

Wireless Attack & Penetration


Wireless Penetration Tests are strategic and isolated attacks against the client’s systems. SecureState consultants will simulate a hacker and attempt to identify, exploit, and further penetrate weaknesses within wireless systems. Our Staff Members can attack many different types of wireless protocols, including 802.11, Bluetooth, and RF, and can conduct detailed spectrum analysis as well. Our ultimate goal is to gain as much unrestricted access to sensitive information as possible, including administrative-level rights, full enable access over routers and switches, and access to sensitive data. Wireless Penetration Tests will evaluate risk related to potential access of your wireless network. SecureState will identify access points and devices from various areas located outside and within the facilities. A concept called “war-driving” allows attackers to use automobiles to collect sensitive information from far distances and attack key systems. SecureState will conduct simulations utilizing war-driving, and will perform an onsite Internal Attack and Penetration Test if the wireless network is breached.

  • Wireless Penetration Tests evaluate the risk related to potential access to your wireless network
  • Wireless access points provide a simple way for hackers to penetrate your internal network
  • SecureState has created cutting-edge, open-source tools to test the security of wireless networks
  • SecureState can attack many different wireless protocols including: 802.11, Bluetooth and RF (Radio Frequency)

Wireless Attack and Penetration


Wireless access points provide a simple way for hackers to penetrate your internal network. Either by sitting in a parking lot, or driving around a facility or complex, wireless hackers can find ways to get into your network. A Wireless Attack & Penetration Test will identify vulnerabilities and offer advice for hardening and remediation.


SecureState has created cutting-edge, open-source tools to test the security of wireless networks. Our tools are used by security assessors and penetration testers in the security industry. One of these is the EAPeak Suite, which provides penetration testers with useful information relating to the security of the wireless network while they search for vulnerabilities. Our experienced staff members regularly write blogs and speak on our wireless tools and wireless security research at national and worldwide security conferences, including ToorCon and Black Hat Europe.

Did You Know?

  • Vulnerable wireless networks can leave your company open to attack
  • A Wireless Penetration Test quickly becomes an Internal Penetration Test if the wireless network is breached
  • Wireless Penetration Tests should be conducted annually to keep up with the ever-changing threats to wireless networks
  • SecureState creates tools to test wireless networks that are used by penetration testers from all over the world

Our Approach and Methodology

The SecureState Profiling Team is well known and highly regarded as experts in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment and accurately mitigate identified vulnerabilities. The Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. SecureState's Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement Interactions:

In this phase, SecureState works with the client to establish the rules of engagement and the scope, and to exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.

Phase II – Information Gathering:

Our approach first maps the accessible network by finding responsive or “alive” access points and identifying them as client property. Directional antennas can determine where they are located. Once this list has been determined and approved by the client, key targets (APs) are selected for attack, and we then find as much information as possible without transmitting a single packet. IDS/IPS evasion is extremely easy at this level. Clear-text transmissions can be sniffed and reassembled to analyze what users are viewing in real time.

Phase III – Attack & Penetration:

During this process, SecureState attempts several attacks, either bypassing or cracking security mechanisms in order to gain full access to the wireless access point. Some of these attacks can include:

  • Man in the Middle – Perform an attack that routes all communications through our machine and then to the access point without user knowledge.
  • Brute Force – Attack passwords utilizing a 1.3 terabyte rainbow table database.
  • Session Hijacking – Performing a Denial of Service attack on a client and “jacking” his session allows access to the network and bypasses encryption standards.
  • Mass De-Authentication – Performing a mass de-authentication of all associated clients forces re-association and broadcasting of usernames and passwords.

Phase IV – Client Side Attacks:

As wireless infrastructures become more secure, attackers are now focusing their attention on wireless clients. To test if these attacks will be successful against your organization, SecureState attempts a number of client-side attacks against the wireless configuration service used by your organization.

If your network is using WPA or WPA2 Enterprise authentication, SecureState will perform tests against the 802.1X supplicant. These tests will determine if the supplicant is properly configured. During the supplicant attacks, our Team Members will attempt to capture and crack the credentials used to access networks using Enterprise Authentication.

Phase V – Entering the Network:

Once unrestricted access has been gained, an assessment is performed on what systems the access point is connected through. Hosts are identified through the wireless access point to determine the size of the network and the hosts associated with this network.

Phase VI – Vulnerability Discovery:

SecureState employs a variety of Vulnerability Assessment tools, both manual and automated, to perform an attack and penetration. This entails taking the detailed list compiled in Phase IV and then running an assessment against it to determine vulnerabilities.

Phase VII – Exploitation and Data Capture:

SecureState will further progress into the network as exploits and vulnerabilities become available. We perform exploits to validate proof of concept and to determine the extent of the vulnerability. SecureState applies the Vulnerability Linkage Theory, which is the practice of linking multiple vulnerabilities together in order to create higher risk vulnerabilities on the system. This process is extremely effective and is performed from a hacker’s perspective.

While the attack and penetration progresses, all packets are being captured for future analysis. Data Analysis is performed to determine what traffic is being broadcast over your wireless network, including sniffing for usernames, passwords, and credit card information. A complete packet reconstruction of all network traffic can be performed utilizing state-of-the-art reconstruction tools provided upon request.

Phase VIII – Post Exploitation:

The Post Exploitation Phase includes pillaging, penetrating further into the network, and documenting and removing any remains from SecureState’s testing on the client’s systems.

Phase IX – Reporting:

As part of the deliverable, SecureState provides a report which contains a short, graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed at technical staff. Additionally, SecureState will provide a closing call and a high-level executive presentation to summarize the penetration test, as well as an opportunity to ask questions about the engagement.


What Makes Us Different

  • Demonstrates our tools to clients during Wireless Attack & Penetration Tests
  • Publishes our own Exploits, Zero Days and Tools to the Information Security Community
  • Profiling Team members are known as experts in Wireless Security worldwide
  • Profiling Team members are frequent speakers at national and worldwide security and hacking conferences such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Provides a secure, two-factor authentication web portal for access to PCI Wireless Assessment results
  • Follows industry-standard testing methodologies and vulnerability-rating systems