Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

Which Best Describes an Evil Twin? Network+ Practice Quiz

Quick evil twin quiz to test your Network+ skills. Instant results and explanations.

Editorial: Review CompletedCreated By: Abdelaziz RamadanUpdated Aug 23, 2025
Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art layered wifi icons symbolizing evil twin threat alongside CompTIA network quiz text on dark blue background

Use this short quiz to learn what best describes an evil twin and how to spot a fake Wi-Fi hotspot in real networks. After you finish, build on your knowledge with a computer networking quiz, review wireless network interference, or practice incident skills with a network forensics quiz.

What is an evil twin attack in wireless networking?
Jamming the wireless signal to cause denial of service
Mimicking a legitimate access point to trick users
Eavesdropping on encrypted traffic passively
Using a directional antenna to extend network range
An evil twin attack involves setting up a fraudulent wireless access point that mimics a legitimate one to lure users. Attackers use the same SSID and often a stronger signal so devices will connect to the rogue AP. Once connected, the attacker can intercept or manipulate the user's traffic. Further reading:
Which tool is commonly used to scan for available wireless networks and SSIDs?
NetStumbler
Aircrack-ng
Wireshark
Metasploit
NetStumbler is designed to scan for nearby wireless networks and display SSIDs, channel information, and encryption types. Wireshark can capture wireless frames but is not primarily a scanning tool. Aircrack-ng focuses on cracking keys, and Metasploit is a broader exploitation framework. More info:
Which encryption protocol is considered the strongest for securing a Wi-Fi network?
WEP
WPA2 with AES
WPA-TKIP
WPS
WPA2 with AES provides robust encryption and is the current standard for securing wireless networks. WEP is outdated and easily compromised, and WPA-TKIP is less secure than AES. WPS is a configuration feature, not an encryption protocol. More details:
What does SSID stand for in wireless networking?
Spatial Signal Identifier
Secure Service Interface
Service Set Identifier
System Stream ID
SSID stands for Service Set Identifier and is the human-readable name of a wireless network. Devices use the SSID to distinguish between multiple networks. Broadcasting an SSID makes network selection simpler for end users. See:
Which UDP port does RADIUS use by default for authentication?
5060
389
1812
22
RADIUS authentication traffic uses UDP port 1812 by default, while accounting uses 1813. Port 389 is LDAP, port 22 is SSH, and port 5060 is SIP. Correct port configuration is critical for integrating 802.1X authentication. Reference:
What does WEP stand for in wireless security?
Wired Equivalent Privacy
Wideband Equivalent Privacy
Wireless Encrypted Protocol
Wi-Fi Encryption Password
WEP stands for Wired Equivalent Privacy and was the original security algorithm for 802.11 networks. It proved insecure due to weak IV handling and predictable key streams. WEP has been deprecated in favor of WPA and WPA2. More info:
What does SSID broadcast enable on a wireless access point?
Announcing the network name to clients
Limiting the number of connected devices
Preventing unauthorized access
Encrypting wireless traffic
SSID broadcast allows clients to discover the network name in their list of available Wi-Fi networks. Disabling it only hides the SSID; it does not secure the network. Attackers can still detect hidden SSIDs via passive scanning. Read more:
At which OSI layer does wireless communication primarily operate?
Physical layer
Transport layer
Data Link layer
Network layer
Wireless networking operates at both the Physical and Data Link layers, but the primary framing and MAC functions occur at the Data Link layer (Layer 2). The Physical layer handles radio signals. Upper layers are abstracted above. More:
MAC address filtering on an access point blocks what?
All unencrypted traffic
Rogue DHCP servers
Devices not on the allowed MAC list
Only broadcast traffic
MAC address filtering enforces a whitelist of allowed device addresses at the MAC layer. Devices with MACs not on the list cannot associate with the AP. However, MAC addresses can be spoofed easily. See:
What authentication method does WPA2-Enterprise typically use?
WPS PIN authentication
WEP key rotation
802.1X with a RADIUS server
Pre-shared key
WPA2-Enterprise uses 802.1X authentication with a RADIUS server to provide per-user credentials. This separates encryption keys per session and user. PSK mode, by contrast, uses a shared key for all clients. Details:
What is a deauthentication attack in Wi-Fi?
Blocking DHCP assignments
Encrypting frames to prevent eavesdropping
Spoofing deauth frames to disconnect clients
Injecting false ARP responses
A deauthentication attack spoofs management frames to forcibly disconnect clients from a legitimate AP. This can be used to capture reconnection handshakes for key cracking or to perform man-in-the-middle attacks. WPA2 alone does not protect management frames by default. See:
Which type of antenna focuses signal in a specific direction to reduce signal leakage?
Dipole antenna
Omnidirectional antenna
Patch antenna
Directional antenna
Directional antennas focus radio energy toward a specific angle, improving range in that direction and reducing spillage elsewhere. Omnidirectional antennas radiate in all directions equally. Patch antennas are flat but still directional to some extent. More:
Which 2.4 GHz channels are non-overlapping in North America?
2, 5, and 8
4, 9, and 12
3, 7, and 10
1, 6, and 11
Channels 1, 6, and 11 in the 2.4 GHz band do not overlap each other, reducing co-channel interference. Other channels partially overlap and cause adjacent-channel interference. Proper channel planning is essential for performance. More:
Which frequency band does the 802.11ac standard operate in?
60 GHz
900 MHz
2.4 GHz
5 GHz
802.11ac operates exclusively in the 5 GHz band, enabling wider channels and higher data rates. It does not support 2.4 GHz. The 60 GHz band is used by 802.11ad. Details:
What must a rogue AP emulate to perform an evil twin attack?
A hidden SSID broadcast
A different security protocol than the legit AP
A captive portal page only
The same SSID as the legitimate AP
An evil twin AP replicates the legitimate network's SSID so that clients believe they are connecting to a trusted hotspot. Matching security settings and signal strength enhances the deception. Once devices join, attackers can intercept credentials and data. More:
Which user setting helps prevent clients from automatically connecting to unauthorized networks?
Activating MAC filtering
Enabling SSID broadcast
Disabling automatic network connections
Setting static IP addresses
Disabling automatic connections forces users to manually select known networks, reducing inadvertent connections to rogue APs. SSID broadcast and MAC filtering do not control client behavior. Static IP addressing is unrelated to SSID selection. See:
Which protocol enhances wireless security by providing a 4-way handshake?
WEP
Open Authentication
WPA2
EAP-MD5
WPA2 uses a robust 4-way handshake to establish encryption keys for each session, preventing replay attacks. WEP lacked this handshake and is insecure. Open authentication provides no encryption handshake. EAP-MD5 is an authentication method, not the link-layer handshake. More:
How can a certificate mismatch help detect an evil twin access point?
SSID stops broadcasting
AP signal strength drops below threshold
DHCP server stops issuing addresses
Client receives a warning about an invalid certificate
When using certificate-based authentication (e.g., WPA2-Enterprise), clients expect a known server certificate. A rogue AP cannot present the proper certificate, triggering a client warning. This mismatch alerts users to a potential evil twin. See:
Which EAP type uses TLS to secure authentication in enterprise wireless?
EAP-PEAP
EAP-MD5
EAP-MSCHAPv2
EAP-TLS
EAP-TLS uses client-side and server-side certificates within a TLS tunnel for mutual authentication. PEAP uses a server certificate and tunnels credential exchange, but only one side is certified. MSCHAPv2 and MD5 are password-based. More:
What wireless intrusion detection system (WIDS) feature helps spot evil twin APs?
Analysis of DHCP lease time
Monitoring of USB ports
Signature analysis of SSID duplication
Inspection of ARP cache
WIDS can detect SSID duplication by matching MAC and SSID combinations against known legitimate APs. When the same SSID appears from a new MAC, it flags a potential evil twin. DHCP lease times and ARP caches are not primary WIDS signals. More:
How can Received Signal Strength Indicator (RSSI) differences help identify a rogue AP?
Constant high RSSI from legitimate AP
Only MAC addresses are useful
RSSI irrelevant in AP detection
Unexpected RSSI changes on known SSIDs
By tracking expected RSSI values for a legitimate AP, sudden changes in signal strength for the same SSID indicate a potential rogue device closer to the user. Legitimate AP signals remain relatively stable. This technique aids in detecting evil twins. See:
What is the purpose of wireless client isolation?
Force DHCP reservations
Prevent clients from communicating directly with each other
Block all internet traffic
Disable SSID broadcasting
Client isolation ensures individual wireless clients cannot see or communicate with each other on the same SSID, reducing lateral attacks such as peer-to-peer exploits. Internet traffic remains unaffected. SSID broadcasting and DHCP are unrelated. More:
What does PMF (Protected Management Frames) protect against?
Deauthentication and disassociation attacks
DHCP starvation
ARP spoofing
WEP key cracking
Protected Management Frames add cryptographic protection to management frames, preventing spoofed deauth/disassoc frames. This mitigates attacks like deauthentication. WEP cracking, DHCP starvation, and ARP spoofing occur at other layers. Details:
Which method uses a pre-shared key cache to speed up roaming between APs?
DTIM
PMK Caching
Fast BSS Transition
DNS caching
PMK Caching allows a client to reuse a previously derived Pairwise Master Key when reconnecting to a known AP, speeding up the authentication process. Fast BSS Transition (802.11r) handles fast roaming differently. DTIM is for power-saving broadcasts, and DNS caching is unrelated. See:
What is a honeypot AP in wireless security?
An AP used for VoIP prioritization
An AP with disabled encryption
A fake access point designed to attract attackers
An AP that only provides guest access
