Our WiFi pentesting methodology

Providing a WiFi network for employees and guests greatly increases a company's attack surface. An attacker can target the company without being physically connected to its network, which allows him:

  • To access the network more easily, without needing to physically enter the company's premises
  • To be more discreet, by attacking his target from a neighbouring building or even from the street

A WiFi audit or penetration test first consists of a consultant attempting to break into the company's wireless network. The second step is to check how permeable that wireless network is to the wired network, and whether sensitive resources are reachable from it. The tests and methodology vary depending on the type of WiFi network targeted:

Network connection

  • Employee WiFi - WPA2 Personal / WEP
    • WPS mechanism audit
    • Traffic generation
    • Traffic interception
    • Cracking the (dynamic) key
  • Employee WiFi - WPA2 Enterprise (EAP, PEAP, TLS, ...)
    • Server impersonation (identity theft)
    • Redirecting client connections to a fake server
    • Capturing hashes, then replaying or cracking them
    • White-box audit of the server (logs, configuration, passwords, etc.)
  • Guest WiFi (captive portal)
    • External intrusion test on the captive portal
    • Compromise of the WiFi access point's administration interface
    • Bypass of the network filtering rules in place
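A defender-side illustration of the "server impersonation" and "fake server" items under WPA2 Enterprise: the weakness those tests look for is a client that does not verify the RADIUS server's certificate, so any access point announcing the same SSID is accepted as legitimate. The wpa_supplicant configuration below is an added example and not part of the original methodology; the SSID, username, password, CA path and server name are assumed placeholders.

```conf
# Weak network block (assumed values): no CA certificate and no server-name
# constraint, so the client accepts whatever certificate the RADIUS server
# presents. An impersonated server can therefore complete the outer TLS
# tunnel and receive the inner MSCHAPv2 exchange.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened network block (same assumed values): the CA that issued the
# RADIUS certificate is pinned and the server name must match, so the
# client refuses to start the inner authentication against any other server.
# anonymous_identity keeps the real username out of the unencrypted outer
# EAP identity exchange.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    anonymous_identity="anonymous@corp.example"
}
```

During the white-box part of the audit, the check to make on managed clients is that every WPA-EAP network block carries both a `ca_cert` (or equivalent trust anchor) and a server-name constraint such as `domain_suffix_match`; a block with only `ssid`, `identity` and `password` is the configuration the Enterprise tests above exploit.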

Post exploitation

  • Man-in-the-middle attacks
    • Spoofing (identity theft)
    • Traffic interception
  • Network architecture
    • Access to servers and workstations on the wired network
    • Internet access and filtering
  • White-box audit of the WiFi access point
    • Connection to the RADIUS server and its security
    • Event auditing
    • Log export
    • Passwords
    • Network filtering
  • White-box audit of client workstations