A security analyst captures network traffic and sees the following: Client sends a SYN, server responds with SYN-ACK, then client sends ACK. Immediately after, the client sends an encrypted payload. This traffic is consistent with which phase of a WPA2 attack?
The sequence matches the 4-way handshake: the first two messages (nonces), then the third (encrypted GTK) and the fourth (ACK).
Why this answer
The TCP handshake shown is for the 4-way handshake messages: the first two messages (AP nonce and supplicant nonce) are exchanged, then the third message is the encrypted GTK, followed by the ACK. The encrypted payload indicates the handshake is complete.