A honeypot AP mimics a legitimate network to lure attackers and study their techniques without risking production systems. It often logs attacker activity and credentials. It is different from a guest network or VoIP QoS AP. More:
What is a wireless IDS (WIDS) signature for beacon flooding?
Excessive broadcast ARP messages
High UDP port scans
Large number of unique SSIDs in a short time
Continuous deauth frames
Beacon flooding attacks send numerous fake beacon frames with different SSIDs rapidly, overwhelming clients. WIDS signatures detect the spike in unique SSIDs. Deauth frames and ARP broadcasts are different attack types. More:
Which feature of WPA3 helps protect against offline dictionary attacks?
Pre-shared Key caching
TKIP fallback
WPS PIN
Simultaneous Authentication of Equals (SAE)
SAE replaces the PSK handshake with a secure password-authenticated key exchange that resists offline brute forcing. TKIP fallback and WPS PIN are vulnerable methods. PSK caching is unrelated. Details:
What role does a RADIUS server play in preventing evil twin attacks?
Encrypts the physical RF channel
Validates user credentials against a trusted database
Broadcasts SSIDs to clients
Monitors spectrum usage
A RADIUS server verifies user credentials and issues session keys via 802.1X, so only authentic APs with valid certificates can connect clients. This prevents rogue APs from successfully authenticating devices. SSID broadcasting and RF encryption occur elsewhere. See:
Which scanning method allows an AP detector to pick up SSIDs without associating?
Active probing
Ping sweep
DNS query scanning
Passive scanning
Passive scanning listens for beacon frames broadcast by APs without sending probe requests. Active probing sends probes to solicit SSIDs. DNS queries and ping sweeps operate at higher layers. More:
How does network access control (NAC) help mitigate rogue AP threats?
Enforces endpoint posture checks before network admission
Disables SSID broadcasting
Allocates more DHCP leases
Performs channel hopping
NAC solutions verify device health, compliance, and identity before granting network access, reducing the risk that unmanaged radios or rogue APs spread malware. Disabling SSID, channel hopping, and DHCP scope have no direct posture enforcement. More:
Which practice helps secure guest wireless networks from rogue APs?
Static channel assignment
Implementing a captive portal with authentication
Using WEP encryption
Broadcasting multiple SSIDs on the same channel
A captive portal requiring credentials or acceptance of terms adds a layer of control, preventing unknown APs from easily mimicking an open guest network. WEP is insecure, and channel or SSID broadcasting alone do not enforce access controls. More:
How does Fast BSS Transition (802.11r) improve roaming performance?
Performs key exchange before roaming completes
Broadcasts deauth frames to all clients
Uses pre-shared keys only
Disables encryption during transition
802.11r pre-authenticates a client with the target AP and caches keys, allowing seamless handoff without full 4-way handshakes. PSK only networks still require full re-authentication. Broadcasting deauth frames or disabling encryption would degrade security. More:
What is the primary vulnerability of WPA2-PSK in an evil twin scenario?
Enforces PMF by default
Uses a dynamic certificate infrastructure
Prevents passive scanning
Key is shared among all clients, enabling offline cracking
In WPA2-PSK, all clients share the same passphrase, so capturing the 4-way handshake allows an attacker to perform offline dictionary attacks. PSK lacks per-user credentials or certificate validation. PMF is optional, and passive scanning still works. See:
How can WPA3-SAE prevent offline dictionary attacks compared to WPA2-PSK?
By only allowing enterprise certificates
By using 1024-bit WEP keys
By performing a password-authenticated key exchange with forward secrecy
By disabling SSID broadcasting
SAE uses a secure Password Authenticated Key Exchange (PAKE) that provides forward secrecy and does not allow offline password guessing. SSID broadcasting and outdated WEP keys do not offer such protection. Enterprise certificates are not mandatory in SAE mode. More:
Which countermeasure detects a hidden evil twin that doesn't broadcast its SSID?
Monitor all probe request responses for unexpected beacons
Broadcast SSID on channel 1 only
Enable WPS
Disable DHCP server
Even hidden SSIDs respond to probe requests from clients, so monitoring for unexpected beacon responses after a probe can reveal hidden APs. Disabling DHCP or broadcasting SSID on a channel does not detect hidden APs. WPS is irrelevant. More:
What is the risk of deploying a wireless mesh network without strong mutual authentication?
Clients cannot roam between mesh nodes
Encryption is disabled network-wide
Rogue nodes can join the mesh and intercept traffic
Mesh automatically detects all evil twins
Without robust mutual authentication (e.g., certificates), unauthorized devices can join the mesh fabric and eavesdrop or route malicious traffic. Mesh networks do not inherently detect evil twins. Clients roaming and encryption depend on configuration. More:
Which attack leverages a mismatched DHCP server on a rogue AP to redirect traffic?
Rogue DHCP server attack
ARP poisoning on the wired network
SSID overlap attack
