Basic Things To Know About Wi-Fi Pen Testing
Wireless LAN access points (hereinafter referred to as wireless APs) are highly convenient and are being installed for internal business purposes. However, wireless APs face three security threats: “wiretapping”, “spoofing” and “malicious wireless APs.” Wireless LAN pen testing is a service that comprehensively diagnoses whether the security measures on the wireless APs installed by customers are appropriate against these three threats, and reports any problems found.
Wireless LAN is already one of the most important communication infrastructures in many companies. As the introduction of Bring Your Own Device (BYOD) accelerates, security measures for wireless LAN systems, user awareness, and operation management will be important, but the current situation is still fragile. In addition, a wireless LAN can easily be accessed from the outside, which makes it possible to break into the company’s internal network while bypassing the measures previously taken for wired systems. The Wi-Fi pen test service, which has become mainstream overseas, can comprehensively confirm the security of the current wireless LAN system.
The service conducts a local network survey to confirm, based on the wireless AP design documents, that the appropriate security settings have been made, and a site survey to confirm, through interception of wireless LAN communication and similar means, that the appropriate security settings are in place.
Wi-Fi Penetration Testing Consists of Two Parts:
1. Field survey
Pen testers intercept the radio waves of the wireless LAN communication to confirm that there is no malicious wireless AP. With your consent, they will also actually attack the legitimate access point and investigate its resistance to sniffing and spoofing by attackers.
2. Desktop survey
Pen testers review the wireless AP design documents, etc., and evaluate from a third party’s point of view whether the security settings make interception and spoofing difficult for attackers.
Basic Overview of Wi-Fi Penetration Testing:
For WEP WLAN:
Wired Equivalent Privacy (WEP) is highly discouraged for use in any environment. It uses very weak encryption that was established in 1997 and subsequently replaced by WPA. There is no point in subjecting a WEP Wi-Fi network to penetration testing, as anyone can just Google “hacking WEP Wi-fi”, follow the simple instructions using any laptop, and WEP gets cracked in no time. The penetration testing team will simply advise the company to fully migrate to the much more secure WPA, WPA2 or even the newest WPA3 encryption, if supported by the access point.
For WPA and WPA2:
- Various tools are available for pen testers to use. They can download Airsnarf, Karma, or Hotspotter. These tools are not exclusive to pen testers; the public can download them as well. But having the tools and knowing how to use them are two different things.
- Use dictionary attack tools such as Aircrack-ng and coWPAtty. These attempt to crack the WPA/WPA2 password using words contained in a known dictionary. This attack is the reason security professionals strongly discourage the use of a password that can be found in a dictionary, as it is easy for attackers to discover it through dictionary attacks.
- Advanced penetration testers can also use rainbow tables, which hold pre-computed hashes, to attempt to crack the passphrase on the fly.
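As an added example (not code from the original article), the following defender-side audit shows why dictionary words and pre-computed tables matter for WPA/WPA2-Personal: the key is derived from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as salt, so a decorated dictionary word or a common SSID are both findings. The wordlist, the SSID list and the function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: a tiny wordlist and a few widely seen default SSIDs.
WORDLIST = {"password", "sunshine", "dragon", "welcome", "company"}
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink"}
# Common character substitutions mapped back to letters (0->o, 1->l, 3->e, ...).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def base_word(passphrase):
    """Undo common decorations: case, trailing digits/symbols, substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", passphrase.lower())
    return stripped.translate(LEET)


def audit(passphrase, ssid):
    """Return a list of findings for one passphrase/SSID pair (empty = none)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA allows")
    if base_word(passphrase) in WORDLIST:
        findings.append("dictionary word with common decoration")
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common SSID: precomputed tables may exist for it")
    return findings


if __name__ == "__main__":
    for pw, ssid in [("P@ssw0rd2024!", "linksys"),
                     ("tidal-Walrus-mends-9-kettles", "AcmeCorp-7F")]:
        print(ssid, audit(pw, ssid) or "no findings")
    # Same passphrase, different SSID, different key: tables are per-SSID.
    print(derive_pmk("Dragon123", "linksys") != derive_pmk("Dragon123", "AcmeCorp-7F"))
```

Because the SSID is the salt, a table pre-computed for one network name is useless against another, which is why a unique SSID and a long non-dictionary passphrase are both part of the recommendation.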
Other than the actual simulated attacks as detailed above, pen testers also check other aspects of the wireless LAN, like the following:
- Confirmation of security flaws from design documents
Confirm from the design documents the security measures for items that could not be determined in the field survey.
- Investigation of unauthorized access points and external radio leakage situations
Investigate non-regular access points from multiple survey points. Investigate that radio waves from authorized access points cannot be intercepted from points outside the service provision area.
- Implementation of simulated attacks on regular access points
Intercept communication radio waves, such as the WPA traffic transmitted at the time of authentication, and analyze the authentication key. Investigate the possibility of intrusion when MAC address restrictions, etc., which are among the security functions of the wireless AP, are implemented.
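The field-survey checks listed above can be expressed as a comparison between scan observations and the authorized AP inventory. This is an added example, not part of the original article; the inventory, the scan records, the label names and the -75 dBm threshold are all constructed assumptions.

```python
from collections import namedtuple

Obs = namedtuple("Obs", "point outside ssid bssid encryption signal_dbm")

# Constructed inventory and scan results (not real devices).
AUTHORIZED = {"02:00:00:00:00:01": "CORP-WLAN", "02:00:00:00:00:02": "CORP-WLAN"}
SCAN = [
    Obs("lobby", False, "CORP-WLAN", "02:00:00:00:00:01", "WPA2", -48),
    Obs("lobby", False, "CORP-WLAN", "02:00:00:00:00:99", "WPA2", -55),
    Obs("floor-3", False, "CORP-WLAN", "02:00:00:00:00:02", "WEP", -60),
    Obs("floor-3", False, "printer-setup", "02:00:00:00:00:77", "OPEN", -52),
    Obs("car-park", True, "CORP-WLAN", "02:00:00:00:00:01", "WPA2", -68),
    Obs("car-park", True, "CORP-WLAN", "02:00:00:00:00:02", "WEP", -88),
    Obs("car-park", True, "CoffeeShop", "02:00:00:00:00:55", "WPA2", -70),
]
USABLE_DBM = -75        # assumed threshold: at or above this counts as receivable
WEAK = {"OPEN", "WEP"}  # settings the desktop survey would also reject


def classify(obs, authorized=AUTHORIZED):
    """Return the finding labels for one scan observation."""
    labels = []
    known = obs.bssid.lower() in authorized
    corp_ssids = set(authorized.values())
    if not known and obs.ssid in corp_ssids:
        # Company SSID advertised by a device missing from the inventory.
        labels.append("spoofed-ssid")
    elif not known and not obs.outside and obs.signal_dbm >= USABLE_DBM:
        # Unknown AP heard clearly from inside the premises.
        labels.append("unlisted-ap-on-premises")
    if known and obs.encryption in WEAK:
        labels.append("weak-encryption")
    if known and obs.outside and obs.signal_dbm >= USABLE_DBM:
        # Authorized AP receivable from outside the service area.
        labels.append("radio-leakage")
    return labels


def survey_report(scan=SCAN):
    """Map (survey point, BSSID) -> labels for observations with findings."""
    return {(o.point, o.bssid): classify(o) for o in scan if classify(o)}


if __name__ == "__main__":
    for key, labels in survey_report().items():
        print(key, labels)
```

A neighbouring network heard only from outside (the "CoffeeShop" record) produces no finding, which keeps the report focused on the three threats the service diagnoses.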
Flow of wireless LAN diagnosis:
1. Hearing and preparation for diagnosis
You will need to fill out the questionnaire with the information needed for the desktop and field surveys. It is usually submitted one week before the start of diagnosis.
2. Conduct a desktop survey
Based on the questionnaires and design documents, the pen test team investigates whether the exact settings of the wireless AP are appropriate.
3. Conduct of field survey
Attempts to intercept radio waves and break into wireless APs locally. This step usually takes a whole day to finish.
4. Report of diagnosis result and provide advice to mitigate discovered weaknesses
The pen test team shall submit a diagnostic report usually within 10 business days after the completion of the field survey. Conducting a briefing session at the customer’s office is possible, depending on the terms of the pen test agreement.