Wireless Penetration Testing

There’s been a shift from wired to wireless infrastructures.

Attackers have increasing interest in compromising corporate networks to gain footholds within internal environments. NuHarbor’s engineers will find the holes in your network before someone else does.

Information Gathering Tests

Engineers find and map wireless networks with 802.11 sniffing techniques. We attempt to identify SSIDs (including cloaked ones), encryption protocols, and authentication methods.

Wireless Testing

NuHarbor evaluates the security of your access point deployment. Our engineers check configurations, credentials, and encryption settings. We verify AP isolation and investigate the remote management of the devices. Additionally, our testing engineers validate the configurations of your captive portals, VLANs, and hardware. We attempt to discover the following backdoors:

Wireless Testing Checklist


Specific Wireless IPS Tests
Evaluate the detection and response capabilities of the Wireless IDS/IPS.



Captive Portal Testing
Bypass the Captive Portal’s authentication for the guest wireless network.



VLAN Isolation Verification
Connect or reach the Internal Corporate Network via guest wireless network.



Signal Radiation Testing
Analyze the wireless solution’s signal coverage using built-in laptop and directional antennas.



Evaluation of AP deployment
Evaluate the configuration of access points (and other wireless networking devices) for vulnerabilities such as weak passwords in remote management of the device.



Specific Vulnerabilities of Wireless Devices
Exploit known vulnerabilities in the wireless network’s equipment.



Verify correct protocol deployment. This protocol is immune to both cracking and brute force attacks due to Public Key Certificates at the Access Point sides, but only if deployed properly.



AP Isolation
Verify if AP isolation (or client isolation) is enabled on the access points.

Offensive Testing

Emulating real-world attacks, we attempt to evaluate your organization’s detection and response capabilities against commonly exploited attack vectors. Our engineers configure fake and rogue access points to trick users into passing traffic through a malicious network. We also leverage man-in-the-middle attacks by creating an evil twin network, spoofing, and deauthenticating authorized clients.

Offensive Testing Checklist


Accidental Association
Determine if the WIPS sensor reports and/or terminates an authorized client that connects to a non-company network.



Spoofing (Client Impersonation)
Spoof an authorized client’s MAC address to verify if the IDS/IPS sensor detects the masquerading attempt.



Evil Twin / Man-in-the-Middle
Deploy an AP to mimic the real access point and verify if clients connect and if the IDS/IPS sensors detect it. This test depends, from both a feasibility and a time perspective, on the availability of authorized clients connecting to the wireless infrastructure.



Open AP / Hotspots
Deploy an open AP (an AP implementing no security features) within the reach of the IDS/IPS sensors to evaluate whether it is found.



Fake / Rogue AP
Deploy a rogue AP within the reach of the IDS/IPS sensors to evaluate whether it is found and reported.
