What is Wi-Fi Penetration Testing?

Many people in a home or work environment these days have laptops and mobile phones that need to connect to the internet via a wireless network. Although convenient, a wireless network can open the network up to attackers if it is not set up correctly. With a hardwired network, an attacker needs to break into the building to gain access to the physical network, whereas a wireless network can be accessed without entering the building in which the network is hosted.

Wi-Fi Penetration Testing Checklist

To ensure that only those who are meant to access the network are able to, the network is usually secured in some form. The two most popular forms of securing a wireless network are via Certificate-Based Authentication and Password-Based Authentication. As time has gone on, the methods of securing a wireless network have improved to overcome the flaws discovered along the way.

Legacy WEP

For example, a legacy means of securing a wireless network was a method known as WEP, which was found to be flawed in that it sent across the access password in small bits within the data transmitted. This meant that an attacker who was able to collect enough data would be able to recover the access password. Although this method is still available, it is never set as the default method of security for a wireless network.


The newest form of securing a wireless network is WPA3, though many devices may not support it and may require WPA2 instead. The WPAx means of securing a wireless network is based on a method of authentication known as a handshake. This handshake is one of the first packets sent to the access point and contains an encrypted form of the password. Unlike with WEP, the subsequent packets do not contain the password. This means that the only way an attacker would be able to gain access to this network would be to listen for and collect a handshake packet as a legitimate client connects to the access point.

Once the attacker has a copy of the encrypted password, they must then attempt to find the password which matches the one in the handshake. If the password is weak or exists within a password list, it is easily recoverable. It is important to ensure that all passwords are strong, not guessable, and don't exist on any password lists. This means that, even if an attacker were to get hold of a handshake packet, they would not be able to work out the password. It should be noted that WPA3 works to combat a flaw in WPA2: WPA2 allows an attacker to perform "offline" password cracking.
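The password requirements above can be checked before a passphrase is ever deployed. The following is an added example, not part of the original post: the wordlist, the substitution table, the 60-bit threshold and the SSID "CorpWiFi" are constructed assumptions, and the character-class estimate is only an upper bound on the guess space.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a large password list.
WORDLIST = {"password", "letmein", "qwerty", "sunshine", "welcome"}
# Common character substitutions, mapped back to the letters they stand for.
LEET = str.maketrans("0134578@$!", "oieastbasi")
MIN_BITS = 60  # assumed review threshold, not a standard


def normalise(passphrase):
    """Undo common mutations: case, trailing digits/symbols, leet substitutions."""
    base = passphrase.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def charset_bits(passphrase):
    """Upper bound on guess space: length x log2(size of character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_passphrase(passphrase, ssid):
    """Return finding codes for a WPA2 passphrase; an empty list means no finding."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length")       # WPA2 passphrases are 8 to 63 characters
    if normalise(passphrase) in WORDLIST:
        findings.append("wordlist")     # a mutated dictionary word is still guessable
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("ssid")         # derived from the network name
    if charset_bits(passphrase) < MIN_BITS:
        findings.append("low-entropy")
    return findings


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "corpwifi-2024", "summer1", "vT9#qLm2$Xe7wRb4Zk"):
        print(candidate, audit_passphrase(candidate, "CorpWiFi"))
```

Note that "P@ssw0rd2024!" passes the length and character-class checks and is caught only by the wordlist comparison, which is why the list check matters alongside a complexity rule.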

Collecting the handshake packet

There are two main methods of collecting the handshake packet: one targets a feature called PMKID, which allows the handshake packet to be retrieved without a user being connected to the network, and the other targets the moment when a user connects to the network. In the event that PMKID is disabled, the handshake packet will only be sent when a client connects to a network. In this case, an attacker wouldn't be able to collect the handshake packet whilst clients are already connected to the network; therefore, the attacker must force the clients to disconnect from the access point so that they attempt to reconnect and send the handshake packet whilst the attacker is listening for it. This is known as a deauthentication attack, in which the attacker sends packets to the access point masquerading as the connected client to inform the access point that the client has disconnected. The access point will then disconnect the client, forcing it to resend the handshake packet in order to reconnect, and that packet is then intercepted by the attacker.
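From the defender's side, the forced disconnect described above shows up as an unusually dense run of deauthentication frames for one client, followed by a new handshake. The following is an added example, not part of the original post: the frame records, MAC addresses, window and threshold are constructed assumptions, and the frame-type labels are simplified.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0   # sliding window in seconds (assumed value, tune per site)
THRESHOLD = 10   # deauthentication frames per window treated as a burst (assumed)

# Constructed sample capture: (time_s, frame_type, source, destination, bssid).
AP = "aa:bb:cc:00:00:01"
CLIENT = "de:ad:be:ef:00:02"
OTHER = "de:ad:be:ef:00:03"
FRAMES = (
    [(0.5, "data", CLIENT, AP, AP),
     (1.0, "deauth", OTHER, AP, AP)]            # one client leaving normally
    + [(10.0 + i * 0.1, "deauth", CLIENT, AP, AP) for i in range(30)]  # burst
    + [(13.2, "eapol", CLIENT, AP, AP)]         # handshake sent on reconnect
)


def detect_deauth_bursts(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return {(bssid, client): details} for pairs whose deauth rate is abnormal."""
    recent = defaultdict(deque)   # (bssid, client) -> recent deauth timestamps
    alerts = {}
    for ts, ftype, src, dst, bssid in sorted(frames):
        client = dst if src == bssid else src
        key = (bssid, client)
        if ftype == "eapol" and key in alerts:
            # A fresh handshake after a burst is the forced reconnect.
            alerts[key].setdefault("rehandshake_at", ts)
        if ftype != "deauth":
            continue
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if key in alerts:
            alerts[key]["frames"] += 1
        elif len(seen) >= threshold:
            alerts[key] = {"first_alert": ts, "frames": len(seen)}
    return alerts


if __name__ == "__main__":
    for (bssid, client), info in detect_deauth_bursts(FRAMES).items():
        print(f"deauth burst: bssid={bssid} client={client} {info}")
```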


Another method of connecting to a network is via a feature called WPS, which is available in many home devices. This feature allows a user to connect to their network by pressing the "Push to connect" button on their router. The router will send the Wi-Fi password to the client, which will automatically connect to the network without the need for the user to type in a password at all. This method of connecting is weak against brute-force-style attacks that trick the router into sending an attacker the connection information. Although this method is convenient for ease of connection, disabling it is highly recommended.

Certificate-Based Authentication

Within a corporate environment, Certificate-Based Authentication (802.1x) can offer many benefits over Password-Based Authentication, mainly because it doesn't operate on the premise of a guessable string for access but instead uses a certificate located on the client's device. Although this method of authentication is more complicated to set up, it does provide a greater level of protection.

User vs Guest Access

Another consideration is the segregation of users and guest users, to ensure that users who connect to the internet via a guest access point are not able to access the non-guest areas of the network. Ideally, guest networks should be on their own separate VLAN within the network infrastructure with no access to anything else, including other guest users. This keeps the business infrastructure safe and also ensures that other guests are not at risk if an attacker were to gain access to the usually less secure guest Wi-Fi.

Ensuring that a Wi-Fi network is secure is vital for the protection of the network against geographically close attackers. The main areas of focus should be:

  1. ensuring that the access point is protected with a strong encryption method and

  2. a strong password

so that, in the event a handshake is captured, the password would not be easily obtainable. In addition, if a guest network is available alongside a corporate network, there should be adequate segregation in place so that guests are not able to access internal assets that are not intended for them.

During a Wi-Fi penetration test, these aspects should be tested to ensure they are set up securely.
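Several of these checks can be run against an access point's configuration directly. The following is an added example, not part of the original post: it assumes the access point runs hostapd, uses hostapd's own option names (wpa, wep_key0, wps_state, ap_isolate), and both configurations are constructed samples.

```python
# Constructed hostapd.conf contents: a weak guest AP and a hardened one.
WEAK_CONF = """
# legacy guest access point
ssid=Guest
wep_default_key=0
wep_key0=0102030405
wps_state=2
"""
HARDENED_CONF = """
ssid=Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
wps_state=0
ap_isolate=1
"""


def parse_conf(text):
    """Parse hostapd key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text, guest=False):
    """Return finding codes for one hostapd configuration; empty means no finding."""
    conf = parse_conf(text)
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append("wep")                         # legacy WEP keys configured
    if (int(conf.get("wpa", "0")) & 2) == 0:
        findings.append("no-wpa2-or-wpa3")             # RSN bit not set in wpa=
    if conf.get("wps_state", "0") != "0":
        findings.append("wps-enabled")                 # 0 disables WPS in hostapd
    if guest and conf.get("ap_isolate", "0") != "1":
        findings.append("guest-clients-not-isolated")  # guests can reach each other
    return findings


if __name__ == "__main__":
    print("weak:", audit_hostapd(WEAK_CONF, guest=True))
    print("hardened:", audit_hostapd(HARDENED_CONF, guest=True))
```

ap_isolate only separates clients on the same access point; the VLAN separation between guest and corporate networks is enforced on the switch and firewall and has to be tested there.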
