
Wireless Security Assessment

Nicholas Diley
Network Defense and Countermeasures

After utilizing Aircrack-ng alongside Reaver, there are quite a few revelations to be
had about the service. Given the nature of the attack, the main line of attack is
comparing 8-digit keys (the WPS PINs that Reaver tries) against the one held by the
Access Point, which given enough time would eventually yield the WPA key. This
could lead to severe vulnerabilities for the Access Point, and it was one that was
run into throughout the course of experimentation.
Getting the interface to work was easy enough, running airmon-ng start wlan0 on
the standard interface of the test environment device, whose details are as follows:
Acer Aspire One Laptop
Intel Atom Processor
1.6 GHz Processor
Single Core
1GB Memory
160 GB HDD
Atheros 802.11 b/g WLAN
The Atheros chipset in this device in particular was capable of promiscuous/monitor
mode, in which it was able to sniff packets and inject packets throughout the course
of the experiment.
When working with the interface, the first step was to put the device into monitor
mode. This allows the use of airodump-ng to list the devices along with their
BSSIDs, in order to look further into establishing a connection to the devices at hand.
Within the interface we are able to see them completely, across different channels,
showing their encryption method and the ESSID with their name; however, the item
we are to familiarize ourselves with is the BSSID.

When setting up the Access Point, one of the first things that should be marked
down is the BSSID value. Through configuration, one of the first things to notice is
that this id is unique and stays associated with the device unless it is manually
changed. To make sure that no other device is trying to associate itself by using the
same ESSID, one step is to verify that the id is assigned to the correct device.
With that aside, utilizing airodump-ng has its perks because it lists all of the
devices located around the investigating device, where we can easily see which
devices are broadcasting a signal to connect to. These all have BSSIDs assigned to
them as well, so we can identify whether any devices are out of scope of our
network, or whether they should be there in the first place.
Within the interface of the Access Point there are options for whether or not to
utilize WPA encryption; an example of the test environment with WPA enabled is
shown below.

The WPA PSK (Pre-Shared Key) was generated as well, which is what Reaver produces
after the device in question has been run through it. The device used in particular
was ChocoNoPico (ESSID), with BSSID F8:35:DD:EC:0A:BF.
Running the device through airodump-ng produces the BSSID, which we are then able
to use within the Reaver environment to run further tests against it.

We are using the command:

    reaver -i wlan0mon -b F8:35:DD:EC:0A:BF

where -i sets the interface and -b sets the BSSID.
Reaver will continuously try PINs against the potentially WPA-enabled device, which
is the first step in seeing whether the device could be broken into by this method. It
is but one way to check, as you would be running a test against the device: if we
were to know the 8-digit WPS PIN associated with the device, we would most likely be
supplied with the WPA PSK for entering the AP.
Had the PIN-based setup been disabled, we would have been prompted with an error;
however, for the sake of the experiment it was enabled and the key was supplied.

With all of this in mind, the AP was quickly broken into after spending 3 minutes and
22 seconds comparing the PIN and receiving the PSK as a result. Seeing that WPA is
indeed enabled on the device while the 8-digit PIN setup (WPS) remains active, it
would be best to disable that PIN-based setup within the AP, for if anyone were to
obtain the 8-digit PIN they could potentially break into the device. Without supplying
the PIN, it is worth noting that the estimated time of completion was 4+ days;
regardless, it is still an issue within the system.
Detecting the AP could be as easy as comparing the BSSID against the ESSID, or
simply seeing which devices can be distinguished within the airodump-ng screen.
Using Reaver could be a worthwhile way to pentest your own devices to ensure that
they are not capable of being broken into in this manner, and to see where changes
are to be made so that it does not happen in the future. Assuming that the
vulnerability has been mitigated, Reaver would most likely throw an error, and the
device would not be able to be broken into in this manner.
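
The BSSID-versus-ESSID check described above can be automated by reading the CSV
file that airodump-ng writes with -w. The script below is an added example and is not
part of the original report: the authorised AP uses the report's ESSID and BSSID, while
the other two access points, the timestamps and the INVENTORY mapping are constructed
for illustration.

```python
import csv
import io

# Constructed sample of airodump-ng CSV output (not a capture from the report's
# experiment). Only the AP section precedes the "Station MAC" header.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F8:35:DD:EC:0A:BF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 11, ChocoNoPico,
00:11:22:33:44:55, 2024-01-01 10:01:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -70, 30, 0, 0.0.0.0, 11, ChocoNoPico,
AA:BB:CC:DD:EE:FF, 2024-01-01 10:02:00, 2024-01-01 10:05:00, 1, 54, WEP, WEP, , -80, 15, 0, 0.0.0.0, 7, OldNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Hypothetical inventory of the APs we own: ESSID -> set of authorised BSSIDs.
INVENTORY = {"ChocoNoPico": {"F8:35:DD:EC:0A:BF"}}


def parse_access_points(text):
    """Return the AP rows of airodump-ng CSV text as dicts keyed by column name."""
    ap_section = text.split("\nStation MAC")[0]          # drop the client table
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k}
            for row in reader if row.get("BSSID")]


def audit(aps, inventory):
    """Classify every seen AP against the inventory.

    Returns (bssid, essid, verdict, weak_crypto) tuples where verdict is
    'authorised' (our BSSID on our ESSID), 'evil_twin' (our ESSID broadcast by a
    BSSID we do not own) or 'out_of_scope' (an ESSID that is not ours at all).
    weak_crypto is True when the Privacy column is not a WPA variant.
    """
    findings = []
    for ap in aps:
        bssid, essid = ap["BSSID"].upper(), ap["ESSID"]
        if essid in inventory:
            verdict = "authorised" if bssid in inventory[essid] else "evil_twin"
        else:
            verdict = "out_of_scope"
        weak = not ap["Privacy"].upper().startswith("WPA")
        findings.append((bssid, essid, verdict, weak))
    return findings


if __name__ == "__main__":
    for bssid, essid, verdict, weak in audit(parse_access_points(SAMPLE_CSV), INVENTORY):
        print(f"{bssid}  {essid:<12} {verdict:<13} weak_crypto={weak}")
```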
