Penetration testing

When is Wireless Penetration Testing Appropriate?

Graeme Messina
July 31, 2018 by
Graeme Messina

Introduction

Wireless communications are an invisible, ubiquitous service that allows data to flow in and out of businesses and homes via mobile devices and wireless infrastructure. Almost all modern organizations have at least some level of wireless networking (or Wi-Fi) at their disposal, but the proper implementation of such a service doesn’t always get the attention that it deserves. Network segmentation, VLAN routing and SSID controls all need to be clearly defined and set up, allowing for users to connect and use the service easily while keeping would-be intruders and freeloaders off the network.

Regardless of how much or how little consideration has been given to the setup of your wireless network, businesses need to proactively search out any weaknesses in security if they are to avoid unauthorized access to network resources and data leakage.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

What Steps Are Taken During a Wireless Pentest?

This will depend on the standard that is being followed by the person performing the tests, as well as what the methods are that the company has agreed to, as well as the scope and the areas tested. Generally speaking, the pentester will begin with an intelligence- and information-gathering exercise. They will create a heat map of the area that is being tested, which tracks the size and footprint of the wireless signal that is being broadcasted. A great source of pentesting methodologies and standards can be found here.

Other information about the network (such as the hardware installed, the number of SSIDs being broadcast and the network configuration relating to the Wi-Fi equipment) needs to be documented and labelled. Creating a site map is also a good place to start.

The next step is to gauge what kind of threats the company that is being tested could be vulnerable to, based on the hardware installed on site, the distance that the Wi-Fi signal is detectable outside of the business property, and the visibility of networked equipment behind the Wi-Fi infrastructure. Are any workstations, servers or printers detectable? Are any file shares open and accessible over the Wi-Fi? These are basic questions that the pentester should start with, and then work through a set checklist to establish compliance.

These vulnerability analysis tests are performed with specialized tools that the pentester has at his or her disposal, and which will quickly let the tester know which exploits the organization is vulnerable to. If any vulnerabilities are identified, then they must be exploited and used to a point that establishes a breach in security. This way the pentester can show the client the extent of the vulnerabilities, as well as the methods that were used to successfully attack the network.

Once the exploits have been proven to work, the pentester might continue to scan the network and establish how far they can get in via lapses in user permissions and insecure accounts. Once the full extent of the penetration test has been established, a report should be generated and provided to the client. The report must be as detailed as possible and show how each step was successfully carried out. Details about possible fixes should be relayed to the client, who in turn would instruct their IT resources to oversee the vulnerability fixes.

The report should not read like a technical manual from start to finish, as management may not possess the required technical ability to understand all of the findings. Rather, non-technical write-ups should accompany the details of the exercise, so that an overview can be easily read and understood by management.

Once the fixes have been applied as per the remedial action report, the pentester should return to the site and conduct the same tests again, as well as any additional tests that might be successful now that the environment has changed.

What Benefits Can Be Had Through Wireless Pentesting?

For a client, the biggest benefit is the benefit of knowledge. If you are vulnerable through any Wi-Fi security shortcomings, it is better to know about it sooner rather than later. Only once the full extent of a problem has been understood can a viable solution be discussed and implemented.

After a pentest has been performed, it’s much easier for decision-makers to assess the current state of the Wi-Fi environment, and for management to make decisions regarding equipment upgrades and capital expenditure on wireless infrastructure. If the pentest report is thorough and informative, it can help to determine what the wireless strategies of the organization should be going forward.  

For a penetration tester, there are also benefits to performing tests for clients. For starters, testing real-world production networks for vulnerabilities can present a greater challenge to a pentester, given the fact that there are many unknown variables on a client’s network as opposed to a test lab.

These challenges can help to improve and build valuable, hands-on skills for a pentester. Finding unique and challenging problems can also help employment prospects, especially if a freelance pentester makes a good impression with a client. Good word-of-mouth feedback goes a long way in pentesting circles. So uncovering unique threats can open up additional opportunities for such professionals, especially if they bring previously-unknown threats to the attention of product developers and company owners.

