Penetration Testing

Wi-Fi Penetration Testing: How We Assess Corporate Wireless Security

> interface: wlan0 —— mode: monitor —— channel: hopping —— target: your corporate network —— question: what can we reach from the car park?

Hedgehog Security 11 September 2024 23 min read
wifi-security wireless-penetration-testing wpa2 wpa3 802.1x evil-twin rogue-access-point radius network-segmentation penetration-testing

Your network extends beyond your walls.

Every wired network has a defined physical boundary. Cables terminate at wall sockets. Switches sit in locked cabinets. To connect to the network, an attacker must gain physical access to a port — which means bypassing doors, locks, access control systems, and potentially security guards. The physical perimeter and the network perimeter are, in most cases, the same thing.

Wireless networks destroy that alignment. The moment an organisation deploys a wireless access point, the network perimeter extends beyond the physical perimeter — through walls, through windows, through ceilings, and into the car park, the street, the neighbouring building, and any other location within radio range. An attacker does not need to enter the building. They do not need to bypass a single physical security control. They can sit in a vehicle with a laptop and an antenna and interact with the corporate network from outside the premises. They can probe it, attack it, and — if it is poorly configured — join it, all without setting foot on the organisation's property.

This is the fundamental security challenge of corporate wireless: it creates an attack surface that exists in physical space that the organisation does not control. The signal does not stop at the property boundary. The attacker's access begins wherever the signal reaches. Wi-Fi penetration testing exists to assess this attack surface — to determine what an attacker positioned within radio range of the organisation's wireless infrastructure could discover, exploit, and access.

Range Is Greater Than You Think

Standard corporate access points have an effective range of 30–100 metres indoors. With a directional antenna — commercially available for under £50 — an attacker can reliably interact with a Wi-Fi network from several hundred metres. With a high-gain parabolic antenna, connections at over a kilometre have been demonstrated. The 'our Wi-Fi doesn't reach outside the building' assumption is almost always wrong.

Understanding how organisations deploy wireless.

Before examining the attack techniques, it is important to understand the common wireless architectures deployed in corporate environments — because the security posture, the attack surface, and the appropriate testing methodology differ significantly depending on how the wireless network is configured.

WPA2-Personal (PSK)
Authentication method: Pre-Shared Key — a single password shared by all users. Anyone who knows the password can connect.
Typical use: Small businesses, guest networks, home offices. Sometimes found on corporate networks where convenience has been prioritised over security.
Security posture: Weak. A single shared secret means that any user who knows the password can share it, and the password cannot be revoked for individual users without changing it for everyone. Susceptible to offline dictionary and brute-force attacks against captured handshakes. If the PSK is compromised, every device on the network is affected.

WPA2-Enterprise (802.1X)
Authentication method: Individual authentication via 802.1X using a RADIUS server. Each user authenticates with their own credentials (username/password, certificate, or both) through an EAP method (PEAP-MSCHAPv2, EAP-TLS, EAP-TTLS).
Typical use: The standard for corporate wireless in medium to large organisations. Integrates with Active Directory or other identity providers for centralised authentication and access control.
Security posture: Significantly stronger than PSK. Individual credentials enable per-user access control, revocation, and auditing. However, the security depends heavily on the EAP method used and whether certificate validation is enforced on client devices — a misconfiguration that creates one of the most significant wireless attack vectors we test.

WPA3-Personal (SAE)
Authentication method: Simultaneous Authentication of Equals — replaces PSK with a key exchange protocol resistant to offline dictionary attacks.
Typical use: Newer deployments, particularly where PSK is required but offline attack resistance is desired. Adoption growing but not yet universal.
Security posture: Significantly improves on WPA2-Personal by preventing offline password cracking — each authentication attempt must occur online against the access point, enabling rate limiting and lockout. However, transition mode (allowing WPA2 and WPA3 clients simultaneously) reintroduces WPA2 vulnerabilities.

WPA3-Enterprise
Authentication method: Enhanced 802.1X with mandatory 192-bit security suite, Protected Management Frames (PMF), and stronger cryptographic requirements.
Typical use: High-security environments, government, defence, financial services. Requires compatible access points and client devices.
Security posture: The strongest available standard. Mandatory PMF prevents deauthentication attacks. 192-bit suite enforces strong cryptography end to end. Adoption is growing but requires hardware and client support that many organisations have not yet deployed.

Open / Captive Portal
Authentication method: No wireless authentication. Users connect to an open SSID and are redirected to a captive portal for acceptance of terms, email registration, or voucher-based access.
Typical use: Guest networks, public Wi-Fi, hospitality, retail, conference venues.
Security posture: No encryption on the wireless link. Traffic is visible to any device in monitor mode. Captive portal provides access control but not confidentiality. Must be strictly segmented from the corporate network — and verifying that segmentation is a key testing objective.

How we approach a wireless penetration test.

A corporate Wi-Fi penetration test follows a structured methodology that progresses from passive reconnaissance through active testing to exploitation and post-exploitation analysis. Each phase builds on the intelligence gathered in the previous one, and the approach is adapted based on what we discover about the target environment.

Phase 1: Passive Wireless Reconnaissance
Before transmitting a single packet, we listen. A wireless adapter in monitor mode captures all Wi-Fi frames in range — beacon frames from access points, probe requests from client devices, data frames, authentication exchanges, and management frames. This passive reconnaissance reveals every SSID being broadcast (and, through probe request analysis, hidden SSIDs that clients are searching for), the number and location of access points, the security configuration of each network (WPA2-Personal, WPA2-Enterprise, WPA3, Open), the EAP method in use for Enterprise networks (visible in authentication exchanges), the channel plan and signal strength map, client devices associated with each network (MAC addresses, probe request history), and vendor identification of access points and clients from OUI analysis. All of this intelligence is gathered without the target organisation being able to detect our presence — passive monitoring generates no network traffic and triggers no alerts.
Phase 2: Wireless Environment Mapping
Using the intelligence from Phase 1, we build a comprehensive map of the wireless environment: which SSIDs exist and their security configurations, where access points are physically located (estimated from signal strength measurements at multiple positions), how far the wireless signal extends beyond the building perimeter, which client devices are connected and which networks they trust (revealed by their probe requests), whether any rogue or unauthorised access points are present, and whether the access point infrastructure is centrally managed (controller-based) or autonomous. This map informs the testing approach — different network configurations require different attack techniques, and understanding the full wireless landscape ensures we test the right targets in the right order.
Phase 3: Active Testing and Exploitation
With the environment mapped, we begin active testing — transmitting packets, interacting with access points and clients, and attempting to exploit identified weaknesses. The specific techniques depend on the target configuration: for WPA2-Personal networks, we attempt handshake capture and offline cracking; for WPA2-Enterprise, we test certificate validation and deploy evil twin attacks; for all networks, we test for rogue access point susceptibility; for network segmentation, we test whether guest networks are properly isolated from corporate resources. Each technique is detailed in the following sections.
Phase 4: Post-Association Testing
Once connected to a wireless network — whether through cracked credentials, evil twin credential capture, or authorised test credentials — we assess what can be reached from the wireless network. This is where wireless testing connects to broader network penetration testing: can we reach the corporate LAN from the wireless VLAN? Is traffic between wireless clients isolated? Can we access servers, printers, management interfaces, or other sensitive resources? Is the wireless network segmented from environments containing sensitive data? Can we reach systems that should only be accessible from the wired network? The answers determine whether the wireless network is merely an inconvenience to an attacker (requiring credential compromise to connect) or a gateway to the wider corporate environment.
Phase 5: Reporting and Remediation Guidance
The deliverable is a detailed report covering every phase of the assessment: the wireless environment map, the SSIDs identified and their configurations, the attack techniques attempted and their outcomes, evidence of successful exploitation (screenshots, captured credentials, accessed resources), the post-association attack surface available from each wireless network, and prioritised remediation recommendations. Where we identified that an attacker in the car park could compromise the wireless network and reach the domain controller, we document the complete attack path — not just the wireless vulnerability, but the full chain from initial wireless access to business-critical system.

What we test and how we test it.

The following sections detail the specific attack techniques used during wireless penetration testing. Each technique targets a different aspect of the wireless security architecture, and the applicability of each depends on the configuration of the target environment.

Cracking the shared secret.

WPA2-Personal networks authenticate clients using a Pre-Shared Key (PSK). The security of the entire network depends on the strength of this single password — because the authentication handshake contains enough information for an attacker to test candidate passwords offline, without any further interaction with the access point.

Four-Way Handshake Capture
How it works: When a client connects to a WPA2-PSK network, it performs a four-way handshake with the access point. We capture this handshake by placing our adapter in monitor mode and either waiting for a client to connect naturally or sending deauthentication frames to force a client to disconnect and reconnect (triggering a new handshake). The captured handshake is then subjected to offline password cracking using tools such as Hashcat or Aircrack-ng with dictionaries, rule sets, and brute force. If the PSK is a dictionary word, a common phrase, a predictable pattern, or shorter than approximately 12 random characters, it will be cracked — often in minutes or hours.
What it demonstrates: The risk of weak PSK selection and the fundamental limitation of shared-secret authentication.

PMKID Harvesting
How it works: Discovered in 2018, this technique captures the PMKID (Pairwise Master Key Identifier) from the first frame of the four-way handshake — or in some implementations, from a single association request to the access point. Unlike the full handshake capture, this does not require a connected client and does not require deauthentication attacks. We simply send an association request to the target access point and capture the PMKID from the response. The PMKID contains the information needed for offline password cracking.
What it demonstrates: That the PSK can be attacked even when no clients are connected. A network that appears unused or dormant is still vulnerable if the PSK is weak. This technique is faster and stealthier than traditional handshake capture.

Offline Dictionary and Brute Force
How it works: Once a handshake or PMKID is captured, we test the PSK against extensive dictionaries (common passwords, organisation-specific terms, industry wordlists), apply mutation rules (appending numbers, substituting characters, capitalisation variations), and — for shorter keys — attempt exhaustive brute force. Modern GPU-accelerated cracking with Hashcat can test billions of WPA2-PSK candidates per second.
What it demonstrates: The practical strength of the PSK against realistic attack capability. A PSK of 'Summer2024!' will fall to dictionary attack in seconds. A randomly generated 20-character passphrase will resist indefinitely. The difference between these outcomes is entirely determined by PSK selection policy.

Exploiting the trust relationship between client and server.

WPA2-Enterprise with 802.1X authentication is significantly more secure than PSK — but it is not immune to attack. The most significant vulnerability in most WPA2-Enterprise deployments is not a flaw in the protocol itself but a misconfiguration in how client devices validate the authentication server's certificate. This misconfiguration is the foundation of the evil twin attack — one of the most effective techniques in wireless penetration testing.

Evil Twin / Rogue RADIUS Attack
We deploy an access point broadcasting the same SSID as the target corporate network, paired with a rogue RADIUS server configured to accept any client authentication attempt. When a client device attempts to connect to our evil twin (because it sees a familiar SSID with stronger signal or because we have deauthenticated it from the legitimate network), it begins the 802.1X authentication process — and this is where the vulnerability lies. If the client device does not properly validate the RADIUS server's certificate (checking that the certificate is issued by the expected CA, that the server name matches, and that the certificate chain is trusted), it will proceed with authentication and transmit the user's credentials to our rogue server. For PEAP-MSCHAPv2 — the most common EAP method in corporate environments — we capture the MSCHAPv2 challenge-response hash, which can be cracked offline or relayed. Tools such as hostapd-wpe (hostapd Wireless Pawn Edition) and EAPHammer automate this attack. The success rate in corporate environments is alarmingly high — because configuring certificate validation correctly on every client device (Windows, macOS, iOS, Android, Linux) requires deliberate Group Policy or MDM configuration that many organisations have not implemented.
Certificate Validation Testing
Even without deploying a full evil twin, we test whether client devices enforce certificate validation by examining the 802.1X supplicant configuration on sample devices (where access is provided) or by observing client behaviour during evil twin deployment. Common misconfigurations include: certificate validation disabled entirely (the client accepts any certificate), server name not specified (the client accepts a certificate from any server, even with a different name), trusted CA not pinned (the client accepts certificates from any CA, including attacker-generated ones), and users able to override certificate warnings by clicking 'Connect Anyway'. Each of these misconfigurations enables the evil twin attack. On managed Windows devices, Group Policy can enforce correct configuration — but the policy must be applied, tested, and maintained.
MSCHAPv2 Credential Cracking and Relay
When an evil twin attack captures MSCHAPv2 challenge-response hashes, the hashes can be cracked offline. MSCHAPv2 has a known cryptographic weakness — the challenge-response can be reduced to a DES problem that is computationally trivial with modern hardware. Services such as crack.sh have historically demonstrated the ability to crack any MSCHAPv2 hash to its underlying NTLM hash in under 24 hours. Once cracked, the credentials provide the user's domain username and password — which in most organisations grants access not only to the wireless network but to email, file shares, VPN, and any other system authenticated against the same Active Directory domain. Alternatively, in some configurations the captured hash can be relayed directly without cracking.
EAP Downgrade and Method Negotiation
During the evil twin attack, we test whether client devices can be induced to negotiate a weaker EAP method than intended. If the corporate network uses EAP-TLS (certificate-based authentication, which is resistant to credential theft), but the client supplicant is also configured to accept PEAP-MSCHAPv2 as a fallback, our rogue RADIUS server can negotiate the weaker method and capture credentials. This is a configuration issue rather than a protocol flaw — but it is surprisingly common in environments where the wireless configuration has evolved over time and legacy settings remain.

The threat already inside your network.

A rogue access point is an unauthorised wireless access point connected to the corporate network — whether placed deliberately by an attacker or inadvertently by an employee who wanted better Wi-Fi coverage in their office. Either way, the result is the same: an uncontrolled, unmonitored entry point into the wired network that bypasses all perimeter security controls.

During wireless penetration testing, we test for rogue access points in two ways. First, we scan the wireless environment to identify any access points that are not part of the organisation's authorised wireless infrastructure — by comparing detected access points against the organisation's inventory of managed devices, examining MAC address OUIs to identify consumer-grade hardware that would not be part of a corporate deployment, and identifying access points connected to the corporate network that do not appear in the wireless controller's management interface. Second, we test the organisation's ability to detect a rogue access point by deploying one ourselves (with authorisation) — connecting a small, discreet access point to an available network port and monitoring whether the wireless intrusion detection system, network access control, or IT security team identifies and responds to it.

The rogue access point test is frequently one of the most revealing findings in a wireless assessment. Many organisations have no capability to detect rogue access points — no wireless intrusion detection, no 802.1X port authentication on wired ports (which would prevent an unauthorised device from connecting to the network), and no process for periodically surveying the wireless environment. A £30 consumer access point plugged into a network port under a desk can provide an attacker with persistent, undetected wireless access to the corporate LAN — bypassing firewalls, VPNs, and every other perimeter control.
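The inventory comparison described above (detected access points against the list of managed devices, OUI checks for consumer hardware, and an unknown BSSID advertising a corporate SSID) can be automated on the defender's side. The script below is an added example and not Hedgehog Security's tooling; the inventory, OUI prefixes, SSIDs and scan rows are constructed placeholders, and a real run would feed in airodump-ng or Kismet output carrying the same five fields.

```python
"""Flag unknown, consumer-grade and impersonating access points in a wireless scan.

Added example, not Hedgehog Security's or any vendor's WIDS code. The inventory,
OUI prefixes, SSIDs and scan rows are constructed placeholders.
"""
from collections import namedtuple

ScanRow = namedtuple("ScanRow", "bssid ssid channel security signal_dbm")

# Constructed inventory: BSSIDs of the managed APs, and the security each
# corporate SSID is expected to advertise.
AUTHORISED_BSSIDS = {"AA:BB:CC:10:00:01", "AA:BB:CC:10:00:02", "AA:BB:CC:10:00:03"}
CORPORATE_SSIDS = {"CorpWiFi": "WPA2-EAP", "Corp-Guest": "OPEN"}
# Constructed OUI prefixes (first three octets) standing in for consumer-grade
# vendors that have no business on the corporate LAN.
CONSUMER_OUIS = {"DE:AD:BE", "C0:FF:EE"}

# Constructed scan, one row per BSSID seen.
SCAN = [
    ScanRow("AA:BB:CC:10:00:01", "CorpWiFi", 36, "WPA2-EAP", -48),
    ScanRow("AA:BB:CC:10:00:02", "Corp-Guest", 36, "OPEN", -50),
    ScanRow("DE:AD:BE:EF:00:01", "CorpWiFi", 6, "WPA2-EAP", -35),         # unknown BSSID, corporate SSID
    ScanRow("C0:FF:EE:12:34:56", "Office-Extender", 11, "WPA2-PSK", -62),  # consumer OUI
    ScanRow("AA:BB:CC:10:00:03", "CorpWiFi", 44, "WPA2-PSK", -55),         # managed AP, wrong security
    ScanRow("11:22:33:44:55:66", "NeighbourNet", 1, "WPA2-PSK", -80),      # unrelated neighbour
]


def oui(bssid):
    """First three octets of a MAC address, normalised to upper case."""
    return bssid.upper()[:8]


def classify(row):
    """Return [(severity, reason), ...] for one scan row; empty means nothing flagged."""
    findings = []
    authorised = row.bssid.upper() in AUTHORISED_BSSIDS
    if row.ssid in CORPORATE_SSIDS:
        expected = CORPORATE_SSIDS[row.ssid]
        if not authorised:
            findings.append(("high", f"unknown BSSID {row.bssid} advertising corporate SSID "
                                     f"{row.ssid!r}: possible evil twin"))
        if row.security != expected:
            findings.append(("high", f"{row.ssid!r} on {row.bssid} advertises {row.security}, "
                                     f"inventory expects {expected}"))
    elif not authorised and oui(row.bssid) in CONSUMER_OUIS:
        findings.append(("medium", f"consumer-grade OUI {oui(row.bssid)} ({row.ssid!r}) at "
                                   f"{row.signal_dbm} dBm: confirm it is not wired into the LAN"))
    return findings


def audit_scan(rows):
    """Return {bssid: findings} for every row with at least one finding."""
    report = {}
    for row in rows:
        findings = classify(row)
        if findings:
            report[row.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit_scan(SCAN).items():
        for severity, reason in findings:
            print(f"[{severity}] {bssid}: {reason}")
```

A consumer OUI near a strong signal is only a lead: confirming whether the device is actually bridged into the wired LAN still needs a switch-port or NAC lookup, which is why the finding is rated medium rather than high.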

Attacking the devices rather than the network.

Wireless attacks do not only target the access point infrastructure. Client devices — laptops, phones, tablets — present their own attack surface, particularly through the behaviour of their wireless supplicant (the software that manages Wi-Fi connections).

Probe Request Analysis
When a wireless device is not connected to a network, it broadcasts probe requests — frames that ask 'Is [network name] available?' for every network the device has previously connected to. These probe requests reveal the preferred network list (PNL) of the device — every network it has connected to in the past. From a car park, we can capture probe requests from devices inside the building and learn which SSIDs employees' devices are searching for. This intelligence enables targeted attacks: if we see devices probing for 'Marriott_WIFI' or 'Starbucks', we can create an access point with that SSID, and devices configured to auto-connect will join our network automatically — without user interaction.
Karma and MANA Attacks
Karma attacks exploit probe request behaviour at scale. A rogue access point running Karma-enabled firmware responds to every probe request it sees — regardless of what SSID is being requested — claiming to be that network. If a device probes for 'CorpWiFi', the Karma AP responds as 'CorpWiFi'. If another device probes for 'HomeNetwork', it responds as 'HomeNetwork'. MANA (the modern evolution of Karma) extends this with targeted approaches and can handle WPA2 networks. Once a client associates with the Karma/MANA access point, all its traffic flows through the attacker — enabling traffic interception, credential harvesting, DNS manipulation, and man-in-the-middle attacks against web traffic.
Deauthentication Attacks
The IEEE 802.11 standard includes management frames — including deauthentication frames — that are not authenticated or encrypted in WPA2 unless Protected Management Frames (802.11w) are enabled; PMF is optional in WPA2 and mandatory in WPA3. An attacker can send spoofed deauthentication frames that appear to come from the legitimate access point, forcing client devices to disconnect. This serves multiple purposes during testing: it forces clients to reconnect, generating handshakes for capture; it pushes clients towards an evil twin access point that may have a stronger signal; and it disrupts wireless service to demonstrate denial-of-service capability. The effectiveness of deauthentication attacks against the target environment is a testable finding — if WPA3 or PMF (802.11w) is deployed, these attacks are mitigated.
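Because spoofed deauthentication frames carry the access point's own address, the detection signal is volume rather than origin: a legitimate AP deauthenticates individual clients occasionally, a flood sends dozens of frames in seconds, frequently to the broadcast address. The following added example (not Hedgehog Security's or any WIDS vendor's code) applies a sliding-window count to a stream of management-frame records; the capture is constructed, and a real feed would be a monitor-mode capture exported from Wireshark or Kismet with the same five fields.

```python
"""Detect deauthentication/disassociation floods in a stream of 802.11 frame records.

Added example, not Hedgehog Security's or any WIDS vendor's code. The frame
records below are constructed.
"""
from collections import defaultdict, deque, namedtuple

Frame = namedtuple("Frame", "ts subtype src dst bssid")

# 802.11 management frame subtype values.
BEACON, DISASSOC, DEAUTH = 8, 10, 12
BROADCAST = "FF:FF:FF:FF:FF:FF"


def detect_floods(frames, window_s=5.0, threshold=10):
    """Return one alert per `threshold` deauth/disassoc frames seen from a single
    source address within a sliding `window_s` window. Frames must be in time order.
    """
    recent = defaultdict(deque)   # src -> (timestamp, was_broadcast) of recent frames
    alerts = []
    for f in frames:
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        window = recent[f.src]
        window.append((f.ts, f.dst == BROADCAST))
        while window and f.ts - window[0][0] > window_s:
            window.popleft()              # drop frames older than the window
        if len(window) >= threshold:
            alerts.append({
                "src": f.src,
                "bssid": f.bssid,
                "first_ts": window[0][0],
                "last_ts": f.ts,
                "count": len(window),
                "broadcast": any(b for _, b in window),
            })
            window.clear()                # restart the count so a sustained flood re-alerts
    return alerts


# Constructed capture: periodic beacons, two routine single-client
# deauthentications, then 25 broadcast deauths in two seconds carrying the AP's address.
AP = "AA:BB:CC:10:00:01"
FRAMES = sorted(
    [Frame(float(t), BEACON, AP, BROADCAST, AP) for t in range(0, 60, 10)]
    + [Frame(0.5, DEAUTH, AP, "11:22:33:44:55:01", AP),
       Frame(20.5, DEAUTH, AP, "11:22:33:44:55:02", AP)]
    + [Frame(100.0 + 0.08 * i, DEAUTH, AP, BROADCAST, AP) for i in range(25)],
    key=lambda f: f.ts,
)

if __name__ == "__main__":
    for alert in detect_floods(FRAMES):
        print(f"{alert['src']} sent {alert['count']} deauth/disassoc frames between "
              f"{alert['first_ts']:.2f}s and {alert['last_ts']:.2f}s "
              f"(broadcast={alert['broadcast']})")
```

The two routine deauthentications never trip the threshold, while the burst raises two alerts (ten frames each, with five left in the window). A WIPS performing rogue containment produces the same pattern, so an alert should be correlated with the controller's own containment log before it is treated as hostile.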
Captive Portal Evasion and Guest Network Escape
Guest networks protected by captive portals are intended to provide internet access while isolating guests from corporate resources. We test this isolation by attempting to bypass the captive portal (MAC address spoofing of an already-authenticated client, DNS tunnelling, ICMP tunnelling, exploiting pre-authentication access to DNS or DHCP), and by testing whether the guest network VLAN is properly segmented from the corporate network. Common findings include guest VLANs that can reach internal servers, captive portals that can be bypassed through DNS manipulation, and guest networks that share a subnet or routing path with corporate resources.

The question that matters most — what can you reach from the wireless?

Compromising a wireless network is only the first step. The business impact depends entirely on what the attacker can reach once connected. A wireless network that provides internet access but no route to internal resources represents a minimal risk even if compromised. A wireless network that provides direct access to the corporate LAN, Active Directory, file servers, and applications containing sensitive data represents a critical risk.

Network segmentation testing is therefore the most important phase of any wireless penetration test. Once connected to each wireless network (corporate, guest, IoT, BYOD), we systematically test what can be reached:

VLAN Isolation
What we assess: Whether the wireless VLAN is properly isolated from the corporate LAN, server VLANs, management VLANs, and other network segments. We test for VLAN hopping, inter-VLAN routing that should not exist, and firewall rules that permit traffic between wireless and restricted segments.
Common findings: Guest wireless VLANs with routes to internal servers. Corporate wireless on the same VLAN as the wired LAN (no segmentation at all). Firewall rules that permit wireless-to-server traffic for 'convenience' that was never revoked.

Service Accessibility
What we assess: Which services are accessible from the wireless network — Active Directory domain controllers, DNS servers, DHCP, file shares, printers, web applications, database servers, management interfaces, and cloud service endpoints.
Common findings: Domain controllers reachable from the guest network. Printer management interfaces accessible from any wireless client. Internal web applications with no additional authentication beyond network access.

Client Isolation
What we assess: Whether wireless clients can communicate with each other directly (peer-to-peer) or whether client isolation is enforced at the access point. Direct client communication enables ARP spoofing, traffic interception, and lateral movement between wireless devices.
Common findings: Client isolation disabled on the corporate SSID, allowing any wireless client to intercept traffic from other wireless clients on the same network.

Internet Breakout
What we assess: How wireless traffic reaches the internet — whether it traverses the corporate firewall (providing visibility to security monitoring), breaks out directly at the site (potentially bypassing security controls), or is tunnelled to a centralised internet gateway.
Common findings: Guest network internet traffic that bypasses the corporate web proxy and its content filtering, logging, and malware scanning.

DNS and DHCP Intelligence
What we assess: What information the DHCP and DNS services reveal about the internal network — domain names, server names, internal IP ranges, and service locations that inform further attack steps.
Common findings: DHCP on the guest network that assigns addresses in the same range as the corporate LAN. DNS that resolves internal hostnames from the wireless network, revealing the internal server infrastructure.
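The service-accessibility check above reduces to a simple question per SSID: which internal services answer, and are they on the allow-list for that network? The script below is an added example, not Hedgehog Security's methodology code. Hosts, ports, SSIDs and the policy are constructed placeholders; it is meant to be run from a client attached to the SSID under test, with authorisation, and the prober is injectable so the policy logic can also be exercised offline against recorded results.

```python
"""Verify wireless-VLAN segmentation against an explicit allow-list.

Added example, not Hedgehog Security's methodology code. Hosts, ports, SSIDs
and the policy are constructed placeholders.
"""
import socket

# Constructed policy: the only internal (host, port) pairs each SSID may reach.
# A guest SSID gets an empty set, meaning internet only.
POLICY = {
    "Corp-Guest": set(),
    "CorpWiFi": {("10.0.20.10", 443), ("10.0.20.11", 445)},
}

# Constructed list of internal services to probe from the wireless client.
INTERNAL_SERVICES = [
    ("10.0.10.5", 389, "domain controller LDAP"),
    ("10.0.10.5", 445, "domain controller SMB"),
    ("10.0.20.10", 443, "intranet web application"),
    ("10.0.20.11", 445, "file server SMB"),
    ("10.0.99.1", 22, "switch management SSH"),
    ("10.0.30.20", 9100, "printer raw print port"),
]


def tcp_probe(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes; refused or filtered is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(ssid, prober=tcp_probe, services=INTERNAL_SERVICES, policy=POLICY):
    """Return the services reachable from `ssid` that the policy does not allow."""
    allowed = policy.get(ssid, set())
    violations = []
    for host, port, label in services:
        if prober(host, port) and (host, port) not in allowed:
            violations.append({"ssid": ssid, "host": host, "port": port, "service": label})
    return violations


# Constructed result of an earlier guest-network run, standing in for live probes.
RECORDED_GUEST_REACHABLE = {("10.0.10.5", 445), ("10.0.30.20", 9100)}


def recorded_prober(host, port):
    """Offline stand-in for tcp_probe that replays the recorded result."""
    return (host, port) in RECORDED_GUEST_REACHABLE


if __name__ == "__main__":
    for v in assess("Corp-Guest", prober=recorded_prober):
        print(f"VIOLATION: {v['ssid']} can reach {v['host']}:{v['port']} ({v['service']})")
```

Keeping the policy as data makes the check repeatable after every firewall or VLAN change: the same file is re-run from each SSID and any new entry in the output is a regression in segmentation.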

Tools of the trade for wireless assessment.

Wireless penetration testing requires specialist hardware and software beyond what is used in standard network or application testing. The following represents the core toolkit used during wireless engagements.

Alfa AWUS036ACH / AWUS036ACSM
Purpose: External USB wireless adapters with chipsets that support monitor mode and packet injection — essential capabilities that most built-in laptop Wi-Fi adapters do not provide.
Role in assessment: The foundation of wireless testing. Without an adapter that supports monitor mode, passive reconnaissance and most active attacks are not possible.

Aircrack-ng Suite
Purpose: A comprehensive suite of tools for wireless auditing: airmon-ng (monitor mode), airodump-ng (packet capture), aireplay-ng (deauthentication and injection), and aircrack-ng (WPA handshake cracking).
Role in assessment: The core toolset for wireless reconnaissance, handshake capture, and WPA-PSK cracking. Used in virtually every wireless engagement.

Hashcat
Purpose: GPU-accelerated password cracking tool supporting WPA2-PSK handshakes, PMKID hashes, MSCHAPv2 challenge-response hashes, and many other hash types.
Role in assessment: Offline cracking of captured WPA2-PSK handshakes and enterprise credentials. GPU acceleration provides orders-of-magnitude performance improvement over CPU-based cracking.

hostapd-wpe / EAPHammer
Purpose: Modified hostapd (host access point daemon) configured to act as a rogue access point with a rogue RADIUS server for capturing WPA2-Enterprise credentials during evil twin attacks.
Role in assessment: The primary tool for evil twin attacks against WPA2-Enterprise networks. Captures MSCHAPv2 challenge-response hashes from clients that do not properly validate the RADIUS server certificate.

Kismet
Purpose: Wireless network detector, sniffer, and intrusion detection system. Provides comprehensive passive monitoring of the wireless environment across multiple channels simultaneously.
Role in assessment: Used for continuous passive monitoring during the reconnaissance phase and for detecting wireless anomalies throughout the engagement.

hcxdumptool / hcxtools
Purpose: Specialist tools for capturing PMKID hashes from WPA2-PSK access points without requiring a connected client or deauthentication attacks.
Role in assessment: Enables the PMKID harvesting attack — a stealthier alternative to traditional handshake capture that works even when no clients are connected.

Wireshark
Purpose: Network protocol analyser for detailed inspection of captured wireless frames — 802.11 management frames, EAP exchanges, authentication handshakes, and associated traffic.
Role in assessment: Used for deep analysis of captured traffic, troubleshooting attack techniques, and documenting evidence of successful exploitation.

Securing corporate wireless — practical recommendations.

The findings from wireless penetration testing translate directly into actionable security improvements. The following recommendations represent the controls that, based on our engagement experience, have the greatest impact on reducing wireless security risk.

Deploy WPA2/WPA3-Enterprise with Enforced Certificate Validation
Use 802.1X authentication for all corporate wireless networks. Configure client devices — via Group Policy for Windows, MDM profiles for macOS/iOS/Android — to validate the RADIUS server certificate: pin the trusted CA, specify the expected server name, and disable the user's ability to accept untrusted certificates. This single configuration change defeats the evil twin attack by ensuring client devices will refuse to authenticate against a rogue RADIUS server presenting an untrusted certificate. Where possible, deploy EAP-TLS (mutual certificate authentication) instead of PEAP-MSCHAPv2 to eliminate the credential exposure entirely.
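Whether a supplicant profile really pins the CA and names the server is something that can be checked mechanically, both when auditing sample devices (the Certificate Validation Testing step above) and when rolling out the hardened configuration recommended here. The script below is an added example, not Hedgehog Security's tooling; it audits wpa_supplicant network blocks, and the SSIDs, identities, password and certificate paths in the sample configuration are placeholders. The keys it inspects (`ca_cert`, `domain_match`, `domain_suffix_match`, `subject_match`, `phase2`, `ieee80211w`) are real wpa_supplicant options; on Windows the equivalent checks would be made against the Group Policy wireless profile.

```python
"""Audit wpa_supplicant network blocks for weak 802.1X server-certificate validation.

Added example, not Hedgehog Security's tooling. The sample configuration is
constructed: SSIDs, identities, the password and certificate paths are placeholders.
"""
import re

# Constructed sample: the first profile has every weakness the article lists,
# the second shows a hardened EAP-TLS profile.
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/alice.pem"
    private_key="/etc/ssl/private/alice.key"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)
SERVER_NAME_KEYS = {"domain_match", "domain_suffix_match", "subject_match"}


def parse_networks(text):
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(text)]


def audit_network(net):
    """Return findings for one block; an empty list means nothing was flagged."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK or open profile: the 802.1X checks do not apply
    if "ca_cert" not in net:
        findings.append("ca_cert not set: a certificate from any CA, including an "
                        "attacker-generated one, is accepted")
    if not SERVER_NAME_KEYS & set(net):
        findings.append("no domain_match/domain_suffix_match: any certificate issued by "
                        "the trusted CA is accepted")
    if net.get("eap", "").upper() == "PEAP" and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append("PEAP-MSCHAPv2 in use: credential hashes are exposed if server "
                        "validation fails; prefer EAP-TLS")
    if net.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: PMF not required, so deauthentication "
                        "frames are unprotected")
    return findings


def audit_config(text):
    """Audit every block; returns {block_index: [findings]} for blocks with issues."""
    report = {}
    for index, net in enumerate(parse_networks(text)):
        issues = audit_network(net)
        if issues:
            report[index] = issues
    return report


if __name__ == "__main__":
    for index, issues in audit_config(SAMPLE_CONFIG).items():
        print(f"network block {index}:")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample, only the first block is reported, with all four findings; the EAP-TLS block passes. The same four questions (CA pinned, server name constrained, credential-bearing EAP method, PMF required) are the ones to put to an MDM profile or Group Policy export.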
If PSK Is Required, Make It Strong and Rotate It
Where WPA2/WPA3-Personal is necessary (guest networks, IoT devices that do not support Enterprise), use a randomly generated passphrase of at least 20 characters. Rotate the PSK regularly — and whenever an employee who knows it leaves the organisation. Consider deploying WPA3-SAE where devices support it, as SAE eliminates the offline dictionary attack that makes weak PSKs so dangerous. For guest access, use unique per-session or per-device credentials issued through a captive portal rather than a shared PSK.
Enable Protected Management Frames (802.11w / PMF)
Protected Management Frames prevent spoofed deauthentication and disassociation attacks by cryptographically authenticating management frames. PMF is mandatory in WPA3 and optional (but recommended) in WPA2. Enable PMF on all SSIDs where client device compatibility allows. This prevents attackers from forcibly disconnecting clients — a prerequisite for many wireless attacks including handshake capture and evil twin client steering.
Segment Wireless Networks from Critical Resources
Place each wireless SSID on its own VLAN with firewall rules that restrict access to only the resources that wireless users legitimately need. Guest wireless should have no route to internal resources — only internet access. Corporate wireless should be treated as a less-trusted network than the wired LAN, with access to sensitive systems controlled by firewall policy. IoT and BYOD devices should be on separate, restricted VLANs. Test this segmentation regularly — it is one of the most frequently misconfigured aspects of wireless deployment.
Deploy Wireless Intrusion Detection / Prevention
Enterprise wireless controllers from major vendors (Cisco, Aruba, Meraki, Juniper Mist) include wireless intrusion detection and prevention (WIDS/WIPS) capabilities that can detect rogue access points, evil twin attacks, deauthentication floods, and other wireless attacks. Enable these features and ensure they are monitored. Configure alerts for rogue access point detection, unusual client behaviour, and spoofed management frames. A WIDS that detects our evil twin attack during a penetration test is a positive finding — it means the organisation has visibility into wireless threats.
Implement 802.1X on Wired Ports
Rogue access points are most effective when they can be connected to an unprotected wired network port. Deploying 802.1X port authentication on wired switch ports (NAC — Network Access Control) ensures that only authorised devices can connect to the network — whether the device is a laptop, a printer, or a rogue access point plugged in under a desk. Combined with MAC Authentication Bypass (MAB) for devices that do not support 802.1X supplicants, wired NAC eliminates the rogue access point threat at its source.
Manage Your Signal Footprint
While you cannot prevent all wireless signal from leaking beyond your premises, you can reduce unnecessary exposure. Adjust access point transmit power to provide adequate indoor coverage without excessive outdoor leakage. Position access points away from external walls where practical. Use directional antennas where appropriate to focus coverage inward. Conduct periodic wireless surveys to understand where your signal reaches — and compare that coverage to your threat model. If your corporate Wi-Fi is detectable and usable from the public car park across the street, you have a larger attack surface than necessary.
Test Regularly
Wireless environments change — access points are added, configurations drift, new SSIDs appear, and client devices accumulate networks in their preferred network lists. Annual wireless penetration testing validates that security controls remain effective, that segmentation has not been broken by operational changes, that new access points have been configured to the same security standard as existing ones, and that the organisation's ability to detect wireless attacks has not degraded. Wireless testing should be included in the scope of any comprehensive penetration testing programme.

The bottom line.

Corporate wireless networks extend the organisation's attack surface beyond its physical perimeter and into space it does not control. An attacker positioned within radio range — in a car park, a neighbouring building, or the street — can discover wireless networks, capture authentication material, deploy rogue access points, and, if the wireless infrastructure is poorly configured, gain access to the corporate network without entering the building or triggering a single physical security control.

Wi-Fi penetration testing assesses this risk using the same techniques a real attacker would employ — passive reconnaissance, handshake and PMKID capture, evil twin deployment against WPA2-Enterprise, rogue access point testing, client-side attacks, and post-association segmentation testing. The findings reveal not just whether the wireless network can be compromised, but what an attacker can reach once they are connected — which is ultimately the measure of risk that matters.

The most impactful defences are well understood and achievable: WPA2/WPA3-Enterprise with enforced certificate validation defeats the evil twin attack that is the single most effective technique against corporate wireless. Strong segmentation limits what an attacker can reach even if they compromise the wireless. Protected Management Frames prevent deauthentication attacks. Wireless intrusion detection provides visibility into threats that ground-based physical security cannot see. And wired 802.1X prevents rogue access points from bridging the gap between the wireless threat and the wired network. The wireless network is an extension of your corporate network — and it deserves the same rigour, the same testing, and the same investment in security as any other component of your infrastructure.

What could an attacker reach from your car park?

Our wireless penetration testing assesses your corporate Wi-Fi from the attacker's perspective — testing authentication, segmentation, detection, and the full attack chain from the pavement to the domain controller.