day 3

Question 1

important parts of an 802.11 frame

Answer 1

..

Question 2

address 1-4

Answer 2

1 MAC: Acknowledgement (destination)
2 MAC: Rare
3 MAC: Source MAC, Destination MAC, BSSID **most common!!!!!!
4 MAC: sending bridge, receiving bridge, source MAC, destination MAC

Question 3

frame body

Answer 3

the maximum amount of data in a legacy 802.11 frame is 2304 bytes

Question 4

802.11 frame types

Answer 4

….

Question 5

management frames

Answer 5

connect and disconnect from a network

all management and control frames are sent in plaintext, even in a network protected by encryption.

ie. beacon frame (management frame)
probe response frame (contains client and AP MAC’s)

Question 6

802.11w

Answer 6

ratified to increase the security of management frames

Question 7

control frames

Answer 7

help deliver data frames

i.e. acknowledgement (ACK) frame–type of control frame

Question 8

data frames

Answer 8

can be encrypted (the only type of the 3 frames)

Question 9

wireless CO methodology

Answer 9

…

Question 10

cyberspace ISR

Answer 10

focuses on tactical/operational intelligence and mapping adversary cyberspace to support military planning.

Made up of intel gathering and analysis/reporting
most time consuming!

Question 11

survey

Answer 11

the focus of surveys is to get as much information about every available wireless network as possible.
(gather intel about networks)
use omnidirectional antennas.
the focus is on management frames (beacons)

Question 12

collection

Answer 12

the goal of collection is to record specific intelligence from targets.
(gather intel on specific target using semidirectional antenna)
use of appropriate directional antennas and amplifiers increases the minimum distance needed from a target

Question 13

a good fixed collection site has these three attributes:

Answer 13

• strong receive signal
• stealth
• safety

Question 14

analysis and reporting…

at a minimum, analysts should ask themselves:

Answer 14

• what do i know
• what else do i need to know
• who do i tell

Question 15

target nomination and intel gain/loss assessment

Answer 15

phase where a decision will be made to perform cyberspace OPE or OCO against a target

Question 16

cyberspace OPE

Answer 16

this could be a variety of active exploitation efforts in the adversary’s network and devices to gain footholds, weaken defenses, and/or implant tools

Question 17

offensive cyberspace operations

Answer 17

OCO are CO intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD)

OCO=EXORD!!!!

Question 18

wireless cyberspace attacks

Answer 18

within the IC, attacks that do not degrade the target’s ability to use the WLAN are commonly referred to as CNE. Attacks that degrade, disrupt, or destroy are referred to as CNA

Question 19

CNE

Answer 19

active and passive operations to gain access to target information systems

Question 20

ARP cache poisoning

Answer 20

this technique is used to insert a wireless attacker between two wired devices on the same layer 3 network supported by an AP
(attacker must be on the network!)

Question 21

DNS spoofing

Answer 21

an attack that returns an incorrect IP address to a client who submitted a DNS query.

Question 22

these exploitations provide unauthorized access to a network by bypassing the captive portal restrictions

Answer 22

• MAC address spoofing
• IP address spoofing
• covert tunneling

Question 23

CTS attack

Answer 23

an attacker can DOS every station within its RF range by sending out spoofed CTS frames or prompt an AP to send the CTS frame by sending repeated RTS frames.

This AFFECTS ALL DEVICES operating on a specific channel, even those on different networks

most effective against an entire network!!!

Question 24

deauthentication attack

Answer 24

best to use against a single device

Question 25

heat maps

Answer 25

a heat map is a software-generated picture that correlates the signal strength of emitters at each GPS location

Question 26

direction finding (DF)

Answer 26

equipment identifes the direction from which it is receiving the most RF energy (i.e. highest signal strength) from a given signal on a particular frequency.

taking multiple LOB’s from different directions - called triangulating - reduces the uncertainty of an emitter

reflection, scattering, diffraction, and refraction may cause DF equipment to think an emitter is in a different location

Question 27

geolocation

Answer 27

often needs hundreds or thousands of measurements.

geolocation tends to be more accurate than DF systems