Wi-Fi Penetration Test
Do you use WPA Enterprise with client certificates? If you need to rely on a shared password, do you require WPA3 Personal and change the password regularly? Do you use network equipment from reputable vendors and keep the firmware updated? Do you have documented and correctly configured network segmentation rules for each Wi-Fi network? If you answered yes to all these questions, your wireless network is likely well secured.
However, in real environments it is often necessary to relax some requirements. You may need to allow login with a username and password. You may also need to support older devices, which often requires enabling WPA2, for example in a WPA2/WPA3 mixed mode. This leads to many configuration options. Some of them are insecure, while others are too strict and may prevent legitimate users from connecting.
Benefits
A Wi-Fi test helps you understand the configuration of your wireless networks and adjust it to achieve the highest possible security within your operational limits.
We will describe the configuration of your Wi-Fi networks in detail and suggest improvements. We will also outline possible attack methods and, if you request it, demonstrate them in practice.
Testing Process
The testing itself can usually be completed in one day. If there are many networks or physical sites, it may take longer.
The process can be adapted to your needs. It always includes an analysis of the broadcast Wi-Fi configuration focusing on:
- Authentication methods: Open/OWE/WEP/WPA/WPA2/WPA3, Personal and Enterprise (IEEE 802.1X) authentication, EAP variants used in WPA Enterprise (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-GTC, etc.) including phase-2 methods (MSCHAPv2, PAP, etc.), captive portal security,
- Management frame settings (SSID visibility, PMF),
- Vulnerabilities caused by incorrect access point configuration (PMKID, WPS, etc.).
If you provide a typical client workstation that connects to the Wi-Fi (for example a domain-joined laptop), we can analyse the connection configuration on the client side as well.
We can also test attacks against clients using our rogue access point (fake AP, evil twin), which is configured to closely imitate your real access points.
If we are allowed to connect to your Wi-Fi network, we can examine network visibility, including:
- communication between clients,
- access to selected internal systems,
- access to external internet services (including proxy enforcement).
We can also prepare a survey of all nearby Wi-Fi networks or perform signal-strength measurements both inside and outside the building (wardriving).
Other Types of Tests
This test can be effectively combined with an Insider Threat Penetration Test. It can also be extended to include a test of wired network security.
In addition to the tests described above, we also provide our clients with many other types of penetration tests. For a full list, see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.
Sample report
Example output showcasing the quality of our work.
Any questions?
If you are interested in more details, please contact us.