Five Steps to Pentesting Wireless

Wireless access points can be easy targets for a cybercriminal to breach your system. Whether installed by stealth or just innocently by shadow IT, rogue access points are a significant security threat to the entire network. Legitimate access points are often misconfigured or contain vulnerabilities. Vulnerable wireless access points can give criminals a backdoor into the LAN to install malware, steal money and data, or alter systems on your network. 

PCI DSS on Wireless  

Wireless threats are so significant that the new PCI DSS 4.0 requires rogue wireless detection even if wireless is not used in the cardholder data environment and even if the entity has a policy that prohibits its use. This is because of the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk of unauthorized wireless devices.

Rogue Access Points 

A rogue access point is an access point that has either been installed on a secure company network without explicit planning, permission or authorization from a network administrator, or has been installed by an attacker to conduct a man-in-the-middle attack.

Rogue access points are typically installed by employees who want more freedom to move about at work. These access points can be very dangerous, since most users are unaware of the security issues associated with wireless devices.

Too often, we find the security team does not have an effective method of dynamically detecting rogue devices on its network. Enabling real-time rogue device detection and isolation techniques can significantly improve network security. 

Securing Enterprise Wi-Fi Networks – Best Practices 

According to the Cybersecurity & Infrastructure Security Agency (CISA), wireless networks (also called Wi-Fi) lack the robust security tools that are common on wired networks, such as firewalls, intrusion prevention systems, content filters, antivirus, and anti-malware detection programs. Wi-Fi networks also rely on wireless access points, which can be susceptible to infiltration. CISA published a list of best practices for hardening enterprise wireless networks, including:

  • Use multi-factor authentication for access to the network 
  • Use TLS to secure authentication and data transmission 
  • Implement a guest Wi-Fi network separate from the main network 
  • Keep equipment configuration and security patches up to date 
  • Enforce a "no Wi-Fi" policy per subnet and across multiple subnets 
  • Deploy a wireless intrusion detection and wireless intrusion prevention systems (WIDS/WIPS) 

Source: Securing Enterprise Wireless Networks

Wireless Intrusion Detection System (WIDS) & Wireless Intrusion Prevention Systems (WIPS) 

Active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified threats. Some common threats mitigated by WIPS are rogue access points, misconfigured access points, client mis-association, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks. 
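The core of the WIDS detection step described above is comparing every access point heard on the air against an authorized inventory. The following is an added example (not code from the Truvantis page or from any WIDS product); the inventory, BSSIDs, SSIDs and the comma-separated scan format are all constructed, and the labels illustrate three of the threat classes listed above: rogue AP, misconfigured AP and evil twin.

```python
from dataclasses import dataclass

# Authorized inventory (constructed sample): BSSID -> (SSID, expected security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2-PSK"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    security: str

def parse_scan(text: str) -> list:
    """Parse constructed 'bssid,ssid,security' lines, one per beacon heard."""
    out = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        bssid, ssid, sec = [f.strip() for f in line.split(",")]
        out.append(Observation(bssid.lower(), ssid, sec))  # normalize MAC case
    return out

def classify(obs: Observation) -> str:
    """Label one observed access point the way a WIDS sensor would."""
    known = AUTHORIZED.get(obs.bssid)
    if known is None:
        # Unknown radio advertising a corporate SSID: honeypot / evil-twin candidate
        if obs.ssid in CORP_SSIDS:
            return "evil-twin"
        # Unknown radio with a foreign SSID heard on site: possible rogue AP
        # (a production WIDS would also check whether it is wired into the LAN)
        return "rogue"
    ssid, sec = known
    if obs.ssid != ssid or obs.security != sec:
        return "misconfigured"  # e.g. authorized AP downgraded to OPEN or WEP
    return "authorized"

def find_rogues(text: str) -> dict:
    """Map every BSSID in a scan to its finding label."""
    return {o.bssid: classify(o) for o in parse_scan(text)}

SCAN = """
# bssid,ssid,security   (constructed sample scan)
00:11:22:33:44:01,CorpNet,WPA2-Enterprise
00:11:22:33:44:03,CorpGuest,OPEN
DE:AD:BE:EF:00:01,CorpNet,WPA2-PSK
aa:bb:cc:dd:ee:ff,Linksys,OPEN
"""
if __name__ == "__main__":
    for bssid, label in find_rogues(SCAN).items():
        print(bssid, label)
```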

Wireless Penetration Testing Highlights: 

  • Data collection and analysis 
  • Deploy Wi-Fi Testing Tools  
  • Man-in-the-middle Attacks 
  • Exploit Wireless IEEE 802.11 and MAC layer information 

Five-step Wireless Penetration Testing Process 

A wireless pen test will examine your network using a methodology that focuses on wireless as the gateway to exploiting your vulnerabilities. The Truvantis approach may vary based on the size and complexity of the system, but the simplified steps of a wireless penetration test typically include: 

  1. Gather wireless security information, including an attack surface analysis 
  2. Collect data on the wireless network 
  3. Analyze internal wireless security procedures 
  4. Install rogue wireless devices on the network  
  5. Attempt to break wireless passwords, elevate unauthorized access, elevate permissions, and capture sensitive data 

Call to Action 

Our accredited penetration testers are highly skilled specialists who have mastered the same skills used by cybercriminals. The Truvantis team of senior-level security engineers uses wireless penetration testing to help your company achieve compliance, understand the real threats to your system, and create a realistic, actionable plan to mitigate risk. Whether wireless penetration testing is all you need or just a small piece of the puzzle, we'll help you shape the solutions that fit your business, budget, and goals.

Truvantis® is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our customers improve their cybersecurity posture by implementing testing, auditing and operating information security programs. 
