Wi-Fi Penetration Testing

🎯 Enterprise Wi-Fi Attack Surface

Modern enterprises maintain hundreds to thousands of wireless access points serving employees, guests, contractors, and IoT devices. Each access point represents potential attack surface. Wireless signals broadcast across physical space—unlike wired networks confined to cable runs, wireless signals reach parking lots, adjacent buildings, public spaces. Attackers proximity-aware: breach only requires being within radio range of vulnerable access point, not physical network access. Enterprise Wi-Fi security critical because: (1) Mobile devices primary work platform (laptops, phones, tablets), (2) Guest networks require internet access, (3) IoT devices (printers, cameras, security systems) increase endpoint diversity, (4) Compliance requirements mandate encryption standards (PCI-DSS, HIPAA, SOX).

Wireless network compromise enables: credential theft (attacker intercepts authentication traffic), data exfiltration (attacker captures unencrypted traffic or performs man-in-the-middle), lateral movement (attacker connects to Wi-Fi gaining internal network access), ransomware distribution (compromised Wi-Fi used to infect connected devices). Professional security teams must understand wireless threats to implement effective enterprise defense.

Real-World Incident Examples

Enterprise breaches frequently involve wireless compromise: hotel chain breach (attacker connected through unencrypted guest Wi-Fi capturing credit card payments), pharmaceutical company breach (rogue AP installed in parking lot capturing employee VPN credentials), financial institution breach (weak Wi-Fi password brute-forced, attacker gaining access to trading systems). Common pattern: wireless security deprioritized relative to wired/perimeter security, making wireless attractive attack vector.

📚 Learning Objectives

Wireless Protocol Fundamentals

Understanding 802.11 protocol architecture essential for identifying security weaknesses. Topics covered: (1) 802.11 Frame Structure - MAC header containing source/destination addresses, frame control flags; payload containing encrypted data; FCS (Frame Check Sequence) for integrity; (2) Authentication Process - how devices associate with access points, authentication frames exchanged, encryption negotiation; (3) Encryption Standards - WEP (deprecated), WPA (obsolete), WPA2 (current standard), WPA3 (emerging standard); (4) Channel Management - frequency bands (2.4GHz, 5GHz, 6GHz), channel width (20MHz, 40MHz, 80MHz), interference management; (5) Power Management - how devices communicate sleep schedules preventing unnecessary power drain.

WPA3 Security Concepts

WPA3 addresses WPA2 vulnerabilities: (1) Simultaneous Authentication of Equals (SAE) - replaces WPA2 Pre-Shared Key (PSK) with more robust handshake preventing password brute-force and KRACK attacks; (2) Individualized Data Encryption (OWE) - open networks now support encryption (previously open Wi-Fi = unencrypted); (3) 192-bit Encryption - enterprise WPA3 implements stronger encryption than WPA2; (4) Brute-Force Resistant - failed authentication attempts delayed, preventing high-speed password guessing; (5) Protection Against Key Recovery - even compromised password cannot retrospectively decrypt past traffic.

Rogue Access Point Detection Awareness

Detecting unauthorized access points within enterprise Wi-Fi network: (1) Signature Monitoring - known rogue AP characteristics (MAC address prefixes, firmware versions, beacon characteristics), automated scanning identifies matches; (2) SSID Analysis - suspicious SSID names, duplicate networks with same name (potential evil twin AP), SSID cloaking suspicious; (3) Signal Strength Analysis - unusual signal locations (AP in restricted area), signal strength increasing at certain location indicating rogue; (4) Client Association Monitoring - clients unexpectedly associating with new AP, client count declining on legitimate AP while new AP gains clients; (5) Traffic Pattern Analysis - rogue AP showing unusual traffic characteristics, clients connecting then immediately disconnecting (typical of probe tools).

Wireless Monitoring and Auditing Strategies

Continuous wireless security implementation: (1) Periodic Wireless Surveys - quarterly or semi-annual site surveys walking building perimeter measuring signal strength, identifying coverage gaps, documenting authorized APs; (2) Spectrum Analysis - monitoring 2.4GHz and 5GHz bands for unauthorized transmitters, identifying interference sources affecting performance; (3) Compliance Scanning - automated tools connecting to each AP verifying WPA3/WPA2 enforcement, checking certificate validity, confirming strong password requirements; (4) Penetration Testing - simulated attacks testing Wi-Fi resistance to real-world compromise attempts, identifying misconfigurations before attackers; (5) Client Device Inventory - maintaining database of authorized wireless devices (MAC addresses, usernames), identifying unauthorized devices attempting connection.