CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

Clients seek connectivity when their connection is lost. If the attacker broadcasts a matching SSID on a different channel and the client is disconnected (via RF jamming or deauthentication), the client will often reassociate with the stronger signal or first-responding AP broadcasting the same SSID, even if it's rogue.

Incorrect:

A. SNR alone doesn't force reassociation—clients consider multiple factors.

B. SSID priority is not a standardized field influencing client behavior.

D. Clients won’t reassociate based purely on advertised data rates unless connectivity is disrupted and other AP parameters are more attractive.

Given that only consumer-grade routers are used and no RADIUS server or enterprise infrastructure is mentioned, WPA2-Personal is the most secure option available. It uses a pre-shared key (PSK) for authentication and AES-CCMP for encryption, offering strong protection for small businesses lacking enterprise equipment.

Enterprise methods such as WPA2-Enterprise, 802.1X, and EAP-PEAP require a RADIUS server or authentication backend, which isn’t supported in typical consumer-grade routers.

Aircrack-ng is a versatile toolset commonly used for WLAN penetration testing and security auditing. Its capabilities include:

A. Injecting deauth frames to simulate or test disconnection scenarios.

B. Testing WIPS responsiveness by simulating common attack frames.

D. Performing dictionary and brute-force attacks against weakly protected networks (e.g., WPA2-PSK with a weak passphrase).

Incorrect:

C. Aircrack-ng does not probe or test RADIUS shared secrets.

C. RF DoS attacks use signal jamming or interference to prevent communication.

D. Hijacking uses deauthentication and re-association to force users onto rogue APs.

E. Social engineering uses manipulation to acquire credentials or sensitive information.

Incorrect:

A. Management interface exploit attacks typically involve web or CLI interface vulnerabilities, not social engineering.

B. Zero-day attacks are based on unknown vulnerabilities, not just limited to authentication or encryption.

F. Association flood attacks occur at Layer 2, not Layer 3.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

PCI-DSS (Payment Card Industry Data Security Standard) applies to all entities that process, store, or transmit credit card data. Since Point-of-Sale (PoS) systems handle such transactions in retail environments, the wireless network supporting them must comply with PCI-DSS. This includes encrypting wireless transmissions, segmenting network traffic, and implementing WIPS for rogue detection and logging.

While BSSID and SSID help identify and classify rogue APs, physically locating them requires using signal strength (often displayed as RSSI or dBm). By measuring signal strength from different locations, administrators can use a method called "triangulation" or "directional analysis" to approximate the physical location of the rogue device.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:

Security threats (e.g., DoS attacks, rogue devices)

Policy compliance (e.g., allowed SSIDs, encryption types)

Rogue threat classification (e.g., rogue, neighbor, ad hoc)

The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.

The key clue in this sequence is the four EAPOL-Key frames, which indicate a 4-way handshake — a hallmark of WPA and WPA2 authentication processes. There is no EAP exchange preceding the 4-way handshake, which eliminates WPA/WPA2-Enterprise and 802.1X/EAP methods. This points directly to WPA2-Personal, where PSK (Pre-Shared Key) is used and there is no EAP exchange before key generation.

Also, the second "Auth" frame suggests Open System Authentication was used, which is typical for RSN-based networks (not Shared Key as in WEP).

The PTK (Pairwise Transient Key) is derived during the 4-Way Handshake using:

PMK (from PSK or EAP authentication)

ANonce and SNonce (nonces from authenticator and supplicant)

MAC addresses of client and AP

The PTK is then split into keys used for encryption and integrity protection.

Incorrect:

A. PSK can derive the PMK, but not the PTK directly.

B. GMK is used to derive the GTK, not PTK.

D. GTK is for group traffic encryption.

E & F. PK and KCK are components of PTK or alternate key usage—not used to derive PTK.

The RSN (Robust Security Network) Information Element (IE) is used to advertise the security capabilities of a wireless network, particularly for WPA2 and WPA3 networks. This RSN IE is contained in Beacon and Probe Response management frames, not in Probe Request, RTS, CTS, or Data frames. The Beacon frame is sent periodically by an AP to announce its presence and includes critical information about the BSS, including security settings like the RSN IE.

You would use a protocol analyzer to capture Beacon frames and inspect the RSN IE field to confirm if a BSS is properly configured to use RSN protections such as WPA2-Enterprise or WPA2-Personal.

A Transitional Security Network (TSN) allows legacy stations to interoperate by using older encryption methods. If AES (CCMP) is unsupported by older equipment, the network can fall back to TKIP, which uses RC4 as its encryption algorithm. TKIP enables AES encryption on newer devices while accommodating legacy clients.

Options A, C, D are current or deprecated standards with AES; only RC4 matches the transitional need.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.