CWNP CWSP-208 Certified Wireless Security Professional (CWSP) Exam Practice Test

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

Aircrack-ng is a versatile toolset commonly used for WLAN penetration testing and security auditing. Its capabilities include:

A. Injecting deauth frames to simulate or test disconnection scenarios.

B. Testing WIPS responsiveness by simulating common attack frames.

D. Performing dictionary and brute-force attacks against weakly protected networks (e.g., WPA2-PSK with a weak passphrase).

Incorrect:

C. Aircrack-ng does not probe or test RADIUS shared secrets.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

Clients seek connectivity when their connection is lost. If the attacker broadcasts a matching SSID on a different channel and the client is disconnected (via RF jamming or deauthentication), the client will often reassociate with the stronger signal or first-responding AP broadcasting the same SSID, even if it's rogue.

Incorrect:

A. SNR alone doesn't force reassociation—clients consider multiple factors.

B. SSID priority is not a standardized field influencing client behavior.

D. Clients won’t reassociate based purely on advertised data rates unless connectivity is disrupted and other AP parameters are more attractive.

To recreate the Pairwise Transient Key (PTK) during an offline attack on WPA2-Personal, the following components must be collected:

PMK (derived from the passphrase)

Supplicant MAC address (SA)

Authenticator MAC address (BSSID)

Supplicant Nonce (SNonce)

Authenticator Nonce (ANonce)

These values are used in the PTK derivation function:

PTK = PRF(PMK, “Pairwise key expansion”, Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

Incorrect:

D. GTKSA refers to the Group Temporal Key Security Association, unrelated to PTK derivation.

E. Authentication Server nonce is used in 802.1X-based Enterprise networks, not in WPA2-Personal.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

This network uses WPA-Personal (Pre-Shared Key) and MAC filtering. While it does offer some basic protections, it is still vulnerable to several well-known attack vectors:

A. Offline dictionary attacks: An attacker can capture the 4-way handshake and perform offline dictionary or brute-force attacks to guess the PSK.

B. MAC Spoofing: Since MAC filtering is based on easily observed MAC addresses, attackers can spoof an authorized MAC address.

D. DoS: Attacks such as deauthentication floods or RF jamming can deny users access without needing to break encryption.

Incorrect:

C. ASLEAP: This is specific to LEAP (a weak EAP type), which is not used in WPA-Personal.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

The frame sequence described shows:

802.11 Open System authentication and association

DHCP communication (for IP configuration)

ISAKMP packets, which are part of IPSec (used for key exchange and tunnel negotiation)

This indicates that link-layer authentication is not used, but instead, higher-layer encryption (IPSec VPN) secures communications.

Incorrect:

A and C. Would show EAP negotiation and 802.1X authentication frames.

D. WPA2-Personal would include a 4-Way Handshake before DHCP.

E. EAP-MD5 does not involve ISAKMP and is used within 802.1X authentication.

In the 802.11 4-Way Handshake:

D: The ANonce (from the AP) and SNonce (from the STA) are critical entropy values used along with the PMK, MAC addresses, etc., to derive the PTK securely.

E: This process ensures both parties derive the same PTK without ever transmitting the key over the air, mitigating interception risk.

Incorrect:

A. Nonces are not padding bytes.

B. Nonces are not the MIC; MIC is a separate integrity mechanism.

C. GMK and GTK are for group keys, not derived from nonces.

LDAP (Lightweight Directory Access Protocol) is used to query and retrieve user credential information from a directory service (like Microsoft Active Directory).

It’s not an authentication protocol itself but is used by services like RADIUS to validate user credentials during the EAP authentication process.

Incorrect:

B. LDAP is not directly compliant with X.500—it uses a simplified subset.

C. LDAP is not a SQL-compliant protocol.

D. LDAP is not a role-based access control mechanism.

E. LDAP is not an Authentication Server by itself.

Comprehensive Detailed Explanation:

B. Vendor-Specific Attributes (VSAs) allow integration with WLAN vendors' controllers to assign roles, VLANs, QoS levels, etc., during user authentication.

E. Standard or vendor-specific RADIUS attributes can dynamically assign permission levels based on group membership, department, or role.

