A security technician is attempting to access a wireless network protected with WEP. The technician does not know any information about the network. Which of
the following should the technician do to gather information about the configuration of the wireless network?

A.
Spoof the MAC address of an observed wireless network client

B.
Ping the access point to discover the SSID of the network

C.
Perform a dictionary attack on the access point to enumerate the WEP key

D.
Capture client to access point disassociation packets to replay on the local PC’s loopback

Explanation:
With ARP spoofing (also known as ARP poisoning), the MAC (Media Access Control) address of the data is faked. By faking this value, it is possible to make it look
as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for
another host, or to launch a DoS attack. In all cases, the address being faked is an address of a legitimate user, and that makes it possible to get around such
measures as allow/deny lists.
Note: As an example, the initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By
examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.
Incorrect Answers:
B: An SSID would not provide much information about the network.
C: A dictionary attack uses a dictionary of common words to attempt to find the user’s password. It is not of particular use to gain access to WEP networks.
D: In order to do a forged dissociation attack the attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 171, 258, 321-322