Wireless Penetration Testing Services
Find Hidden Risks Against Your Wireless Network
What to Expect From
Our Wireless Penetration Testing Service
Gathering and cracking Pre-Shared Keys (PSKs), exploiting vulnerable technologies like WEP and WPA/WPA2, and building rogue access points to attack misconfigured WPA2/Enterprise settings are all utilized techniques. Artifice Security engineers will also map out your wireless network and notify you of any existing rogue access points.
Additionally, Artifice Security will test your guest wireless network for proper segmentation and guest isolation.
Wireless Penetration Test Methodology
After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report has verifications with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:
Define the Scope
- Determine the location(s) for wireless testing
- Determine which SSIDs are in scope for testing
- Outline which systems, if any, are excluded from testing
- Determine testing dates and times for the penetration test
- Exchange key personnel and emergency contact information for any critical findings found
Information Gathering / Recon Phase
During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:
- Gather any potentially sensitive information about your organization
- Searches for publicly exposed documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain sensitive or customer data without your knowledge
- Searches on the Internet and Darkweb for leaked credentials within password breach databases
- Checks to find similar domain names as yours to determine your risk to phishing (risks to domain spoofing)
Enumeration and Vulnerability Scanning Phase
- Scan wireless access points to determine which encryption type is in use
- Determine each access point location and range for providing wireless connectivity
- Enumerate systems on the guest wireless network and check for proper segmentation from the internal production network
- Correlate public and proprietary vulnerabilities against systems on your network
Attack and Exploitation Phase
- Use breached credentials gathered in the information gathering phase or use brute force techniques to access sensitive data
- Combine attack vectors to gain access to wireless access points and internal systems connected to them
- Move laterally on the network
- Escalate privileges and access sensitive data
- Show proofs-of-concept for exfiltrating data (if approved by your organization)
Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your wireless network and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
- Executive Summary that easily conveys risk
- Vulnerabilities rated by criticality
- Detailed walkthrough showing how we chain together attacks
- Detailed repeatable proofs-of-concept for each vulnerability
- Best practice remediation steps that are customized and realistic based on your current environment
As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your wireless network after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your wireless network.
Frequently Asked Questions
What are the most common vulnerabilities found in a wireless network?
One of the most common vulnerabilities with wireless networks is misconfigurations or incomplete configurations. These misconfigured or incomplete configurations include weak WPA2 passphrases, default SSID setups, and WPA2-Enterprise setups that allow for evil twin attacks by having legitimate users connect to a malicious access point using the same SSID name.
Another common issue we find is access point (AP) signals extending beyond the organization’s boundaries. This excessive signal range allows a malicious actor close to the organization (e.g., parking lot) to perform attacks without being inside it.
Artifice Security also regularly finds organizations that lack controls to discover rogue access points. These access points can be employees who brought in a personal access point connecting to the production network, printers with unsecured wireless setups, or a malicious access point that mimics the SSID of real access points. By not having tools to detect these rogue access points, an organization leaves itself open for attack without alerts to the attack.
Lastly, we commonly find guest networks that are misconfigured. These guest networks are usually configured to be segmented from the production network. However, we typically find guest networks that still allow full or partial access to the production network.
Additionally, we find guest networks that do not have guest isolation turned on. Guest isolation (a.k.a Wireless Client Isolation) is a security feature that stops wireless clients from connecting with other wireless clients. This feature adds a layer of protection to guest networks, limiting assaults and risks between devices connected to wireless networks.
Do you provide a heat map of our wireless network?
Can you perform wireless penetration testing remotely?
Do you test wireless guest networks?
We always test wireless guest networks to determine if they are genuinely segmented from the rest of the network and ensure that a malicious actor could not attack other devices on the guest network from a lack of guest isolation controls.