Exam PT0-002 topic 1 question 186 discussion

Actual exam question from CompTIA's PT0-002
Question #: 186
Topic #: 1

A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?

  • A. Set up a captive portal with embedded malicious code.
  • B. Capture handshakes from wireless clients to crack.
  • C. Span deauthentication packets to the wireless clients.
  • D. Set up another access point and perform an evil twin attack.
Suggested Answer: C

Comments

surfuganda
Highly Voted 1 year, 4 months ago
Selected Answer: C
"unable to pivot because of restrictive ACLs on the wireless subnet." = GET OFF WIFI
"all laptop users have a hard-wired connection available at their desks." = GET ON WIRED
A. INCORRECT. Implies continued WIFI use
B. INCORRECT. Implies continued WIFI use
C. CORRECT. Span (typo = spam) deauth packets. Implies users will view WIFI as unreliable and compromised target laptop will failover to wired connection (away from restrictive ACLs on the wireless subnet). Pentester can then use shell on compromised target laptop to pivot.
D. INCORRECT. Implies continued WIFI use
upvoted 14 times
TiredOfTests
Highly Voted 1 year, 9 months ago
Selected Answer: D
I love how CompTIA questions are so trash that not even chatGPT has any idea what they are talking about.
upvoted 11 times
KeToopStudy
1 year, 7 months ago
Your problem is that you don't realise how stupid ChatGPT is. I never use it except for information detailing. Not answer decisions... Always gets them wrong, and not just in CompTIA exams but law college also...
upvoted 5 times
6aba738
Most Recent 10 months, 3 weeks ago
Selected Answer: C
C. Span deauthentication packets to the wireless clients is the best method to pivot by forcing clients to switch from the wireless network to the wired network. Not D. Set up another access point and perform an evil twin attack: An evil twin attack involves setting up a fake access point to trick users into connecting, but this doesn't help the tester pivot from the shell on the machine or leverage the wired network.
upvoted 2 times
b1484e5
10 months, 4 weeks ago
For everyone saying D: you are on a wireless network already and can't do anything due to restrictive ACLs. How would you get users to connect to the Evil Twin, and once connected, what additional information can you get that can help you in this situation? Also, for the ones saying they are connected to hardwired, the question clearly states they have hardwire available at their desk but are not necessarily connected, so figure out a way to force users to use that so you can use a less restrictive subnet.
upvoted 3 times
outnumber_gargle024
1 year, 2 months ago
Selected Answer: C
C. If you SPAM (not span) deauthentication packets to wireless users, they will just connect via hardline. You can pivot over hardline because it won't (based on the question) have the same restrictive ACLs that the wireless subnet does.
upvoted 2 times
deeden
1 year, 4 months ago
Selected Answer: A
I would go with option A here. I think the question is implying "how do you get to the hard-wired network" to bypass the restrictive ACLs on the wireless subnet. I don't see any other options other than a reverse shell, which can be done through option A.
upvoted 1 times
Big_Dre
1 year, 5 months ago
Selected Answer: C
Setting up an evil twin is of no use if you don't de-authenticate the user and force him to use the new network. So de-authentication comes first.
upvoted 2 times
ghpaoihsj
1 year, 11 months ago
Selected Answer: C
C. Spam deauthentication packets to the wireless clients. By doing this, the tester can push users off the wireless network, forcing them to use the wired connections. If these wired-connected systems have less restrictive ACLs or vulnerabilities, the tester may then be able to pivot to additional systems or parts of the network using the compromised laptop.
upvoted 1 times
isaphiltrick
1 year, 11 months ago
I choose C - Span deauthentication packets to the wireless clients. Here's my thought process: the pen tester cannot pivot due to the restrictive ACLs in the wireless subnet. His idea is to have everyone use the available hard-wired connection where he may have more freedom to obtain info and gain more access. To do that, he'd need to deauthenticate everyone's wireless connection to force them to use the ethernet connection. The biggest problem I had with the Evil Twin attack option was how could the pen tester set this up if the wireless subnet was full of restrictive ACLs? And in the off-chance he was able to set it up, wouldn't this "Twin" also have restrictive ACLs because it's still in the same wireless subnet?
upvoted 4 times
ProNerd
1 year, 11 months ago
Selected Answer: C
They have a wired connection. How is setting up an evil twin going to help, when they won't connect to that evil twin?
upvoted 4 times
solutionz
2 years ago
Selected Answer: D
D. Set up another access point and perform an evil twin attack. An evil twin attack could be used to mimic the legitimate wireless network and lure users to connect to it, potentially allowing the tester to gain more information or access. However, it should be noted that this approach might not be the most direct or efficient way to pivot from the current position, and the scenario doesn't provide all the details necessary to fully assess the effectiveness of this approach in the given context. But based on the provided options, option D is the most relevant to the situation described.
upvoted 1 times
matheusfmartins
2 years ago
Selected Answer: C
Conducting a deauthentication attack would force the users to connect to the wired connection, which doesn't have restrictive ACLs. Also, an evil twin would help, because an attacker could set up a fake wireless connection and "make" the targets connect to it, avoiding the ACL protections, but if he does this, the targets would no longer be on the network and the attacker wouldn't be able to pivot through the network.
upvoted 1 times
[Removed]
2 years, 3 months ago
Selected Answer: D
Since the penetration tester is unable to pivot because of restrictive ACLs on the wireless subnet, the best method to gain additional access to the network would be to set up another access point and perform an evil twin attack. This involves creating a fake wireless access point with the same name and security settings as the legitimate one, then tricking the clients to connect to the fake one instead. Once connected, the penetration tester can intercept and manipulate the traffic passing through the fake access point to gain access to additional systems on the network. Option A, setting up a captive portal with embedded malicious code, would require the wireless clients to connect to the fake captive portal, which is unlikely if there are restrictive ACLs on the wireless subnet. Option B, capturing handshakes from wireless clients to crack, is only applicable to wireless networks and cannot be used on hard-wired connections. Option C, spanning deauthentication packets to the wireless clients, may disrupt the wireless network, but it will not provide access to hard-wired connections.
upvoted 1 times
AaronS1990
2 years, 3 months ago
How does evil twin help if they have wired connection too?
upvoted 3 times
nickwen007
2 years, 5 months ago
D. Set up another access point and perform an evil twin attack is the best method available to pivot and gain additional access to the network. An evil twin attack involves setting up a rogue wireless access point that appears to be legitimate. Users who connect to this access point will be unknowingly giving their credentials, thereby allowing the tester to gain access to restricted portions of the network.
upvoted 3 times
cy_analyst
2 years, 5 months ago
Selected Answer: D
Given the restrictive ACLs on the wireless subnet, option D, setting up another access point and performing an evil twin attack, would be the best method available to pivot and gain additional access to the network. By setting up an evil twin access point with a stronger signal than the legitimate one, the penetration tester can trick the laptop users into connecting to the fake access point, which would give the tester access to the wired subnet and potentially allow for further exploitation.
upvoted 3 times
[Removed]
2 years, 5 months ago
Yes D is correct
upvoted 2 times
beamage
2 years, 5 months ago
Selected Answer: C
Already connected to the laptop through the wireless, can't pivot.
upvoted 1 times
[Removed]
2 years, 5 months ago
D is the answer for sure
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other