GIAC
GPEN · Question #7
GPEN Question #7: Real Exam Question with Answer & Explanation
The correct answer is D. NetStumbler.
Question
You work as a Network Administrator for Infosec Inc. Nowadays, you are facing an unauthorized access in your Wi-Fi network. Therefore, you analyze a log that has been recorded by your favorite sniffer, Ethereal. You are able to discover the cause of the unauthorized access after noticing the following string in the log file:

(wlan.fc.type_subtype eq 32 and llc.oui eq 0x00601d and llc.pid eq 0x0001)

When you find 'All your 802.11b are belong to us' as the payload string, you are convinced about which tool is being used for the unauthorized access. Which of the following tools have you ascertained?
Options
- A. AirSnort
- B. Kismet
- C. AiroPeek
- D. NetStumbler
Explanation
NetStumbler embeds a distinctive LLC OUI and PID in its active probe frames and includes the payload string 'All your 802.11b are belong to us', which uniquely identifies it in wireless packet captures.
Common mistakes.
- A. AirSnort is a passive WEP key recovery tool that only listens to existing traffic and does not transmit probe frames, so it would never produce the active frame signature or payload string found in the log.
- B. Kismet operates entirely in passive monitor mode, capturing existing wireless frames without injecting any probe requests, and therefore cannot generate the LLC OUI/PID pattern or the NetStumbler payload string.
- C. AiroPeek is a commercial wireless packet capture and analysis tool used for monitoring 802.11 traffic; it does not inject probe frames into the network and would not produce the NetStumbler-specific signatures visible in the log.
Concept tested. NetStumbler wireless probe frame fingerprint identification
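The fingerprint from the explanation, written as a detection check over raw frame bytes. This is an added example, not part of the original question or of any tool's code. It assumes raw 802.11 frames with no radiotap header and no trailing FCS; `classify_frame` and `sample_frame` are hypothetical names, and the sample frames in the helper are constructed.

```python
import struct

# Signature values taken from the display filter and payload string quoted in the question.
DATA_TYPE_SUBTYPE = 32      # wlan.fc.type_subtype eq 32 -> type 2 (data), subtype 0
SIG_OUI = 0x00601D          # llc.oui
SIG_PID = 0x0001            # llc.pid
SIG_TEXT = b"All your 802.11b are belong to us"


def classify_frame(frame: bytes) -> str:
    """Return 'match', 'partial' (LLC fields match, string absent) or 'no-match'.

    Assumption: raw 802.11 frame, no radiotap header, no trailing FCS.
    """
    if len(frame) < 24:
        return "no-match"
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ((ftype << 4) | subtype) != DATA_TYPE_SUBTYPE:
        return "no-match"
    if flags & 0x40:
        # Protected bit set: the frame body is encrypted and cannot be inspected.
        return "no-match"
    # Addr4 is present only when both ToDS and FromDS are set.
    hdr_len = 30 if (flags & 0x03) == 0x03 else 24
    body = frame[hdr_len:]
    # LLC/SNAP header: DSAP 0xAA, SSAP 0xAA, control 0x03, 3-byte OUI, 2-byte PID.
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return "no-match"
    oui = int.from_bytes(body[3:6], "big")
    (pid,) = struct.unpack("!H", body[6:8])
    if oui != SIG_OUI or pid != SIG_PID:
        return "no-match"
    return "match" if SIG_TEXT in body[8:] else "partial"


def sample_frame(oui: bytes, pid: int, payload: bytes, flags: int = 0) -> bytes:
    """Constructed 3-address data frame for exercising the detector (not a capture)."""
    header = (bytes([0x08, flags]) + b"\x00\x00"
              + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00")
    return header + b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload


if __name__ == "__main__":
    print(classify_frame(sample_frame(b"\x00\x60\x1d", 1, b"\x00" * 4 + SIG_TEXT)))
```

A 'partial' result means the OUI and PID from the filter matched but the payload string was not found, so the frame is worth a manual look rather than a firm attribution.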