Beacon replay attack
A rogue DHCP server can reply faster than the legitimate server, assigning malicious gateway addresses to clients and capturing their traffic. Beacon replay does not involve DHCP, and ARP poisoning and SSID overlap are different attack vectors. More:
In a site survey to detect an evil twin, what does RF fingerprinting analyze?
SSID spelling variations
Unique radio characteristics of an AP transmitter
DHCP lease durations
Number of connected clients
RF fingerprinting analyzes transmitter-specific parameters like clock skew and modulation imperfections to uniquely identify an AP, even if SSID and MAC are cloned. SSID spelling and DHCP leases are not RF traits. Client counts vary dynamically. More:
Which advanced monitoring technique uses time-of-flight measurements to locate rogue APs?
ARP scanning
Radio direction finding with TDOA
Beacon interval scanning
SSID enumeration
Time Difference of Arrival (TDOA) combined with directional antennas helps pinpoint the physical location of a transmitting AP. Beacon interval scanning and SSID enumeration identify networks but not exact locations. ARP scanning is a LAN technique. More:
What vulnerability arises when using WPS in push-button mode?
Anyone within range can join during the PIN window
It disables AES encryption
It forces SSID to be hidden
It opens a management portal
Push-button WPS mode temporarily allows any device to join without credentials, making it easy for attackers nearby to gain access. It does not disable encryption or hide SSIDs. No management portal is opened. Details:
Which attack bypasses WPA2 encryption by exploiting a specific group key handshake vulnerability?
KRACK group key attack
WEP fragmentation attack
Beacon frame injection
Channel hopping attack
The KRACK group key attack exploits weaknesses in the group key handshake to replay and decrypt broadcast/multicast frames in WPA2. WEP fragmentation is for WEP, beacon injection is spoofing, and channel hopping is a scanning technique. More:
How can you use DHCP snooping as a defense against rogue APs?
Encrypt DHCP packets
Disable SSID broadcasting on uplink ports
Force all clients to static IP
Permit only trusted ports to assign DHCP addresses
DHCP snooping classifies switch ports as trusted or untrusted, only allowing DHCP offers from trusted ports. This blocks rogue DHCP servers often running on rogue APs. SSID, encryption, and static IPs are separate strategies. More:
In a WPA2-Enterprise deployment, which certificate property should you validate to avoid evil twin attacks?
CRL distribution point URL
Certificate serial number
Key usage flags allowing digital signatures
Common Name (CN) matching the RADIUS server hostname
Validating the Common Name (CN) or Subject Alternative Name (SAN) against the expected RADIUS server hostname prevents connecting to a rogue server with a mismatched certificate. Key usage and serial numbers are secondary, and CRL distribution points are for revocation. Proper CN checks are critical. See:
Which advanced protocol extension allows secure discovery of peering APs in a mesh and prevents rogue mesh nodes?
IEEE 802.11s with authenticated peering management frames
802.11w with TKIP fallback
802.11k with passive scanning
802.11v with network-assisted roaming
IEEE 802.11s defines secure mesh peering management frames that authenticate neighbor APs before joining the mesh, preventing rogue nodes from integrating. 802.11k and v relate to scanning and roaming, and 11w protects management frames but not mesh peering. More:
Which post-quantum key exchange mechanism is being considered for future WPA security?
Elliptic Curve DSA
RSA-2048
Quantum-resistant lattice-based cryptography
Diffie-Hellman 1024
Lattice-based cryptographic algorithms are leading candidates for post-quantum key exchanges that resist quantum computer attacks, under consideration for future WPA standards. Traditional RSA and ECDSA are vulnerable to quantum adversaries. More:
In 802.11aa, what feature improves service availability during dense management frame attacks?
Group addressed service access points with admission control
Dynamic frequency selection
Enhanced Open (OWE) encryption
Fast BSS Transition
802.11aa introduces group addressed service access points (GA - APs) and admission control to maintain QoS even when management frames flood the network. FT is for roaming, OWE secures open networks, and DFS avoids radar. More:
Which diagnostic tool uses supervised machine learning to distinguish legitimate and rogue AP behavior?
Wireless Intrusion Prevention with anomaly-based ML
NetFlow traffic analysis
Simple echo ping tests
DNS sinkholing
Modern WIPS solutions incorporate anomaly-based machine learning to model normal AP behavior and detect deviations indicative of rogue or evil twin APs. NetFlow is traffic-level, pings are basic reachability tests, and DNS sinkholes target resolution attacks. More:
0
{"name":"What is an evil twin attack in wireless networking?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What is an evil twin attack in wireless networking?, Which tool is commonly used to scan for available wireless networks and SSIDs?, Which encryption protocol is considered the strongest for securing a Wi-Fi network?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Identify Evil Twin Access Points -

