Free CWNP CWSP-208 Practice Exam with Questions & Answers

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

The frame sequence described shows:

802.11 Open System authentication and association

DHCP communication (for IP configuration)

ISAKMP packets, which are part of IPSec (used for key exchange and tunnel negotiation)

This indicates that link-layer authentication is not used, but instead, higher-layer encryption (IPSec VPN) secures communications.

Incorrect:

A and C. Would show EAP negotiation and 802.1X authentication frames.

D. WPA2-Personal would include a 4-Way Handshake before DHCP.

E. EAP-MD5 does not involve ISAKMP and is used within 802.1X authentication.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

Wireless Intrusion Prevention Systems (WIPS) are excellent for detecting on-air threats such as rogue APs, DoS attacks, spoofing, and misconfigured devices. However, WIPS cannot detect:

C. Eavesdropping — Passive listening on wireless transmissions cannot be detected because no signal is transmitted by the attacker.

D. Social engineering — Human-based attacks like phishing or pretexting fall outside the scope of wireless monitoring.

Incorrect:

A. Rogue APs can be detected via MAC address comparison, frame analysis, and signal triangulation.

B. DoS attacks, such as deauth floods or RF jamming, can be detected with appropriate WIPS sensors.

To recreate the Pairwise Transient Key (PTK) during an offline attack on WPA2-Personal, the following components must be collected:

PMK (derived from the passphrase)

Supplicant MAC address (SA)

Authenticator MAC address (BSSID)

Supplicant Nonce (SNonce)

Authenticator Nonce (ANonce)

These values are used in the PTK derivation function:

PTK = PRF(PMK, “Pairwise key expansion”, Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

Incorrect:

D. GTKSA refers to the Group Temporal Key Security Association, unrelated to PTK derivation.

E. Authentication Server nonce is used in 802.1X-based Enterprise networks, not in WPA2-Personal.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

Mutual authentication involves both the client and the authentication server verifying each other’s identity before network access is granted. This prevents attackers from spoofing an access point (AP) and luring clients to connect to rogue APs (often used in wireless hijacking or evil twin attacks). When mutual authentication (typically via 802.1X with EAP-TLS) is used, clients will not connect unless they can verify the server certificate, which thwarts hijacking attempts.

TKIP (Temporal Key Integrity Protocol) is a pairwise encryption method introduced with WPA to enhance WEP security. TKIP can protect:

D. Data frames: These are the core unicast data transmissions between clients and access points.

F. QoS Data frames: These are a subtype of data frames supporting 802.11e/WMM enhancements and are also protected under TKIP.

Incorrect:

A & B. TKIP does not support robust management frame protection. Management frame protection is handled by 802.11w with AES-CCMP and BIP.

C & E. Control frames and ACKs are never encrypted, as they need to be read by all stations regardless of encryption status.