> root@wifi-rig:~# aircrack-ng -w rockyou.txt capture.pcap — KEY FOUND! [ Summer2024! ]
It was a Tuesday morning, half past seven, in a business park car park. We were sitting in a nondescript estate car in a visitor bay, drinking coffee from a flask, with a laptop on the passenger seat, a directional antenna on the dashboard, and a wireless network adapter that cost thirty-five pounds plugged into a USB port.
By ten past eight, we had captured a WPA2 handshake from the corporate wireless network. By twenty to nine, we had cracked the pre-shared key. By nine o'clock, we were on the corporate network — connected to the same VLAN as three hundred workstations, with a DHCP lease, DNS resolution, and line of sight to the domain controllers.
We had not entered the building. We had not spoken to anyone. We had not defeated a single lock, door, or access control. The organisation's physical perimeter — the walls, the doors, the reception desk, the badge readers — was entirely irrelevant. Their wireless network extended the logical perimeter into the car park, and the car park had no access control at all.
The client was a professional services firm occupying two floors of a modern office building on a business park. They employed approximately three hundred staff with a mix of permanent desks and hot-desking areas. Their IT infrastructure included on-premises servers, a Microsoft 365 tenancy, and extensive wireless coverage provided by an enterprise wireless controller and approximately forty access points.
We had been engaged to conduct a wireless security assessment — a focused evaluation of the organisation's wireless infrastructure from the perspective of an external attacker. The scope explicitly included testing from outside the building perimeter. We were authorised to attempt to connect to any wireless network broadcast by the organisation's infrastructure, to intercept and analyse wireless traffic, and to demonstrate the impact of any successful connection.
We were not authorised to perform denial-of-service attacks against the wireless infrastructure or to target personal devices. A letter of authorisation covering the wireless assessment was carried at all times.
We began with a wireless survey from the car park to understand what was visible from outside the building.
A modern office building leaks wireless signal. Access points are positioned for indoor coverage — desks, meeting rooms, breakout areas — but radio waves do not respect walls. The signal attenuates as it passes through building materials, but it does not stop. With a directional antenna and a sensitive receiver, corporate wireless networks are routinely detectable from car parks, pavements, adjacent buildings, and — in one memorable engagement — a café across the road.
We positioned the vehicle in the visitor bay closest to the building and performed a passive wireless survey using airodump-ng. Passive mode captures beacon frames and probe requests without transmitting — making it completely undetectable to the target's wireless infrastructure.
Seven wireless networks were visible from the car park. Five belonged to the client. The survey revealed a mix of security configurations — and several immediate concerns.
| SSID | Security | Purpose | Initial Assessment |
|---|---|---|---|
| YOURCOMPANY-CORP | WPA2-PSK | Primary corporate wireless — staff devices | PSK-based — key shared across all users; crackable if captured |
| YOURCOMPANY-GUEST | WPA2-PSK | Guest and visitor wireless | PSK likely printed on visitor materials; low barrier to access |
| YOURCOMPANY-SECURE | WPA2-Enterprise (802.1X) | Secured wireless for managed devices | Certificate-based auth — significantly harder to attack |
| PrinterNet | WPA2-PSK | Wireless network for print devices | Dedicated printer network — likely weak PSK; low client count |
| CONFERENCE-ROOM | Open (no encryption) | Screen-casting in meeting rooms | Open network — no encryption, no authentication |
Three observations were immediately significant. First, the primary corporate wireless network (YOURCOMPANY-CORP) used WPA2-PSK — a pre-shared key shared across all users — rather than WPA2-Enterprise with individual credentials. This meant that a single key, if captured and cracked, would grant access for anyone. Second, a network named CONFERENCE-ROOM was broadcasting with no encryption whatsoever. Third, the corporate network had the highest client count — seventy-eight connected devices across two access points visible from the car park — indicating it was the primary network for staff connectivity.
An unencrypted wireless network (CONFERENCE-ROOM) was broadcasting from the client's enterprise wireless infrastructure. Any device within range could connect without authentication and intercept all traffic on the network. Additionally, the primary corporate wireless used WPA2-PSK rather than WPA2-Enterprise, creating a single shared key that, if compromised, grants access for any attacker.
WPA2-PSK authentication works through a four-way handshake between the client device and the access point. This handshake does not transmit the pre-shared key directly, but it does transmit enough cryptographic material for an attacker to perform an offline brute-force attack against the key. Capturing a handshake is the first step in a WPA2-PSK attack.
There are two methods to capture a handshake. The traditional approach is to wait for a client to connect — or to force a reconnection by sending a deauthentication frame — and capture the resulting four-way exchange. The modern approach, available since 2018, is to capture a PMKID (Pairwise Master Key Identifier) from the access point's first message in the handshake. The PMKID method requires only a single frame from the access point and does not require any client to be connected or disconnected.
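To make concrete why a captured PMKID is enough for an offline attack, here is the derivation as every WPA2-PSK client and access point perform it. This is an added example written for this article, not tooling from the engagement: the SSID, MAC addresses and the `pmkid_matches` helper are constructed. Everything in the computation except the passphrase (SSID, AP MAC, client MAC, the fixed "PMK Name" label) is public, so the only cost per guess is one PBKDF2 run of 4096 iterations, and nothing on the organisation's side can raise that cost. The passphrase used is the one the article reports.

```python
import hashlib
import hmac

# IEEE 802.11i constants: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit PMK,
# and the fixed label used when computing the PMKID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PMKID_LABEL = b"PMK Name"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase + SSID -> Pairwise Master Key, exactly as a supplicant does it."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN
    )


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> the 6 raw bytes that go into the PMKID computation."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (access point) MAC, SPA the supplicant (client) MAC.
    The AP sends this value in the first EAPOL message, before any password check.
    """
    message = PMKID_LABEL + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, message, hashlib.sha1).digest()[:16]


def pmkid_matches(candidate: str, ssid: str, ap_mac: str, client_mac: str, captured: bytes) -> bool:
    """The offline check that PMKID capture makes possible (constructed helper):
    one PBKDF2 run decides whether a candidate passphrase is the network's PSK."""
    computed = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, client_mac)
    return hmac.compare_digest(computed, captured)


def known_vector_ok() -> bool:
    """Self-check against the 802.11i Annex test vector (passphrase 'password', SSID 'IEEE')."""
    expected = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("password", "IEEE") == expected


if __name__ == "__main__":
    # Constructed network parameters; only the passphrase comes from the article.
    ssid, ap, client = "EXAMPLE-CORP", "aa:bb:cc:00:01:10", "de:ad:be:ef:00:01"
    captured = derive_pmkid(derive_pmk("Summer2024!", ssid), ap, client)
    print("known vector ok:", known_vector_ok())
    print("PMKID:", captured.hex())
    print("Summer2024! matches:", pmkid_matches("Summer2024!", ssid, ap, client, captured))
    print("Summer2024? matches:", pmkid_matches("Summer2024?", ssid, ap, client, captured))
```

Two things to take from this: the PMKID is a deterministic function of four public values and the passphrase, so a single frame is a complete offline oracle; and the 4096 iterations were chosen in 2004, when a GPU could not test hundreds of thousands of candidates per second. The only variable the organisation controls is the passphrase itself.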
We used both methods.
Four PMKID hashes captured in forty-seven seconds. No deauthentication frames sent. No client devices disrupted. No evidence of the capture in the wireless controller's logs — no client device is involved in PMKID collection, so nothing is interrupted or reconnected; the access points simply responded to our own association request with the PMKID as part of the standard protocol exchange.
The YOURCOMPANY-SECURE network, which used WPA2-Enterprise (802.1X), did not yield a PMKID — this attack is only applicable to PSK networks. This is the first indication that WPA2-Enterprise provides a fundamentally different security profile.
With the PMKID hashes captured, the attack moved offline. We transferred the hash file to our cracking workstation — a desktop machine with a high-performance GPU — and began the brute-force process using Hashcat.
The strength of WPA2-PSK depends entirely on the strength of the pre-shared key. A truly random key of twenty or more characters is effectively uncrackable with current hardware. A dictionary word with minor character substitutions is not.
The guest network key — WelcomeGuest1 — fell in four seconds. The printer network — Print2023 — in eleven seconds. The corporate network key — Summer2024! — took twenty-three minutes. All three were dictionary words with predictable modifications: capitalisation, trailing numbers, or common special characters.
The corporate key followed a seasonal pattern — Summer2024! — suggesting it was rotated on a calendar basis, likely quarterly or biannually, with each new key following the same [Season][Year][Special character] pattern. This is a common practice that creates an illusion of security through rotation whilst using keys that are trivially predictable.
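The three keys above fell to exactly the transformations a cracking rule set applies: case changes, trailing years and symbols, leet substitutions, and concatenated dictionary words. The following checker, an added example and not part of the engagement tooling, applies those same normalisations to a proposed PSK before it is deployed and rejects anything that survives them as a dictionary word or a seasonal pattern. The twelve-word list is a constructed stand-in; a real deployment would load the same wordlists an attacker would use.

```python
import re
import secrets
import string

MIN_LEN = 20  # the article's threshold: twenty or more random characters

# [Season][Year][optional symbol], the rotation pattern seen on the corporate key.
SEASONAL = re.compile(r"(spring|summer|autumn|fall|winter)\d{2,4}[^a-z0-9]?", re.IGNORECASE)

# Constructed mini-wordlist; load a full list (e.g. rockyou.txt) in practice.
COMMON_WORDS = {
    "welcome", "guest", "print", "printer", "password", "wireless", "office",
    "company", "spring", "summer", "autumn", "winter", "secure", "network",
}

# Substitutions that cracking rule sets undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(psk: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo leet substitutions."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", psk.lower())
    return base.translate(LEET)


def segments_into_words(text: str, words, min_word: int = 3) -> bool:
    """True if text is a concatenation of dictionary words, e.g. 'welcomeguest'."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(max(0, end - 20), end - min_word + 1):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return reachable[len(text)]


def check_psk(psk: str, words=COMMON_WORDS) -> list:
    """Return the policy failures for a proposed PSK; an empty list means acceptable."""
    findings = []
    if len(psk) < MIN_LEN:
        findings.append("too_short")
    if SEASONAL.fullmatch(psk):
        findings.append("seasonal_pattern")
    if segments_into_words(normalise(psk), words):
        findings.append("dictionary_based")
    return findings


def generate_psk(length: int = 24) -> str:
    """What an acceptable key looks like: random, from a CSPRNG, not derived from anything."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for key in ("Summer2024!", "WelcomeGuest1", "Print2023", generate_psk()):
        print(f"{key!r}: {check_psk(key) or 'OK'}")
```

Note that the seasonal check runs on the raw key and the dictionary check on the normalised form, so `Summer2024!` fails three ways. A rotation policy that moves from `Summer2024!` to `Autumn2024!` changes nothing an attacker cares about; the generator at the bottom is what rotation should produce instead.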
Seventy-one minutes from parking the car to holding the corporate wireless key. No entry to the building. No interaction with any person. No alert generated anywhere.
We connected to YOURCOMPANY-CORP using the cracked PSK. The wireless controller issued a DHCP lease on the 10.10.2.0/24 range — the same user VLAN used by wired workstations. There was no separation between the wireless and wired user networks.
From the car park, we had the same network position as a workstation plugged into a desk on the office floor. The domain controllers were reachable. DNS resolved internal hostnames. File shares were browsable. The entire internal network was accessible through a wireless connection established from a vehicle in a visitor bay.
The wireless controller did not perform any device verification. There was no certificate check. No device posture assessment. No MAC filtering (though MAC filtering is trivially bypassed and is not considered a meaningful control). Any device with the correct PSK was admitted to the corporate VLAN without further scrutiny.
Having demonstrated network access via PSK cracking, we conducted a second wireless attack to demonstrate the credential harvesting risk: an evil twin attack against the WPA2-Enterprise network.
The YOURCOMPANY-SECURE network used WPA2-Enterprise with PEAP-MSCHAPv2 — a common enterprise wireless authentication method where clients authenticate with their domain username and password, protected by a TLS tunnel established between the client and the RADIUS server. This is significantly more secure than PSK — each user has their own credentials, and the pre-shared key problem is eliminated.
However, PEAP-MSCHAPv2 has a well-documented weakness: if a client connects to a rogue access point (an 'evil twin') that presents itself as the legitimate network, and the client does not properly validate the RADIUS server's TLS certificate, the client will transmit its MSCHAPv2 challenge-response to the attacker — which can be cracked offline to recover the domain password.
Over forty-five minutes, six client devices connected to our evil twin and transmitted their MSCHAPv2 challenge-responses. The clients accepted our self-signed certificate without warning the user — indicating that the wireless profile on these devices was configured to not validate the RADIUS server certificate, or the users had been trained to dismiss certificate warnings.
We cracked the MSCHAPv2 challenge-responses offline. MSCHAPv2 is based on DES and has known cryptographic weaknesses — online services exist that can crack MSCHAPv2 responses in under a second, regardless of password complexity.
Five of six domain passwords cracked. These were not wireless keys — these were domain user credentials. The same passwords these users used to log into their workstations, access email, connect to VPN, and authenticate to every corporate application. Captured from the car park, from devices that connected to our rogue access point automatically.
Six domain user credentials were captured via an evil twin attack against the WPA2-Enterprise network. Client devices were not configured to validate the RADIUS server certificate, allowing them to connect to a rogue access point and transmit authentication material. Five of six passwords were cracked offline.
The CONFERENCE-ROOM network required no attack at all. It was an open, unencrypted wireless network broadcasting from the client's enterprise wireless controller. We connected to it from the car park without providing any credentials.
The network was intended for wireless screen-casting in meeting rooms — allowing visitors and staff to project their screens to display panels without cables. It had been created by the AV integration team during a meeting room refurbishment and had been configured on the enterprise wireless controller because the AV team did not have their own wireless infrastructure.
The network was supposed to be isolated. It was not. A review of the wireless controller's configuration revealed that the CONFERENCE-ROOM SSID was mapped to the same VLAN as the guest wireless network — VLAN 60. The guest VLAN had internet access and, due to a misconfigured firewall rule identified during our assessment, had partial access to the server VLAN on ports 80 and 443.
An open wireless network, broadcasting from the enterprise infrastructure, accessible from the car park, with a route to internal servers. No password. No authentication. No encryption. Not even WPA2-PSK. Just an open door, broadcasting its invitation at the speed of light.
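Both the evil twin and the open CONFERENCE-ROOM SSID are visible in a routine comparison of what is on the air against what the controller says should be. The audit below is an added example, not code from the engagement or from any wireless IDS product: the inventory, the BSSIDs and the survey results are constructed, loosely mirroring the SSID table earlier in the article. It flags a known SSID advertised by a BSSID the controller does not own (the evil twin signature), a beacon whose security type differs from the inventoried one, and inventory entries that are open or rely on a shared PSK outside the guest network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a survey tool would report it."""
    ssid: str
    bssid: str
    security: str   # "OPEN", "WPA2-PSK", "WPA2-ENT", "WPA3-ENT"
    channel: int
    signal_dbm: int


# Authorised inventory as exported from the wireless controller (constructed).
INVENTORY = {
    "YOURCOMPANY-CORP":   {"security": "WPA2-PSK", "bssids": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:02:10"}},
    "YOURCOMPANY-GUEST":  {"security": "WPA2-PSK", "bssids": {"aa:bb:cc:00:01:11", "aa:bb:cc:00:02:11"}},
    "YOURCOMPANY-SECURE": {"security": "WPA2-ENT", "bssids": {"aa:bb:cc:00:01:12", "aa:bb:cc:00:02:12"}},
    "PrinterNet":         {"security": "WPA2-PSK", "bssids": {"aa:bb:cc:00:01:13"}},
    "CONFERENCE-ROOM":    {"security": "OPEN",     "bssids": {"aa:bb:cc:00:01:14"}},
}
GUEST_SSIDS = frozenset({"YOURCOMPANY-GUEST"})

# Constructed survey: one BSSID the controller does not own is advertising the 802.1X SSID.
SURVEY = [
    Beacon("YOURCOMPANY-CORP",   "aa:bb:cc:00:01:10", "WPA2-PSK", 36, -61),
    Beacon("YOURCOMPANY-SECURE", "aa:bb:cc:00:01:12", "WPA2-ENT", 36, -63),
    Beacon("YOURCOMPANY-SECURE", "02:11:22:33:44:55", "WPA2-ENT", 6,  -40),  # unknown BSSID, very strong
    Beacon("CONFERENCE-ROOM",    "aa:bb:cc:00:01:14", "OPEN",     1,  -70),
    Beacon("PrinterNet",         "aa:bb:cc:00:01:13", "WPA2-PSK", 11, -72),
    Beacon("Neighbour-Wifi",     "11:22:33:44:55:66", "WPA2-PSK", 1,  -80),  # not ours, ignored
]


def audit_survey(beacons, inventory, guest_ssids=frozenset()):
    """Return (code, ssid, bssid) findings. Over-the-air findings first, then
    configuration findings derived from the inventory itself."""
    findings = []
    for b in beacons:
        entry = inventory.get(b.ssid)
        if entry is None:
            continue  # someone else's network; out of scope for this check
        if b.bssid.lower() not in entry["bssids"]:
            # Our SSID from a radio we do not own: the evil twin signature.
            # (A twin that also clones a BSSID needs signal/channel correlation instead.)
            findings.append(("ROGUE_BSSID", b.ssid, b.bssid))
        if b.security != entry["security"]:
            findings.append(("SECURITY_MISMATCH", b.ssid, b.bssid))
    for ssid, entry in inventory.items():
        if entry["security"] == "OPEN":
            findings.append(("OPEN_SSID", ssid, None))
        elif entry["security"].endswith("-PSK") and ssid not in guest_ssids:
            findings.append(("SHARED_PSK", ssid, None))
    return findings


if __name__ == "__main__":
    for code, ssid, bssid in audit_survey(SURVEY, INVENTORY, GUEST_SSIDS):
        print(f"{code:18} {ssid:20} {bssid or ''}")
```

The first loop is what a wireless IDS does continuously; the second is a one-off hygiene review of the controller's own SSID list, which is where the CONFERENCE-ROOM network would have been caught before anyone sat in a car park.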
| Step | Action | Weakness Exploited |
|---|---|---|
| 01 | Passive wireless survey from car park — 5 SSIDs identified | Wireless signal extends beyond building perimeter |
| 02 | PMKID capture from PSK networks — 47 seconds | WPA2-PSK vulnerable to offline key recovery via PMKID |
| 03 | Cracked corporate PSK (Summer2024!) — 23 minutes | Predictable seasonal key pattern; dictionary word with substitution |
| 04 | Connected to corporate VLAN from car park | No device verification; wireless clients on same VLAN as wired |
| 05 | Evil twin against WPA2-Enterprise — 6 domain credentials captured | No RADIUS certificate validation on client devices; PEAP-MSCHAPv2 |
| 06 | Connected to open CONFERENCE-ROOM network — route to servers | Unencrypted SSID on enterprise controller; misconfigured VLAN mapping |
Wireless security has improved significantly over the past decade. WEP is extinct. WPA is rare. WPA3 is gaining adoption. Enterprise wireless controllers provide sophisticated management, monitoring, and rogue access point detection. And yet, on engagement after engagement, we find that the wireless network is the easiest entry point into organisations that have invested heavily in every other aspect of their security posture.
The reasons are consistent.
The most impactful single change is migrating from WPA2-PSK to WPA2/3-Enterprise with EAP-TLS. EAP-TLS uses client certificates rather than passwords for authentication. Each device has a unique certificate issued by the organisation's certificate authority. The evil twin attack is eliminated because the client validates the server's certificate (and the server validates the client's certificate) — a rogue access point cannot present a valid certificate. There are no passwords to capture. There is no shared key to crack. Each client's authentication is unique, certificate-bound, and resistant to interception.
If EAP-TLS is not immediately achievable, PEAP with strict certificate validation is a significant improvement over the current state. The wireless profile deployed to managed devices must specify the expected RADIUS server certificate (or CA), and the profile must reject connections to servers presenting unexpected certificates. This configuration prevents the evil twin attack by ensuring clients will not transmit credentials to a rogue access point.
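Whether a deployed PEAP profile actually enforces server validation can be checked mechanically. The checker below is an added example, not part of the engagement or of any vendor tooling. It inspects the settings that decide whether a client will talk to an evil twin: whether server validation is performed at all, whether the user can click through an unknown certificate, whether a RADIUS server name is pinned, and whether a trusted root CA is specified. The two profiles are constructed and abridged; element names follow the Windows PEAP profile schema but the namespaces are omitted, and the checker matches on local element names so it works either way. The CA thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged profile that leaves every validation decision to the user.
WEAK_PROFILE = """
<WLANProfile>
  <name>YOURCOMPANY-SECURE</name>
  <EapHostConfig>
    <EapMethod><Type>25</Type></EapMethod>
    <Config>
      <EapType>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation>false</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Config>
  </EapHostConfig>
</WLANProfile>
"""

# The same profile with strict validation: named server, pinned CA, no user prompt.
HARDENED_PROFILE = """
<WLANProfile>
  <name>YOURCOMPANY-SECURE</name>
  <EapHostConfig>
    <EapMethod><Type>25</Type></EapMethod>
    <Config>
      <EapType>
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>radius.example.internal</ServerNames>
          <TrustedRootCA>PLACEHOLDER-INTERNAL-CA-THUMBPRINT</TrustedRootCA>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation>true</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Config>
  </EapHostConfig>
</WLANProfile>
"""


def _local(tag: str) -> str:
    """Strip any XML namespace so '{ns}ServerNames' compares as 'ServerNames'."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _text(root, name):
    found = _elements(root, name)
    return (found[0].text or "").strip() if found else None


def check_peap_profile(xml_text: str) -> list:
    """Return the validation weaknesses in a PEAP profile; empty list means strict."""
    root = ET.fromstring(xml_text)
    if not _elements(root, "ServerValidation"):
        return ["no_server_validation_block"]
    problems = []
    if _text(root, "PerformServerValidation") != "true":
        problems.append("server_validation_not_enforced")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        problems.append("user_can_accept_unknown_cert")
    if not _text(root, "ServerNames"):
        problems.append("no_server_name_pinned")
    if not any((e.text or "").strip() for e in _elements(root, "TrustedRootCA")):
        problems.append("no_trusted_root_ca")
    return problems


if __name__ == "__main__":
    print("weak:    ", check_peap_profile(WEAK_PROFILE))
    print("hardened:", check_peap_profile(HARDENED_PROFILE))
```

The important setting is the counter-intuitive one: `DisableUserPromptForServerValidation` must be `true`. With it `false`, the device asks the user whether to trust an unexpected certificate, which is precisely the prompt the six users in the car park either never saw or dismissed.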
Wireless network placement must be reviewed. Wireless clients should not be placed on the same VLAN as wired workstations. A dedicated wireless VLAN with firewall rules governing access to internal resources provides an additional layer of segmentation — even if the wireless key is compromised, the attacker's access is constrained by the inter-VLAN firewall rules.
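The VLAN findings in this engagement (wireless clients on the wired user VLAN; an open SSID on a guest VLAN with a firewall rule through to the server VLAN) can be expressed as two questions asked of the controller's SSID-to-VLAN map and the firewall policy. The audit below is an added example, not code from the engagement: the SSID mapping, zone names, VLAN numbers and rules are constructed to mirror the article's findings, with VLAN 60 as the guest VLAN and the 80/443 rule as the misconfiguration described.

```python
# Constructed SSID -> VLAN mapping, as read from the wireless controller.
SSID_VLAN = {
    "YOURCOMPANY-CORP":   10,   # same VLAN as wired workstations
    "YOURCOMPANY-SECURE": 10,
    "YOURCOMPANY-GUEST":  60,
    "CONFERENCE-ROOM":    60,   # open SSID mapped onto the guest VLAN
    "PrinterNet":         30,
}

# Constructed zone model and firewall policy.
VLAN_ZONE = {10: "wired-users", 20: "servers", 30: "printers", 60: "guest"}
WIRED_USER_VLANS = {10}
RULES = [  # (rule id, source zone, destination zone, ports, action)
    (100, "wired-users", "servers",  "any",     "allow"),
    (110, "guest",       "internet", "any",     "allow"),
    (120, "guest",       "servers",  {80, 443}, "allow"),   # the misconfigured rule
    (999, "any",         "any",      "any",     "deny"),
]


def rules_allowing(rules, src_zone, dst_zone):
    """Rule ids that permit traffic from src_zone to dst_zone (first-match deny stops the scan)."""
    allowed = []
    for rule_id, src, dst, _ports, action in rules:
        if src in (src_zone, "any") and dst in (dst_zone, "any"):
            if action == "deny":
                break
            allowed.append(rule_id)
    return allowed


def audit_wireless_segmentation(ssid_vlan, vlan_zone, wired_user_vlans, rules):
    """Return (code, ssid, vlan, rule_id) findings for every wireless SSID."""
    findings = []
    for ssid, vlan in ssid_vlan.items():
        if vlan in wired_user_vlans:
            findings.append(("WIRELESS_ON_WIRED_VLAN", ssid, vlan, None))
        for rule_id in rules_allowing(rules, vlan_zone.get(vlan), "servers"):
            findings.append(("WIRELESS_REACHES_SERVERS", ssid, vlan, rule_id))
    return findings


if __name__ == "__main__":
    for code, ssid, vlan, rule_id in audit_wireless_segmentation(SSID_VLAN, VLAN_ZONE, WIRED_USER_VLANS, RULES):
        print(f"{code:26} {ssid:20} VLAN {vlan:<3} {'rule ' + str(rule_id) if rule_id else ''}")
```

Run against this configuration it reports the corporate SSIDs for sharing the wired VLAN, and four SSIDs with a path to the server zone: the two corporate ones through the ordinary user rule, and the guest and conference SSIDs through rule 120. The fix the article recommends is a dedicated wireless VLAN whose only allow rules are the ones the business can justify.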
Transmit power management on perimeter-facing access points is a simple, low-cost measure that reduces the wireless footprint outside the building. Modern enterprise wireless controllers can adjust per-AP transmit power — reducing the power on access points near external walls limits signal leakage into car parks and public areas without affecting indoor coverage.
Physical security controls exist to prevent unauthorised people from entering your building. They work. Badge readers, reception desks, locks, CCTV — these are proven controls that provide meaningful protection against physical intrusion.
But your wireless network extends your perimeter beyond your walls, your locks, and your reception desk. It radiates outward, through concrete, through glass, through plasterboard, into car parks and pavements and adjacent buildings. Anyone within range is inside your logical perimeter — regardless of whether they are inside your physical one.
We sat in a visitor bay. We drank coffee. We captured a handshake, cracked a key, and connected to the corporate network. Then we deployed an evil twin, captured domain credentials, and cracked five passwords. Then we connected to an open network that should not have existed. All from the driver's seat of a car, in a car park with no barrier, no camera, and no reason for anyone to notice.
Until next time — stay sharp, stay curious, and walk outside your building with a wireless scanner. Your network does not end at the front door.
This article describes a wireless security assessment conducted under formal engagement with full written authorisation from the client. All identifying details have been altered or omitted to preserve client confidentiality. The evil twin attack was conducted under controlled conditions with scope-specific authorisation. Intercepting wireless communications without authorisation is a criminal offence under the Computer Misuse Act 1990 and the Wireless Telegraphy Act 2006. Do not attempt to replicate these techniques without proper authorisation.
Hedgehog Security conducts wireless security assessments from the attacker's perspective — from outside your perimeter. We test PSK strength, evil twin susceptibility, certificate validation, SSID hygiene, VLAN segregation, and the effectiveness of your wireless IDS. Your wireless network is an extension of your corporate network. It deserves the same scrutiny.