Wireless Penetration Test

A wireless penetration test is essential. Wireless networks are a convenient method for staff and others to access your network. As they can often be reached from outside of your premises, wireless networks can introduce significant risk.

Wireless networks are the least tested, highest risk networks within the majority of organisations. WiFi is widely used by laptops, printers, smartphones, tablets and IoT devices within organisations. It is often deployed to cover general office space, meeting rooms, secure areas and reception spaces, and often even reaches outside of buildings into public spaces. Incorrectly configured WiFi networks can put sensitive data at risk, as the data can sometimes be exposed to unauthorised devices or eavesdroppers. But it is not just the WiFi networks that present risks. IoT devices and WiFi-enabled systems expand and extend WiFi networks without the administrators being aware. Good regular penetration testing is essential, and where wireless is involved, wireless penetration testing should be included.

Unsecured wireless access points, default configured IoT devices and WiFi-enabled core systems all present a significant security risk to an organisation’s data. The risk of data leakage, and of attackers gaining access to corporate networks from outside of the physical office space, is increased. Even the boardroom TVs can be attacked wirelessly. Targeted and persistent attacks from actors such as APTs against corporate wireless users are also on the rise. Attackers have been seen to set up a rogue access point in an adjacent office or car park, in an attempt to coerce users into connecting to their malicious access point instead of the legitimate access point in their office space.

Typical vulnerabilities that are often found in wireless networks include:

  • Easily-guessable user credentials or Pre-Shared Keys (PSK) meaning attackers can guess login details and connect to your network from the car park
  • Poor segregation between wireless clients potentially allows visitors to connect to your employees’ wireless devices
  • Lack of network segregation between different wireless networks (SSIDs) allowing less secure guest networks to connect to internal networks that you thought were protected
  • Sensitive information exposure resulting in data theft or the failure of a compliance audit
  • Weak network traffic encryption allowing attackers to read network traffic remotely
  • Wireless clients are susceptible to rogue wireless access points controlled by an attacker resulting in credential theft or data loss
  • Unexpected or undocumented wireless devices connected to the network
  • Antenna for hire botnets are on the increase

Our wireless penetration test service will assist you in identifying the level of access that a malicious user could achieve if they have been able to position themselves within range of your organisation’s wireless access points.

How a wireless penetration test works

Depending on the types of wireless networks in use, our consultants will use a combination of automated and manual testing, with the goal of achieving network connectivity to your organisation’s network through vulnerabilities that may be present.

Our typical methodology for a Wireless Network Penetration Test includes the following:

  1. Identifying weak encryption protocols
  2. Capturing authentication handshakes
  3. Cracking Pre-Shared Keys (PSK) to allow remote access
  4. Identifying rogue access points that may have been planted inside the organisation’s building(s)
  5. Authentication attacks against wireless devices and the organisation’s Access Points (APs)
  6. Identifying information disclosure when wireless clients connect to your network
  7. Certificate spoofing attacks
  8. Identifying unconfigured or unsecured IoT devices that can be Wi-Fi hijacked

During the assessment, our consultancy team can deploy rogue wireless access points throughout your organisation, which will be used to try and coerce employees into connecting to them. These may be configured with SSIDs such as “Free Wireless Hotspot” in an attempt to get users to connect to these instead of the corporate network. In the event of a user connecting to one of these rogue access points, we can attempt to further the attack on the workstation and then potentially onto the corporate domain.

For wireless networks that use WPA-Enterprise authentication, a configuration review will be performed on a sample wireless client (such as a laptop), as weaknesses in WPA-Enterprise authentication are not always apparent from passive information gathering.

Engagement prerequisites

  • A signed & completed Testing Consent Form
  • List of wireless SSIDs to be tested.
  • If network segregation testing is to be performed, we will need the IP address ranges that you would like us to ensure are segregated from the wireless network.
  • An up-to-date network diagram showing both the wireless and wired networks
  • If a wireless controller is in scope of testing, we will need the IP address of the controller and credentials that we can access it with. This can be a read-only account providing the account will allow us to inspect all areas of the controller.
  • If a WPA-Enterprise network is in scope of testing, we will need a corporate laptop or device that we can access with administrative rights in order to check the configuration.
  • An office location which is in range of the wireless networks to be tested.
  • Ensure that any Intrusion Prevention Systems have been disabled or Hedgehog’s IP range ( to is white-listed for the duration of the test

Engagement deliverables

Engaging with Hedgehog Security for your Wireless Penetration Test will provide you with the following:

Pre-engagement support

Prior to your test commencing, our penetration tester(s) will discuss the scope of work with you, so that a full understanding is obtained of what your Internet-facing network services are used for. This not only allows the test to run more efficiently but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.

During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your infrastructure or any evidence in our results that may indicate a security breach may have already taken place.


Once the penetration test has been completed, you will be provided with the following:

Comprehensive Technical Report

Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities contain a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.

Technical References

Where applicable, we provide additional reference URLs for each vulnerability, so that further information on the vulnerabilities can be obtained from reputable sources of technical information.

Risk-Based Approach with CVSS Scoring

A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.

Secure & Encrypted Test Portal

Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure test portal. Our portal is highly encrypted and is tested on a regular basis.

After Care

Once our engagement is complete and our final report has been delivered to you, our penetration testing team will remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.

We pride ourselves in partnering with our customers to provide ad-hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.

We are committed to ensuring that, as our customer, you receive the utmost value out of our consultancy services, and we look forward to developing a long-lasting business relationship with you.

Conference Call

Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.

A conference call is suitable for both management and technical staff and provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and technical staff who may be tasked with applying the recommended course of action.

Free 14-Day Retest

With the testing being conducted remotely, we include a free retest of all issues identified in the report, providing they are mitigated within 14 days of the report being issued. This allows you time to take corrective action and ensures that your efforts have been successful in mitigating the vulnerabilities.
