After initiating the project, we collect the scoping/target information from the client. This information includes a list of all MAC addresses and SSIDs in scope. It helps us determine which access points are accounted for and which are essentially rogue access points. This process also involves a brief meeting with the client to review and acknowledge the rules of the penetration testing engagement and to confirm the project scope and testing timelines.
Due to the nature of the wireless network, information gathering is conducted using a well-known technique called war driving. This method involves driving around the organisation’s premises to sniff out Wi-Fi signals using high-gain network adapters such as the Alfa card. This technique also helps determine whether the wireless signal leaks significantly beyond your organisation’s premises and whether that would allow us (or an attacker) to target your wireless network from nearby locations.
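The reconciliation described above, the client's scoped MAC addresses and SSIDs compared against what the survey observes, can be sketched as follows. This is an added example, not SecureTriad's tooling; the inventory, the observation records and the verdict names are constructed for illustration.

```python
import re

def norm_mac(mac):
    """Normalise AA-BB-.., aabb.ccdd.eeff or aa:bb:.. to lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(scope, observed):
    """scope: (bssid, ssid) pairs from the client's scoping list.
    observed: dicts with 'bssid' and 'ssid' keys recorded during the survey.
    Returns {bssid: verdict}. A matching BSSID is not proof of legitimacy,
    because a MAC address can be cloned; verdicts are triage labels only."""
    known = {norm_mac(b): s for b, s in scope}
    scoped_ssids = set(known.values())
    results = {}
    for ap in observed:
        bssid, ssid = norm_mac(ap["bssid"]), ap["ssid"]
        if bssid in known and known[bssid] == ssid:
            verdict = "accounted-for"
        elif bssid in known:
            verdict = "ssid-mismatch"    # listed radio, unexpected SSID
        elif ssid in scoped_ssids:
            verdict = "possible-rogue"   # in-scope SSID from an unlisted radio
        else:
            verdict = "out-of-scope"     # neighbouring network, not to be tested
        results[bssid] = verdict
    seen = {norm_mac(ap["bssid"]) for ap in observed}
    for bssid in known.keys() - seen:
        results[bssid] = "not-observed"  # listed by the client, never heard
    return results

# Constructed sample data (locally administered MAC addresses, made-up SSIDs).
SCOPE = [("02:00:00:AA:00:01", "CorpWiFi"),
         ("02-00-00-AA-00-02", "CorpGuest"),
         ("0200.00aa.0003", "CorpWiFi")]
OBSERVED = [{"bssid": "02:00:00:aa:00:01", "ssid": "CorpWiFi"},
            {"bssid": "02:00:00:aa:00:02", "ssid": "CorpWiFi"},
            {"bssid": "02:00:00:bb:00:09", "ssid": "CorpGuest"},
            {"bssid": "02:00:00:cc:00:07", "ssid": "CoffeeShop"}]

if __name__ == "__main__":
    for bssid, verdict in sorted(classify(SCOPE, OBSERVED).items()):
        print(bssid, verdict)
```

Anything other than "accounted-for" is a prompt to go back to the client before testing, since an unlisted radio may be a forgotten corporate device as easily as a rogue one.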
After information gathering, we attempt to gain unauthorised access to the wireless networks in scope. Depending on how a wireless network is configured, we launch several attacks against the network, such as WEP/WPA pre-shared key cracking, various password attacks, evil twin attacks, or disassociation attacks. The goal of this step is to determine the organisation’s susceptibility to an attacker trying to gain unauthorised access to the internal network through wireless channels.
If we succeed in cracking and authenticating to the wireless network, we proceed to test several aspects of the network as a regular connected user. If unsuccessful, we request credentials to the networks from the client so that we can provide a holistic assessment. At this stage, the testing includes ensuring the guest network is correctly segmented from the internal network and examining the availability and security of access point administrative logins. Additionally, we try to identify any corporate devices on “Guest” networks that are evading company policies and network restrictions.
After completing the assessment, SecureTriad provides an assessment report which includes an executive summary and technical findings. The executive summary is written for management consumption and is a high-level overview of assessment activities, scope, the most critical issues discovered, and overall risk scoring. We also include strategic recommendations to assist business leaders in making informed decisions regarding the information systems/devices. The technical findings list all vulnerabilities individually, with details for recreating each issue and the necessary screenshots, an explanation of the potential risk, recommended remediation actions, and helpful reference links.