PT0-001 Question #43: Real Exam Question with Answer & Explanation

The correct answer is A: Perform an HTTP downgrade attack.

Question

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

Options

  • A. Perform an HTTP downgrade attack.
  • B. Harvest the user credentials to decrypt traffic.
  • C. Perform an MITM attack.
  • D. Implement a CA attack by impersonating trusted CAs.

Explanation

An HTTP downgrade attack (SSL stripping) intercepts TLS upgrade responses and forces victim connections to remain on plaintext HTTP, making all web traffic readable to the attacker already positioned via the evil twin.

Common mistakes.

  • B. Harvested user credentials cannot decrypt concurrent or previously captured TLS session traffic because TLS session keys are derived from the cryptographic handshake exchange, not from the user's password.
  • C. The evil twin access point already establishes a man-in-the-middle position for all victim traffic - labeling the action as an MITM attack does not itself strip TLS encryption or render traffic readable.
  • D. Impersonating a CA to issue a fraudulent certificate can enable TLS interception but requires the victim device to trust the rogue certificate authority, making it a more complex and unreliable approach than SSL stripping for obtaining plaintext web traffic.

Concept tested. SSL stripping (HTTP downgrade attack) via a rogue access point

Reference. https://owasp.org/www-community/attacks/SSL_Stripping