Frequently Asked Questions:

How Often Should Wireless Pentesting Take Place?

Most organizations will be mandated by the standard that they follow as to how often they need to perform pentesting of their wireless infrastructure. Each standard will have its own set of methodologies that describe what best practice is, as well as how to document the actual testing phases so that compliance can be recorded for auditing purposes at a later date.

What is a Rogue Wireless Network?

A rogue wireless network is simply a wireless access point, such as a Wi-Fi station or router, that is plugged into a network but does not comply with the standards of the organization’s existing wireless infrastructure. Find out more from the InfoSec Institute Resources page here.

How is a Rogue Wireless Network Installed?

The most common occurrence of this type of security threat is when a device has been brought into the organization and either knowingly or unknowingly connected to the network. Brand-new equipment can sometimes come with Wi-Fi activated by default but not configured, meaning that once turned on, the device will broadcast a signal.

Why Are Rogue Wireless Networks a Threat?

An unconfigured or undocumented wireless device that is able to broadcast its own SSID is dangerous because it offers an easy entry point onto a network, especially if it is using default login credentials. This opens up the entire organization’s network to potential abuse.

Do Employees Expose Businesses to Wireless Threats?

Yes. Any person carrying a device that can connect to company Wi-Fi could potentially be a threat to the organization. Malware can be transferred over the network unintentionally via smartphone, laptop and tablets, especially if the Wi-Fi segments are not locked down properly. If servers are not isolated on a separate VLAN and are visible to all wireless network traffic, then there is a potential risk of infection and security breaches.

Is It Worth Having Wireless Networks in Businesses, Considering the Potential Risks?

Wireless technologies definitely have a place in modern businesses, but as with any technology, the configuration standards that are applied to the equipment will greatly determine the utility and safety of it. Industries that require staff to carry handheld scanners and tablets, such as warehousing and manufacturing, could not operate as efficiently without wireless networks.

Most Common Wi-Fi Attacks

There are too many vulnerabilities, security shortfalls and exploits in existence for us to name, but here are some of the most common methods that are used by hackers to access wireless networks.

Man-in-the-Middle

This is possibly one of the most common attacks and is basically an eavesdropping tactic. The attacker is able to intercept and transmit data so that the victim believes that they are talking to a legitimate contact. From here, attackers are able to use social engineering to manipulate their target or infect the target‘s device remotely, opening them up to more vulnerabilities and exploits.

Packet Analyzers and Sniffers

Attackers are able to intercept and sniff packets that are being transmitted over the wireless network and, in some cases, intercept unencrypted data directly inside of TCP packets. The data gathered through this type of application can give an attacker valuable insight into the internal workings of the network that they are targeting and can help them formulate an attack strategy.

Malware

Malware is a serious threat to wireless networks and can self-propagate over networks, making it very difficult to stop once it has taken hold on a wireless network segment. Infections can occur just by having two devices connected to the same wireless network, making the rapid spread of such infections very fast.

Poor Wi-Fi Setup

Unfortunately, it is quite common for improperly-configured devices to be the root cause of wireless network infiltration. This comes especially if there are no centralized management tools available for IT staff to gain an overview perspective of the environment.

Conclusion

Wireless pentesting is a vital tool that can be used as often as is necessary. Whenever suspicions of wireless infiltration and unauthorized access arise, it is a good idea to consult a professional to assess the situation properly, report on any and all significant findings and advise on the next course of action that needs to be taken. Once the remedial actions have been taken, then the pentester should return for a follow-up assessment and pick up again on where they left off.

If your company is following a specific standard then it is essential that you follow the instructions that go with it, as this will ensure that your organization remains compliant and safe.  

 

Sources

Major Wi-Fi security flaw could allow hackers to listen in on any of your devices, CNBC

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

‘All wifi networks’ are vulnerable to hacking, security expert discovers, The Guardian

Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.