Wi-fi penetration tests
Wireless networks provide new attack vectors for a potential attacker to compromise employees or a company's internal network.
Penetration testing will help expose potential weaknesses or configuration flaws in these networks, which can then be remediated as recommended, making it impossible for attackers to exploit these vectors and increasing the security and resilience of the network to a real cyber-attack.
Due to the fact that an attacker does not have to be immediately inside the company building but only within range of the network to access the wireless network, this is a critical part for security. Penetration testing of Wi-Fi technologies simulates an attack to access an organization's internal network through a Wi-Fi wireless signal. Once access is gained, the quality of traffic filtering between the Wi-Fi client network segment and the rest of the internal networks will be examined.
The tests also include an analysis of the client-side wireless network connection configuration. The output of the test will be an overview and mapping of the Wi-Fi networks in operation and a list of security findings with subsequent impact on the organization's internal network.
Due to the fact that an attacker does not have to be immediately inside the company building but only within range of the network to access the wireless network, this is a critical part for security. Penetration testing of Wi-Fi technologies simulates an attack to access an organization's internal network through a Wi-Fi wireless signal. Once access is gained, the quality of traffic filtering between the Wi-Fi client network segment and the rest of the internal networks will be examined.
The tests also include an analysis of the client-side wireless network connection configuration. The output of the test will be an overview and mapping of the Wi-Fi networks in operation and a list of security findings with subsequent impact on the organization's internal network.
Methodology
The implementation of penetration tests mainly includes the following categories:
Mapping and analysis of available Wi-Fi networks in the company premises
The aim is to map and analyse the available Wi-Fi networks within the company premises. The analysis focuses on mapping individual Access Points and the use of technological and cryptographic mechanisms used to secure authentication and transmitted data.
Detection of possible Rogue Access Point (AP)
A Rogue Access Point (AP) is defined as an unauthorized Access Point deployed on the premises and in the immediate vicinity of a company. Rogue APs are most often deployed by an attacker to attack the security of an existing wireless network, in which case the attacker duplicates the target network settings. The other common option is to deploy an open wireless network with the goal of a follow-up attack against connected stations or to eavesdrop on access credentials.
Scanning visitor Wi-Fi networks
This phase aims to analyse the security of visitor Wi-Fi networks. These networks are typically configured with open access and authentication using a captive portal or with Personal type security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
Screening of employee Wi-Fi networks
This phase aims to analyse the security of employee Wi-Fi networks. These networks are usually configured as WPA Enterprise with 802.1X authentication, and rarely with Personal security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
Attempt to gain access
The attack procedure to gain unauthorised access varies according to the network security used. There are various known attacks on WEP, WPA-PSK, WPA2-PSK or WPA-Enterprise security that are tested during this phase. There are many documented attacks for WEP security such as KoreK chop-chop attack, Fragmentation Attack, ARP-request replay attack and others. For WPA2-PSK, it can be for example offline cracking of a shared password or misuse of the enabled WPS authentication method. In the case of WPA-Enterprise using IEEE 802.1X authentication, the network is scanned for weak authentication methods (EAP-MD5, Cisco LEAP). Proper configuration and hardening of the network and client devices are verified. Furthermore, the possibilities of capturing sensitive data such as usernames or passwords are fully investigated.
Analysis of filtering between Wi-Fi and LAN network segments
In this phase, authorized logins to all tested Wi-Fi networks of the company are performed under the provided user accounts. Subsequently, the consistency of the separation of the Wi-Fi client network segment from other sensitive network segments (DMZ, production, ...) is checked. In the presence of different VLANs, the above is also checked.
- Monitoring and analysis of available Wi-Fi networks in the company's premises.
- Detection of possible Rogue APs.
- Screening of employee Wi-Fi networks.
- Attempt to gain access.
- Analysis of filtering between Wi-Fi and LAN network segments.
Mapping and analysis of available Wi-Fi networks in the company premises
The aim is to map and analyse the available Wi-Fi networks within the company premises. The analysis focuses on mapping individual Access Points and the use of technological and cryptographic mechanisms used to secure authentication and transmitted data.
Detection of possible Rogue Access Point (AP)
A Rogue Access Point (AP) is defined as an unauthorized Access Point deployed on the premises and in the immediate vicinity of a company. Rogue APs are most often deployed by an attacker to attack the security of an existing wireless network, in which case the attacker duplicates the target network settings. The other common option is to deploy an open wireless network with the goal of a follow-up attack against connected stations or to eavesdrop on access credentials.
Scanning visitor Wi-Fi networks
This phase aims to analyse the security of visitor Wi-Fi networks. These networks are typically configured with open access and authentication using a captive portal or with Personal type security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
Screening of employee Wi-Fi networks
This phase aims to analyse the security of employee Wi-Fi networks. These networks are usually configured as WPA Enterprise with 802.1X authentication, and rarely with Personal security (WEP, WPA-PSK with TKIP, WPA2-PSK with CCMP).
Attempt to gain access
The attack procedure to gain unauthorised access varies according to the network security used. There are various known attacks on WEP, WPA-PSK, WPA2-PSK or WPA-Enterprise security that are tested during this phase. There are many documented attacks for WEP security such as KoreK chop-chop attack, Fragmentation Attack, ARP-request replay attack and others. For WPA2-PSK, it can be for example offline cracking of a shared password or misuse of the enabled WPS authentication method. In the case of WPA-Enterprise using IEEE 802.1X authentication, the network is scanned for weak authentication methods (EAP-MD5, Cisco LEAP). Proper configuration and hardening of the network and client devices are verified. Furthermore, the possibilities of capturing sensitive data such as usernames or passwords are fully investigated.
Analysis of filtering between Wi-Fi and LAN network segments
In this phase, authorized logins to all tested Wi-Fi networks of the company are performed under the provided user accounts. Subsequently, the consistency of the separation of the Wi-Fi client network segment from other sensitive network segments (DMZ, production, ...) is checked. In the presence of different VLANs, the above is also checked.
References
If you want to see for yourself the quality of the outputs we provide, we can provide a sample audit report for your immediate review.
If you would like to find out more about how we work, please do not hesitate to ask about us at any of the following companies. These are only selected and approved current references.
If you would like to find out more about how we work, please do not hesitate to ask about us at any of the following companies. These are only selected and approved current references.
- Kooperativa pojišťovna, a.s.
- Československá obchodná banka, a.s.
- Česká zbrojovka a.s.
- ING Bank N.V.
- NN Životní pojišťovna N.V.
Print into PDF
-
Our penetration tests identified and remediated vulnerabilities within the company Konica Minolta -
Raising cybersecurity awareness at Broker Consulting -
Security of clients and employees of ČSOB has been improved not only through penetration tests -
Audits and sophisticated penetration tests for vulnerability identification for Škoda Auto -
At T-Mobile, we performed security tests and audits -
At Deutsche Telekom (T-Systems), we cover the areas of cyber security. -
Cyber security training services for dozens of OTE employees -
Implementation of penetration tests to improve the security of ING -
Implementation of security audits and penetration tests for ČEZ -
Increasing cyber security at the Hradec Králové University Hospital
DO NOT HESITATE TO
CONTACT US
Are you interested in more information or an offer for your specific situation?