Wireless Penetration Testing
WiFi networks are another weak point that attackers can target. With some companies focusing on internet-based threats, wireless can be an overlooked security weakness.
If an attacker is able to compromise a wireless network they may be able to launch further attacks against company devices or pivot to sensitive resources.
Our wireless penetration testing methodology covers a range of wireless network security issues, for example:
Not all available encryption options offer the same level of protection. For example, so-called “Wired Equivalent Privacy” (WEP) encryption is effectively completely broken, and a WEP-protected network can be trivial to access. The encryption level of the network will be assessed for known cryptographic weaknesses.
Wireless clients configured with enterprise security may disclose the username when connecting to an access point. These usernames can be gathered to allow for a later password brute-force attack.
Rogue Access Point Protection
For protocols such as EAP-MSCHAPv2 and EAP-TTLS it may be possible to set up a malicious access point which accepts EAP authentication, and if the device or user enters their credentials they can be captured.
These networks should be protected by a trusted X.509 certificate, although an attacker may be able to use an illegitimate certificate (such as a self-signed one) and the user may ignore any security warnings, connecting to the malicious network.
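A defensive check for the client-side weaknesses described above (WEP, username disclosure and missing server certificate validation), run over wpa_supplicant-style network profiles. This is an added example, not part of the original page; the sample configuration, SSIDs, names and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, names and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    anonymous_identity="anonymous@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    findings = []
    key_mgmt = net.get("key_mgmt", "")
    # Static WEP is configured as key_mgmt=NONE plus wep_keyN entries.
    if key_mgmt == "NONE" and any(k.startswith("wep_key") for k in net):
        findings.append("WEP encryption")
    # Tunnelled EAP methods: check the outer identity and the server checks.
    if "WPA-EAP" in key_mgmt and net.get("eap", "").upper() in ("PEAP", "TTLS"):
        if "ca_cert" not in net:
            findings.append("server certificate not validated (no ca_cert)")
        if not {"domain_suffix_match", "domain_match"} & net.keys():
            findings.append("server name not pinned")
        if "anonymous_identity" not in net:
            findings.append("username sent as outer identity")
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `audit_config(SAMPLE_CONF)` returns a mapping from SSID to findings; a profile with no findings validates the RADIUS server certificate and name and hides the real username behind an anonymous outer identity.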
Wireless networks should be configured to prevent wireless clients from communicating with each other, instead only allowing devices to connect to the network to access resources. This protection significantly reduces the attack surface of the target network and may prevent network propagation and privilege escalation attacks.
Network Access Control
Wireless networks may utilise “Enterprise” wireless security. These networks are protected with an Extensible Authentication Protocol (EAP) method, for example EAP-TLS, EAP-TTLS or PEAP (EAP-MSCHAPv2).
These protocols allow integration of the wireless network with other authentication systems such as Active Directory. This may mitigate the difficulty of revoking a user’s access to the wireless network, but it introduces the additional risk of making the wireless network only as secure as the weakest account password.
Due to the increased risk of wireless connection, it is recommended that wireless networks are segmented from other areas of the corporate network and that strict network filters are in place to prevent network propagation in the event that a wireless network or client is compromised.