Incorrect:

A. RADIUS does not directly manage DHCP functions.

C. SSID is selected by the user’s device, not by the RADIUS server.

D. RADIUS uses ACCESS-REJECT, not “DO-NOT-AUTHORIZE,” and it is not OS-specific.

TKIP (Temporal Key Integrity Protocol) is a pairwise encryption method introduced with WPA to enhance WEP security. TKIP can protect:

D. Data frames: These are the core unicast data transmissions between clients and access points.

F. QoS Data frames: These are a subtype of data frames supporting 802.11e/WMM enhancements and are also protected under TKIP.

Incorrect:

A & B. TKIP does not support robust management frame protection. Management frame protection is handled by 802.11w with AES-CCMP and BIP.

C & E. Control frames and ACKs are never encrypted, as they need to be read by all stations regardless of encryption status.

WPA2-Enterprise relies on the IEEE 802.1X framework for authentication, which requires the use of the Extensible Authentication Protocol (EAP). The RADIUS server must support EAP to facilitate the exchange of authentication credentials and method negotiation between the client (supplicant) and the authentication server.

Incorrect:

A. LWAPP, GRE, and CAPWAP are used between APs and controllers—not for client authentication.

B. IPSec/ESP is a VPN protocol, not relevant here.

D. CCMP and TKIP are encryption protocols used between clients and APs, not within the RADIUS server.

E. LDAP may be queried by the RADIUS server, but it is not sufficient on its own—it doesn’t replace EAP.

With PEAPv0/EAP-MSCHAPv2:

The TLS tunnel is created between the supplicant and the RADIUS server.

Therefore, the RADIUS server must have the X.509 server certificate and private key to authenticate itself and establish the tunnel.

Incorrect:

A. Supplicants verify the server’s certificate, not hold it.

B. LDAP server is used for querying, not for EAP termination.

C. APs and

D. Controllers pass the authentication info but don’t require certificates for PEAP termination.

This solution meets all the requirements:

Captive portals allow simple authentication for guest users.

VLAN separation enforces network segmentation.

HTTPS ensures authentication is encrypted.

Incorrect:

A. Separate controllers are unnecessary and costly.

B. WIPS enforcement is reactive, not proactive for normal access control.

C. ACLs alone don’t enforce authentication.

E. VPN requirements would be overly complex for guests.

Spectrum analyzer observations indicate a narrow 1–2 MHz peak with a strong signal, which broadens only when significantly attenuated. This behavior matches a high-powered narrowband interferer (like a microwave ignitor or industrial radio) – not Bluetooth hopping or standard WLAN signals

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:

Security threats (e.g., DoS attacks, rogue devices)

Policy compliance (e.g., allowed SSIDs, encryption types)

Rogue threat classification (e.g., rogue, neighbor, ad hoc)

The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.

Before conducting a security audit of an 802.11ac WLAN, it is essential to know the current security implementations—such as the use of WPA2-Enterprise, 802.1X, or MAC filtering. This helps the auditor tailor tests to identify gaps, weaknesses, or misconfigurations in the existing system. Understanding the security solutions provides the most immediate insight into potential vulnerabilities.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

WIPS systems often enforce policies based on MAC addresses and associated hardware fingerprints. If Joe uses a different wireless adapter than the one authorized, it may trigger a rogue device or unauthorized client alarm—even if it’s the same laptop. This behavior is common in environments with strict WIPS enforcement policies.

A. WPA2-Enterprise authentication: The multiple EAP Request/Response exchanges followed by an EAP Success and a 4-Way Handshake (EAPOL-Key frames) indicate 802.1X authentication, characteristic of WPA2-Enterprise.

C. 802.11 Open System authentication: Two Auth frames (request and response) without encryption negotiation signify Open System Authentication — a default in RSN setups.

F. Active Scanning: Begins with Probe Request and Probe Response — part of an active scan process.

G. 4-Way Handshake: Identified by four sequential EAPOL-Key frames, completing the authentication process in WPA2.

WIPS platforms with multiple sensors can locate rogue devices using:

A. TDoA: Measures the time difference a signal takes to reach multiple sensors; requires synchronized clocks.

C. Trilateration using RSSI: Estimates distance based on signal strength from three or more known sensor positions.

E. RF Fingerprinting: Matches received signals to known RF patterns in the environment for device positioning.

AoA requires directional antennas (not typical with dipoles), and GPS is used for locating mobile sensors or vehicles, not indoor rogues.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.