What is Included in a Wireless Penetration Test?

A wireless penetration test is a little different than most penetration tests, as it includes some elements of auditing and some elements of tactical testing. Because of that, it can be hard to discern what is included in a wireless penetration test. In this blog, we will break down a wireless penetration test into its three main elements: wireless survey, unauthenticated testing, and authenticated testing. This will give you a better idea of what wireless penetration testing includes, and what to expect when the engineer comes onsite to test your wireless networks.

Stage 1: Wireless Survey

what is included in a wireless penetration test
During a wireless survey, the engineer will identify rogue access points and wireless signals that extend beyond the perimeter of the building.

During the wireless survey, the engineer will walk through the office and surrounding areas using specialized antennas to collect information on all wireless networks available. Using this information, the engineer will work with you to determine which access points your organization owns and controls, which wireless networks belong to neighboring properties, and which wireless access points are rogue access points. Rogue access points can be intentional (an employee setting up a wireless access point to bypass proxy restrictions or perform malicious activities). But many times, they are unintentional weaknesses in your network (for example, a printer with the wireless turned on that can be used to bridge to your corporate network). For any rogue access point identified, the engineer will correlate the strength of the signal to find an approximate location of the device.

Finally, during the wireless survey the engineer will look for wireless signals leaking out of your facility. Some of this cannot be helped, it is just the nature of wireless networks and can’t be controlled. With that being said, if an attacker is able to sit in a parking lot at a building next door and attack your network, that is something you should know about. Depending on how your organization is laid out, it is usually possible to limit the strength of the signal enough that it reaches all the corners of the office, without leaking significantly out of the building. It’s alright if it leaks out of the building, but it should be close enough that someone will notice an attacker.

Step 2: Unauthenticated Testing

This is the stage of testing that most people think about when they consider what is included in a wireless penetration test. This is also where the engineer will spend the majority of their time. During this phase the engineer will attempt to gain unauthorized access to your wireless environment. There are several ways this can be done so this won’t be an all-inclusive list, but lets go through a few possibilities.

First, the engineer can attempt to gain access to the system by cracking the pre-shared key. For wireless environments that still use WEP, this works almost every time. It is still possible against WPA2 environments, but the engineer has to capture the key exchange, which can be more difficult with this type of network security. The engineer will monitor the network until a client authenticates, and then, using the captured 4-way handshake, the engineer can extract the encrypted pre-shared key. The engineer will then perform a series of password attacks to try and recover the cleartext password.

For other environments that use 802.1X or WPA-Enterprise, it is not possible to extract the key, as each individual employee has to authenticate using either a certificate or their unique authentication credentials. If authentication leverages domain accounts, the engineer can perform a password spray. To perform a password spray, the engineer will use open-source reconnaissance and social media sites to gather a large list of potential usernames, and then try a common password (Spring 2018!, Company123, etc.) for each username. A successful attack will allow the engineer to gain access to the wireless network. Additionally, the engineer can perform a Rogue Access Point (AP) attack. During a Rogue AP attack, the engineer will set-up an access point with the same name as the target corporate wireless SSID, and hopefully a stronger signal than the real wireless network. The goal is to get clients on the network to authenticate to the rogue access point rather than the real one, at which point the engineer can intercept their credentials to gain unauthorized access to the target network.

Finally, the engineer during the site-survey will look for the wireless password being written down in noticeable places. In the past, we have seen the wireless key written on a whiteboard of a conference room that was visible from outside the building, on the back of employee badges, and other dangerous locations.

Step 3: Authenticated Testing

Once the engineer gains access to the network, the test transitions to the third step, authenticated testing. If the engineer is unable to gain access from the previous step, they will request the password from the client so they can finish this portion of the test, regardless of whether previous phases were successful. This helps ensure a thorough test. In this third step, the engineer wants to verify that the network is secure even after a user authenticates. This includes things like testing the segmentation of the guest wireless network. The guest network should not be able to reach internal network resources, but rather be limited to strictly outbound traffic. Additionally, the engineer will sniff traffic on the network in an attempt to capture sensitive information (such as passwords, credit cards, etc.) that is not encrypted properly.

Following the test, the engineer will analyze the data, write up the report, and present the findings to you. Again, this was not an all-inclusive list, but hopefully it gives you a better understanding of what is included in a wireless penetration test.