TL;DR: Corporate wireless networks remain one of the most reliable initial access vectors in penetration testing engagements. PMKID attacks capture crackable hashes without needing a connected client. Evil twin attacks harvest enterprise credentials from employees who auto-connect to familiar SSIDs. EAP downgrade attacks strip TLS protections from WPA2-Enterprise. And network segmentation failures routinely give wireless access to production VLANs. WPA3 helps but does not solve the problem, especially in transition-mode deployments.
The Wireless Attack Surface: What Pentesters Target
| Attack Type | Target | Client Required | Impact |
|---|---|---|---|
| PMKID Capture | WPA2-PSK networks | No | Offline PSK cracking, full network access |
| Evil Twin | Any SSID (PSK or Enterprise) | Yes (victim connects) | Credential harvest, traffic interception |
| Deauthentication | Connected clients | Yes | Force reconnection to evil twin or capture handshake |
| EAP Downgrade | WPA2-Enterprise | Yes (victim connects) | Capture plaintext or NTLMv2 credentials |
| Rogue AP Detection Bypass | WIDS/WIPS systems | No | Persistent unauthorized access point |
| WPA3 Downgrade | Transition-mode networks | Yes | Force WPA2 connection, then apply WPA2 attacks |
| Segmentation Testing | Guest/corporate VLANs | No (post-connection) | Lateral movement to production networks |
PMKID Attacks: No Handshake Needed
Before PMKID attacks were discovered in 2018, cracking WPA2-PSK required capturing a full four-way handshake between an access point and a client. This meant either waiting for a client to connect or sending deauthentication frames to force a reconnection - both of which introduced timing dependencies and detection risk. The PMKID technique changed the economics of wireless attacks entirely.
The attack works by sending an association request directly to the access point. In the first EAPOL frame of the handshake, the AP includes a PMKID value - a hash derived from the PMK (which is itself derived from the PSK), the AP's MAC address, and the client's MAC address. The attacker captures this single frame, abandons the handshake, and takes the PMKID offline, where candidate passphrases from a wordlist or rule-based attack can be tested against it without any further contact with the network.
Why it matters for corporate environments: Many organizations use WPA2-PSK for guest networks, IoT device networks, or conference room access points. The PSK is often a simple, human-readable passphrase that was set once and never rotated. PMKID capture requires no connected clients and no deauthentication frames - making it invisible to wireless intrusion detection systems that monitor for deauth floods.
Defending Against PMKID
Use WPA3-SAE wherever possible, which replaces the PSK handshake with a password-authenticated key exchange (Simultaneous Authentication of Equals) that gives an eavesdropper nothing to crack offline. Where WPA2-PSK must be used, enforce passphrases of 20 or more random characters and rotate them on a defined schedule. Better yet, migrate all corporate networks to WPA2-Enterprise with certificate-based EAP-TLS authentication, which eliminates shared secrets entirely.
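To make the cost model behind the PMKID section and the passphrase recommendation concrete, here is an added Python example (not code from the original post or from Lorikeet Security) that implements the WPA2-PSK PMK and PMKID derivation from IEEE 802.11-2016 and a passphrase policy check. The SSID, MAC addresses and passphrases are constructed placeholders; the point is that once a PMKID is captured, testing a guess costs one PBKDF2 computation and nothing else, so the keyspace of the passphrase is the only remaining defence.

```python
import hashlib
import hmac
import string

# Added example, not from the original post. Implements the WPA2-PSK PMK/PMKID
# derivation (IEEE 802.11-2016, 12.7.1.3) so a defender can see why a captured
# PMKID allows offline passphrase guessing, and what a 20+ character random
# passphrase does to the cost of that guessing.

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA) truncated to 128 bits.
    AA is the AP (authenticator) MAC, SPA the client (supplicant) MAC."""
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def pmkid_matches(candidate: str, ssid: str, ap_mac: str, sta_mac: str, pmkid: bytes) -> bool:
    """Offline check of one passphrase guess against a captured PMKID.
    This single PBKDF2 call is the entire per-guess cost; the AP is never contacted."""
    guess = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(guess, pmkid)


def keyspace(passphrase: str) -> float:
    """Size of the space an attacker must cover if the passphrase were drawn
    uniformly from the character classes it actually uses."""
    alphabet = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in passphrase))
    return float(alphabet) ** len(passphrase)


def meets_psk_policy(passphrase: str, min_length: int = 20) -> bool:
    """The fallback the post recommends where WPA2-PSK cannot be retired:
    20+ characters drawn from at least three character classes."""
    used = sum(1 for c in CHAR_CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) >= min_length and used >= 3


if __name__ == "__main__":
    # Constructed sample network; MACs and passphrases are placeholders.
    ssid, ap, sta = "CorpGuest", "02:00:00:aa:bb:cc", "02:00:00:11:22:33"
    weak = "welcome1"
    captured = derive_pmkid(derive_pmk(weak, ssid), ap, sta)  # what message 1 of the handshake leaks
    print("PMKID:", captured.hex())
    print("guess 'welcome1' matches:", pmkid_matches(weak, ssid, ap, sta, captured))
    print("keyspace for 'welcome1':", f"{keyspace(weak):.2e}")
    print("keyspace for a 20-char mixed passphrase:", f"{keyspace('Xk9!vQ2mZp7#rT4wLb8@'):.2e}")
    print("policy ok:", meets_psk_policy("Xk9!vQ2mZp7#rT4wLb8@"))
```

Run it as a script to see the derivation on the constructed network; the PBKDF2 step is deliberately the only expensive part, which is why a short dictionary-style passphrase falls in minutes while the 20-character policy pushes the keyspace beyond practical reach.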
Evil Twin Attacks on Enterprise Networks
The evil twin attack is conceptually simple: create a rogue access point broadcasting the same SSID as the target network, then wait for clients to connect. In practice, the attack is highly effective against corporate environments because of how operating systems handle wireless network selection. Devices remember SSIDs they have previously connected to and will auto-connect when the SSID is detected - choosing the access point with the strongest signal.
Against WPA2-Enterprise networks, the evil twin runs a rogue RADIUS server that accepts any credentials presented. When an employee's device auto-connects and attempts EAP authentication, the rogue server captures the authentication exchange. Depending on the EAP method in use, this yields either plaintext credentials (EAP-GTC, EAP-PAP) or NTLMv2 challenge-response hashes (MSCHAPv2 within PEAP or EAP-TTLS) that can be cracked offline.
The certificate validation problem: The defense against evil twin attacks on WPA2-Enterprise is server certificate validation - the client should verify that the RADIUS server presents a trusted certificate before submitting credentials. In practice, most organizations do not enforce certificate pinning on managed devices, and BYOD devices almost never validate certificates. Users clicking "Trust" on an untrusted certificate warning is the norm, not the exception.
Deauthentication as a Force Multiplier
Pentesters combine evil twin attacks with targeted deauthentication frames. By sending deauth packets spoofing the legitimate AP's MAC address, client devices are disconnected from the real network and forced to reassociate. If the evil twin has a stronger signal or responds faster, the client connects to the rogue AP. IEEE 802.11w (Management Frame Protection) mitigates deauthentication attacks, but requires both the AP and all clients to support it - and many legacy devices do not.
EAP Downgrade and Credential Harvesting
WPA2-Enterprise supports multiple EAP (Extensible Authentication Protocol) methods, and not all are equal. EAP-TLS uses mutual certificate authentication and is resistant to credential theft. PEAP and EAP-TTLS wrap an inner authentication method (typically MSCHAPv2) inside a TLS tunnel - but if the client does not validate the outer TLS certificate, the tunnel provides no protection against a rogue server.
The downgrade attack exploits this hierarchy. A rogue RADIUS server advertises support for the weakest EAP method the client will accept. If the client is configured for PEAP with MSCHAPv2 but does not enforce certificate validation, the rogue server captures the MSCHAPv2 challenge-response. This hash is crackable: MSCHAPv2 is based on DES, and tools like chapcrack can reduce the cracking effort to a single DES key search, which takes hours on commodity hardware.
Remediation: Deploy EAP-TLS with client certificates on all managed devices. For environments where EAP-TLS is not feasible, enforce RADIUS server certificate validation through MDM profiles on all corporate devices. Block EAP-GTC and EAP-PAP entirely - these transmit credentials in plaintext within the TLS tunnel.
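The certificate validation problem, the 802.11w caveat and the EAP remediation above all come down to a handful of client profile settings. The following added Python example (not code from the original post or from Lorikeet Security) audits wpa_supplicant-style network blocks for exactly those settings: a tunnelled EAP method with no `ca_cert`, a `ca_cert` with no `domain_match`/`subject_match` so any certificate from that CA is trusted, a PAP or GTC inner method, and a profile that does not require management frame protection (`ieee80211w=2`). The configuration text, identities and file paths are constructed placeholders.

```python
import re

# Added example, not from the original post. Audits wpa_supplicant-style
# network blocks for the weaknesses the post describes: WPA2-Enterprise
# profiles that do not validate the RADIUS server certificate, inner methods
# that carry the password in plaintext, and clients that do not require
# 802.11w so deauthentication frames are accepted unauthenticated.

PLAINTEXT_INNER = re.compile(r"\bAUTH(?:EAP)?=(?:PAP|GTC)\b", re.IGNORECASE)
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Minimal parser for network={ key=value ... } blocks (quotes stripped)."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: dict) -> list:
    """Return a list of human-readable issues for one network profile."""
    issues = []
    key_mgmt = net.get("key_mgmt", "").upper().split()
    eap = net.get("eap", "").upper()
    if any(k.startswith("WPA-EAP") for k in key_mgmt) and eap != "TLS":
        # Tunnelled methods (PEAP, TTLS) only protect the inner credential if the
        # client checks the outer certificate AND which server presented it.
        if "ca_cert" not in net:
            issues.append("no ca_cert: any RADIUS server certificate is accepted (evil twin captures credentials)")
        elif not any(k in net for k in NAME_CHECKS):
            issues.append("ca_cert without domain_match/subject_match: any certificate from that CA is trusted")
        if PLAINTEXT_INNER.search(net.get("phase2", "")):
            issues.append("inner method PAP/GTC: password travels in plaintext inside the tunnel")
    if net.get("ieee80211w") != "2":
        issues.append("ieee80211w not set to 2: deauthentication frames are not authenticated")
    return issues


def audit_config(conf: str) -> dict:
    """Map each SSID to the list of issues found in its profile."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample configuration: one weak TTLS/PAP profile, one hardened
# PEAP profile, and an EAP-TLS profile. Paths and identities are placeholders.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi-Weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    phase2="auth=PAP"
}
network={
    ssid="CorpWiFi-PEAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
    ieee80211w=2
}
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/jdoe.pem"
    private_key="/etc/ssl/private/jdoe.key"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""

if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", issues or ["ok"])
```

The weak profile trips three checks (no CA, plaintext inner method, no 802.11w); the hardened PEAP and EAP-TLS profiles pass. The same four questions apply to MDM profiles on managed devices, which is where the post's remediation says they must be enforced.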
Rogue AP Detection and WIDS Evasion
Enterprise wireless deployments typically include a Wireless Intrusion Detection System (WIDS) or Wireless Intrusion Prevention System (WIPS) that monitors the RF environment for unauthorized access points. During penetration testing, evading these systems is part of the assessment - if the WIDS fails to detect a rogue AP, that is itself a finding.
Common evasion techniques include operating on a channel not monitored by the WIDS sensors, using directional antennas to limit the rogue AP's signal footprint, spoofing the BSSID of a legitimate AP to blend into the authorized AP list, and operating at low power to avoid threshold-based detection. More sophisticated approaches use 5GHz bands when the WIDS primarily monitors 2.4GHz, or exploit gaps in sensor coverage in areas like parking lots, stairwells, and building perimeters.
What we report: The finding is not just "we deployed a rogue AP" - it is the specific gap in the WIDS coverage or detection logic that allowed it. Actionable remediation includes sensor placement adjustments, enabling rogue AP containment features, and configuring alerts for new BSSIDs that are not in the authorized AP inventory.
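The remediation above (alerting on BSSIDs that are not in the authorized inventory) is simple enough to show end to end. The following added Python example (not code from the original post or from Lorikeet Security) classifies constructed scan observations against a constructed inventory: a corporate SSID from an unknown BSSID is an evil twin, an authorized BSSID seen with a different SSID, channel or security mode is a BSSID spoof, and anything else is a neighbour. The optional RSSI floor reproduces the threshold-based detection gap from the evasion list, so you can see a low-power rogue drop out of the alerts when the floor is set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not from the original post. A small rogue-AP classifier of the
# kind the post's remediation describes: every observed BSSID is compared with
# an authorized AP inventory. A corporate SSID from an unknown BSSID is an evil
# twin; an authorized BSSID seen with the wrong SSID/channel/security is a
# BSSID spoof. The optional RSSI floor shows why threshold-based detection
# misses a low-power rogue.


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int        # dBm
    security: str    # "WPA2-EAP", "WPA2-PSK", "OPEN", ...


# Constructed inventory: bssid -> (ssid, channel, security). MACs are placeholders.
AUTHORIZED: Dict[str, Tuple[str, int, str]] = {
    "02:aa:00:00:00:01": ("CorpWiFi", 36, "WPA2-EAP"),
    "02:aa:00:00:00:02": ("CorpWiFi", 1, "WPA2-EAP"),
    "02:aa:00:00:00:03": ("CorpGuest", 6, "WPA2-PSK"),
}


def classify(obs: Observation, inventory: Dict[str, Tuple[str, int, str]]) -> str:
    corporate_ssids = {entry[0] for entry in inventory.values()}
    if obs.bssid in inventory:
        ssid, channel, security = inventory[obs.bssid]
        if (obs.ssid, obs.channel, obs.security) != (ssid, channel, security):
            return "bssid-spoof"      # our BSSID, but not where or how we run it
        return "authorized"
    if obs.ssid in corporate_ssids:
        return "evil-twin"            # our SSID from a BSSID we do not own
    return "neighbour"                # someone else's network; informational only


def alerts(scan: List[Observation], inventory: Dict[str, Tuple[str, int, str]],
           rssi_floor: Optional[int] = None) -> List[Tuple[str, Observation]]:
    """Return (verdict, observation) for every rogue in the scan.
    rssi_floor reproduces a common WIDS misconfiguration: frames weaker than the
    floor are ignored, which is exactly what a low-power rogue relies on."""
    out = []
    for obs in scan:
        if rssi_floor is not None and obs.rssi < rssi_floor:
            continue
        verdict = classify(obs, inventory)
        if verdict in ("bssid-spoof", "evil-twin"):
            out.append((verdict, obs))
    return out


# Constructed scan: one legitimate AP, one authorized BSSID on the wrong channel,
# one low-power evil twin, one unrelated neighbour network.
SAMPLE_SCAN = [
    Observation("02:aa:00:00:00:01", "CorpWiFi", 36, -55, "WPA2-EAP"),
    Observation("02:aa:00:00:00:02", "CorpWiFi", 11, -60, "WPA2-EAP"),
    Observation("02:bb:00:00:00:09", "CorpWiFi", 6, -82, "WPA2-EAP"),
    Observation("02:cc:00:00:00:10", "CoffeeShop", 6, -70, "OPEN"),
]

if __name__ == "__main__":
    for verdict, obs in alerts(SAMPLE_SCAN, AUTHORIZED):
        print(f"{verdict}: {obs.bssid} ssid={obs.ssid} ch={obs.channel} rssi={obs.rssi} dBm")
    print("with -75 dBm floor:", len(alerts(SAMPLE_SCAN, AUTHORIZED, rssi_floor=-75)), "alert(s)")
```

Without a floor the scan yields two alerts; with a floor of -75 dBm the evil twin at -82 dBm is silently dropped, which is the detection gap a report should name rather than just "we deployed a rogue AP".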
Network Segmentation Failures
Wireless penetration testing does not end when the tester obtains network access. A critical phase of the assessment is segmentation testing: verifying that wireless network segments are properly isolated from each other and from sensitive internal networks. The guest WiFi should not reach the corporate LAN. The IoT VLAN should not have routes to the database tier. Conference room networks should not have access to the management plane.
In practice, segmentation failures are among the most common and impactful findings in wireless assessments. We routinely find guest networks with routes to internal DNS servers that respond to zone transfer requests, IoT VLANs with full Layer 3 connectivity to the corporate network, and "isolated" wireless segments that share a flat network with servers containing sensitive data. These findings convert a guest WiFi password - often posted on a sign in the lobby - into a foothold on the internal network.
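Segmentation testing reduces to a policy matrix and a set of probes, which the following added Python example (not code from the original post or from Lorikeet Security) shows. A constructed policy states which wireless segment may reach which internal zone; constructed targets stand in for the corporate LAN, internal DNS, database tier and management plane; and every target that is reachable although policy forbids it becomes a finding. The probe is injectable so the logic can be exercised offline; the default performs a real TCP connect with a short timeout from whatever segment the script is run on.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Added example, not from the original post. Segmentation verification of the
# kind the post describes: from a given wireless segment, probe hosts in zones
# that policy says must be unreachable and report every connection that
# succeeds. The probe is injectable so the check runs offline in tests; the
# default does a real TCP connect with a short timeout.

# Constructed policy: which (source segment, destination zone) pairs may talk.
# Anything not listed is treated as forbidden.
POLICY: Dict[Tuple[str, str], bool] = {
    ("guest", "internet"): True,
    ("guest", "corp-lan"): False,
    ("guest", "dns-internal"): False,
    ("iot", "corp-lan"): False,
    ("iot", "db-tier"): False,
    ("conference", "mgmt"): False,
}

# Constructed targets: (zone, host, port). Addresses are placeholders.
TARGETS: List[Tuple[str, str, int]] = [
    ("corp-lan", "10.10.0.10", 445),
    ("dns-internal", "10.10.0.53", 53),
    ("db-tier", "10.20.0.5", 5432),
    ("mgmt", "10.0.0.1", 22),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes, i.e. the segment has a
    route to the host and the port answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(source: str, targets: List[Tuple[str, str, int]],
                        policy: Dict[Tuple[str, str], bool],
                        probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Return one finding per target that is reachable although policy forbids it."""
    findings = []
    for zone, host, port in targets:
        allowed = policy.get((source, zone), False)
        if not allowed and probe(host, port):
            findings.append(f"{source} -> {zone}: {host}:{port} reachable but policy requires isolation")
    return findings


if __name__ == "__main__":
    # Run from a client on the guest segment; with real probes, no output means isolation held.
    for finding in verify_segmentation("guest", TARGETS, POLICY):
        print(finding)
```

Each finding names the source segment, the zone and the exact host and port, which is the level of detail needed to turn "guest WiFi reaches internal DNS" into a firewall or VLAN change.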
For a comprehensive assessment of your wireless infrastructure - including evil twin testing, PMKID capture, EAP security validation, WIDS effectiveness, and segmentation verification - schedule a wireless penetration test with Lorikeet Security.
Assess Your Wireless Security Posture
Lorikeet Security performs on-site wireless penetration testing covering evil twin attacks, PMKID capture, EAP downgrade testing, rogue AP detection validation, and network segmentation analysis. Find the gaps before an attacker does.