Wireless Penetration Test

  • Home
  • Wireless Penetration Test
Wireless Penetration Test

Wireless Penetration Test

 

Wireless networks are a convenient and easy method for your staff to access your organisation’s network, but since they can often be accessed from outside of your physical premises, wireless networks can introduce a significant risk if not configured correctly.

Wireless networks are widely used by laptops, printers, smartphones, tablets and IoT devices within organisations and can often be installed to cover general office space, meeting rooms, secure areas, reception spaces and even reach outside of your building into public spaces.  Incorrectly configured WiFi networks can put sensitive data at risk, as the data can sometimes be exposed to unauthorised devices or eavesdroppers.

Unsecured wireless access points present a significant security risk to an organisation’s data, due to the potential for data leakage and attackers gaining access to corporate networks from outside of the physical office space. Targeted attacks against corporate wireless users are also on the rise, whereby attackers set up a rogue access point in an adjacent office or car park, in an attempt to coerce users into connecting to their malicious access point instead of the legitimate access point in their office space.

Typical vulnerabilities that are often found in wireless networks include:

  • Easily-guessable user credentials or Pre-Shared Keys (PSK) meaning attackers can guess login details and connect to your network from the car park
  • Poor segregation between wireless clients potentially allowing visitors to connect to your employees’ wireless devices
  • Lack of network segregation between different wireless networks (SSIDs) allowing less secure guest networks to connect to internal networks that you thought were protected
  • Sensitive information exposure resulting in data theft or the failure of a compliance audit
  • Weak network traffic encryption allowing attackers to read network traffic remotely
  • Wireless clients susceptible to rogue wireless access points controlled by an attacker resulting in credential theft or data loss
  • Unexpected or undocumented wireless devices connected to the network

Our Wireless Network Penetration Test will assist you in identifying the level of access that a malicious user could achieve if they have been able to position themselves within range of you organisation’s wireless access points.

Methodology

Depending on the types of wireless networks in use, our consultants will use a combination of automated and manual testing, with the goal of achieving network connectivity to your organisation’s network through vulnerabilities that may be present. Our typical methodology for a Wireless Network Penetration Test includes the following:
  1. Identifying weak encryption protocols
  2. Capturing authentication handshakes
  3. Cracking Pre-Shared Keys (PSK) to allow remote access
  4. Identifying rouge access points that may have been planted inside the organisation’s building(s)
  5. Authentication attacks against wireless devices and the organisation’s Access Points (APs)
  6. Identifying information disclosure when wireless clients connect to your network
  7. Certificate spoofing attacks

During the assessment, our consultancy team can deploy rogue wireless access points throughout your organisation, which will be used to try and coerce employees into connecting to them. These may be configured with SSIDs such as “Free Wireless Hotspot” in an attempt to get users to connect to these instead of the corporate network. In the event of a user connecting to one of these rogue access points, we can attempt to further the attack on the workstation and then potentially onto the corporate domain.

For wireless networks that use WPA-Enterprise authentication, a configuration review will be performed on a sample wireless client (such as a laptop), as weaknesses in WPA-Enterprise authentication are not always apparent from passive information gathering.

Prerequisites

  1. List of wireless SSIDs to be tested.
  2. An office location which is in range of the wireless networks to be tested.
  3. If a WPA-Enterprise network is in scope of testing, we will need a corporate laptop or device that we can access with administrative rights in order to check the configuration.
  4. If a wireless controller is in scope of testing, we will need the IP address of the controller and credentials that we can access it with. This can be a read-only account, providing the account will allow us to inspect all areas of the controller.
  5. If network segregation testing is to be performed, we will need the IP address ranges that you would like us to ensure are segregated from the wireless network.
  6. A signed and completed testing consent form.
  7. An up-to-date network diagram showing both the wireless and wired networks.