Wireless Penetration Testing
There’s been a shift from wired to wireless infrastructures.
Attackers have increasing interest in compromising corporate networks and gaining footholds within internal environments. NuHarbor’s wireless network penetration testing engineers find the holes in your network before someone else does.
Information Gathering Tests
Engineers find and map wireless networks with 802.11 sniffing techniques. We attempt to identify SSIDs (including cloaked), encryption protocols, and authentication methods.
NuHarbor evaluates the security of your access point deployment. Our engineers check configurations, credentials, and encryptions. We verify AP isolation and investigate the remote management of the devices. Additionally, our testing engineers validate the configurations of your captive portals, VLAN, and hardware. We attempt to discover the following “backdoors”
Wireless Testing Checklist
Specific Wireless IPS Tests
Evaluate the detection and response capabilities of the Wireless IDS/IPS.
Captive Portal Testing
Bypass the Captive Portal’s authentication for the guest wireless network
VLAN Isolation Verification
Connect or reach the Internal Corporate Network via guest wireless network
Signal Radiation Testing
Analyze the wireless solution’s signal coverage using built-in laptop and directional antennas
Evaluation of AP deployment
Evaluate access point configuration (and other wireless networking devices) against vulnerabilities such as weak passwords in remote management of the device
Specific Vulnerabilities of Wireless Devices
Exploit known vulnerabilities in the wireless network’s equipment
PEAP/EAP-MS CHAP Testing
Verify correct protocol deployment. This protocol is immune to both cracking and brute force attacks due to Public Key Certificates at the Access Point sides, but only if deployed properly.
Verify if AP isolation (or client isolation, as it is also referred to) is enabled on the access points
Emulating real-world attacks, we attempt to evaluate your organization’s detection and response capabilities with common exploited attack vectors. Our engineers configure fake and rouge access points to trick users into passing traffic through a malicious network. We also leverage man-in-the-middle attacks by creating an evil twin network, spoofing, and deauthorizing of authorized clients.
Offensive Testing Checklist
Determine if the WIPS sensor reports and/or terminates an authorized client which connects to a non-company network
Spoofing (Client Impersonation)
Spoof an authorized client’s MAC address to verify if the IDS/IPS sensor detects the masquerading attempt
Evil Twin / Man-in-the-Middle
Deploy an AP to mimic the real access point and verify if clients connect and if the IDS/IPS sensors detects it. This test depends, both from a feasibility and time perspective, on the availability of authorized clients connecting to the wireless infrastructure
Open AP / Hotspots
Deploy an open AP (AP implementing no security features) within the reach of the IDS/IPS sensors to evaluate if they are found
Fake / Rogue AP
Deploy a rogue AP within the reach of the IDS/IPS sensors to evaluate if they are found and reported
Recent Blog Posts
By: Justin Fimlaid What is an Exim server? An Exim server is a mail transfer agent used on Linux like operating systems. Exim is a free software and used by as much as 57% of the Internet email servers. Over the past couple weeks it has been noted that a heavy amount...
By: Justin Fimlaid What is SHA-1 and what is the history of SHA-1? Originally SHA-1 was developed as part of a U.S. government capstone project. The first version of SHA was SHA-0 and that was developed in 1993 as the Secure Hash Standard. SHA-0 was originally...
By: Justin Fimlaid If you haven't heard of it there is a new banking directive in the U.K. called the Open Banking Directive. This directive went into effect on January 13, 2018. It's significant for U.S. based banks, because this Directive could apply pressure...
By: Justin Fimlaid Authentication is a critical piece of any application. It’s also always the piece of security architecture that is commonly attacked, so it’s important to get it right. When we talk about authentication it’s the act of establishing that someone or...