CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [75]

"dir c:\*.* /s >c:\directory.txt"--

D. Blah';exec cmdshell "dir c:\*.* "--

11. What are two types of buffer overflow attacks?

A. Heap and stack

B. Heap and overflow

C. Stack and memory allocation

D. Injection and heap

Answers to Review Questions

1. D. Use of a single quote indicates a SQL injection attack.

2. A. The purpose of mutating a buffer overflow by replacing NOPs is to bypass an IDS.

3. C. A heap is used to store dynamic variables.

4. B. The first step in a SQL injection attack is to locate a user input field on a web page using a web browser.

5. D. The command to retrieve information from a SQL database is SELECT.

6. C. Performing bounds checking is a countermeasure for buffer overflow attacks.

7. A. NOP is an acronym for No Operation.

8. B, False. A hacker can run a prewritten exploit to launch a buffer overflow.

9. A. Programs can be exploited because they're written quickly and poorly.

10. C. Blah';exec master..xp_cmdshell "dir c:\*.* /s >c:\directory.txt"-- is the command to obtain a directory listing utilizing SQL injection.

11. A. Heap and stack are the two types of buffer overflows.


CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

✓ Overview of WEP, WPA Authentication Mechanisms, and Cracking Techniques

✓ Overview of Wireless Sniffers and Locating SSIDs, MAC Spoofing

✓ Understand Rogue Access Points

✓ Understand Wireless Hacking Techniques

✓ Describe the Methods Used to Secure Wireless Networks

Wireless networks add another entry point into a network for hackers. Much has been written about wireless security and hacking because wireless is a relatively new technology and rife with security holes. Because of the broadcast nature of Radio Frequency (RF) wireless networks and the rapid adoption of wireless technologies for home and business networks, many vulnerabilities and exploits exist.

Most wireless LANs (WLANs) are based on the IEEE 802.11 standards and amendments, such as 802.11a, 802.11b, 802.11g, and 802.11n. The 802.11 standard included only rudimentary security features and was fraught with vulnerabilities. The 802.11i amendment is the latest security solution that addresses the 802.11 weaknesses. The Wi-Fi Alliance created additional security certifications known as Wi-Fi Protected Access (WPA) and WPA2 to fill the gap between the original 802.11 standard and the latest 802.11i amendment. The security vulnerabilities and security solutions discussed in this chapter are all based on these IEEE and Wi-Fi Alliance standards.

Overview of WEP, WPA Authentication Mechanisms, and Cracking Techniques

Two methods exist for authenticating wireless LAN clients to an access point: open system or shared key authentication. Open system does not provide any security mechanisms but is simply a request to make a connection to the network. Shared key authentication has the wireless client hash a string of challenge text with the WEP key to authenticate to the network. The details of WEP will be discussed further in the following section.

Wired Equivalent Privacy (WEP) was the first security option for 802.11 WLANs. WEP is used to encrypt data on the WLAN and can optionally be paired with shared key authentication to authenticate WLAN clients. WEP uses an RC4 64-bit or 128-bit encryption key to encrypt the layer 2 data payload. This WEP key comprises a 40-bit or 104-bit user-defined key combined with a 24-bit Initialization Vector (IV), making the WEP key either 64- or 128-bit.

The process by which RC4 uses IVs is the real weakness of WEP: It allows a hacker to crack the WEP key. The method, known as the FMS attack, uses encrypted output bytes to determine the most probable key bytes. It was incorporated into products like AirSnort, WEPCrack, and aircrack to exploit the WEP vulnerability. Although a hacker can attempt to crack WEP by brute force, the most common technique is the FMS attack.
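As an added illustration of the keying scheme just described (this is not code from the review guide), the toy Python below builds the WEP per-frame key as IV || user key, runs plain RC4 over it, and shows why a 24-bit IV is the weak point: two frames encrypted under the same IV share a keystream, so their ciphertexts XOR to the XOR of the plaintexts whatever the secret key is. The key, IV and frame contents are constructed sample values.

```python
# Added example (not from the book): WEP-style RC4 keying and the
# keystream-reuse problem that a repeated 24-bit IV causes.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, user_key: bytes, payload: bytes) -> bytes:
    """Per-frame key = 24-bit IV || 40- or 104-bit user key (64/128-bit total).
    The IV is sent in the clear with the frame; only user_key is secret."""
    assert len(iv) == 3 and len(user_key) in (5, 13)
    return xor_bytes(payload, rc4_keystream(iv + user_key, len(payload)))


def iv_reuse_leak(iv: bytes, user_key: bytes, frame1: bytes, frame2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the same IV leaked the
    relationship between two plaintexts without the key being known."""
    c1 = wep_encrypt(iv, user_key, frame1)
    c2 = wep_encrypt(iv, user_key, frame2)
    return xor_bytes(c1, c2) == xor_bytes(frame1, frame2)


IV_SPACE = 2 ** 24  # only 16,777,216 distinct IVs exist for one WEP key

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit user key
    iv = b"\x0a\x0b\x0c"            # constructed 24-bit IV
    print(iv_reuse_leak(iv, key, b"frame number 1", b"frame number 2"))  # True
```

Because the IV space is so small, a busy access point cycles through it quickly, which is why products that watch for repeated IVs can recover keystream and, via the FMS bias, the key itself.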

WPA employs the Temporal Key Integrity Protocol (TKIP), a safer RC4 implementation, for data encryption and either WPA Personal or WPA Enterprise for authentication. WPA
