WIRELESS DEVICE TESTING

Nettitude delivers wireless device testing as a common component of most internal onsite penetration tests, covering the common 802.11 protocols (often referred to as WIFI).

Nettitude is proud to have been approved by CREST for our certified wireless testing capability. This is an accolade that has only been awarded to 2 penetration testing companies globally, and it demonstrates our capability and experience within this specific domain of expertise.

Wireless assessments can be delivered through attacks that target the existing wireless infrastructure that runs and operates within an organization, as well as the clients that interact with this infrastructure. It is common for both types of assessments to be conducted in a thorough wireless penetration test. Although it is possible to conduct this type of assessment remotely, through shipping wireless devices to site, Nettitude’s preferred approach is to attend the location that is being assessed, and simulate a threat actor that has local access to the surrounding airspace.

Unencrypted WLAN

Unencrypted wireless LANs come in two types: visible infrastructures, which broadcast their SSID, and invisible infrastructures, which hide it.

Visible Unencrypted WLANs

For visible WIFI networks, Nettitude connects to the wireless LAN and sniffs network traffic to learn the IP addressing in use. Once this information has been captured, Nettitude assigns itself an IP address and moves on to Nettitude's standard infrastructure testing methodology. For MAC-filtered environments, Nettitude de-authenticates a valid client and connects using that client's MAC address.

Invisible Unencrypted WLANs

For invisible wireless LANs, Nettitude de-authenticates a client and captures its re-authentication request. With this information, Nettitude is able to connect to the wireless network and then carry out the phases detailed in the visible wireless network testing approach.

WEP based Networks

WEP-based networks again fall into two types: visible and invisible infrastructures.

Visible

For visible networks, Nettitude attempts a WEP-based attack by capturing weak IVs and running them through a series of wireless security tools. The intent is to capture enough weak IVs to crack the WEP key. Once the WEP key has been cracked, Nettitude connects to the wireless network and then moves on to testing consistent with the visible unencrypted WIFI test plan.

Invisible

For invisible networks, Nettitude de-authenticates the client and then uses a series of tools to capture re-authentication requests and weak IV pairs. The approach then moves on to that of the visible WEP network test plan.

WPA/WPA2 Encrypted Networks

Nettitude first determines whether the environment has a visible or hidden SSID, using the approach from the visible and invisible unencrypted WIFI test plans.

Once this has been determined, Nettitude issues a de-authentication packet to the connected WIFI clients. The resulting re-authentication requests are captured and the EAPOL handshake is extracted. Once this handshake has been captured, Nettitude carries out a brute-force attack against it with the intent of recovering the WPA/WPA2 key.

LEAP Based Networks

Nettitude first determines whether the environment has a visible or hidden SSID, using the approach from the visible and invisible unencrypted WIFI test plans.

Once this has been determined, Nettitude issues a de-authentication packet to the connected WIFI clients. The resulting re-authentication requests are captured, and Nettitude looks to capture and break the LEAP requests.

802.1X WLAN

For 802.1X-based attacks, Nettitude usually creates a rogue access point with the same SSID as the real WIFI network. Through a series of techniques (de-auth/re-auth), Nettitude then coerces clients into connecting to this access point.

Once the client has tried to authenticate with the rogue access point, Nettitude will try to compromise the client by acquiring either passphrases or certificates. In addition, for poorly configured client devices, Nettitude may look to inject its own certificate into the authentication process. Once the client has been compromised, Nettitude will attempt to deploy a keylogger to capture manually keyed usernames and passwords. By gaining access to these credentials, Nettitude will attempt to gain access to the WIFI environment.
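The certificate-injection step above only works against clients that do not validate the RADIUS server's certificate. The following audit script is an added example (not Nettitude's tooling) that checks the 802.1X network blocks of a wpa_supplicant configuration for the settings that defeat a rogue access point: a pinned CA and a server identity match. The sample configuration is constructed for the example; the option names (`key_mgmt`, `eap`, `ca_cert`, `domain_suffix_match`, `domain_match`, `subject_match`, `altsubject_match`) are real wpa_supplicant options, while the policy the script enforces is an assumption about what a hardened client should look like.

```python
"""Audit 802.1X (WPA-Enterprise) client blocks in a wpa_supplicant.conf.

Added example, not Nettitude's code. A client block that sets no ca_cert
accepts any server certificate; one that pins a CA but sets no identity
match accepts any certificate issued by that CA. Either lets a rogue
access point with the same SSID complete the EAP exchange.
"""
import re

# Constructed sample: one hardened block, one weak block, one PSK block.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="example-only"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="GuestWiFi"
    key_mgmt=WPA-PSK
    psk="example-only"
}
"""

# Any one of these options ties the pinned CA to a specific RADIUS server.
IDENTITY_MATCH_OPTIONS = (
    "domain_suffix_match", "domain_match", "subject_match", "altsubject_match",
)

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf):
    """Return one dict of option -> value per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            # Split on the first '=' only; values such as phase2="auth=..."
            # contain further '=' characters.
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks


def check_eap_network(opts):
    """Return a list of findings for one block; an empty list means OK."""
    findings = []
    if "EAP" not in opts.get("key_mgmt", ""):
        return findings  # PSK or open network: not an 802.1X client config
    if "ca_cert" not in opts:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(opt in opts for opt in IDENTITY_MATCH_OPTIONS):
        findings.append("no server identity match: any certificate from the CA is accepted")
    return findings


def audit(conf):
    """Return (ssid, findings) for every block in the configuration text."""
    return [(n.get("ssid", "?"), check_eap_network(n)) for n in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ssid}: {status}")
```

Run against a real `/etc/wpa_supplicant/wpa_supplicant.conf` by reading the file into `audit()`. The second `CorpWiFi` block is the shape of client configuration the page describes as "poorly configured": it will complete PEAP against any access point that announces the right SSID.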

Extended Wireless Device Tests

In addition to the standard corporate tests, Nettitude recognizes that many employees will have wireless environments configured at home. These environments frequently use standard security controls that are re-used inside the corporate environment. Nettitude will look to deploy rogue access points into an infrastructure that masquerade as the corporate infrastructure, as well as mimicking many of the weaker security controls deployed within home wireless environments.
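Two of the techniques that recur through the test plans above leave a signature in the airspace that a wireless IDS can watch for: the de-authentication bursts used before every handshake and re-authentication capture (unencrypted, WEP, WPA/WPA2, LEAP and 802.1X sections), and the rogue access point that advertises the corporate SSID from an unknown BSSID (802.1X and extended tests). The script below is an added example, not Nettitude's tooling, that applies both checks to a stream of 802.11 management-frame metadata. The frame records, the allow-list of legitimate BSSIDs, the 5-second window and the threshold of 10 frames are all constructed or assumed for the example; a real deployment would feed the records from a monitor-mode capture.

```python
"""Detect de-authentication floods and rogue (evil-twin) access points from
802.11 management-frame metadata.

Added example, not Nettitude's code. Each record is
(timestamp_seconds, subtype, bssid, ssid); subtype names follow the 802.11
management subtypes "beacon" and "deauth". All values below are constructed.
"""
from collections import defaultdict, deque

# Assumed allow-list of legitimate corporate access points.
CORP_SSID = "CorpWiFi"
KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Assumed tuning: 10 deauth frames against one BSSID within 5 seconds.
DEAUTH_THRESHOLD = 10
WINDOW_SECONDS = 5.0

# Constructed sample: normal beacons, a 12-frame deauth burst against a
# corporate AP, an unknown BSSID beaconing the corporate SSID, an unrelated
# guest SSID from an unknown BSSID, and a few isolated deauths that should
# not trip the threshold.
SAMPLE_FRAMES = (
    [(float(i), "beacon", "00:11:22:33:44:01", CORP_SSID) for i in range(3)]
    + [(10.0 + i * 0.25, "deauth", "00:11:22:33:44:01", "") for i in range(12)]
    + [(13.0, "beacon", "de:ad:be:ef:00:01", CORP_SSID)]
    + [(14.0, "beacon", "de:ad:be:ef:00:02", "GuestWiFi")]
    + [(20.0 + i * 10.0, "deauth", "00:11:22:33:44:02", "") for i in range(3)]
)


def detect(frames, known_bssids=KNOWN_BSSIDS, corp_ssid=CORP_SSID,
           threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (alert_kind, bssid, timestamp) tuples.

    frames must be ordered by timestamp. A deauth_flood alert fires once
    when the count of deauth frames for a BSSID inside the sliding window
    reaches the threshold; a rogue_ap alert fires once per unknown BSSID
    seen beaconing the corporate SSID.
    """
    alerts = []
    recent_deauths = defaultdict(deque)  # bssid -> timestamps in window
    rogue_seen = set()

    for ts, subtype, bssid, ssid in frames:
        if subtype == "beacon":
            if ssid == corp_ssid and bssid not in known_bssids and bssid not in rogue_seen:
                rogue_seen.add(bssid)
                alerts.append(("rogue_ap", bssid, ts))
        elif subtype == "deauth":
            window_q = recent_deauths[bssid]
            window_q.append(ts)
            # Drop timestamps that have aged out of the sliding window.
            while window_q and ts - window_q[0] > window:
                window_q.popleft()
            if len(window_q) == threshold:
                alerts.append(("deauth_flood", bssid, ts))
    return alerts


if __name__ == "__main__":
    for kind, bssid, ts in detect(SAMPLE_FRAMES):
        print(f"t={ts:6.2f}s {kind:13s} bssid={bssid}")
```

The two alert kinds map directly onto the mitigations a network owner controls: 802.11w Protected Management Frames authenticate de-authentication and disassociation frames, so a client with PMF required ignores the spoofed burst, and rogue-AP alerts are only actionable if the allow-list of corporate BSSIDs is kept current.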

Nettitude has a comprehensive wireless testing methodology that is available on request. All tests are consultancy driven, and can be adapted to fit whatever your wireless security requirements dictate. Wireless testing has become a standard component of most internal penetration testing engagements. To find out how Nettitude can help you manage the risk associated with your WIFI estate, please complete our contact form and a consultant will respond to your enquiry.