CWAP-404 Online Practice Questions and Answers

Correct Answer: B

Explanation: Two frames are exchanged for 802.11 authentication in the 6 GHz band when WPA3-Enterprise is not used, and a passphrase is used instead. Authentication is a process that establishes an identity relationship between a STA (station) and an AP (access point) before joining a BSS (Basic Service Set). There are two types of authentication methods defined by 802.11: Open System Authentication and Shared Key Authentication. Open System Authentication does not require any credentials or security information from a STA to join a BSS, and it consists of two frames: an Authentication Request frame sent by the STA to the AP, and an Authentication Response frame sent by the AP to the STA. Shared Key Authentication requires a shared secret key from a STA to join a BSS, and it consists of four frames: two challenge-response frames in addition to the request-response frames. However, Shared Key Authentication uses WEP (Wired Equivalent Privacy) as its encryption algorithm, which is insecure and deprecated. In the 6 GHz band, which is a newly available frequency band for WLANs, Shared Key Authentication is prohibited by the 802.11 standard, as it poses security and interference risks for other users and services in the band. The 6 GHz band requires all WLANs to use WPA3-Personal or WPA3-Enterprise encryption methods, which are more secure and robust than previous encryption methods such as WPA2 or WEP. WPA3-Personal uses a passphrase to derive a PMK (Pairwise Master Key), while WPA3-Enterprise uses an authentication server to obtain a PMK. Both methods use SAE (Simultaneous Authentication of Equals) as their authentication protocol, which replaces PSK (Pre-Shared Key) or EAP (Extensible Authentication Protocol). SAE consists of two frames: an SAE Commit frame sent by both parties to exchange elliptic curve parameters and nonces, and an SAE Confirm frame sent by both parties to verify each other's identities and generate a PMK. Therefore, when WPA3-Enterprise is not used, and a passphrase is used instead in the 6 GHz band, only two frames are exchanged for 802.11 authentication: an SAECommit frame and an SAE Confirm frame. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 8: Security Analysis, page 220-221

Correct Answer: C

Explanation: The data rate at which the PHY preamble was transmitted is 6 Mbps. The PHY preamble is a part of the PPDU that is transmitted before the PHY header and the PSDU. The PHY preamble consists of a series of training fields that help the receiver to detect and synchronize with the signal. The PHY preamble is always transmitted at a fixed data rate that depends on the type of PPDU (e.g., OFDM, HT, VHT, HE). For an 802.1 lac data frame on channel 52, which uses VHT PPDUs, the data rate for the PHY preamble is 6 Mbps. This data rate does not depend on MCS (Modulation and Coding Scheme), which only affects the data rate for the PSDU. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 99-100

Correct Answer: D

Explanation: The length of an AIFS (Arbitration Interframe Space) is calculated by multiplying the AIFSN (Arbitration Interframe Space Number) by the Slot Time and adding the SIFS (Short Interframe Space). An AIFS is a variable interframe space introduced by 802.11e to help prioritize medium access for different Access Categories (ACs). An AC is a logical queue that corresponds to a QoS (Quality of Service) level for different types of traffic. Each AC has a different AIFSN value, which determines how long it has to wait before attempting to access the medium. A lower AIFSN value means a higher priority and a shorter waiting time. The Slot Time is a fixed value that depends on the PHY type and channel width. The SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs or CTSs. The formula for calculating the AIFS length is: AIFS = AIFSN * Slot Time + SIFS. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 194-195

Correct Answer: B

Explanation: The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . References: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP- 404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7:

802.11 Security, page 247.

Correct Answer: D

Explanation: Every Beacon frame must contain a DTIM is not a true statement concerning DTIMs. DTIM stands for Delivery Traffic Indication Message, and it is a subfield within the TIM (Traffic Indication Map) element in a Beacon frame. The DTIM indicates how many Beacon frames (including the current one) will appear before the next DTIM. For example, if the DTIM interval is set to 3, it means that every third Beacon frame will contain a DTIM. Buffered broadcast and multicast traffic will be transmitted following a DTIM, so that STAs in power save mode can wake up and receive them. The DTIM interval can also dictate when an STA will wake up to listen to Beacon frames, as some STAs may choose to only listen to Beacon frames that contain a DTIM . References: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 200; CWAP-404 CertifiedWireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 201.

Correct Answer: C

Explanation: An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear- to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions.References: CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101 CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Correct Answer: B

Explanation: In the 2.4 GHz band, probe requests are usually sent at the minimum basic rate from an unassociated STA. A probe request is a type of management frame that is transmitted by a STA to discover available BSSs in its vicinity. A probe request can be sent on one or more channels in either passive or active scanning mode. In passive scanning mode, a STA listens for beacon frames from APs on each channel. In active scanning mode, a STA sends probe requests on each channel and waits for probe responses from APs. A probe request is usually sent at the minimum basic rate, which is the lowest data rate among the supported rates that is required for all STAs to join and communicate with a BSS. The minimum basic rate can vary depending on the configuration of each BSS, but it is typically one of these values: 1 Mbps, 2 Mbps, 5.5 Mbps, or 11 Mbps in the 2.4 GHz band. The other options are not correct, as they do not reflect how probe requests are usually sent in the 2.4 GHz band. MCS 0 is a modulation and coding scheme used by 802.11n/ac devices in either band, but it is not a data rate per se. 6 Mbps is a data rate used by OFDM devices in either band, but it is not usually configured as a minimum basic rate in the 2.4 GHz band. References: [Wireless Analysis Professional Study Guide CWAP- 404], Chapter 5: 802.11 MAC Sublayer, page 123-124

Correct Answer: B

Explanation: The users on floor 5 are being subjected to a denial of service attack, as this is happening across the entire floor it is likely to be a misconfigured WIPS solution belonging to the tenants on the floor below. This is because the

Deauthentication frames have a source address that matches the BSSIDs of the customer's APs and a destination address that is a broadcast address (FF:FF:FF:FF:FF:FF). This indicates that someone is sending spoofed Deauthentication

frames to all STAs associated with the customer's APs, causing them to disconnect from the wireless network. This is a common type of DoS attack on wireless networks, and it could be caused by a rogue device or a WIPS solution that is

configured to protect the wireless network of another tenant on the floor below12. References: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 13: Troubleshooting Common Wi-Fi Issues, page 4961;

CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 14:

Troubleshooting Tools, page 5272.

Correct Answer: A

Explanation: A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values.References: CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35 CWAP-404 Objectives, Section 2.2: Analyze field values

Correct Answer: D

Explanation: The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 5:

802.11 MAC Sublayer, page 118-119