Wireless Penetration Test

Your WLAN is reachable well beyond the boundaries of your company premises and therefore offers a particularly broad attack surface. A forgotten access point in a cabinet keeps running with an obsolete, vulnerable firmware version. A poorly configured guest WLAN or a rogue access point set up by a co-worker can be an inviting gateway into your intranet for attackers. Clients such as notebooks and mobile phones connect in good faith to Wi-Fi networks deployed by attackers and reveal secrets such as their credentials.

Our wireless penetration test checks for these and similar scenarios and identifies where they apply. Both access points and client devices are examined.

The result of the WLAN penetration test is a detailed report consisting of a management summary and technically detailed explanations of all identified security gaps.
Each security gap is rated by its criticality and its probability of occurrence. For each gap, mitigation measures describe how it can be closed or how the risk arising from it can be minimized.

As part of a WLAN penetration test we investigate:

  1. Access point identification
    • Determination of all WLAN access points, including APs with hidden SSIDs
    • Identification of rogue access points on the premises
    • Comparison of the Wi-Fi configuration of all APs within the company
    • Information gathering from public data sources such as WiGLE
  2. Physical security
    • Are access points protected against physical tampering?
    • Are (guest) WLAN passwords publicly visible?
  3. Guest Wi-Fi
    • Scan of all hosts reachable from the guest Wi-Fi
    • Breakout attempt from the guest Wi-Fi into the intranet
  4. Attacks against access points
    • For WPA and WPA2 (pre-shared key): capture of a 4-way handshake and offline brute-force attack on the passphrase
    • For WPA2 Enterprise: collection of MSCHAPv2 client challenge/response hashes via a fake AP with a malicious RADIUS server
    • For WPA-CCMP: offline brute force of the captured hash
    • For WPA-TKIP: packet injection attack
    • For WEP: recovery of the WEP key from captured traffic
    • When WPS is enabled: automated attack on the WPS PIN
  5. Attacks against clients
    • Identification of clients that connect to fake APs
    • Wi-Fi phishing with SSIDs requested by the client (Karma attack)