Wireless networks are consistently underestimated as an initial access vector. Organisations pour budget into perimeter firewalls and endpoint protection while leaving their 802.11 estate largely unaudited. In our wireless penetration testing engagements across Toronto and beyond, we repeatedly find that a single rogue access point or a weak PSK is enough to land an attacker squarely inside a corporate network — no phishing required, no VPN to defeat. This post details the full attack surface we assess and what we consistently find in the field.
Why Wireless Is Still a Reliable Entry Point
The assumption that WPA2 Enterprise deployments are "secure enough" leads many organisations to skip wireless assessments entirely. That assumption is wrong. Even where protocol-level security is sound, deployment mistakes — mixed-mode networks, legacy SSID coexistence, weak EAP configurations, and permissive guest networks bridged to internal segments — consistently provide viable attack paths.
Beyond configuration errors, the physical reality of RF propagation means that corporate SSIDs frequently bleed into public spaces: lobbies, car parks, adjacent buildings. An adversary with a directional antenna and 30 minutes of patience can capture authentication material from the pavement outside your office without ever entering the premises. The attack surface is larger than most network diagrams reflect.
- Mixed WPA2/WPA3 transition mode networks expose WPA2 downgrade paths
- Guest networks bridged or poorly segmented from corporate VLANs
- Legacy SSIDs maintained for compatibility that use weaker security settings
- RADIUS servers with permissive EAP method negotiation
- Wireless controllers with default credentials or unpatched firmware
- RF coverage extending far beyond physical premises
WPA2 PSK Cracking and PMKID Capture
WPA2 Pre-Shared Key networks remain common in branch offices, retail environments, and smaller enterprise deployments. The classic attack — capturing a four-way handshake by de-authenticating a connected client — is well understood, but many practitioners are less familiar with the PMKID attack introduced by Jens Steube in 2018, which eliminates the need to wait for or force a client reconnection.
The PMKID is derived from the PMK, the SSID, and the MAC addresses of the AP and client. Critically, it is transmitted in the first EAPOL frame of the handshake, meaning a single frame from the AP is sufficient to begin an offline dictionary attack — no connected client required. In practice this dramatically reduces dwell time during the assessment.
# Put the wireless interface into monitor mode
airmon-ng start wlan0
# Capture PMKID directly from the AP without waiting for a client
hcxdumptool -i wlan0mon --enable_status=1 -o capture.pcapng
# Convert the capture to hashcat format
hcxpcapngtool -o hashes.hc22000 capture.pcapng
# Run dictionary attack with hashcat (mode 22000 covers both PMKID and EAPOL)
hashcat -m 22000 hashes.hc22000 /usr/share/wordlists/rockyou.txt -r rules/best64.ruleAgainst a GPU-equipped cracking rig, an 8-character mixed-case alphanumeric PSK will typically fall within hours when subjected to rule-based mutation. Passphrases below 15 characters that are based on dictionary words or company names are reliably cracked. We have recovered PSKs derived from company names, street addresses, and phone numbers in under ten minutes on engagements — information trivially obtained through OSINT prior to the on-site assessment.
For traditional handshake capture, the workflow remains effective:
# Identify target network and channel
airodump-ng wlan0mon
# Focus capture on the target BSSID and channel
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
# De-authenticate a connected client to force reauthentication
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Crack the captured handshake
aircrack-ng handshake-01.cap -w /usr/share/wordlists/rockyou.txtWPA3 Dragonfly Handshake Weaknesses
WPA3 replaced the PSK authentication model with SAE — Simultaneous Authentication of Equals — based on the Dragonfly key exchange. The design goal was to eliminate offline dictionary attacks by ensuring that each authentication attempt requires an online interaction with the AP, making brute-force impractical at scale. The protocol achieved this goal, but it introduced a different class of vulnerabilities during its early deployment lifecycle.
The Dragonblood vulnerabilities disclosed by Mathy Vanhoef and Eyal Ronen in 2019 demonstrated multiple implementation-level weaknesses. Side-channel attacks — timing differences and cache-based observations during the hunting-and-pecking algorithm — allowed partial offline key recovery. Downgrade attacks exploiting transition mode (networks advertising both WPA2 and WPA3) allowed an adversary to force clients to authenticate via WPA2, restoring offline crackability. Denial-of-service via commit frame flooding was also demonstrated, consuming AP resources without rate limiting.
In 2025 enterprise environments, fully patched WPA3-only deployments have addressed the Dragonblood implementation flaws. The residual risk we focus on in assessments is the transition mode downgrade. Where an SSID is advertised in WPA3 Transition Mode, any client that falls back to WPA2 for any reason is immediately subject to PMKID and handshake capture. Transition mode is the default deployment stance for most enterprise wireless controllers because it maintains compatibility with WPA2-only clients — meaning the majority of "WPA3" deployments in the field are not WPA3-only.
# Confirm transition mode operation via beacon frame inspection
tshark -i wlan0mon -Y "wlan.fc.type_subtype == 8" \
-T fields -e wlan.sa -e wlan_mgt.rsn.akms.type 2>/dev/null | \
grep -E "AA:BB:CC:DD:EE:FF"
# AKM suite type 2 = WPA2-PSK, type 8 = SAE (WPA3)
# Both present confirms transition mode — WPA2 downgrade is viableEvil Twin and Rogue Access Point Deployment
An evil twin attack deploys an access point impersonating a legitimate corporate SSID, then either de-authenticates clients from the genuine AP or relies on clients probing for known networks to capture their association. The technique is effective against both WPA2 PSK networks (harvesting handshakes for offline cracking) and open/captive portal environments (intercepting credentials submitted to fake login pages). Against EAP-based networks, a more sophisticated variant intercepts RADIUS authentication to capture hashed credentials.
We use hostapd-wpe for enterprise evil twin deployments. The tool extends hostapd with credential logging for multiple EAP types — MSCHAPv2, LEAP, TTLS/PAP, and others — making it the practical standard for wireless EAP interception assessments.
# Install hostapd-wpe (Kali Linux)
apt install hostapd-wpe
# Minimal hostapd-wpe configuration for EAP credential capture
# /etc/hostapd-wpe/hostapd-wpe.conf
interface=wlan1
ssid=CorporateWiFi
channel=6
hw_mode=g
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/certs/dh
# Launch the rogue AP
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.confWhen a client authenticates to the rogue AP, hostapd-wpe logs the captured EAP identity and MSCHAPv2 challenge/response. The NetNTLMv1 or NetNTLMv2 material can be fed directly into hashcat for offline cracking or relayed in an NTLM relay attack if the account is used elsewhere on the network.
# hostapd-wpe output — captured MSCHAPv2 credential
mschapv2: Thu Aug 4 09:17:42 2025
username: CORP\jsmith
challenge: 4a:3b:2c:1d:0e:ff:ee:dd
response: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11
# Crack with hashcat (mode 5500 = NetNTLMv1, mode 5600 = NetNTLMv2)
hashcat -m 5500 "CORP\\jsmith::::4a3b2c1d0effeeaa:aabbccddeeff00112233445566778899aabbccddeeff0011" \
/usr/share/wordlists/rockyou.txtRADIUS and EAP Credential Interception
WPA2 Enterprise networks delegate authentication to a RADIUS server using the IEEE 802.1X framework. The security of this model depends entirely on clients correctly validating the RADIUS server certificate. If a client is configured to accept any certificate, or to accept certificates from any CA without verifying the server identity, it will authenticate to a rogue AP presenting a self-signed certificate — handing over credentials to an attacker.
This is the single most common and impactful finding in our wireless enterprise assessments. The misconfiguration is pervasive because many mobile device management platforms and IT administrators configure 802.1X supplicants without enabling server certificate validation, reasoning that it complicates deployment. The consequence is that every device on the network is vulnerable to evil twin credential capture from anyone within RF range.
The EAP methods in use also determine the severity of the captured material:
- PEAP-MSCHAPv2: Most common. Inner credentials are domain username and password hash. Crackable offline. Directly relay-able via NTLM relay.
- EAP-TTLS/PAP: Credentials transmitted in cleartext inside the TLS tunnel. If the tunnel terminates at the rogue AP, credentials are immediately readable.
- EAP-TLS: Certificate-based mutual authentication. Not directly vulnerable to credential capture — but weak certificate issuance practices or improperly protected private keys can still expose the deployment.
- LEAP: Legacy Cisco protocol. Cryptographically broken. Should not appear in any modern network, but we still encounter it in environments with Cisco legacy infrastructure.
We verify client validation behaviour using a rogue AP with a mismatched certificate. If the client authenticates, the finding is confirmed. We document every supplicant configuration encountered during the assessment and note whether per-device certificate pinning is enforced via MDM.
Wireless Segmentation Testing
Gaining wireless association is frequently only the first step. The subsequent question is: what can a wireless client reach? We test wireless segmentation rigorously because misconfigured guest VLANs and flat wireless architectures that place wireless clients in the same broadcast domain as wired servers are among the most common and highest-impact findings we document.
Our wireless segmentation testing methodology covers the following:
- Inter-SSID routing: Can a client on the guest SSID reach RFC 1918 space served by the corporate SSID? We test with explicit connection attempts across SSID VLAN boundaries.
- Wireless controller management plane exposure: Is the wireless controller admin interface reachable from a client SSID? We regularly find Cisco WLC, Aruba, and Fortinet management interfaces accessible from guest networks.
- AP management VLAN exposure: The AP management VLAN is often on the same subnet as infrastructure. A client who can route to it can attempt to authenticate to the AP itself.
- DHCP scope analysis: Default gateway, DNS server, and scope options reveal which network a wireless client has been placed in. This is a fast check that frequently reveals flat deployments.
- DNS rebinding and captive portal bypass: Guest networks with captive portals can often be bypassed via DNS tunnelling (iodine) or by exploiting split-horizon DNS misconfigurations.
# Quick segmentation check from a connected wireless client
# Check default gateway and routing table
ip route show
# Probe corporate RFC 1918 ranges from guest SSID
nmap -sn 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 --exclude $(ip route | grep default | awk '{print $3}')
# Attempt to reach the wireless controller management interface
# Common defaults: 192.168.1.1, 10.0.0.1, subnet .1 or .254
curl -sk https://192.168.1.1/ | grep -i "login\|controller\|aruba\|cisco\|fortinet"In one engagement at a multi-tenant office building in Toronto, we associated to the guest SSID of a financial services client and found direct L3 routing to their primary server VLAN — the same network hosting their file servers and an unpatched ESXi host. The guest wireless network had been migrated to a new controller six months prior and the VLAN assignment had been incorrectly configured during the migration. No one had validated it.
Wireless Assessment Methodology
A comprehensive wireless penetration test covers passive reconnaissance, active enumeration, protocol-level attacks, and physical validation. We structure our wireless assessments in four phases:
Phase 1 — Passive Reconnaissance. We survey the RF environment without transmitting, documenting all visible SSIDs, BSSIDs, channels, signal strength, security settings, and client probe requests. Probe requests from client devices reveal SSIDs of previously connected networks — useful for targeted evil twin construction — and are captured passively with no interaction with the target network.
Phase 2 — Active Enumeration and Protocol Assessment. We authenticate to each in-scope SSID using provided credentials and enumerate the accessible network from each wireless segment. We test authentication mechanisms, certificate validation behaviour, EAP method negotiation, and SSID isolation settings.
Phase 3 — Attack Simulation. Based on Phase 1 and 2 findings, we execute targeted attacks within scope: PMKID capture and offline cracking against PSK networks, evil twin deployment for EAP credential interception, de-authentication attacks to measure client resilience, and segmentation bypass attempts from each wireless segment.
Phase 4 — Physical Validation. We walk the physical perimeter of the assessed facility to measure RF propagation — documenting locations from which corporate SSIDs are accessible and signal strength at those locations. This is included in our report to provide concrete evidence for the physical exposure component.
Defensive Guidance
The findings from our wireless assessments translate directly into a prioritised remediation roadmap. The controls below address the vulnerabilities most consistently identified across our client base.
Enforce RADIUS server certificate validation on all supplicants. This is the single highest-impact control for WPA2 Enterprise networks. Deploy supplicant configuration via MDM and pin the RADIUS server certificate or issuing CA. Reject authentication if the certificate cannot be validated. Without this control, every device is vulnerable to evil twin credential capture regardless of which EAP method is in use.
Migrate from PEAP-MSCHAPv2 to EAP-TLS where operationally feasible. Certificate-based mutual authentication eliminates the credential capture attack class entirely. The deployment overhead of a client certificate PKI is non-trivial but is the architecturally correct solution for high-security environments.
Isolate wireless VLANs and validate segmentation after any change. Guest, corporate, and IoT wireless VLANs must be tested for inter-VLAN routing after every infrastructure change. Automated post-change validation — a simple nmap scan from each wireless segment to other segments — catches misconfiguration before attackers do.
Deploy WPA3-only mode rather than transition mode. Transition mode reintroduces WPA2 attack surface for any client that downgrades. If legacy WPA2-only devices must be supported, place them on a separate SSID with strict network access controls rather than permitting downgrade on the primary corporate SSID.
Implement wireless intrusion detection. Commercial wireless controllers from Cisco, Aruba, and Fortinet include rogue AP detection capabilities. Enable these features and configure alerting for rogue AP detection, de-authentication flood events, and clients associating to SSIDs with mismatched BSSIDs. Passive RF monitoring provides visibility that complements perimeter-focused detection controls.
Rotate PSKs on a defined schedule and enforce minimum complexity. For environments that cannot move to 802.1X, PSK minimum length should be 20 characters with no relation to the organisation name, address, or any other publicly discoverable information. Rotate PSKs annually or immediately following any suspected credential exposure.
Disable legacy EAP methods at the RADIUS server. LEAP, EAP-MD5, and EAP-GTC should be disabled. PEAP and TTLS should require inner method MSCHAPv2 at minimum; PAP inside TTLS transmits cleartext credentials and should be prohibited. Enforce EAP method negotiation restrictions in RADIUS policy so clients cannot negotiate down to weaker methods.
Conclusion
Wireless networks remain one of the most consistent and underestimated initial access vectors in enterprise environments. WPA2 PSK cracking via PMKID, evil twin credential interception against PEAP-MSCHAPv2, and segmentation failures in guest network deployments translate directly into domain credential capture and internal network access — with no physical premises access required.
The good news is that the controls are well understood. Server certificate pinning, EAP-TLS migration, WPA3-only deployment, and validated wireless segmentation collectively close the majority of the attack surface we exploit. The challenge is consistent implementation and ongoing validation through regular wireless penetration testing as the environment evolves.
If your organisation's wireless infrastructure has not been assessed within the past twelve months, or following any significant wireless infrastructure change, contact us to scope a wireless security assessment. We conduct wireless penetration tests across the Greater Toronto Area and remotely for multi-site environments.