
WIRELESS DEVICE TESTING

LRQA Nettitude delivers wireless device testing as a common component of most internal onsite penetration tests. Assessments cover the most common 802.11 protocols, usually referred to as WIFI protocols.

LRQA Nettitude is proud to have been approved by CREST as having a certified wireless testing capability. This accolade has only been awarded to 2 penetration testing companies globally, and it demonstrates our capability and experience within this specific domain of expertise.

Wireless assessments can be delivered through attacks that target the existing wireless infrastructure running within an organisation, as well as the clients that interact with that infrastructure. A thorough wireless penetration test commonly includes both types of assessment. Although this type of assessment can be conducted remotely, by shipping wireless devices to site, LRQA Nettitude's preferred approach is to attend the location being assessed and simulate a threat actor with local access to the surrounding airspace.

Unencrypted WLAN

Two types of unencrypted wireless LAN exist: visible infrastructures and invisible (hidden SSID) infrastructures.

Visible Unencrypted WLANS

For visible WIFI networks, LRQA Nettitude connects to the wireless LAN and sniffs network traffic for IP addressing details. Once this information has been captured, LRQA Nettitude assigns itself an IP address and moves on to its standard infrastructure testing methodology. For MAC-filtered environments, LRQA Nettitude de-authenticates a valid client and connects using that client's MAC address.

Invisible Unencrypted WLANs

For invisible wireless LANs, LRQA Nettitude de-authenticates a client and captures its re-authentication request, which reveals the hidden SSID. With this information, LRQA Nettitude is able to connect to the wireless network and then carry out the phases detailed in the visible wireless network testing approach.

WEP based Networks

Two types of WEP-based network exist, again consisting of visible and invisible infrastructures.

Visible

For visible networks, LRQA Nettitude attempts a WEP-based attack by capturing weak IVs and running them through a series of wireless security tools. The intent is to capture enough weak IVs to crack the WEP key. Once the WEP key has been cracked, LRQA Nettitude connects to the wireless network and moves on to testing consistent with the visible unencrypted WIFI test plan.

Invisible

For invisible networks, LRQA Nettitude de-authenticates a client and then uses a series of tools to capture re-authentication requests and weak IV pairs. The approach then moves on to that of the visible WEP network test plan.

WPA/WPA2 Encrypted Networks

LRQA Nettitude first determines whether the environment has a visible or hidden SSID. The approach for this is consistent with the test plans identified for the visible and invisible unencrypted WIFI environments.

Once this has been determined, LRQA Nettitude issues a de-authentication packet to the WIFI-connected resources. Re-authentication requests are then captured and the EAPOL (four-way) handshake is extracted. Once this handshake has been captured, LRQA Nettitude carries out an offline brute-force attack against it with the intent of recovering the WPA/WPA2 key; the time this takes depends directly on the strength of the pre-shared key.

LEAP Based Networks

LRQA Nettitude first determines whether the environment has a visible or hidden SSID. The approach for this is consistent with the test plans identified for the visible and invisible unencrypted WIFI environments.

Once this has been determined, LRQA Nettitude issues a de-authentication packet to the WIFI-connected resources. Re-authentication requests are then captured, and LRQA Nettitude looks to capture the LEAP authentication exchanges and break them.

802.1X WLAN

For 802.1X-based attacks, LRQA Nettitude usually creates a rogue access point with the same SSID as the real WIFI network. Using a series of techniques (de-auth/re-auth), LRQA Nettitude then coerces clients into connecting to this access point.

Once the client has tried to authenticate with the rogue access point, LRQA Nettitude will try to compromise the client by acquiring either passphrases or certificates. In addition, for poorly configured client devices that do not validate the server certificate, LRQA Nettitude may look to inject its own certificate into the authentication process. Once the client has been compromised, LRQA Nettitude will attempt to deploy a keylogger to capture manually keyed usernames and passwords. With these credentials, LRQA Nettitude will attempt to gain access to the WIFI environment.
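The rogue access point and de-authentication techniques described in the sections above are exactly what a wireless intrusion detection control is meant to surface. The following is an added example, not LRQA Nettitude's own tooling or methodology: it runs over constructed management-frame records and a hypothetical BSSID allow-list, flagging beacons that advertise the corporate SSID from an unknown BSSID and bursts of de-authentication frames.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a monitoring sensor might
# log them (not real captures): timestamp in seconds, frame type, source BSSID.
FRAMES = [
    {"t": 0.00, "type": "beacon", "bssid": "aa:aa:aa:00:00:01", "ssid": "CorpWiFi"},
    {"t": 0.10, "type": "beacon", "bssid": "aa:aa:aa:00:00:02", "ssid": "CorpWiFi"},
    {"t": 0.20, "type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi"},
    {"t": 0.25, "type": "beacon", "bssid": "cc:cc:cc:00:00:09", "ssid": "HomeNet"},
    {"t": 1.00, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 1.05, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 1.10, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 1.15, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 1.20, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 1.25, "type": "deauth", "bssid": "aa:aa:aa:00:00:01"},
    {"t": 9.00, "type": "deauth", "bssid": "aa:aa:aa:00:00:02"},
]

# Hypothetical allow-list: the BSSIDs the corporate APs are known to use per SSID.
KNOWN_BSSIDS = {"CorpWiFi": {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"}}


def find_rogue_aps(frames, known_bssids):
    """Beacons advertising a managed SSID from a BSSID outside the allow-list.
    Returns {ssid: sorted list of unknown BSSIDs}; other SSIDs are ignored."""
    rogue = defaultdict(set)
    for f in frames:
        if f["type"] != "beacon" or f["ssid"] not in known_bssids:
            continue
        if f["bssid"] not in known_bssids[f["ssid"]]:
            rogue[f["ssid"]].add(f["bssid"])
    return {ssid: sorted(b) for ssid, b in rogue.items()}


def deauth_bursts(frames, window=1.0, threshold=5):
    """(bssid, count) for each BSSID with >= threshold deauth frames inside any
    sliding window of `window` seconds. A flood normally spoofs the real AP's
    address, so the alert names the impersonated AP rather than the sender."""
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            times_by_bssid[f["bssid"]].append(f["t"])
    alerts = []
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:  # drop frames older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((bssid, peak))
    return alerts
```

A single de-authentication from a genuine AP (the `aa:aa:aa:00:00:02` frame) stays below the threshold, while the burst spoofing `aa:aa:aa:00:00:01` and the beacon from `de:ad:be:ef:00:01` are both reported.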

Extended Wireless Device Tests

In addition to the standard corporate tests, LRQA Nettitude recognises that many employees will have wireless environments configured at home. These environments frequently use standard security controls that can be re-used inside the corporate environment. LRQA Nettitude will look to deploy rogue access points into an infrastructure that masquerade as the corporate infrastructure, as well as mimicking many of the weaker security controls deployed within home wireless environments.

LRQA Nettitude has a comprehensive wireless testing methodology that is available on request. All tests are consultancy driven and can be adapted to fit whatever your wireless security requirements dictate. Wireless testing has become a standard component of most internal penetration testing engagements. To find out how LRQA Nettitude can help you manage the risk associated with your WIFI estate, please complete our contact form and a consultant will respond to your enquiry.
