Banking security: WiFi pen testing
The client is an international bank with total assets of USD 500 million. The bank offers a full range of banking services for private and corporate clients.
Our team was tasked with conducting a wireless network penetration test for an international financial institution that needed to verify the design and implementation of the network.
# CLIENT REQUIREMENTS
Our team received the task: to conduct a wireless network penetration test for an international financial institution that needed to verify the design and implementation of the network.
# WHAT WE DID
# THE "EVIL TWIN ATTACK" PROCESS
The client had carefully designed the network to provide separate access for employees and guests. The guest network was found to be physically separated from the company's global network. However, the employees' wireless clients were configured with flaws that made our attack on the network fully successful.
WiFi penetration test algorithm:
- We installed an Evil Twin PoC wireless access point on the customer's premises: a fake access point with a web-based authorization page (a Captive Portal) whose identifier resembled that of a legitimate access point.
- To speed up reconnaissance, we forced the legitimate access point offline with a jammer, so that devices already connected to the target network had to reconnect.
- Clients reconnected to the fake access point automatically, because it looked like a legitimate one.
- On reconnecting, the clients performed the 4-way handshake that authenticates devices on the network. We intercepted these handshakes in order to recover the network password with brute-force or dictionary attacks.
- Recovering the password was the last step and allowed us to log into the network.
WIFI hacking scenario:
- Here, the scenario is to create a fake access point with a fake portal, DoS attack the legitimate access point, and use the fake access point to steal login credentials to a corporate WPA network.
By executing an Evil Twin attack, we were quickly able to penetrate the network through the corporate WiFi. Since the wireless network used RADIUS authentication with AD credentials, a successful handshake interception was enough to gain initial access to the network and an account in the office domain. Because the customer did not use any wireless scanning tools, the Evil Twin AP remained undetected for an extended period of time.
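The remark above that no wireless scanning tools were in use is the detection gap an Evil Twin relies on. The following Python script is an added example (not part of the original engagement or its tooling) of the kind of check such a tool performs: it compares scan results against an inventory of authorized access points and flags anything that advertises the corporate SSID, or a look-alike of it, from an unknown BSSID or with a weaker authentication type than the network's 802.1X/RADIUS setup. The SSID, BSSIDs and scan entries are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed inventory (placeholder SSID/BSSIDs, not values from this engagement).
CORP_SSID = "BANK-CORP"
AUTHORIZED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
EXPECTED_AUTH = "WPA2-EAP"  # 802.1X against RADIUS, as the client's network used


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    auth: str  # "WPA2-EAP", "WPA2-PSK" or "OPEN" (e.g. a captive portal)
    channel: int


def normalize(ssid: str) -> str:
    """Collapse case and whitespace so look-alike SSIDs are compared with the real one."""
    return "".join(ssid.split()).lower()


def find_rogue_aps(scan: list[ScanEntry]) -> list[tuple[ScanEntry, list[str]]]:
    """Return every AP that claims the corporate SSID but is not a known-good one,
    together with the reasons it was flagged. Unrelated SSIDs are ignored."""
    findings = []
    for entry in scan:
        if normalize(entry.ssid) != normalize(CORP_SSID):
            continue
        reasons = []
        if entry.ssid != CORP_SSID:
            reasons.append("look-alike SSID")
        if entry.bssid.lower() not in AUTHORIZED_BSSIDS:
            reasons.append("unknown BSSID")
        if entry.auth != EXPECTED_AUTH:
            reasons.append(f"auth {entry.auth} instead of {EXPECTED_AUTH}")
        if reasons:
            findings.append((entry, reasons))
    return findings


# Constructed scan results: one legitimate AP, an open evil twin with a captive
# portal, a look-alike SSID, a cloned BSSID with downgraded auth, and the guest net.
SAMPLE_SCAN = [
    ScanEntry("BANK-CORP", "aa:bb:cc:00:00:01", "WPA2-EAP", 36),
    ScanEntry("BANK-CORP", "de:ad:be:ef:00:01", "OPEN", 6),
    ScanEntry("Bank-Corp ", "de:ad:be:ef:00:02", "WPA2-EAP", 11),
    ScanEntry("BANK-CORP", "AA:BB:CC:00:00:02", "WPA2-PSK", 40),
    ScanEntry("BANK-GUEST", "aa:bb:cc:00:00:10", "OPEN", 1),
]

if __name__ == "__main__":
    for entry, reasons in find_rogue_aps(SAMPLE_SCAN):
        print(f"{entry.bssid} ch{entry.channel} '{entry.ssid}': {', '.join(reasons)}")
```

In practice the scan list would be fed from a wireless IDS sensor or periodic site survey, and the authorized inventory maintained alongside the controller's AP list.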
After demonstrating the system's weaknesses and the corresponding privacy risks, we recommended reconfiguring the wireless clients' encryption and authentication settings so that they reject any access point that does not present the proper SSID and authentication settings, and helped implement the security remediation measures.