WiFi Penetration Testing

Many organizations provide an unencrypted “guest” WiFi network for BYOD (Bring Your Own Device) and corporate guest Internet access. While the majority of these networks are considered low risk by their very nature, they can introduce a number of potential attack vectors.

While flaws in older encryption technologies such as WEP (Wired Equivalent Privacy) are well understood, some legacy hardware devices such as barcode scanners do not support newer, more secure alternatives. This can necessitate the use of legacy encryption protocols, sometimes with additional compensatory controls masking the issue. These compensatory controls, such as MAC address filtering, can often be trivially bypassed by changing the attacker’s device to match the MAC address of an authorised device.

Encryption is only as effective as the encryption key used. It is often assumed that newer WPA/WPA2 networks protected by a PSK (Pre-Shared Key) are immune from attack. This is simply not the case. Without any knowledge of the encryption key, tools such as aircrack-ng can force legitimate WiFi clients to deauthenticate and reconnect to the network. By capturing the four-way handshake performed on reconnection, a dictionary attack can be attempted, rendering weak and predictable encryption keys retrievable.
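From the defender's side, the forced deauthentication described above is noisy: a burst of deauthentication frames carrying the access point's address is visible to any monitoring sensor. The following detector is an added example, not code from the original page, and assumes raw 802.11 frames without a radiotap header; the capture it runs over is constructed inline.

```python
import struct
from collections import defaultdict

MGMT, DEAUTH = 0, 12          # 802.11 frame type / subtype for deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def mac_bytes(m: str) -> bytes:
    return bytes(int(x, 16) for x in m.split(":"))

def parse_80211_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 MAC header, or None."""
    if len(frame) < 24:
        return None
    fc = frame[0]                                   # first frame-control byte
    return ((fc >> 2) & 0x3, (fc >> 4) & 0xF,
            mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))

def detect_deauth_floods(capture, window_s=10.0, threshold=20):
    """capture: iterable of (timestamp, frame_bytes). Returns {transmitter: peak} for every
    transmitter sending more than `threshold` deauths in any `window_s`-second window.
    A spoofing attacker copies the AP's address into addr2, so the alert names the impersonated BSSID."""
    stamps = defaultdict(list)
    for ts, frame in capture:
        hdr = parse_80211_header(frame)
        if hdr and hdr[0] == MGMT and hdr[1] == DEAUTH:
            stamps[hdr[3]].append(ts)               # addr2 = transmitter address
    alerts = {}
    for sender, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts[sender] = max(alerts.get(sender, 0), end - start + 1)
    return alerts

def sample_deauth_frame(src: str, dst: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed test frame: FC 0xC0 (mgmt/deauth), duration, DA, SA, BSSID, seq, reason code."""
    return (bytes([0xC0, 0x00, 0x00, 0x00]) + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason))

# Constructed capture: 30 spoofed broadcast deauths in 3 s, then a few routine ones from the AP
AP = "00:11:22:33:44:55"        # hypothetical access point address
CLIENT = "aa:bb:cc:dd:ee:01"    # hypothetical client address
SAMPLE_CAPTURE = ([(1000.0 + i * 0.1, sample_deauth_frame(AP, BROADCAST, AP)) for i in range(30)]
                  + [(1100.0 + i * 60.0, sample_deauth_frame(AP, CLIENT, AP, reason=3)) for i in range(3)])
```

`detect_deauth_floods(SAMPLE_CAPTURE)` reports the burst against the AP's BSSID while the three routine deauths spread over minutes stay below the threshold.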

Evil twin attacks involve introducing a malicious access point advertising a legitimate network name in order to fool devices into connecting to it. Once connected, a number of potential attacks can be attempted, for example:

- Users can be presented with a fake web portal in an attempt to obtain their domain credentials or other authentication tokens. Fake SharePoint or OWA login pages are particularly effective in this type of attack.

WiFi Protected Setup (WPS) is a mechanism to simplify adding new devices to an existing WiFi network. Several modes of WPS exist: some involve pressing a button on the WiFi access point, others require the entry of a PIN. WPS implementations that require a PIN are often vulnerable to a trivial brute-force attack, which can allow anyone to recover the WPA PSK within a timeframe of approximately 24 hours.