Wi-Fi Penetration Testing


Wi-Fi is a preferred way for attackers to infiltrate an organization’s internal network and gain control of your most valuable assets. Penetration testing can help identify weaknesses in the wireless infrastructure.

Our penetration tests specific to Wi-Fi networks identify the components of the wireless infrastructure, whether they are hidden or not, as well as the security mechanisms that are applied and all the vulnerabilities and misconfigurations.
Our approach is to perform an analysis of the radio spectrum allocated to Wi-Fi networks, using special, high-gain equipment to locate access points. Following this analysis, we identify all the active wireless networks along with their configuration particularities, hunting especially for the vulnerabilities and insecure configurations that can allow attackers to obtain remote access.
The next step is to exploit the identified vulnerabilities and probe their real impact on the organization’s assets.

Wireless penetration testing generally includes:

  • Identifying Wi-Fi networks, including wireless fingerprinting and signal coverage
  • Identifying configuration weaknesses, such as encryption misconfiguration, weak passwords, traffic sniffing
  • Determining how effectively Wi-Fi networks are isolated from the internal business network
  • Executing specific attacks, like deploying fake access points (evil-twin) and stealing credentials from unsuspecting legitimate users

 

Is a wireless network penetration test right for you?

If you are the owner of a Wi-Fi network, you should ask yourself:

  • Have you identified all the access points within your perimeter? How about rogue access points or Wi-Fi routers brought in by users?
  • Do you know how far from your premises your Wi-Fi network could be transmitting?
  • Is it possible that your IT department could misconfigure one or more of the access points?
  • If a hacker manages to connect to your Wi-Fi network, do you know how far they will be able to go inside your internal network?
  • Is the security configuration of your Access Points correctly enabled?
  • Are there any security controls that you could add to your Wi-Fi network to make it more secure?

 

The wireless infrastructure testing will be done in several phases:

Pre-engagement – we will work with the client to establish the rules of engagement as well as the scope and exchange contact information for both parties.

Information Gathering – Our approach first maps the accessible networks by finding responsive (live) access points using directional antennas. Once this list has been determined and approved by the client, targets (APs) are selected for attack. Clear-text transmissions can be sniffed and reassembled to discover useful information.

Attack Execution – During this process, we will execute several attacks, either bypassing or cracking security mechanisms in order to gain full access to the wireless access point. Some of these attacks can include:

  • Man in the Middle – Perform an attack that routes all communications through our machine and then to the access point without user knowledge.
  • Brute Force – Attack passwords utilizing a rainbow table database.
  • Session Hijacking – Performing a Denial of Service attack on a client and stealing its session allows access to the network and bypasses encryption standards.
  • Mass De-Authentication – Performing a mass de-authentication of all associated clients forces re-association and transmission of usernames and passwords.

As wireless infrastructures become more secure, attackers are now focusing their attention on wireless clients. To test if these attacks will be successful against your organization, SafeByte attempts a number of client-side attacks against the wireless configuration service used by your organization. If your network is using WPA or WPA2 Enterprise authentication, we will perform tests against the 802.1X supplicant. These tests will determine if the supplicant is properly configured. During the supplicant attacks, our team members will attempt to capture and crack the credentials used to access networks using Enterprise Authentication. Once unrestricted access has been gained, we assess which networks the access point is connected to and explore the exploitation opportunities available to a hacker.
Another aspect in securing wireless networks is related to separating the traffic allowed through these networks from the rest of the network traffic inside the company and limiting access to most internal IT resources.
Depending on the purpose of the penetration test and the specifics of the beneficiary’s infrastructure, our experts can test how your Wi-Fi network is separated from the business IT network, in accordance with the internal security policy.

Reporting – As part of the deliverable, we provide a report which contains a short, graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed at technical staff. Additionally, SafeByte will provide a report presentation call and a high-level executive presentation to summarize the penetration test, as well as an opportunity to ask questions about the engagement.

 

Wi-Fi penetration testing – the benefits

  • Have a thorough understanding of the real risks your Wi-Fi networks bring to your organization
  • Detect default Wi-Fi routers
  • Identify rogue or open access points
  • Identify Wi-Fi misconfigurations
  • Strengthen your Wi-Fi security by having a prioritized list of risk mitigations

 
