QUESTION 146

- (Topic 2)
You are a penetration tester tasked with testing the wireless network of your client Brakeme SA. You are attempting to break into the wireless network with the SSID "Brakeme-Internal." You realize that this network uses WPA3 encryption. Which of the following vulnerabilities is the most promising to exploit?

Correct Answer: A
Dragonblood is the name given to a set of design flaws in WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly referred to as Dragonfly. It allows an attacker in range of a password-protected Wi-Fi network to recover the network password and, from there, reach sensitive information such as user credentials, e-mail and credit card numbers. According to the published report: "The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly referred to as Dragonfly, is affected by password partitioning attacks."
In practice the flaws fall into two families: side-channel leaks (timing and cache based) in Dragonfly's password-element derivation, which let an attacker who can observe or trigger handshakes partition the password space and finish with an offline dictionary attack, and downgrade attacks that push a client to WPA2 or to a weaker SAE group. The lasting fix adopted in WPA3 is the hash-to-element (SAE-H2E) password derivation, which removes the timing-sensitive "hunting and pecking" loop; on an engagement, checking whether the access point and its clients still accept the legacy derivation is the first thing to verify.
WatchGuard's commentary on the report reads: "Our Wi-Fi researchers at WatchGuard are educating businesses globally that WPA3 alone won't stop the Wi-Fi hacks that allow attackers to steal information over the air (learn more in our recent blog post on the topic). These Dragonblood vulnerabilities impact a small number of devices that were released with WPA3 support, and manufacturers are currently making patches available. One of the biggest takeaways for businesses of all sizes is to understand that a long-term fix may not be technically feasible for devices with lightweight processing capabilities such as IoT and embedded systems. Businesses need to consider adding products that enable a Trusted Wireless Environment for all kinds of devices and users alike. Recognizing that vulnerabilities like KRACK and Dragonblood require attackers to initiate these attacks by bringing an 'Evil Twin' Access Point or a Rogue Access Point into a Wi-Fi environment, we've been focusing on developing Wi-Fi security solutions that neutralize these threats so that these attacks can never occur. The Trusted Wireless Environment framework protects against the 'Evil Twin' Access Point and Rogue Access Point; one of these is required to initiate the downgrade or side-channel attacks referenced in Dragonblood. What's next? WPA3 is an improvement over the WPA2 Wi-Fi encryption protocol; however, as we predicted, it still doesn't provide protection from the six known Wi-Fi threat categories. It's highly likely that we'll see more WPA3 vulnerabilities announced in the near future. To help reduce Wi-Fi vulnerabilities, we're asking all of you to join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi."

QUESTION 147

- (Topic 3)
A cybersecurity analyst in an organization is using the Common Vulnerability Scoring System to assess and prioritize identified vulnerabilities in their IT infrastructure. They encountered a vulnerability with a base metric score of 7, a temporal metric score of 8, and an environmental metric score of 5. Which statement best describes this scenario?

Correct Answer: D
The Common Vulnerability Scoring System (CVSS) produces a numerical score for a vulnerability that maps to a qualitative severity rating. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text [1].
The Base metrics measure the intrinsic characteristics of a vulnerability: the attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that no temporal information or environmental context is available [1].
The Temporal metrics measure the characteristics of a vulnerability that change over time: exploit code maturity, remediation level, and report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited [1].
The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment. In CVSS v3.x these are the security requirements (CR, IR, AR) and the modified Base metrics; collateral damage potential was an Environmental metric in CVSS v2 and is not part of v3.x. The Environmental score reflects the impact of a vulnerability on a particular organization or system [1].
In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:
✑ The vulnerability has a high severity based on its intrinsic characteristics. A Base score of 7 falls in the High band (7.0 to 8.9) of the CVSS v3.0 qualitative severity rating scale [1].
✑ The vulnerability's exploitability is trending upward based on its current state (exploit code maturity, remediation level, report confidence). The scenario presents a Temporal score of 8, above the Base score of 7, as a signal that the vulnerability is more likely to be exploited as time passes. One caveat for real scoring: in CVSS v3.x the Temporal score is the Base score multiplied by the E, RL and RC weights, each of which is at most 1.0, so a Temporal score can lower or equal the Base score but never exceed it. Read the 8 as the exam's shorthand for "exploitability increasing", not as a value a calculator would produce.
✑ The vulnerability has a medium impact in the specific environment. An Environmental score of 5 falls in the Medium band (4.0 to 6.9) and is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system, for example because the affected asset carries a Low confidentiality requirement or a compensating control changes the modified attack vector [1].
Therefore, the statement that best describes this scenario is: the vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.
References:
✑ [1] NVD - Vulnerability Metrics
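An added worked example, not part of the exam material: a Go implementation of the CVSS v3.1 Base, Temporal and Environmental formulas from the FIRST specification, applied to a constructed vector (remote, unauthenticated, confidentiality-only impact, proof-of-concept exploit, official fix, Low confidentiality requirement on the asset). It makes the caveat above concrete: because the E, RL and RC weights never exceed 1.0, the Temporal score comes out at or below the Base score for every input, and the Environmental score moves down here because CR:L halves the weight of the only impacted property. The vector string and its values are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Weights from the CVSS v3.1 spec (FIRST, sec. 7.4); "" covers absent (Not Defined) metrics.
var (
	wAV  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	wAC  = map[string]float64{"L": 0.77, "H": 0.44}
	wUI  = map[string]float64{"N": 0.85, "R": 0.62}
	wCIA = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	wPR  = map[string]map[string]float64{ // PR weight depends on Scope
		"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
	wE   = map[string]float64{"": 1, "X": 1, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1}
	wRL  = map[string]float64{"": 1, "X": 1, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1}
	wRC  = map[string]float64{"": 1, "X": 1, "U": 0.92, "R": 0.96, "C": 1}
	wReq = map[string]float64{"": 1, "X": 1, "L": 0.5, "M": 1, "H": 1.5} // CR/IR/AR
)

type Scores struct{ Base, Temporal, Environmental float64 }

// roundUp is the spec's Roundup(): smallest one-decimal value >= x, done on integers so FP noise cannot bump a score.
func roundUp(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return float64(i/10000+1) / 10
}

// subScore combines Impact and Exploitability under the Scope rule; modified selects the v3.1 environmental polynomial.
func subScore(iss float64, av, ac, pr, ui, scope string, modified bool) float64 {
	imp := 6.42 * iss
	if scope == "C" && modified {
		imp = 7.52*(iss-0.029) - 3.25*math.Pow(iss*0.9731-0.02, 13)
	} else if scope == "C" {
		imp = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	if imp <= 0 {
		return 0
	}
	expl := 8.22 * wAV[av] * wAC[ac] * wPR[scope][pr] * wUI[ui]
	if scope == "U" {
		return roundUp(math.Min(imp+expl, 10))
	}
	return roundUp(math.Min(1.08*(imp+expl), 10))
}

// Score parses a "CVSS:3.1/AV:N/AC:L/..." vector and returns all three scores.
// Temporal is Base scaled by E, RL and RC, each <= 1.0, so it can never exceed Base.
// Environmental re-scores with the Modified metrics (falling back to the Base ones)
// and the CR/IR/AR requirement weights, then applies the same temporal factor.
func Score(vector string) (Scores, error) {
	parts := strings.Split(vector, "/")
	if !strings.HasPrefix(parts[0], "CVSS:3.") {
		return Scores{}, fmt.Errorf("not a CVSS v3.x vector: %q", vector)
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		if kv := strings.SplitN(p, ":", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	mod := func(k string) string { // M<k> when defined, else the base metric
		if v := m["M"+k]; v != "" && v != "X" {
			return v
		}
		return m[k]
	}
	tf := wE[m["E"]] * wRL[m["RL"]] * wRC[m["RC"]]
	iss := 1 - (1-wCIA[m["C"]])*(1-wCIA[m["I"]])*(1-wCIA[m["A"]])
	base := subScore(iss, m["AV"], m["AC"], m["PR"], m["UI"], m["S"], false)
	miss := math.Min(1-(1-wReq[m["CR"]]*wCIA[mod("C")])*(1-wReq[m["IR"]]*wCIA[mod("I")])*
		(1-wReq[m["AR"]]*wCIA[mod("A")]), 0.915)
	env := subScore(miss, mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"), true)
	return Scores{Base: base, Temporal: roundUp(base * tf), Environmental: roundUp(env * tf)}, nil
}

// Severity maps a score to the CVSS v3.x qualitative rating bands.
func Severity(score float64) string {
	bands := []struct{ max float64; name string }{{0, "None"}, {3.9, "Low"}, {6.9, "Medium"}, {8.9, "High"}}
	for _, b := range bands {
		if score <= b.max {
			return b.name
		}
	}
	return "Critical"
}

func main() {
	s, err := Score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L") // constructed
	if err != nil {
		panic(err)
	}
	fmt.Printf("base %.1f %s, temporal %.1f %s, environmental %.1f %s\n",
		s.Base, Severity(s.Base), s.Temporal, Severity(s.Temporal), s.Environmental, Severity(s.Environmental))
}
```

For the constructed vector this prints base 7.5 High, temporal 6.7 Medium, environmental 5.1 Medium: the same High-to-Medium environmental shift the question describes, with the temporal score below the base, as the formula requires. Unknown metric values are not validated and simply weigh zero, so a typo in a vector shows up as an implausibly low score rather than an error; add a whitelist check if you feed it untrusted input.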

QUESTION 148

- (Topic 3)
You are the lead cybersecurity analyst at a multinational corporation that uses a hybrid encryption system to secure inter-departmental communications. The system uses RSA encryption for key exchange and AES for data encryption, taking advantage of the strengths of both asymmetric and symmetric encryption. Each RSA key pair has a size of n bits, with larger keys providing more security at the cost of slower performance. The time complexity of generating an RSA key pair is O(n^2), and AES encryption has a time complexity of O(n). An attacker has developed a quantum algorithm with time complexity O((log n)^2) to crack RSA encryption. Given n = 4000 and a variable AES key size, which scenario would provide the best balance of security and performance?

Correct Answer: C
Data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario. This option works as follows:
✑ AES-128 is a symmetric block cipher that uses a 128-bit key to encrypt and decrypt data in 16-byte blocks, applying 10 rounds to each block. It is one of the most widely used and trusted ciphers and is considered secure against classical attacks as long as the key is not compromised; against a quantum adversary, Grover's algorithm cuts the effective key-search cost to roughly 2^64 operations, which is still far beyond practical reach but is the reason AES-256 is the conservative choice where a long-term quantum margin is required. AES-128 has a time complexity of O(n), meaning encryption and decryption time grow linearly with the size of the data, and it is fast on commodity hardware, especially where AES-NI or equivalent instructions are available [1][2].
✑ RSA-4000 is an asymmetric algorithm with a 4000-bit key pair. In a hybrid system it is used for key exchange, that is, to wrap the AES-128 key so that only the intended recipient can unwrap it. Under the question's model RSA has a time complexity of O(n^2), so key generation, encryption and decryption grow with the square of the key size, and in practice RSA is slow because it relies on multi-precision modular exponentiation. RSA-4000 is considered secure against classical attacks, but it is vulnerable to an attacker with a quantum computer large enough to run Shor's algorithm, which factors large integers in polynomial time [3][4].
✑ The attacker's quantum algorithm has a time complexity of O((log n)^2): the cracking cost grows with the square of the logarithm of the key size rather than polynomially in the key size itself. With n = 4000, n^2 is 1.6 × 10^7 while (log2 n)^2 is about 144, a gap of roughly five orders of magnitude, so work that would cost a classical attacker 10^12 units would cost this algorithm on the order of 10^7. These figures only illustrate the question's cost model; big-O notation hides the constants, and a fault-tolerant quantum computer able to run Shor's algorithm against RSA-4000 does not exist today [5].
Therefore, data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario, because:
✑ AES-128 is secure and fast, and it can encrypt large amounts of data efficiently.
✑ RSA-4000 is slow and, in the long run, quantum-vulnerable, but it is only used for key exchange, which involves a small amount of data and a one-time operation per session.
✑ The attacker's quantum algorithm is powerful on paper, but it is not practical today, as it requires a quantum computer with a large number of error-corrected qubits and a long coherence time, which are not available yet.
The other options are not as balanced as option C for the following reasons:
✑ A. Data encryption with 3DES using a 168-bit key: this option offers acceptable but dated security with slower performance because of 3DES's inherent inefficiencies. 3DES applies DES three times with different keys to an 8-byte block, 48 rounds in total, and is much slower than AES. Its 168-bit key provides only about 112 bits of effective security because of meet-in-the-middle attacks, and its 64-bit block size makes long sessions vulnerable to birthday-bound attacks such as Sweet32. NIST has deprecated 3DES, and it is not recommended for new applications [6][7].
✑ B. Data encryption with Blowfish using a 448-bit key: this option offers high key strength but potential compatibility issues due to Blowfish's less widespread use. Blowfish is a symmetric cipher with a variable key size of up to 448 bits; it processes 8-byte blocks in 16 rounds and has a time complexity of O(n). Its 64-bit block size carries the same birthday-bound weakness as 3DES, its key schedule is expensive (521 block encryptions to initialize about 4 KB of subkey tables for every new key), and it is not standardized the way AES is, so it may have compatibility issues with some applications or platforms [8][9].
✑ D. Data encryption with AES-256: this option provides high security with better performance than 3DES, but not as fast as the other AES key sizes. AES-256 uses a 256-bit key and processes the same 16-byte blocks, but it requires 14 rounds rather than the 10 of AES-128 or the 12 of AES-192, so it is somewhat slower. AES-256 is the right choice where a conservative post-quantum margin is needed, but for the balance the question asks about, AES-128 is already secure enough and faster [1][2].
References:
✑ [1] Advanced Encryption Standard - Wikipedia
✑ [2] AES Encryption: What It Is and How It Works | Kaspersky
✑ [3] RSA (cryptosystem) - Wikipedia
✑ [4] RSA Encryption: What It Is and How It Works | Kaspersky
✑ [5] Shor's algorithm - Wikipedia
✑ [6] Triple DES - Wikipedia
✑ [7] 3DES Encryption: What It Is and How It Works | Kaspersky
✑ [8] Blowfish (cipher) - Wikipedia
✑ [9] Blowfish Encryption: What It Is and How It Works | Kaspersky

QUESTION 149

- (Topic 1)
Email is transmitted across the Internet using the Simple Mail Transfer Protocol (SMTP). SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?

Correct Answer: D
The command is STARTTLS (RFC 3207). After the client's EHLO, a server that supports the upgrade lists STARTTLS among its extensions; the client then issues STARTTLS, the server answers 220, both sides negotiate TLS over the existing TCP connection, and the SMTP dialogue restarts with a fresh EHLO inside the tunnel. Because the offer is exchanged in plaintext, an on-path attacker can strip the STARTTLS capability from the EHLO response and force a cleartext session unless the sending side is configured to require TLS for that destination (or enforces MTA-STS or DANE).

QUESTION 150

- (Topic 3)
During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task?

Correct Answer: C
The command in option C, hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood, is the one that spoofs the source address. It sends TCP SYN packets (-S) to the target 192.168.1.1 on port 22 (-p 22) with a forged source IP of 192.168.1.254 (-a, long form --spoof) and sends them as fast as possible without waiting for replies (--flood). The target's firewall or IDS records 192.168.1.254 as the origin, so the tester's real address is not exposed [1][2]. Two practical caveats apply. First, because the source is forged, every SYN/ACK or RST the target sends goes to 192.168.1.254, not to the tester, so a spoofed probe cannot be used to read back scan results; it suits floods, decoys and idle-scan style techniques, not a port inventory (hping3 offers --rand-source for the same purpose, and Nmap has -S and -D for spoofed and decoy sources). Second, a SYN flood is noisy in its own right and will be detected even though its origin is hidden, and upstream anti-spoofing (BCP 38) egress filtering may drop the packets before they leave the tester's network.
The other commands are incorrect for the following reasons:
✑ A. hping3 -1 10.0.0.25 --icmp: this command sends ICMP echo requests (-1 selects ICMP mode; --icmp is the long form of the same option) to the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target.
✑ B. nmap -sS -Pn -n -v --packet-trace -p- --script discovery -T4: this command performs a stealthy SYN scan (-sS) on all ports (-p-) of the target without pinging it first (-Pn) or resolving DNS names (-n), with verbose output (-v), packet tracing (--packet-trace) and the discovery script category (--script discovery) at aggressive timing (-T4). It does not spoof the source IP. Packet tracing only affects local output, but the discovery scripts generate substantially more traffic to the target, which makes the scan easier to notice rather than harder.
✑ D. hping3 -2 10.0.0.25 -p 80: this command sends UDP datagrams (-2 selects UDP mode) to port 80 (-p) of the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target.
References:
✑ [1] Master hping3 and Enhance Your Network Strength | GoLinuxCloud
✑ [2] Spoofing Packets with Hping3 - YouTube