Exam SY0-601 topic 1 question 227 discussion

coffee shop = public wifi, a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the evil twin access point.

took exam recently, this question was on the test

Deauthentication Attack and Reconnection: attackers can perform a deauthentication attack to force users to disconnect from a legitimate network. When users’ devices reconnect, they might automatically connect to an evil twin network with a stronger signal, assuming it’s the genuine network.

Evil Twin. Deaunthenticate the user to force them over to the evil twin access point.

evil twin 100%

B- Image result for define deauthentification cybersecurity A deauth or deauthentication attack disrupts connections between users and Wi-Fi access points. The attackers force devices to lose access and then reconnect to a network they control. Then, perpetrators can track connections, capture login details, or trick users into installing rogue programs. Attackers can set up rogue networks or evil twins mimicking legitimate access points so they can monitor victims’ traffic.

Deauthentication Description This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons: Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”. Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) Of course, this attack is totally useless if there are no associated wireless client or on fake authentications.

https://surfshark.com/blog/what-is-evil-twin-attack

I don't think it's Evil Twin because it doesn't state anything about "two wifi SSIDs with the same name". It just says they are at a coffee shop. What it does state however is that there is lag and etc...which a Session Replay does. Session replay attacks, also known as replay or replay attacks, are network attacks that maliciously “retry” or “delay” valid data transmissions. Hackers can do this by intercepting the session and stealing the user’s unique session ID (stored as either a cookie, URL, or form field). The hacker can now impersonate the authorized user and have full access to do everything the authorized user can do on the website. A replay attack occurs when a cybercriminal intercepts a secure network communication, intercepts it, and fraudulently delays or transmits it to trick the recipient into doing what the attacker is looking for.

Agreed with B - Evil Twin here.

Only session reply makes sense to me. Evil twin is copy of legimitate SSID (access point). No deauthentication is needed here.

Deauthentication: Seems Evil Twin to me