Wireless Penetration Test

The objective of the Wireless Penetration Test is to attempt to gain access to the organization’s corporate network by abusing wireless networks hosted by the organization. Reconnaissance is performed on the organization with the goal of identifying the organization’s facilities and any attributable wireless networks prior to arrival onsite. If wireless networks can be identified and any of those networks employs Pre-Shared Key authentication, password cracking dictionaries are pre-computed for those networks in preparation for attack. Upon arrival onsite, the tester surveys the organization’s wireless networks and confirms the in-scope SSIDs with the customer.

Once the scope of the engagement is confirmed, the tester assesses the networks for susceptibility to a number of different wireless attacks including, but not limited to:

Reconnaissance

In the context of a wireless penetration test, reconnaissance includes some additional elements. Since the test will occur at an organization’s physical facility, visual knowledge of the facility can be useful in pre-engagement planning. Images of the facility can aid in identifying areas where out-of-band credential capture may be possible. In addition, identification of potentially valid SSIDs can be useful in pre-computing dictionaries where pre-shared key authentication is suspected or known to be employed.

Wireless Access Point Impersonation Attacks

An evil twin wireless access point can be used to capture credentials from an organization’s employees. Evil twin wireless access points should be used to impersonate any applicable in-scope wireless network. Credential capture may result in disclosure of a user’s clear text password or their password hash. After a successful capture and/or crack, the tester should evaluate whether the credentials can be used to connect to the protected wireless network. Credential capture can typically occur in the following scenarios:
+ In-Range (Test Wireless IPS Features, If Present) – The evil twin wireless access point is in-range of the legitimate network. This is advantageous because the access point is deployed among the users of the wireless network. As a result, there are more targets for capture. However, protections like wireless intrusion prevention may prevent the rogue access point from being effective. Wireless IPS features should be tested for every in-scope SSID. Some SSIDs may be unprotected despite being hosted on the same hardware.
+ Out-of-Band (Test Client Protections and BYOD Device Policy) – The evil twin wireless access point is deployed out of range of the legitimate network in this scenario. Deployment in a parking structure or in close proximity to the organization’s facility will test the wireless client configuration in the absence of protections afforded by the infrastructure. If the client is not configured to validate the certificate of the access point or is not doing mutual certificate-based authentication, then credential capture may be possible.

Client and Infrastructure Handshake Capture

In networks that utilize a Pre-Shared Key (PSK) or passphrase for authentication, the wireless handshake or Pairwise Master Key Identifier (PMKID) can be captured, and cracking can be attempted to reveal the clear text key used for authentication.

Pre-Shared Key (PSK) or Passphrase Cracking

Password cracking can be employed to attempt recovery of a captured PSK or passphrase. If the target SSID is known in advance, dictionaries can be pre-computed for faster recovery.

Client-Side PSK or Passphrase Disclosure

Where a PSK or passphrase is used for authentication to the wireless network, the clear text value can typically be obtained from the client by inspecting its configuration. An attacker with access to an unlocked computer is likely to investigate the system configuration in this manner. Loss of a PSK or passphrase typically requires the organization to change the value and re-distribute it to all wireless users, which can be cumbersome.

PSK or Passphrase Observation

Wireless penetration tests typically take place in close proximity to or within the facility where the wireless network is deployed. As a result, the tester should check for clear text network keys posted in easily observed areas. Loss of a PSK or passphrase typically requires the organization to change the value and re-distribute it to all wireless users, which can be cumbersome.

Wireless PIN Attacks

Wireless access points that support WiFi Protected Setup (WPS) may be susceptible to brute force of the registrar PIN to recover the wireless PSK or passphrase.

Pre-Authentication Access Attacks

Where a captive portal is used, the wireless client is typically able to connect to the network prior to authentication. Access in this manner should be isolated from any network services until authentication is completed. Pre-authentication access attacks validate that this is the case.

Captive Portal Bypass Attacks

On networks where they are present, the captive portal serves as the gatekeeper to network resources. Captive portal bypass may be possible through network analysis and cloning of device characteristics or more advanced techniques.

Guest Network Client Isolation Checks

Clients on guest network segments should not be allowed to communicate with one another for privacy and security purposes. Since guest systems are not owned and operated by the organization running the wireless network, their security posture is unknown.

Segmentation Checks (Guest to Corporate/BYOD, BYOD to Corporate, etc.)

Organizations may deploy guest and BYOD segments on their own network infrastructure without considering the need to isolate these clients from the corporate network. In this scenario, the tester typically scans the internal network segment from the wireless network being tested and checks whether DNS can be used to enumerate internal hostnames and IP addresses.

Wireless Network Protocol Analysis/Abuse

After connecting to a wireless network (pre or post authentication), a packet capture should be recorded and analyzed. Network protocols present on the network may provide an opportunity for abuse (corporate only) or disclose information that might aid in vulnerability discovery (CDP and LLDP packets typically include infrastructure device names, firmware version, and other useful details).
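
As an added illustration (not code from the original page) of what the LLDP frames mentioned above disclose, this Python snippet decodes a constructed LLDP frame into its TLVs and lists the infrastructure-identifying fields that any client on the segment would learn; the switch MAC, hostname, firmware string and management address are invented.

```python
import struct
LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description", 8: "management_address"}
# TLVs that hand a wireless client infrastructure identity it has no need for
SENSITIVE_TLVS = {"system_name", "system_description", "management_address"}
def tlv(tlv_type, value):
    # LLDP TLV header: 7-bit type, 9-bit length, then the value bytes
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def decode_value(tlv_type, value):
    if tlv_type in (1, 2):  # subtype byte, then identifier; chassis subtype 4 is a MAC
        ident = value[1:]
        return ident.hex(":") if (tlv_type, value[0]) == (1, 4) else ident.decode(errors="replace")
    if tlv_type == 3:  # TTL, seconds
        return struct.unpack("!H", value)[0]
    if tlv_type == 8:  # address string length, address subtype (1 = IPv4), address bytes
        addr_len, subtype = value[0], value[1]
        addr = value[2:1 + addr_len]
        return ".".join(str(b) for b in addr) if subtype == 1 else addr.hex()
    return value.decode(errors="replace")

def parse_lldp(frame):
    # Walk the TLV list of an Ethernet-encapsulated LLDP frame into a dict
    if struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    fields, offset = {}, 14
    while offset + 2 <= len(frame):
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        offset += 2 + length
        if tlv_type == 0:  # End of LLDPDU
            break
        if tlv_type in TLV_NAMES:
            fields[TLV_NAMES[tlv_type]] = decode_value(tlv_type, value)
    return fields

def disclosed_fields(fields):
    # Infrastructure-identifying TLVs the frame gave away, sorted for the report
    return sorted(SENSITIVE_TLVS & set(fields))

# Constructed sample frame; the switch MAC, hostname, version string and address are invented
SWITCH_MAC = bytes.fromhex("00112233aabb")
SAMPLE_FRAME = (bytes.fromhex("0180c200000e") + SWITCH_MAC + struct.pack("!H", LLDP_ETHERTYPE)
                + tlv(1, b"\x04" + SWITCH_MAC) + tlv(2, b"\x05GigabitEthernet1/0/24")
                + tlv(3, struct.pack("!H", 120)) + tlv(5, b"core-sw-01")
                + tlv(6, b"ExampleCorp Switch, Firmware 1.2.3")
                + tlv(8, b"\x05\x01" + bytes([10, 0, 0, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00")
                + tlv(0, b""))
```

Run over a real capture, the same walk applies to every frame with EtherType 0x88cc; CDP is a separate SNAP-encapsulated format and is not decoded here.
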

Wireless Infrastructure Scanning

After connecting to a wireless network (pre or post authentication), scans of the wireless infrastructure may reveal missing patches, exploitation opportunities, or other conditions that the organization should address.

Wireless Client Scanning (Corporate Only)

Where access to the corporate wireless network is successfully obtained, scanning and post-compromise enumeration can help demonstrate impact. If an attacker can reach areas of the network not normally accessible from the workstation segment (data center components, domain controllers, etc.), this may represent elevated risk to the organization.

During testing, the authentication mechanisms used by each network and the relationships between those networks should be considered. For instance, in many organizations the corporate wireless network is well protected, employing strong authentication, proper certificate validation, and certificate-based authentication in addition to Active Directory credentials. However, those same organizations might deploy a BYOD segment that also uses Active Directory credentials but lacks the strong protection features of the corporate network because the organization does not own the BYOD devices. As a result, Active Directory credential capture might be more easily attained against the BYOD network.

Demonstration of other non-802.11 techniques may be possible depending on observations of the tester. Examples include insecure RFID badging technologies, insecure wireless keyboard and mouse combinations, insecure automation platforms, etc. These can be tested with permission, proper targeting, and based on the time remaining in the engagement.

Optionally, the customer may request that BHIS perform wireless heatmapping of the facility and detection of rogue wireless access points.