Wireless (WiFi) Penetration Testing: WPA2/WPA3, Evil Twin, PMKID and Protection
Corporate WiFi is often the weakest link in external security: reachable from outside the building, yet it opens a door to the entire internal network. We explain WPA2 and WPA3 attacks (KRACK, Dragonblood, PMKID, deauth), Evil Twin and rogue access-point scenarios, enterprise 802.1X testing and protection, with sources and in depth.
Quick answer: Wireless penetration testing measures whether a company's WiFi infrastructure can be taken over from outside, without ever touching a physical cable. The attack surface crosses the building's walls: from a parking lot or street an attacker can crack the password, deceive users with a rogue access point (Evil Twin) or exploit enterprise 802.1X misconfigurations. Known attacks include KRACK and PMKID on WPA2 and Dragonblood on WPA3; deauthentication and Evil Twin target the human factor. Protection is built with WPA3, Protected Management Frames, strong passwords, properly certificate-validated 802.1X and rogue-AP detection.
While companies invest in external security, WiFi is often overlooked, yet the wireless network is a surface reachable from outside the building that opens a door straight into the internal network. If an attacker cracks the WiFi password from a parking lot without touching a cable, they are already on the internal network, and the scenario covered in this article's companion piece on Active Directory and internal network penetration testing begins. NIST's WLAN security guide (SP 800-153) offers recommendations for configuration security and continuous monitoring of wireless networks, but for current encryption it should be read together with the Wi-Fi Alliance WPA3 specification.
What wireless testing measures
The test probes three main axes. First, encryption resilience: whether the WPA2 or WPA3 password can be cracked offline. Second, the human factor: whether a rogue access point can deceive users and collect credentials. Third, enterprise configuration: exploiting certificate-validation and client-configuration errors on networks using 802.1X. The test also covers the separation between guest and corporate networks, network segmentation and paths from WiFi into the internal network.
WPA2 attacks
PMKID: clientless password cracking
Classic WPA2 password cracking used to require capturing the four-way handshake a client produces when joining the network. The PMKID attack disclosed by Hashcat developer Jens Steube in 2018 changed this: the attacker captures the PMKID value from a single EAPOL frame, the first handshake message the access point sends, and cracks it offline, with no connected client or full handshake needed. This greatly simplified the workflow (capture with hcxdumptool, crack with hashcat) and is a serious risk for corporate WiFi with weak passwords.
KRACK: the WPA2 handshake flaw
KRACK (Key Reinstallation Attacks), disclosed by Mathy Vanhoef in 2017, replays messages of WPA2's four-way handshake so that the client reinstalls an already-in-use key and resets its nonce, which lets an attacker decrypt traffic. Older Android and Linux clients were especially vulnerable. Environments with unpatched devices are tested for this.
WPA3 attacks: Dragonblood
WPA3 provides stronger authentication than WPA2 and protection against offline password guessing; it is mandatory for new Wi-Fi CERTIFIED devices and enforces Protected Management Frames. However, the Dragonblood vulnerabilities disclosed by Mathy Vanhoef and Eyal Ronen in 2019 showed that WPA3's SAE (Dragonfly) handshake can be open to password-partitioning attacks via timing and cache-based side channels (CVE-2019-9494, CVE-2019-13377). WPA3 is more secure, but unpatched implementations and backward WPA2 compatibility (transition mode) introduce new risks; the test checks these.
Evil Twin, rogue AP and deauthentication
The most effective wireless attacks do not break encryption; they deceive people. The attacker sets up a rogue access point (Evil Twin) with the same name (SSID) as the company network. With deauthentication frames they drop users off the real network; this is easy on networks without Protected Management Frames. When users connect to the rogue network, a captive portal harvests WiFi or corporate passwords. This scenario is where wireless testing intersects with phishing and social engineering simulation, and it tests human awareness. The Aircrack-ng suite is a complete toolkit for assessing wireless security, including monitoring, deauth, injection and WPA-PSK cracking.
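From the defender's side, this scenario leaves two indicators on the air: a beacon carrying the corporate SSID from a BSSID the organisation does not own, and a burst of broadcast deauthentication frames spoofing the real access point. The following is an added example, not code from the original article or from Aircrack-ng; the frame records, the allowlist, the field layout and the thresholds are constructed assumptions, standing in for what a wireless IDS or a monitor-mode capture exporter would provide.

```python
from collections import defaultdict, deque

# Constructed allowlist: corporate SSID -> BSSIDs of the access points we own.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed frame summaries: (time_s, type, src_bssid, dst, ssid, security).
# The deauth burst carries the real AP's BSSID as source, as spoofed frames do.
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", BCAST, "CorpWiFi", "WPA2-PSK"),
    (0.1, "beacon", "aa:bb:cc:00:00:02", BCAST, "CorpWiFi", "WPA2-PSK"),
    (0.2, "beacon", "de:ad:be:ef:00:01", BCAST, "CorpWiFi", "OPEN"),
    (0.3, "beacon", "aa:bb:cc:00:00:03", BCAST, "Guest", "WPA2-PSK"),
] + [(1.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", BCAST, "", "")
     for i in range(40)]


def detect_rogue_aps(frames, authorized):
    """Beacons advertising a protected SSID from a BSSID we do not own."""
    alerts, seen = [], set()
    for _, ftype, bssid, _, ssid, security in frames:
        if ftype != "beacon" or ssid not in authorized:
            continue
        if bssid not in authorized[ssid] and (ssid, bssid) not in seen:
            seen.add((ssid, bssid))
            alerts.append({"ssid": ssid, "bssid": bssid, "security": security})
    return alerts


def detect_deauth_floods(frames, window_s=10.0, threshold=20):
    """Sources sending more than `threshold` deauth frames inside `window_s`."""
    recent = defaultdict(deque)  # src -> timestamps inside the sliding window
    flagged = {}
    for t, ftype, src, dst, _, _ in frames:
        if ftype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = {"count": len(q), "broadcast": dst == BCAST}
    return flagged


if __name__ == "__main__":
    print(detect_rogue_aps(FRAMES, AUTHORIZED))
    print(detect_deauth_floods(FRAMES))
```

The rogue-AP check also reports the advertised security so an open network wearing the corporate SSID stands out; the flood check keys on the source address, since a spoofed deauth shows the legitimate AP as sender.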
Enterprise WiFi: 802.1X testing
Large organizations use 802.1X (WPA2/WPA3-Enterprise) instead of a shared password; each user authenticates with their own credential or certificate. The most common error here is clients not properly validating the server certificate: in that case the attacker can stand up a rogue RADIUS server and harvest corporate credentials. The test probes client configuration, certificate validation and EAP method security.
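To make the certificate-validation error concrete, here is an added example (not from the original article, and not wpa_supplicant's own code) that lints a client-side wpa_supplicant network block: a weak PEAP block beside its hardened form, with a small checker that reports the settings a rogue RADIUS server would exploit. The SSID, identity, CA path and server name are constructed placeholders; the parameter names are real wpa_supplicant ones.

```python
import re

# Constructed client-side 802.1X (PEAP) blocks in wpa_supplicant syntax: the
# weak one is the misconfiguration described above, the hardened one pins the
# corporate CA and the RADIUS server name and requires management-frame protection.
WEAK = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
"""
HARDENED = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    identity="alice"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_network_block(text):
    """Collect key=value parameters from one network={...} block."""
    params = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m and m.group(1) != "network":
            params[m.group(1)] = m.group(2)
    return params

def lint_network_block(text):
    """Return (parameter, problem) pairs that would let a rogue RADIUS server succeed."""
    p = parse_network_block(text)
    findings = []
    if "ca_cert" not in p:
        findings.append(("ca_cert", "server certificate is not validated at all"))
    elif not any(k in p for k in NAME_CHECKS):
        findings.append(("domain_match", "any certificate from that CA is accepted"))
    if p.get("ieee80211w") != "2":
        findings.append(("ieee80211w", "management-frame protection not required"))
    return findings
```

The second finding matters as much as the first: pinning a public CA without a server-name match still accepts any certificate that CA has issued.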
Protection
- WPA3 and Protected Management Frames. Use WPA3 wherever possible and enforce management-frame protection; this makes deauthentication and Evil Twin attacks harder.
- Strong, long passwords. On WPA2/WPA3-Personal networks, long random passwords make PMKID and offline cracking practically impossible.
- Properly configured 802.1X. On enterprise networks ensure clients strictly validate the server certificate; this closes the rogue RADIUS attack.
- Network segmentation. Fully separate guest WiFi from the corporate network; segmentation prevents an attacker who reaches WiFi from moving into the internal network.
- Rogue AP detection and continuous monitoring. Monitor for same-SSID rogue access points with wireless intrusion detection.
- Patching. Keep client and infrastructure devices current against known vulnerabilities such as KRACK and Dragonblood.
How we work at DSET
We run wireless tests in an authorized way with scope, physical location and time window defined in writing; for the legal framework see the penetration testing contract and legal authorization. For our methodology see the PTES seven stages.
Frequently Asked Questions
Do you need to come to the office for a WiFi test? Yes, wireless testing requires physical proximity; the team tests from around and inside the building within the defined scope.
We use WPA3, are we safe? WPA3 is a major improvement but not absolute; transition mode, unpatched implementations and 802.1X misconfigurations still carry risk. The test verifies these.
Will the test disrupt the network? Techniques such as deauthentication are applied in a controlled way within scope; tests requiring broad disruption are done with written approval and a suitable window.
Sources
- Wi-Fi Alliance, security and WPA3: https://www.wi-fi.org/discover-wi-fi/security
- Dragonblood, WPA3 vulnerabilities (Vanhoef, Ronen): https://wpa3.mathyvanhoef.com/
- KRACK, WPA2 handshake attack (Vanhoef): https://www.krackattacks.com/
- Aircrack-ng: https://www.aircrack-ng.org/
- PMKID clientless attack (Hashcat, Steube): https://hashcat.net/forum/thread-7717.html
- NIST SP 800-153, WLAN security guide: https://csrc.nist.gov/pubs/sp/800/153/final
To prove whether your corporate WiFi can be taken over from outside, contact DSET.