September 19, 2023

Wireless penetration testing – From guest Wi-Fi to domain admin in 20 minutes

Jonathan Onyeaka highlights the security risks within guest wireless networks, demonstrating via a real-life case study how quickly a threat actor can take advantage of common misconfigurations to walk themselves 'through the door'

A common issue identified while performing a penetration test for new clients is multiple misconfigurations within their wireless (Wi-Fi) network. It is common for an organisation to have three main types of wireless networks: Corporate, Staff and Guest. One of the most significant risks to a business is when these networks are not sufficiently isolated or segmented from each other.

Network isolation and segmentation are two areas that should be reviewed during a wireless network engagement to ensure that the correct security measures are in place to protect the confidentiality of data. If not configured correctly, a threat actor could gain unauthorised access to an organisation's resources or assets by accessing the wireless network by performing Pre-Shared Key (PSK) attacks or simply obtaining the wireless network password.

What is network isolation?

Network isolation, also called AP/client/SSID isolation, prevents users connected to a wireless network from communicating with other devices in the same wireless network (SSID) as computers and servers in the wired network. If network isolation is not configured correctly and a wireless network is compromised, a threat actor could pivot through the network by accessing and compromising other devices visible on the same wireless network.

What is network segmentation?

Network segmentation is an architectural approach separating a network into segments or subnets, acting as multiple small networks. Segmentation enhances security because traffic between each segmented network can be controlled, and rules can be enforced to stop all traffic in one segment from reaching another, or traffic flow can be controlled by traffic type, source, destination, and many other options. An organisation can use segmentation to ensure that someone connected to the guest wireless network does not have access to corporate assets on the corporate network.

Case study - From guest Wi-Fi to domain administrator in 20 minutes

During a penetration test, a consultant was tasked with assessing the security of multiple wireless networks, which included a corporate wireless network, two staff networks and a guest network. One of the objectives of the assessment was to test the staff and guest networks to ensure they could not access corporate assets. The security of a guest Wi-Fi is paramount because they typically offer free rein for anyone; if it isn't segmented from other networks, anyone can walk in and access business-critical stuff. The risk increases as a malicious threat actor can use antennas to access wireless networks over a greater distance, meaning they could connect to these networks from a car park or a more disclosed position.

While testing the guest wireless network, the consultant performed reconnaissance to discover which hosts on the same network they could communicate with, which uncovered the first vulnerability: lack of network segmentation. The misconfigured guest Wi-F could communicate with multiple servers on the corporate network. Therefore, the consultant exploited misconfigurations to gain a list of active directory users and performed password-spraying attacks where numerous user accounts were compromised.

Due to network isolation also not being correctly configured on the network, the consultant tested the compromised credentials on devices connected to the guest network and managed to gain local administrator access on a host. With local administrator access, the consultant could dump cached credentials where some plain text passwords were found and run through additional active directory password spraying attacks, in which two domain administrator service accounts were compromised.  

Concerned that your guest wireless network might be putting your corporate assets at risk? Talk to one of our experts today - contact Ciaran Mullen

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch