Wireless Penetration Test

Your W-LAN is reachable far beyond the borders of your company premises and therefore offers a particularly broad attack surface. A single access point, forgotten in a cabinet, may still be running an obsolete, vulnerable firmware version. A poorly configured guest W-LAN, or a rogue access point set up by a co-worker, can be an inviting gateway into your intranet for attackers. Clients such as notebooks and mobile phones connect in good faith to WiFi networks deployed by attackers and reveal their secrets.

These and similar scenarios are tested for and identified as part of our wireless penetration test. Both access points and client devices are examined.

The result of the WLAN penetration test is a detailed report consisting of a management summary and technically detailed explanations of all identified security gaps.
The security gaps are assessed according to their criticality and probability of occurrence. For each gap, mitigation measures describe how the gap can be closed or how the risk arising from it can be minimized.

As part of a WLAN penetration test we investigate:

  1. Access Point identification
    • Determination of all WLAN access points including APs with hidden SSID
    • Identification of rogue access points on the premises
    • Comparison of the WIFI configuration of all APs within the company
    • Information gathering from public data sources such as WiGLE
  2. Physical Security
    • Are access points protected against physical interference?
    • Are (guest) WLAN passwords publicly visible?
  3. Guest WIFI
    • Scan of all hosts in the guest WIFI
    • Breakout attempt from the guest WIFI into the intranet
  4. Attacks against Access Points
    • For WPA2 and WPA: Record a handshake and run an offline brute-force attack on the password
    • For WPA 2 Enterprise: Collect MSCHAPv2 client hashes through Fake AP with malicious RADIUS server
    • For WPA-CCMP: Brute-force of the hash
    • For WPA-TKIP: Packet Injection attack
    • For WEP: Calculate the WEP key
    • When WPS is enabled: Automatic attack on the WPS PIN
  5. Attacks against clients
    • Determining clients connecting to Fake APs
    • WiFi phishing with client-requested SSIDs (Karma attack)