What to Expect with a Raxis Wireless Penetration Test

Although social engineering attacks – including phishing, vishing, and smishing – are the most popular and reliable ways to gain unauthorized access to a network, some hackers simply don’t have the social or communications skills necessary to perform those attacks effectively. Wireless attacks, by contrast, are typically low-risk, high-reward opportunities that don’t often require direct interaction with the target.

That’s one reason why pentesting for wireless networks is one of Raxis’ most sought-after services. We have the expertise and tools to attack you in the same ways a real hacker will. In fact, I’ve successfully breached corporate networks from their parking lots, using inexpensive equipment, relatively simple techniques, and by attacking devices you might never suspect.

To appreciate how we test wireless networks, remember that wireless simply means sending radio signals from one device to another. The problem with that is that no matter how small the gap between them, there’s always room for a hacker to set up shop unless the network is properly secured.

So, if Raxis comes onsite to test your wireless network, the first thing we will likely do is map your network. This is a mostly passive activity in which we see how far away from your building the wireless signal travels normally. But we also have inexpensive directional antennas that allow us to access it from further away if we need to be stealthier.

Using an easily accessible aircrack-ng toolkit, we can monitor and capture traffic from wireless devices as well as send our own instructions to others that are unprotected. (I’ll go into more detail about that in a moment.)

As we establish the wireless network’s boundaries, we also determine whether there are guest networks or even open networks in use. Open networks, as the name implies, require no special permission to access. Even on controlled guest networks, we can usually get in with little effort if weak passwords are used or the same ones reused. Once we’re in as a guest, we’ll pivot to see if we can gain unauthorized access to other areas or other users’ data.

While this is going on, we will often set up a rogue access point, essentially just an unauthorized router that passes traffic to the internet. If the network is configured properly, it should detect this access point and prevent network traffic from accessing it. If not, however, we can capture the credentials of users who log into our device using a man-in-the-middle attack.

Scottie with a directional wireless antenna

Our primary goal here is to capture usernames and password hashes, the characters that represent the password after it has been encrypted. In rare cases, we’re able to simply “pass the hash” and gain access by sending the encrypted data to the network server.

Most networks are configured to prevent this technique and force us to use a tool to try to crack the encryption. Such tools – again, readily available and inexpensive – can guess more than 300 billion combinations per second. So, if you’re using a short, simple password, we’ll have it in a heartbeat. Use one that’s more complex and it may take longer or we might never crack it.

If a network isn’t properly secured, however, we might be able to find a way in that doesn’t require a password. Many people who use wireless mice and keyboards, for example, don’t realize that we can sometimes intercept those signals as well. For non-Bluetooth devices, we can use our aircrack-ng tools to execute commands from a user’s (already logged-in) device.

As a proof of concept, we sometimes change screensavers or backgrounds so that network admins can see which devices are vulnerable. However, we can also press the attack and see if we’re able to pivot and gain additional access.

The good news for business owners is that there are simple methods to protect against all these attacks:

  • Never create an open network. The convenience does not justify the security risk.
  • If you have a guest network, make sure that it is not connected to the corporate network and that users are unable to access data from any others who may also be using it.
  • Use the latest wireless security protocol (WPA3) if possible.
  • If you’re using WPA2 Enterprise, make sure the network is requiring TLS and certificates.
  • If you’re using WPA3 Personal, make sure your password is at least 30 characters long. (That’s not a typo – 30 characters is still out of reach for most hash-cracking software.)

Here’s the most important piece of advice: Test your network regularly. New exploits are found every day, and hackers’ tools get better, faster, and cheaper every day. The only way to stay ahead of them is with professionals like us who live in their world every day.

And, trust me, you’d much rather have Raxis find your vulnerabilities than the bad guys.

Raxis X logo as document separator
You See a Wireless Mouse. We see an easy way in.