Key Takeaways
- WPA2-PSK with a guessable passphrase is broken in practice. WPA3 raises the bar but is not a guarantee.
- WPA2-Enterprise (EAP-PEAP, EAP-TTLS, EAP-TLS) is the standard for corporate WiFi. Misconfigured certificate validation on clients is the single most-exploited weakness.
- Evil twin and rogue AP attacks remain the most reliable corporate WiFi compromise. A laptop running hostapd-wpe captures NetNTLMv2 hashes that crack offline.
- Captive portals have a long history of bypass techniques (DNS tunnelling, ICMP, MAC spoofing of an already-authenticated device). Most are still exploitable.
- Bluetooth and BLE testing is increasingly part of corporate wireless scope: building-access readers, conference-room peripherals, smart locks, asset trackers.
Why Corporate Wireless Pentest Still Matters
Indian enterprises run wireless at every site. Corporate WiFi for staff, guest WiFi for visitors, point-of-sale WiFi in retail, IoT WiFi for sensors and cameras, and increasingly BLE for building access, asset tracking and conference-room equipment. Each layer is a discrete network with its own threat model.
Wireless is uniquely exposed because the medium is physical airwaves and reaches well beyond the building perimeter. An attacker in the car park, a neighbouring office, or a vehicle in the loading bay is on the same RF surface as the staff. Physical security controls cannot keep the attacker out of range. Cryptographic controls have to do all the work.
Methodology Overview
Our wireless engagement runs across five layers: WiFi (2.4 GHz and 5 GHz, 802.11 a/b/g/n/ac/ax/be), Bluetooth Classic and Bluetooth Low Energy (BLE), Zigbee and Thread where in scope, RFID and NFC for building-access systems, and the wired side of the wireless infrastructure (controllers, RADIUS servers, captive portal hosts).
Each layer has its own toolset and threat model. The engagement runs over 1 to 2 weeks of on-site testing plus 1 week of offline cracking on captured handshakes, hashes and tokens. Reports map to ISO/IEC 27001:2022 Annex A network and access control objectives, PCI DSS 4.0 wireless requirements where applicable, and OWASP IoT relevant categories for BLE peripherals.
WPA2 and WPA3: Passphrases, Handshakes, KRACK and Dragonblood
WPA2 Personal (PSK) is broken in practice for any guessable passphrase. We capture the 4-way handshake using aircrack-ng or hcxdumptool, extract the hash, then crack offline with Hashcat (mode 22000). Indian corporate WiFi using staff-friendly passphrases ('CompanyName@2024', 'Welcome123', vendor names with a simple suffix) cracks in under an hour on a single GPU. The PMKID attack (hcxpcaptool, hashcat mode 22000) removes the need to capture a real handshake, which shortens the capture phase.
WPA3 introduces SAE (Simultaneous Authentication of Equals, Dragonfly handshake) which is resistant to offline brute force. However, the Dragonblood vulnerabilities (side-channel and downgrade attacks, 2019) and subsequent research show WPA3 transition mode (mixed WPA2 and WPA3) remains exploitable through downgrade. Pure WPA3 with no transition fallback is the target state.
KRACK (Key Reinstallation Attack, 2017) is patched in current driver stacks but still a useful test against legacy Android, IoT and embedded clients that may not have received the firmware update.
WPA2-Enterprise: EAP, RADIUS, and Client Cert Validation
Enterprise WiFi typically uses 802.1X with EAP-PEAP, EAP-TTLS, or EAP-TLS. The strongest of these is EAP-TLS (mutual certificate authentication). The weaker variants (PEAP, TTLS with MSCHAPv2 inside) carry usernames and challenge-response hashes that can be captured and cracked offline.
The dominant real-world weakness is client-side certificate validation. If the laptops, phones and IoT devices on the corporate WiFi are not configured to validate the RADIUS server's certificate (the issuing CA, the server name, or both), an attacker running hostapd-wpe with a forged server certificate can capture the NetNTLMv2 challenge-response from every device that connects. The hashes crack offline (Hashcat mode 5500). At an Indian client recently, this technique gave us domain credentials from 23 devices in 90 minutes.
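One way to check client profiles for this weakness before they reach an MDM, as an added example that is not code from the original article: it parses wpa_supplicant-style network blocks and flags 802.1X profiles that would accept any RADIUS certificate. The SSID, certificate path and hostname are constructed placeholders.

```python
import re

# Constructed wpa_supplicant-style profiles for one SSID: the first validates
# nothing about the RADIUS server, the second pins the CA and the server name.
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", text, re.S):
        kv = {}
        for line in block.strip().splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets

def audit_network(net):
    """Return findings for one 802.1X profile; empty means CA and name are pinned."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK and open networks are outside this check
    if not any(k in net for k in CA_KEYS):
        findings.append("no ca_cert/ca_path: any RADIUS certificate is accepted")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no server name match: any cert from a trusted CA is accepted")
    if findings and net.get("eap") in ("PEAP", "TTLS"):
        findings.append("inner " + net.get("phase2", "tunnel") + " exposed to a spoofed server")
    return findings
```

Both the CA and the server name must be pinned; a profile that trusts a public CA without a name match still accepts any certificate that CA has issued.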
Evil Twin and Rogue Access Point
An evil twin is a malicious access point broadcasting the same SSID as the legitimate corporate WiFi. Clients with auto-connect enabled prefer the higher-signal-strength AP, which is easy to arrange by sitting closer to the target than the legitimate AP, optionally combined with a deauthentication attack to evict the client from the real AP.
Once the client connects to the evil twin, the attacker is the man in the middle. For open WiFi or PSK WiFi with a known passphrase (collected from another source), traffic is decrypted directly. For WPA2-Enterprise, the techniques in the previous section apply. For HTTPS traffic, we use sslstrip2 and tools that combine deauth + DNS spoof + captive portal phishing.
Rogue AP detection in the customer environment is also tested. Most enterprise wireless controllers (Cisco, Aruba, Ruckus, Meraki, Mist) have rogue-AP detection features that work well only if configured. We document the detection coverage and timing in the report.
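A minimal version of the rogue-AP check a controller's WIDS performs, as an added example that is not code from the original article or any vendor's product: it compares observed beacons against an inventory of authorised BSSIDs and flags unknown BSSIDs, cloned BSSIDs advertising the wrong security mode, lookalike SSIDs, and whether the strongest signal a client would auto-join belongs to a rogue. Inventory, SSID and scan results are constructed.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security rssi")

# Constructed inventory of authorised APs for the corporate SSID, keyed by
# BSSID with the security mode each is expected to advertise.
CORP_SSID = "CorpWiFi"
AUTHORISED = {
    "00:11:22:33:44:01": "WPA2-EAP",
    "00:11:22:33:44:02": "WPA2-EAP",
}

# Constructed scan results as a scanning laptop or a controller's WIDS feed
# might report them (RSSI in dBm, higher is stronger).
SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 36, "WPA2-EAP", -55),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 1, "WPA2-EAP", -62),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, "WPA2-EAP", -40),  # unknown BSSID, strongest
    Beacon("CorpWiFi", "00:11:22:33:44:01", 11, "OPEN", -45),     # cloned BSSID, open network
    Beacon("GuestWiFi", "00:11:22:33:44:03", 1, "OPEN", -60),
    Beacon("CorpWifi", "de:ad:be:ef:00:02", 6, "OPEN", -50),      # lookalike SSID
]

def classify(beacons, corp_ssid=CORP_SSID, authorised=AUTHORISED):
    """Return (bssid, reason) for every beacon that looks like an evil twin."""
    alerts = []
    for b in beacons:
        if b.ssid.strip().lower() != corp_ssid.lower():
            continue  # unrelated SSIDs are out of scope for this check
        if b.ssid != corp_ssid:
            alerts.append((b.bssid, "lookalike SSID %r" % b.ssid))
            continue
        expected = authorised.get(b.bssid)
        if expected is None:
            alerts.append((b.bssid, "unknown BSSID advertising the corporate SSID"))
        elif b.security != expected:
            alerts.append((b.bssid, "cloned BSSID: %s advertised, %s expected" % (b.security, expected)))
    return alerts

def strongest_is_rogue(beacons, corp_ssid=CORP_SSID, authorised=AUTHORISED):
    """True if the strongest beacon for the SSID, the one auto-connect clients
    would pick, is not an authorised AP advertising its expected mode."""
    candidates = [b for b in beacons if b.ssid == corp_ssid]
    if not candidates:
        return False
    top = max(candidates, key=lambda b: b.rssi)
    return authorised.get(top.bssid) != top.security
```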
Captive Portal Bypass
Captive portals (guest WiFi sign-in, hotel-style splash pages) typically restrict outbound traffic until the user clicks Accept or enters credentials. The restriction is enforced at the gateway, usually based on the device MAC address.
Common bypasses: spoof the MAC address of an already-authenticated device (often visible from the wireless captures), tunnel data over DNS to a controlled resolver (allowed because the captive portal needs DNS open), tunnel data over ICMP, abuse misconfigured gateway routes, or exploit time-based session expiry edge cases. NoDogSplash, Mikrotik HotSpot, and Cisco ISE captive portals all have published or documented bypasses depending on configuration.
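Because a captive portal has to leave DNS open, the gateway's DNS log is where the tunnelling bypass shows up. As an added example that is not code from the original article, the detector below flags clients that are still unauthenticated yet send repeated long, high-entropy leftmost labels, the signature of data carried in query names. The log lines, MACs and domains are constructed.

```python
import math
from collections import defaultdict

# Constructed gateway DNS log: "<client MAC> <portal state> <queried name>".
# Client :02 has not accepted the portal yet and is pushing encoded data in
# the leftmost label of each query to a resolver it controls; client :03 has
# authenticated, so its traffic is the normal firewall policy's concern.
DNS_LOG = """\
aa:bb:cc:00:00:01 unauth www.example.com
aa:bb:cc:00:00:01 unauth portal.guest.example
aa:bb:cc:00:00:02 unauth 6a5f3b9e1c7d2e4f8a0b1c2d3e4f5a6b.t.tunnel-ns.example
aa:bb:cc:00:00:02 unauth 0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f.t.tunnel-ns.example
aa:bb:cc:00:00:02 unauth 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.t.tunnel-ns.example
aa:bb:cc:00:00:03 auth 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.tunnel-ns.example
"""

def shannon_entropy(label):
    """Bits per character of a DNS label; encoded or random data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Return (mac, state, qname) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def suspicious_clients(rows, min_queries=3, min_label_len=20, min_entropy=3.0):
    """MACs still in the unauthenticated state whose queries look like a data channel."""
    hits = defaultdict(int)
    for mac, state, qname in rows:
        if state != "unauth":
            continue  # only pre-portal traffic is the captive gateway's problem
        first = qname.lower().rstrip(".").split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[mac] += 1
    return sorted(mac for mac, n in hits.items() if n >= min_queries)
```

The thresholds are starting points; CDN hostnames can have long first labels but rarely sustain both the length and the entropy across many queries from one pre-auth client.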
Bluetooth and BLE Testing
Bluetooth Classic and Bluetooth Low Energy are increasingly in scope for corporate wireless engagements. Devices include building-access readers, conference-room speakerphones, presentation receivers, smart locks, asset trackers and printers.
We use nRF Connect, gatttool, btlejack, SweynTooth tooling, and Ubertooth or Frontline analysers for capture. Standard tests cover pairing mode (Just Works versus Numeric Comparison versus Passkey), GATT characteristic access control (often missing entirely), undocumented characteristics that expose configuration or root, replay of captured GATT writes for unlock or unauthorised actions, and known vendor vulnerabilities (BlueBorne, BlueFrag, SweynTooth, BLESA, BLURtooth).
A common finding: building-access readers that pair with anyone within range and expose an unauthenticated unlock characteristic. Once paired, the reader can be operated indefinitely by any phone with the right magic bytes.
Reporting and Re-Test
Reports include: map of detected SSIDs and channels, RF coverage observations (where the corporate WiFi reaches outside the intended physical area), captured handshakes summary, cracked passphrase strength analysis, rogue and evil twin demonstrations with screenshots, BLE inventory with security posture per device, and prioritised remediation roadmap mapped to ISO 27001 and PCI DSS controls.
Quick wins include: rotate the corporate WiFi passphrase to a 20-plus character random value, turn WPA3 transition mode off, deploy MDM profiles enforcing RADIUS certificate validation, rotate guest WiFi credentials per visit, audit the BLE device inventory, and tune controller rogue-AP detection. Each is achievable inside 30 days. A free re-test within 90 days is standard.
Frequently Asked Questions
Do you do on-site wireless pentest in India?
Yes. Codesecure delivers on-site wireless engagements across India and the Middle East. Our wireless rig (Alfa adapters, Ubertooth, BladeRF, HackRF, Pwnagotchi-class devices, Wireshark, hashcat-loaded laptops) is shipped or carried as needed.
Can you test our wireless without disrupting users?
Yes. Deauthentication tests are run only against a small set of test endpoints with permission. Handshake capture, evil twin and BLE testing run alongside legitimate operations without service impact. Where rogue-AP detection testing is in scope, we coordinate with the SOC team.
How long does a wireless pentest take?
A single-site corporate engagement typically runs 5 to 8 working days on-site plus 5 to 7 days of offline cracking and reporting. Multi-site rollouts are scoped as a programme with a representative site sample.
Do you also test our IoT and OT wireless?
Yes, where in scope. We extend the engagement with IoT-specific (BLE, Zigbee) and where relevant OT-specific (proprietary RF, sub-GHz) tooling. See our IoT and SCADA pentest guides for more on those layers.
How much does a wireless pentest cost in India?
A single-site engagement typically runs INR 2 to 5 lakh in India, depending on layer coverage (WiFi only versus WiFi plus BLE plus Zigbee). Multi-site programmes are quoted at a per-site rate after scoping. Codesecure offers fixed-price proposals.
Do you map findings to PCI DSS 4.0?
Yes. PCI DSS 4.0 requires quarterly wireless testing for in-scope cardholder-data environments (Requirement 11.2). Our reports satisfy that evidence requirement and also map to ISO/IEC 27001:2022 Annex A network controls and DPDP Section 8 reasonable security safeguards.
Test Your Airwaves Before Someone In The Car Park Does
Codesecure has tested corporate wireless across India for banks, retail chains, hospitals and IT services. ISO/IEC 27001:2022 certified delivery, named OSCP consultants, full WiFi plus BLE coverage, free retest within 90 days.