Wireless network penetration testing is a critical and often underestimated component of a comprehensive security assessment. While organizations invest heavily in perimeter and endpoint security, the wireless attack surface frequently harbors critical vulnerabilities — from rogue access points operating on the corporate network to WPA2-Personal deployments that can be cracked in hours. This guide covers the full wireless penetration testing methodology, from WPA2 Enterprise authentication analysis to evil-twin attacks and detection strategies.
WPA2-Personal vs WPA2-Enterprise: The Security Gap
WPA2-Personal (Pre-Shared Key, or PSK) uses a single shared password for all clients. This creates two fundamental problems for enterprise environments: first, when the password is compromised (by a departing employee, a guest who overshares, or a device theft), every device using that network must be reconfigured; second, the 4-way handshake captured during client association can be cracked offline with the PSK as the target.
WPA2-Enterprise (802.1X) addresses these problems by using per-user authentication via an EAP (Extensible Authentication Protocol) framework backed by a RADIUS server. Each user authenticates with their own domain credentials, certificate, or token — there is no shared secret to steal. However, the specific EAP method used determines the actual security level.
PMKID Attack Against WPA2-Personal
The PMKID attack, published by Jens Steube in 2018, eliminated the need to capture a 4-way handshake for WPA2-PSK cracking. The PMKID is derived from: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || Client_MAC)
Since the PMK is derived directly from the PSK, capturing a single PMKID from a beacon or association frame is sufficient to attempt offline cracking. Hcxdumptool captures PMKIDs without requiring a client connection:
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
hcxtools/hcxpcapngtool capture.pcapng -o hashes.hc22000
hashcat -m 22000 hashes.hc22000 wordlist.txt -r rules/best64.rule
A strong, random WPA2-PSK of 20+ characters is resistant to dictionary attacks, but many organizations use memorable passphrases that fall to dictionary attacks with mutation rules.
Evil-Twin and Rogue Access Point Attacks
An evil-twin attack deploys a rogue access point broadcasting the same SSID as a legitimate corporate network. Clients deauthenticated from the legitimate AP (via 802.11 deauthentication frame injection, which is unauthenticated in WPA2) will attempt to reconnect and may associate with the evil twin. The attacker then captures connection attempts, performs man-in-the-middle SSL inspection, or attempts credential capture through captive portal pages.
Hostapd-WPE (Wireless Pwnage Edition) is the primary tool for evil-twin attacks against WPA2-Enterprise. It impersonates a RADIUS-authenticated AP and captures EAP authentication exchanges. When clients use PEAP/MSCHAPv2 (the most common EAP deployment in Windows environments), the captured MSCHAPv2 challenge-response can be cracked using asleap or hashcat:
asleap -C <challenge> -R <response> -W wordlist.txt
EAP Downgrade and PEAP/MSCHAPv2 Attacks
PEAP with MSCHAPv2 inner authentication is the dominant WPA2-Enterprise deployment in Windows Active Directory environments because it requires no client-side certificates and integrates directly with domain credentials. However, it has a critical weakness: MSCHAPv2 is based on DES, and cracked MSCHAPv2 challenges can be converted to NTLM hashes for offline cracking or direct pass-the-hash attacks.
Proper PEAP security requires that clients validate the RADIUS server certificate and are configured to only trust the organization's specific CA. Without certificate validation, clients will connect to any server presenting a valid certificate for the configured SSID — exactly what an evil-twin attack exploits. Deploying EAP-TLS (certificate-based client authentication) eliminates the MSCHAPv2 weakness entirely but requires a PKI infrastructure and device certificates for all clients.
WPA3: Improvements and Remaining Considerations
WPA3 (Wi-Fi Protected Access 3) introduces Simultaneous Authentication of Equals (SAE), replacing the WPA2 4-way handshake. SAE is a Diffie-Hellman-based key exchange that is resistant to offline dictionary attacks — captured handshakes cannot be cracked offline because each exchange uses fresh ephemeral keying material. WPA3-Enterprise mandates 192-bit suite B cryptography when in "transition mode."
However, WPA3 deployments face several practical security considerations: WPA3/WPA2 transition mode (needed for backward compatibility) can be targeted with downgrade attacks against legacy clients; some early WPA3 implementations had SAE side-channel vulnerabilities (Dragonblood, CVE-2019-9494); and WPA3 does not address rogue AP attacks where the attacker operates a legitimate WPA3 AP with a spoofed SSID.
Wireless Intrusion Detection Systems (WIDS)
A Wireless IDS monitors the radio frequency environment for indicators of attack: deauthentication frame floods, probe response anomalies, rogue APs broadcasting corporate SSIDs, clients connecting to unknown BSSIDs, and unauthorized channel changes on managed APs. Enterprise wireless platforms (Cisco Catalyst Center, Aruba Central, Juniper Mist) include integrated WIDS functionality.
Key WIDS detection signatures to enable:
- Deauthentication/disassociation flood detection
- Rogue AP detection (unauthorized BSSID broadcasting a managed SSID)
- Evil-twin AP detection (SSID match with MAC address mismatch)
- Ad-hoc network detection
- Client probing for honeypot SSIDs
Organizations without WIDS have no visibility into wireless attacks occurring on or adjacent to their premises. In dense urban environments like Manhattan, the RF environment is particularly complex — neighboring tenants, public WiFi infrastructure, and hundreds of overlapping wireless networks make manual wireless monitoring impractical without dedicated WIDS tooling.
Fortress MSSP assesses wireless security as part of comprehensive network penetration testing engagements. Our wireless assessments include WIDS detection validation, evil-twin attack attempts, EAP methodology review, and rogue AP scanning. Contact us to include wireless assessment in your next security engagement.