The following blog will provide an overview of our wireless penetration testing methodology. A wireless penetration test emulates an attacker trying to gain access to the internal network through the wireless network, but also includes some elements of an audit, ensuring your wireless network is in-line with industry standards. This document outlines the standards, tools, and processes that Triaxiom Security’s engineers use during this type of assessment.
Triaxiom Security’s wireless penetration testing methodology is based on the following industry standards:
Sample of Tools Used
The following is a sample set of tools that may be used during a wireless penetration test:
- Custom Scripts
- Hashcat/John the Ripper
Our wireless penetration testing methodology can be broken into 3 primary stages, each with several steps.
- Gather Scoping Information
After initiating the project, scoping/target information will be collected from the client. In the case of wireless penetration testing, this information will include a list of all MAC Addresses and SSIDs in scope. This will assist the engineer in determining which access points are accounted for, and which access points are actually rogue access points. Additionally, during this stage a list of all buildings and locations are collected, and the project is scheduled.
- Review Rules of Engagement
This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project.
- Site Survey
Once the test has officially begun, a start notification will be sent to the client. The first phase consists of a site survey. Using several high-gain antennas, the engineer will walk the perimeter of the network and track the various wireless signals throughout your organization. Additionally, the engineer will walk outside of the facility or campus and continue to collect signals. This allows the engineer to correlate whether a particular access point is within your facility, or at a nearby facility. The engineer will then determine whether the wireless signal is significantly leaking outside your organization and if that may allow an attacker to target your wireless network from nearby locations. In addition to taking an inventory of available SSIDs and measuring signal strength, the engineer will also be searching for rogue access points within the building.
Tools may include: Acrylic, Kismet, Airodump, Airomon, NetStumbler
- Unauthorized Access Attempts
During the next step, the engineer will attempt to gain unauthorized access to the wireless networks in scope. Depending on how the wireless network is setup, this may include WEP/WPA-PreShared Key cracking, various password attacks, evil twin attacks, disassociation attacks, or other means. The goal of this step is to determine the organization’s susceptibility to an attacker gaining unauthorized access to your wireless networks.
Tools may include: Aircrack, WifiPhisher, coWPAtty, WepAttack, Reaver, Hashcat/John the Ripper
Once authenticated to in-scope wireless networks, the engineer will proceed to test several aspects of the wireless network as a regular connected user. If unsuccessful in gaining access through the means described in Step 2 of the Execution phase, the engineer will request credentials to the in-scope networks from the client in order to provide a holistic assessment. The testing at this point includes ensuring the guest network is properly segmented from the internal network, ensuring that laptops on the network are not dual-homed (bridging your wireless networks and wired networks), and checking for availability and security of access point administrative logins. Additionally, the engineer will attempt to identify corporate devices on “Guest” networks that are evading company policies and network restrictions.
Tools may include: Wireshark, Airomon, nmap, custom scripts
After completing the active potion of the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots. The technical findings report, on the other hand, will include all vulnerabilities listed individually, with details as to how to recreate the issue, understand the risk, recommended remediation actions, and helpful reference links.
- Quality Assurance
All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.
The final activity in any assessment will be a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation and schedule any formal retesting, if applicable.