Home
/Checklists
/Wireless Network Pentest Checklist

Infrastructure27 items

Wireless Network Pentest Checklist

A wireless network security testing checklist covering Wi-Fi infrastructure, authentication mechanisms, encryption protocols, rogue device detection, and client-side attacks. Applicable to enterprise, guest, and IoT wireless networks.

NIST SP 800-153NIST SP 800-115PCI DSS 11.1CIS Controls

Progress: 0 of 27 items

Identify all wireless networks and SSIDs in scopeinfo

Document corporate, guest, IoT, and any hidden wireless networks to be tested.

Obtain floor plans and identify physical testing locations

Map building layouts to plan testing positions and signal coverage areas.

Prepare wireless testing equipment (adapters, antennas, SDR)

Ensure monitor-mode capable adapters and directional antennas are available.

Confirm legal authorization for wireless signal interception

Ensure authorization covers wireless packet capture and deauthentication testing.

Document expected wireless security configurations (WPA2/WPA3, 802.1X)

Understand the intended security architecture for comparison during testing.

Scan and enumerate all wireless networks in the target areainfo

Use airodump-ng or Kismet to identify all SSIDs, BSSIDs, channels, and encryption types.

Identify hidden SSIDs through probe request analysislow

Monitor probe requests and responses to reveal hidden network names.

Enumerate connected clients and their device typesinfo

Identify client MAC addresses, OUI vendors, and probe request patterns.

Map wireless signal coverage and identify signal bleed outside physical boundariesmedium

Test signal strength from parking lots, adjacent buildings, and public areas.

Detect rogue access points and unauthorized wireless deviceshigh

Compare discovered APs against the authorized AP inventory to identify rogues.

Identify the wireless controller and management interfacemedium

Locate the wireless LAN controller and check for accessible management portals.

Capture WPA2 four-way handshakes for offline crackinghigh

Perform targeted deauthentication to capture handshakes and crack PSK with hashcat.

Test WPA2-Enterprise for EAP downgrade and credential capturecritical

Set up a rogue AP with hostapd-mana to test for PEAP/MSCHAPv2 credential capture.

Test for PMKID-based attacks on WPA2 networkshigh

Capture PMKID from AP association responses for offline PSK cracking without deauthentication.

Verify WPA3-SAE implementation and test for downgrade attackshigh

Check for WPA3 transition mode vulnerabilities and Dragonblood attack susceptibility.

Test guest network captive portal for authentication bypassmedium

Attempt MAC spoofing, DNS tunneling, and portal bypass to access the network without authentication.

Verify 802.1X certificate validation on client devicescritical

Test whether clients accept rogue RADIUS server certificates without proper validation.

Deploy evil twin access point to capture client credentialscritical

Create a convincing rogue AP with matching SSID to harvest credentials from connecting clients.

Test network segmentation between wireless and wired networkshigh

Verify that wireless clients cannot access restricted wired network segments.

Perform man-in-the-middle attacks on wireless clientshigh

Use ARP spoofing or rogue AP to intercept traffic and test for sensitive data exposure.

Test for client isolation on guest and shared networksmedium

Verify that clients on the same wireless network cannot communicate directly with each other.

Attempt lateral movement from wireless network to internal resourceshigh

Test whether wireless network access enables reaching internal servers, databases, or management systems.

Document wireless coverage maps and signal bleed areas

Include heat maps showing signal strength outside physical security perimeters.

Report all rogue devices and unauthorized wireless networks found

Provide MAC addresses, locations, and risk assessment for each rogue device.

Provide wireless security hardening recommendations

Recommend WPA3 migration, RADIUS certificate pinning, and wireless IDS/IPS deployment.

Document cracked PSK passwords and enterprise credential captures

Report password quality issues and recommend rotation and complexity improvements.

Remove rogue access points and testing artifacts from the environment

Shut down all evil twin APs and remove any rogue devices deployed during testing.

Related Vulnerabilities

Cryptographic Failures

high

Identification and Authentication Failures

high

Security Misconfiguration

medium

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

Wireless Network Pentest Checklist

Pre-Engagement

Reconnaissance

Authentication & Encryption Testing

Exploitation & Post-Access

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy