Because an attacker does not need to be directly in the company building to access a wireless network, simply within range of the network, this is a crucial matter for security. Penetration testing for Wi-Fi technologies simulate an attack on access to an organization's internal network via a Wi-Fi signal. After gaining access, there will be a check of the quality of traffic filtering between the Wi-Fi client network segment and the rest of the internal networks.
The tests also include an analysis of the client’s configuration of the connection to the wireless network. The test results in an overview and a mapping of the Wi-Fi networks in operation and a list of security findings with their subsequent impact on the organization's internal network. Penetration testing mainly includes the following categories:
- Mapping and analysis of the Wi-Fi networks available in the company’s premises.
- Detecting possible Rogue APs.
- Testing the employee Wi-Fi networks.
- An attempt to gain access.
- An analysis of the filtering between the Wi-Fi and LAN network segments
Mapping and analysis of the Wi-Fi networks available in the company’s premises
The aim is to map and analyse the Wi-Fi networks available in the company’s premises. The analysis focuses on mapping individual Access Points and the use of technological and cryptographic mechanisms used to secure authentication and transmitted data.
Detecting possible Rogue Access Points (AP)
A Rogue Access Point (AP) is an unauthorized Access Point deployed on the premises and in the immediate vicinity of the company. An attacker usually uses a Rogue AP to attack the security of an existing wireless network - here the attacker duplicates the settings of the target network. The second commonly used option is to use an open wireless network with the aim to subsequently attack any connected stations or to intercept access data.
Verification of visitor Wi-Fi networks
This phase aims to analyse the security of visitor Wi-Fi networks. These networks are usually configured with open access and captive portal authentication or with Personal security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
Testing the employee Wi-Fi networks
This phase aims to analyse the security of employee Wi-Fi networks. These networks are usually configured as a WPA Enterprise with 802.1X authentication, and sometimes with Personal security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
An attempt to gain access
The attack procedure to gain unauthorized access varies depending on the network security used. There are various known attacks on WEP, WPA-PSK, WPA2-PSK or WPA-Enterprise security that are tested during this phase. There are many documented attacks for WEP security such as the KoreK chopchop attack, Fragmentation Attack, ARP-request replay attack and others.
For WPA2-PSK, this could be, for instance, cracking a shared password offline or misusing an enabled WPS authentication method. In the case of WPA-Enterprise using standard IEEE 802.1X authentication, the network is checked for weak authentication methods (EAP-MD5, Cisco LEAP). There is a verification of the correct configuration and hardening of the network and client devices. The possibilities of capturing sensitive data such as usernames or passwords are also tested.
An analysis of the filtering between the Wi-Fi and LAN network segments
In this stage, there is an authorized login to all the company’s Wi-Fi networks under the provided user accounts. Subsequently, there is a test of how thoroughly the Wi-Fi client network segment is separated from other sensitive network segments (DMZ, production, ...). If different VLANs are present, the above is also checked.