Wireless Penetration Testing Services

Find Hidden Risks Against Your Wireless Network

Artifice Security is the leading penetration testing company for wireless penetration testing. We have the skills and experience to show you vulnerabilities in your wireless setup and the knowledge to help you configure your devices to best practices.

What to Expect From Our Wireless Penetration Testing Service

A wireless penetration test by Artifice Security will identify and exploit weaknesses in the security controls employed by various wireless technologies and standards, including weak security protocols and misconfigured access points.

Techniques used include gathering and cracking Pre-Shared Keys (PSKs), exploiting vulnerable technologies like WEP and WPA/WPA2, and building rogue access points to attack misconfigured WPA2-Enterprise settings. Artifice Security engineers will also map out your wireless network and notify you of any existing rogue access points.

Additionally, Artifice Security will test your guest wireless network for proper segmentation and guest isolation.


Wireless Penetration Test Methodology

After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report is verified, with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:


Define the Scope

Before starting the wireless penetration test, Artifice Security will communicate with your team to determine the exact scope of your wireless network, including its size, the number of SSIDs, and the time needed to complete the penetration test.
  • Determine the location(s) for wireless testing
  • Determine which SSIDs are in scope for testing
  • Outline which systems, if any, are excluded from testing
  • Determine testing dates and times for the penetration test
  • Exchange key personnel and emergency contact information for any critical findings

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:

  • Gather any potentially sensitive information about your organization
  • Search for publicly exposed documents such as PDF, DOCX, XLSX, and PowerPoint files that may contain sensitive or customer data without your knowledge
  • Search the Internet and dark web for leaked credentials within password breach databases
  • Check for domain names similar to yours to determine your risk of phishing (risk of domain spoofing)

Enumeration and Vulnerability Scanning Phase

Artifice Security will use active information-gathering tools and techniques to determine all possible attack vectors during the enumeration phase. We will assemble data gathered from this phase and the information gathering phase as the foundation for our attack and exploitation phase.
  • Scan wireless access points to determine which encryption type is in use
  • Determine each access point location and range for providing wireless connectivity
  • Enumerate systems on the guest wireless network and check for proper segmentation from the internal production network
  • Correlate public and proprietary vulnerabilities against systems on your network

Attack and Exploitation Phase

During the attack and exploitation phase, Artifice Security will use manual penetration testing techniques to exploit vulnerabilities found in your wireless network. We perform this exploitation using professional tools and techniques while being cautious about protecting your data and not interrupting normal business functions. At this phase, we will perform the following tasks against your wireless network:
  • Use breached credentials gathered in the information gathering phase or use brute force techniques to access sensitive data
  • Combine attack vectors to gain access to wireless access points and internal systems connected to them
  • Move laterally on the network
  • Escalate privileges and access sensitive data
  • Show proofs-of-concept for exfiltrating data (if approved by your organization)

Reporting Phase

During the reporting phase, Artifice Security will put together all the information about your organization and the vulnerabilities discovered in your wireless network. Because we use manual penetration testing, we guarantee that each vulnerability in the report is present, with no false positives.

Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your wireless network and organization. In addition to a summary of results, we also provide a list of positive findings from testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.

  • Executive Summary that easily conveys risk
  • Vulnerabilities rated by criticality
  • Detailed walkthrough showing how we chain together attacks
  • Detailed repeatable proofs-of-concept for each vulnerability
  • Best practice remediation steps that are customized and realistic based on your current environment

Remediation Testing

As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your wireless network after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your wireless network.


Frequently Asked Questions

What are the most common vulnerabilities found in a wireless network?

One of the most common vulnerabilities in wireless networks is a misconfigured or incomplete configuration. Examples include weak WPA2 passphrases, default SSID setups, and WPA2-Enterprise setups that allow evil twin attacks, in which legitimate users connect to a malicious access point using the same SSID name.

Another common issue we find is access point (AP) signals extending beyond the organization’s boundaries. This excessive signal range allows a malicious actor close to the organization (e.g., parking lot) to perform attacks without being inside it.

Artifice Security also regularly finds organizations that lack controls to discover rogue access points. These can be personal access points that employees brought in and connected to the production network, printers with unsecured wireless setups, or a malicious access point that mimics the SSID of real access points. Without tools to detect these rogue access points, an organization leaves itself open to attack with no alert that an attack is occurring.

Lastly, we commonly find guest networks that are misconfigured. These guest networks are usually configured to be segmented from the production network. However, we typically find guest networks that still allow full or partial access to the production network.

Additionally, we find guest networks that do not have guest isolation turned on. Guest isolation (a.k.a. Wireless Client Isolation) is a security feature that stops wireless clients from connecting with other wireless clients. This feature adds a layer of protection to guest networks, limiting attacks and risks between devices connected to the wireless network.
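
As an added illustration (not Artifice Security's tooling), the sketch below shows the kind of rogue access point control the answer above says organizations often lack: it compares a wireless survey against an inventory of managed access points. The inventory, survey rows, finding names, and the `audit` function are all constructed for this example.

```python
from typing import NamedTuple

# Constructed inventory of managed access points: SSID -> expected settings.
INVENTORY = {
    "CorpNet":   {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                  "encryption": "WPA2-Enterprise"},
    "CorpGuest": {"bssids": {"aa:bb:cc:00:00:10"}, "encryption": "WPA2-PSK"},
}


class Seen(NamedTuple):
    ssid: str
    bssid: str
    encryption: str


# Constructed survey rows, as a scanner or wireless controller might export.
SURVEY = [
    Seen("CorpNet", "aa:bb:cc:00:00:01", "WPA2-Enterprise"),  # as expected
    Seen("CorpNet", "de:ad:be:ef:00:99", "WPA2-PSK"),         # our SSID, unknown radio
    Seen("CorpGuest", "AA:BB:CC:00:00:10", "OPEN"),           # managed AP, wrong settings
    Seen("linksys", "aa:bb:cc:00:00:02", "OPEN"),             # managed AP on a default SSID
    Seen("HP-Print-4F", "11:22:33:44:55:66", "OPEN"),         # e.g. a printer's own AP
]


def audit(survey, inventory=INVENTORY):
    """Return sorted (bssid, finding) pairs for one wireless survey."""
    managed = {b for entry in inventory.values() for b in entry["bssids"]}
    findings = set()
    for ap in survey:
        bssid = ap.bssid.lower()          # BSSIDs are reported in mixed case
        entry = inventory.get(ap.ssid)
        if entry and bssid not in entry["bssids"]:
            # Our SSID from hardware we do not manage: the evil twin case.
            findings.add((bssid, "ssid-impersonation"))
        elif entry and ap.encryption != entry["encryption"]:
            # Managed BSSID with the wrong settings: a misconfiguration, or a
            # spoofed BSSID (a BSSID match alone does not prove authenticity).
            findings.add((bssid, "encryption-mismatch"))
        elif not entry and bssid in managed:
            # Managed hardware broadcasting an SSID that is not in the inventory.
            findings.add((bssid, "unexpected-ssid"))
        elif not entry:
            # Unknown radio and SSID: may be a neighbor, so queue for review.
            findings.add((bssid, "unmanaged-ap-review"))
    return sorted(findings)
```

A survey alone cannot show whether an unmanaged access point is wired into the production network, so the review finding still needs a check on the wired side.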

Do you provide a heat map of our wireless network?

We provide heat maps for all wireless penetration tests. The heat map visualizes the wireless signal coverage and strength with information about each access point’s range, interference, dead zones, and channels, and maps possible rogue access points in the area.

Can you perform wireless penetration testing remotely?

It is possible to perform a remote wireless penetration test, but we prefer to do it onsite. The reason is that sometimes the wireless adapter used for testing needs to be reset, and having an employee perform this would cause interruptions. Additionally, we require our consultant to conduct a wireless heat map onsite as it is not possible to complete it remotely.

Do you test wireless guest networks?

We always test wireless guest networks to determine if they are genuinely segmented from the rest of the network and to ensure that a malicious actor could not attack other devices on the guest network because of a lack of guest isolation controls.