    Pinpoint characteristics of an evil twin WiFi network and accurately answer "which of the following best describes an evil twin" to distinguish malicious access points from legitimate ones.

  2. Describe Wireless Security Threats -

    Explain common wireless security threats covered in the CompTIA Network+ security quiz, including rogue APs, man-in-the-middle attacks, and evil twin vulnerabilities.

  3. Analyze Authentication Risks -

    Assess how improper or weak authentication methods can be exploited by attackers using evil twin techniques to intercept user credentials.

  4. Evaluate Defense Strategies -

    Critically examine network defense mechanisms such as mutual authentication, certificate validation, and secure configuration to guard against evil twin WiFi threats.

  5. Apply Mitigation Techniques -

    Implement best practices like monitoring SSID anomalies, deploying WPA2/WPA3, and using VPNs to reduce exposure to rogue access points.

  6. Boost Exam Confidence -

    Build test-taking skills for the Network+ practice test environment by reviewing scored questions and reinforcing knowledge through immediate feedback.

Cheat Sheet

  1. Defining the Evil Twin Attack -

    An evil twin WiFi is a malicious access point that mimics a legitimate SSID to trick users into connecting. Understanding which of the following best describes an evil twin helps you recognize that it's essentially a rogue AP impersonation attack, exposing clients to eavesdropping or credential theft. (Source: CompTIA Network+ Exam Objectives, NIST SP 800-153)

  2. WPA2 Encryption and Authentication Risks -

    WPA2-PSK networks are vulnerable to dictionary and brute-force attacks if passphrases are weak or reused across sites. In enterprise deployments, 802.1X/EAP methods (e.g., PEAP, EAP-TLS) offer mutual authentication, ensuring both client and server verify each other's certificates. (Source: IEEE 802.11i Standard, SANS Institute Wireless Security)

  3. Rogue AP Detection Techniques -

    Regular network scans using tools like Kismet, AirMagnet, or open-source solutions can pinpoint unauthorized APs broadcasting your SSID. Implementing wireless intrusion prevention systems monitors for signature patterns typical of evil twin setups and triggers alerts in real time. (Source: University of Maryland Wireless Security Lab)

  4. Implementing Certificate-Based EAP -

    Deploying EAP-TLS requires clients to present unique certificates, eliminating shared-key weaknesses and drastically reducing the risk of evil twin phishing. Remember the 3-tier trust chain: client certificate, RADIUS server certificate, and CA certificate - each layer adds verification confidence. (Source: Cisco Secure Wireless Design Guide)

  5. Mnemonic for Wireless Threats -

    Use "PEARL" to recall key wireless risks: Phishing via evil twin, Eavesdropping, AP spoofing, Rogue clients, and Link jamming. This memorable phrase helps you ace your Network+ practice test by linking each letter to a defense strategy. (Source: Official CompTIA Study Materials)

Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Computers & IT Quizzes

Powered by: Quiz Maker