CND (312-38) Network Defense Simulation
Network Scenario
You are a Network Security Analyst performing a routine wireless security audit of the corporate headquarters. Management suspects an employee may have plugged an unauthorized wireless router into a wall jack to bypass corporate proxy restrictions. You boot up your Windows-based audit laptop to perform an active sweep of the 2.4 GHz (802.11b/g) and 5 GHz (802.11a) bands to identify any foreign BSSIDs broadcasting within the physical perimeter.
Traffic & Logs
The log indicates an unauthorized AP operating on Channel 11. You must document the tool used to discover this.
Question
This is a Windows-based tool used to detect wireless LANs that use the IEEE 802.11a, 802.11b, and 802.11g standards. Its main features are as follows:
It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
It is commonly used for the following purposes:
a. War driving
b. Detecting unauthorized access points
c. Detecting causes of interference on a WLAN
d. WEP ICV error tracking
e. Making graphs and alarms on 802.11 data, including signal strength
This tool is known as __________.
A. Kismet
B. Absinthe
C. THC-Scan
D. NetStumbler
Expert Analysis
1. What is happening in the network
The defender is conducting an active wireless site survey to detect "Rogue Access Points." A rogue AP is an unauthorized wireless router plugged into the corporate LAN. It gives anyone within radio range (including people outside the building) a Layer 2 path straight onto the internal network segment, bypassing the perimeter firewall and any IDS sensor that only watches the official ingress and egress points.
2. Identify attack or behavior
Two behaviors are being mapped: the AP's periodic broadcasting of 802.11 beacon frames (which carry its BSSID, SSID and channel), and the audit tool's transmission of probe requests, which elicit probe responses from nearby APs so the RF (Radio Frequency) environment can be charted. The same technique is called "wardriving" when done offensively and "site surveying" when done defensively.
3. Why correct answer is correct (D)
NetStumbler is a well-known, legacy Windows-based tool (last released as version 0.4.0 in 2004) specifically designed to detect 802.11a/b/g wireless LANs. It actively sends broadcast probe requests to elicit probe responses from APs, allowing it to graph signal strength, record SSIDs and channels, and list the BSSIDs (AP MAC addresses) it hears so they can be checked against the inventory of authorized APs. Of the four options it is the only Windows-based 802.11 detection tool, which is what the question asks for.
4. Why others are wrong
A. Kismet: Incorrect because Kismet is primarily a Linux/Unix-based tool and functions as a passive network detector, sniffer, and wireless IDS. It puts the card in monitor mode and listens; it does not transmit probe requests the way NetStumbler does (and can in fact alert on the probe-request pattern an active scanner produces).
B. Absinthe: Incorrect. Absinthe is an automated blind SQL injection tool, entirely unrelated to wireless networking.
C. THC-Scan: Incorrect. THC-Scan is a wardialing tool used to dial sequential telephone numbers to locate modems, not 802.11 wireless networks.
5. Defensive action
Relying on manual sweeps with NetStumbler is reactive and inefficient for modern enterprises. Network defenders should implement a Wireless Intrusion Prevention System (WIPS) to continuously monitor the airspace and compare every BSSID heard against the list of authorized APs. Additionally, wired network defenses should be enforced at the switch level: 802.1X (Port-Based Network Access Control) keeps an unauthenticated router from passing any traffic even if physically plugged in, and Port Security (MAC limiting) caps the number of source MAC addresses per port. One caveat: a consumer wireless router that NATs its clients presents a single MAC address to the switch, so a MAC-count limit alone will not trip; 802.1X, DHCP snooping and wired-side correlation of observed BSSIDs with the switch MAC address table are the controls that actually catch it.
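The wired-side correlation mentioned above, as an added example that is not part of the original page or of any vendor's product: it joins the BSSIDs from a wireless sweep against a switch MAC address table to find which access port a rogue is plugged into. The sweep results, the MAC table, the authorized-AP list and the MAC addresses are all constructed sample data. The matching heuristic (a consumer AP's radio BSSID is usually the same OUI as, and numerically within one or two of, its wired MAC) is a common assumption, not a guarantee, so it is written as a tunable parameter.

```python
from dataclasses import dataclass

# Constructed sample data: what the wireless sweep found (the channel 11 AP
# from the scenario plus two others) and what `show mac address-table` on the
# access switch returned. None of these addresses are real devices.
WIRELESS_SWEEP = [
    {"bssid": "00:11:22:33:44:55", "ssid": "Linksys", "channel": 11},
    {"bssid": "a4:56:30:0a:0b:10", "ssid": "CorpWiFi", "channel": 36},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "NeighborNet", "channel": 6},
]
SWITCH_MAC_TABLE = [
    # (vlan, mac, port)
    (10, "00:11:22:33:44:54", "Gi1/0/17"),   # wired MAC of the rogue router (BSSID - 1)
    (10, "3c:5a:b4:10:20:30", "Gi1/0/18"),   # an ordinary workstation
    (20, "a4:56:30:0a:0b:0f", "Gi1/0/48"),   # wired side of the authorized corporate AP
]
AUTHORIZED_BSSIDS = {"a4:56:30:0a:0b:10"}


@dataclass
class RogueFinding:
    bssid: str
    ssid: str
    channel: int
    wired_mac: str
    port: str
    vlan: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def oui(mac: str) -> str:
    """First three octets: the vendor prefix."""
    return mac.lower()[:8]


def find_rogues(sweep, mac_table, authorized, max_delta=2):
    """Correlate unauthorized BSSIDs with wired MACs seen on switch ports.

    A BSSID is treated as 'on our wire' when a MAC in the switch table shares
    its OUI and differs from it by at most max_delta (assumption, see lead-in).
    APs heard over the air but not found on any port are reported separately:
    they may be a neighbor's network, which is not our rogue.
    """
    findings, unlocated = [], []
    for ap in sweep:
        bssid = ap["bssid"].lower()
        if bssid in authorized:
            continue
        matched = False
        for vlan, mac, port in mac_table:
            mac = mac.lower()
            if oui(mac) == oui(bssid) and abs(mac_to_int(mac) - mac_to_int(bssid)) <= max_delta:
                findings.append(RogueFinding(bssid, ap["ssid"], ap["channel"], mac, port, vlan))
                matched = True
        if not matched:
            unlocated.append(bssid)
    return findings, unlocated


if __name__ == "__main__":
    rogues, off_wire = find_rogues(WIRELESS_SWEEP, SWITCH_MAC_TABLE, AUTHORIZED_BSSIDS)
    for r in rogues:
        print(f"ROGUE {r.ssid!r} ch{r.channel} bssid={r.bssid} -> {r.port} vlan {r.vlan} (wired {r.wired_mac})")
    for b in off_wire:
        print(f"heard but not on our switch: {b} (probably a neighbor)")
```

The "heard but not on our switch" bucket matters in practice: shutting down a port for a neighbor's SSID that merely bleeds through the wall is a false positive, so the defender only acts on BSSIDs that resolve to a port.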
6. MINI LESSON: Active vs Passive Wireless Recon
- Active Scanning (NetStumbler): The client sends out a broadcast (wildcard SSID) Probe Request on each channel. Every AP that hears it replies with a Probe Response. Pros: Fast, and it works with ordinary drivers. Cons: Easily detected, since a WIDS can fingerprint the stream of probe requests; cannot see APs configured to suppress their SSID, because those APs ignore wildcard probes and answer only a probe that already names the SSID.
- Passive Sniffing (Kismet): The wireless card is placed in monitor mode and silently captures beacon frames and data packets in the air. Pros: Stealthy; sees every AP that beacons (a "hidden" AP still beacons, just with an empty SSID field) and learns the hidden SSID once a legitimate client probes for it or associates; can capture handshakes. Cons: Requires a card and driver that support monitor mode, and must hop channels, so it takes longer to cover the whole band.
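As an added example (not code from the original page, NetStumbler or Kismet), the following parses raw 802.11 management frames the way a passive listener would and shows the three points of the mini lesson: beacons reveal BSSID and channel even when the SSID is hidden, a probe response to a directed probe reveals the hidden SSID, and a client sending wildcard probe requests stands out as an active scanner. The frames are constructed in the block itself with a small builder; the MAC addresses and SSIDs are made up.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Management-frame subtypes (IEEE 802.11 frame type 0)
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
# Information element IDs used here
IE_SSID = 0
IE_DS_PARAMS = 3          # DS Parameter Set: one byte, the channel number


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_mgmt(subtype, da, sa, bssid, ssid, channel=None, seq=0):
    """Build a minimal 802.11 management frame (constructed test data only)."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])          # type 0 = management
    hdr = (fc + struct.pack("<H", 0) + mac_bytes(da) + mac_bytes(sa)
           + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        # timestamp, beacon interval (TU), capability info (ESS + Privacy)
        body += struct.pack("<QHH", 0, 100, 0x0011)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()  # len 0 = hidden/wildcard SSID
    if channel is not None:
        ies += bytes([IE_DS_PARAMS, 1, channel])
    return hdr + body + ies


def parse_ies(data: bytes) -> dict:
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes):
    """Return the fields a surveyor cares about, or None for non-management frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0:
        return None
    da, sa, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        if len(body) < 12:
            return None
        body = body[12:]                                # skip fixed fields
    elif subtype != SUBTYPE_PROBE_REQ:
        return None
    ies = parse_ies(body)
    ssid = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMS)
    return {"subtype": subtype, "da": da, "sa": sa, "bssid": bssid,
            "ssid": ssid.decode(errors="replace"), "hidden": len(ssid) == 0,
            "channel": ds[0] if ds is not None and len(ds) == 1 else None}


def survey(frames):
    """What a passive listener learns: APs keyed by BSSID, and clients probing with a wildcard SSID."""
    aps, scanners = {}, defaultdict(int)
    for f in frames:
        p = parse_mgmt(f)
        if p is None:
            continue
        if p["subtype"] == SUBTYPE_PROBE_REQ:
            if p["da"] == BROADCAST and p["hidden"]:    # wildcard probe = active scanner
                scanners[p["sa"]] += 1
            continue
        ap = aps.setdefault(p["bssid"], {"ssid": None, "channel": None, "seen": set()})
        ap["seen"].add("beacon" if p["subtype"] == SUBTYPE_BEACON else "probe_resp")
        if p["channel"] is not None:
            ap["channel"] = p["channel"]
        if not p["hidden"]:                             # a hidden beacon never overwrites a known SSID
            ap["ssid"] = p["ssid"]
    return aps, dict(scanners)


ROGUE, HIDDEN_AP = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CLIENT, SCANNER = "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, ROGUE, ROGUE, "Linksys", channel=11),
    build_mgmt(SUBTYPE_BEACON, BROADCAST, HIDDEN_AP, HIDDEN_AP, "", channel=6),
    build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, HIDDEN_AP, HIDDEN_AP, "CorpGuest", channel=6),
] + [build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, SCANNER, BROADCAST, "", seq=n) for n in range(3)]

if __name__ == "__main__":
    aps, scanners = survey(SAMPLE_FRAMES)
    for bssid, ap in aps.items():
        print(bssid, ap["ssid"] or "<hidden>", "ch", ap["channel"], sorted(ap["seen"]))
    print("active scanners:", scanners)
```

Run against real captures, the same parser would be fed frames from a monitor-mode interface; the channel is read from the DS Parameter Set element rather than from the radio, which is what a hopping sniffer has to do because a strong AP on an adjacent channel is often heard on the wrong one.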