SY0-501 Question #93: Real Exam Question with Answer & Explanation

Question

A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system While attempting to determine if an unauthorized user is togged into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network. Which of the following should be the NEXT step to determine if there is an unauthorized user on the network?

Options

• AApply MAC filtering and see if the router drops any of the systems.
• BPhysically check each of the authorized systems to determine if they are togged onto the
• CDeny the "unknown" host because the hostname is not known and MAC filtering is not applied
• DConduct a ping sweep of each of the authorized systems and see if an echo response is

Explanation

When MAC spoofing is suspected, physically verifying which authorized devices are actually connected helps identify any unauthorized user mimicking a legitimate MAC address.

Common mistakes.

• A. Applying MAC filtering would not help detect a spoofed MAC address because the attacker is already using an authorized MAC address, so the filter would allow the spoofed device to remain connected.
• C. Denying the 'unknown' host based solely on its hostname is premature and inconclusive, as legitimate devices can appear with unknown hostnames depending on DHCP and DNS configuration, and this action does not confirm whether MAC spoofing is occurring.
• D. Conducting a ping sweep only confirms whether an IP address is responding on the network, but does not differentiate between an authorized device and an attacker who has spoofed a legitimate MAC address and obtained an IP via DHCP.

Concept tested. Detecting MAC address spoofing on home networks

Reference. https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

No community discussion yet for this question.