless network administrator assured Joe that his laptop was authorized in the WIPS management console for connectivity to ABC's network before it was given to him. The WIPS termination policy includes alarms for rogue stations, roque APs, DoS attacks and unauthorized roaming.
What is a likely reason that Joe cannot connect to the network?

Question19: When implementing a WPA2-Enterprise security solution, what protocol must the selected RADIUS server support?

Question20: What preventative measures are performed by a WIPS against intrusions?

Question21: You are using a utility that takes input and generates random output. For example, you can provide the input of a known word as a secret word and then also provide another known word as salt input. When you process the input it generates a secret code which is a combination of letters and numbers with case sensitivity. For what is the described utility used? (Choose 3)

Question22: Which one of the following is a valid reason to avoid the use of EAP-MD5 in production WLANs?

Question23: ABC Company uses the wireless network for highly sensitive network traffic. For that reason, they intend to protect their network in all possible ways. They are continually researching new network threats and new preventative measures. They are interested in the security benefits of 802.11w, but would like to know its limitations.
What types of wireless attacks are protected by 802.11w? (Choose 2)

Question24: Given: During 802.1X/LEAP authentication, the username is passed across the wireless medium in clear text.
From a security perspective, why is this significant?

Question25: What software and hardware tools are used together to hijack a wireless station from the authorized wireless network onto an unauthorized wireless network? (Choose 2)

Question26: What drawbacks initially prevented the widespread acceptance and use of Opportunistic Key Caching (OKC)?

Question27: You are configuring seven APs to prevent common security attacks. The APs are to be installed in a small business and to reduce costs, the company decided to install all consumer-grade wireless routers. The wireless routers will connect to a switch, which connects directly to the Internet connection providing 50 Mbps of Internet bandwidth that will be shared among 53 wireless clients and 17 wired clients.
To ensure the wireless network is as secure as possible from common attacks, what security measure can you implement given only the hardware referenced?

Question28: Given: XYZ Company has recently installed a controller-based WLAN and is using a RADIUS server to query authentication requests to an LDAP server. XYZ maintains user-based access policies and would like to use the RADIUS server to facilitate network authorization.
What RADIUS features could be used by XYZ to assign the proper network permissions to users during authentication? (Choose 2)

Question29: In the basic 4-way handshake used in secure 802.11 networks, what is the purpose of the ANonce and SNonce? (Choose 2)

Question30: Given: A large enterprise is designing a secure, scalable, and manageable 802.11n WLAN that will support thousands of users. The enterprise will support both 802.1X/EAP-TTLS and PEAPv0/MSCHAPv2. Currently, the company is upgrading network servers as well and willreplace their existing Microsoft IAS implementation with Microsoft NPS, querying Active Directory for user authentication.
For this organization, as they update their WLAN infrastructure, what WLAN controller feature will likely be least valuable?

Question31: Given: In XYZ's small business, two autonomous 802.11ac APs and 12 client devices are in use with WPA2-Personal.
What statement about the WLAN security of this company is true?

Question32: Given: A WLAN protocol analyzer trace reveals the following sequence of frames (excluding the ACK frames):
1) 802.11 Probe Req and 802.11 Probe Rsp
2) 802.11 Auth and then another 802.11 Auth
3) 802.11 Assoc Req and 802.11 Assoc Rsp
4) EAPOL-KEY
5) EAPOL-KEY
6) EAPOL-KEY
7) EAPOL-KEY
What security mechanism is being used on the WLAN?

Question33: The following numbered items show some of the contents of each of the four frames exchanged during the
4-way handshake:
1. Encrypted GTK sent
2. Confirmation of temporal key installation
3. Anonce sent from authenticator to supplicant
4. Snonce sent from supplicant to authenticator, MIC included
Arrange the frames in the correct sequence beginning with the start of the 4-way handshake.

Question34: Given: You must implement 7 APs for a branch office location in your organization. All APs will be autonomous and provide the same two SSIDs (CORP1879 and Guest).
Because each AP is managed directly through a web-based interface, what must be changed on every AP before enabling the WLANs to ensure proper staging procedures are followed?

Question35: Given: ABC Company has a WLAN controller using WPA2-Enterprise with PEAPv0/MS-CHAPv2 and AES-CCMP to secure their corporate wireless data. They wish to implement a guest WLAN for guest users to have Internet access, but want to implement some security controls. The security requirements for the hot-spot include:
* Cannot access corporate network resources
* Network permissions are limited to Internet access
* All stations must be authenticated
What security controls would you suggest? (Choose the single best answer.)

Question36: You have been recently hired as the wireless network administrator for an organization spread across seven locations. They have deployed more than 100 APs, but they have not been managedin either an automated or manual process for more than 18 months. Given this length of time, what is one of the first things you should evaluate from a security perspective?

Question37: Given: You have a Windows laptop computer with an integrated, dual-band, Wi-Fi compliant adapter. Your laptop computer has protocol analyzer software installed that is capable of capturing and decoding 802.11ac data.
What statement best describes the likely ability to capture 802.11ac frames for security testing purposes?

Question38: As the primary security engineer for a large corporate network, you have been asked to author a new security policy for the wireless network. While most client devices support 802.1X authentication, some legacy devices still only support passphrase/PSK-based security methods.
When writing the 802.11 security policy, what password-related items should be addressed?

Question39: What security vulnerabilities may result from a lack of staging, change management, and installation procedures for WLAN infrastructure equipment? (Choose 2)

Question40: Given: Your network includes a controller-based WLAN architecture with centralized data forwarding. The AP builds an encrypted tunnel to the WLAN controller. The WLAN controller is uplinked to the network via a trunked 1 Gbps Ethernet port supporting all necessary VLANs for management, control, and client traffic.
What processes can be used to force an authenticated WLAN client's data traffic into a specific VLAN as it exits the WLAN controller interface onto the wired uplink? (Choose 3)

Question41: Given: ABC Company is an Internet Service Provider with thousands of customers. ABC's customers are given login credentials for network access when they become a customer. ABC uses an LDAP server as the central user credential database. ABC is extending their service toexisting customers in some public access areas and would like to use their existing database for authentication.
How can ABC Company use their existing user database for wireless user authentication as they implement a large-scale WPA2-Enterprise WLAN security solution?

Question42: Which of the following security attacks cannot be detected by a WIPS solution of any kind? (Choose 2)

Question43: When used as part of a WLAN authentication solution, what is the role of LDAP?

Question44: You are implementing an 802.11ac WLAN and a WIPS at the same time. You must choose between integrated and overlay WIPS solutions. Which of the following statements is true regarding integrated WIPS solutions?

Question45: What is a primary criteria for a network to qualify as a Robust Security Network (RSN)?

Question46: Given: A WLAN consultant has just finished installing a WLAN controller with 15 controller-based APs. Two SSIDs with separate VLANs are configured for this network, and both VLANs are configured to use the same RADIUS server. The SSIDs are configured as follows:
SSID Blue - VLAN 10 - Lightweight EAP (LEAP) authentication - CCMP cipher suite SSID Red - VLAN 20 - PEAPv0/EAP-TLS authentication - TKIP cipher suite The consultant's computer can successfully authenticate and browse the Internet when using the Blue SSID.
The same computer cannot authenticate when using the Red SSID.
What is a possible cause of the problem?

Question47: You must locate non-compliant 802.11 devices. Which one of the following tools will you use and why?

Question48: Given: Many computer users connect to the Internet at airports, which often have 802.11n access points with a captive portal for authentication.
While using an airport hot-spot with this security solution, to what type of wireless attack is a user susceptible? (Choose 2)