Wireless Penetration Testing Services

From rogue access points to weak encryption algorithms, threats to wireless networks are unique and the risk the technology poses can be significant. A wireless penetration test identifies organizational weaknesses the same way an attacker would: by hacking the network. Businesses must be cognizant of the security implications an unsecured wireless network can have on an organization. Praetorian's wireless penetration testing and assessment services help businesses evaluate the security of their wireless implementations and provide recommendations for improvement.

Methodologies for Product Penetration Testing

Praetorian's wireless security testing focuses on enumerating and verifying potential attack vectors and threats to your organization's wireless infrastructure. The wireless security test is composed of the following major phases: 1) access point discovery, 2) wireless penetration testing, and 3) post-wireless exploitation.

Praetorian will first attempt to identify and document all your organization's wireless access points. Praetorian will accomplish this by using powerful Ubiquiti and/or Yellowjacket devices to physically comb both the interior and exterior of all buildings for wireless signals. The purpose of the discovery phase is to identify points of exterior signal bleeding, inventory authorized access points, detect rogue employee access points, and create a structured plan for the wireless security assessment and wireless penetration test.

Once an inventory of wireless access points has been gathered, Praetorian will attempt to enumerate weaknesses within the wireless infrastructure. Penetration testing will include attacks against both the wireless access points and wireless clients. Tests may include, but are not limited to, exploiting weak encryption protocols such as WEP and legacy WPA, open wireless access points and default configurations, and user susceptibility to rogue access point association and to man-in-the-middle attacks. All vulnerabilities and potential attack vectors will be documented and recommendations for mitigation will be provided in the final report.

Once Praetorian has obtained a foothold on the wireless network, consultants will attempt to escalate access to higher privileged areas of the wireless and wired networks to demonstrate impact. This will include an examination of the segmentation between employee and guest wireless networks as well as an examination of segmentation between the wired and wireless networks.

What You Get

Upon completion of the assessment, Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.


The report deliverable will include the following high-level sections in a format suitable for management:

  • Purpose of the engagement, including the project's scope and approach
  • Positive security controls that were identified
  • Tactical resolutions to immediately reduce risk in the environment
  • Strategic recommendations for preventing similar issues from recurring
  • An industry comparison based on consultancy experience and results from similar previous engagements

The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and recommendations:

  • A technical description and classification of each vulnerability
  • Anatomy of exploitation including steps taken and proof in the form of screenshots
  • Business or technical risk inherent in the vulnerability
  • Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
  • Technical description of how to mitigate the vulnerability

Frequently Asked Questions


  1. How much does a wireless penetration test cost?

    The cost depends on the size and complexity of the wireless network and the level of rigor with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote. Wireless penetration tests will always require on-site resources, and travel expenses will be billed back separately to the client.

  2. How long does a wireless penetration test take to complete?

    The time to completion depends on the number of physical locations, buildings, and floors. Testing of a single location with only one floor, such as a satellite office, can be performed in a day. Multiple physical locations or large buildings with multiple floors, such as a corporate headquarters, will require a few days to a week to complete testing. On average, the typical duration of a wireless penetration test (including reporting) is three days.

  3. What is the difference between a wireless penetration test and a wireless security review?

    A wireless penetration test has three phases: 1) host and service discovery, 2) vulnerability identification and verification, and 3) exploitation. The primary objectives of a wireless penetration test are to obtain sensitive information and/or gain unauthorized access. This is accomplished by targeting weaknesses in the wireless infrastructure and/or the wireless users themselves. During a wireless security review, the “proof of concept” phase that demonstrates the impact of the vulnerabilities identified is not performed; however, unlike a penetration test, other “white box” activities such as client access point (AP) configuration reviews and technical interview sessions are performed.



Ready to get started?

Contact us at 1 (800) 675-5152 to get started with your Wireless Penetration Testing needs, or request a callback by submitting the form below.