Loading...
Loading...
On-site corporate wireless security assessment: evil-twin rogue APs, WPA2/WPA3-Enterprise PEAP credential harvesting, VLAN segregation failures, and guest/BYOD isolation testing. RMiT branch-network aligned.
Corporate wireless infrastructure is treated as solved infrastructure by most organisations. WPA2-Enterprise or WPA3 is deployed, a RADIUS server authenticates users, and the guest SSID is on a separate VLAN. In practice, these controls frequently have gaps that allow a threat actor with physical proximity — a car park, a shared building lobby, or a public-facing office — to harvest domain credentials, reach internal resources from the guest network, or intercept employee traffic.
The PEAP/MSCHAPv2 vulnerability is the most commonly exploited gap in Malaysian corporate wireless deployments. WPA2-Enterprise with PEAP is the dominant authentication method at banks, telcos, and large enterprises — but without enforced server certificate validation on every client device, a rogue AP can harvest domain credentials from employees whose devices auto-associate. Those credentials work on VPN, Outlook Web Access, and Active Directory.
nCrypt's wireless penetration testing is conducted on-site with specialist RF equipment. We execute each attack scenario within agreed time-windows and document outcomes with timestamped evidence, not just configuration observations.
Each scenario is executed within an agreed scope and time-window. Outcomes are documented with evidence: captured handshakes, VLAN route traces, or association logs.
A rogue AP broadcasting a legitimate-looking SSID is the most effective way to intercept employee credentials without touching the corporate network. Our consultants deploy a controlled evil-twin in the target's RF environment and measure how quickly client devices auto-associate. We capture the WPA2-Enterprise handshake or PEAP challenge, demonstrating credential harvesting potential. Where captive portals are used for guest access, we bypass authentication to confirm that guest users can reach unexpected resources.
WPA2-Enterprise with PEAP (MSCHAPv2) is deployed across most Malaysian corporate offices and bank branches as the “secure” Wi-Fi authentication method. The attack does not require cracking WPA2 itself — it exploits the inner authentication protocol. When a client auto-connects to our rogue AP, it completes the PEAP handshake, exposing the MSCHAPv2 challenge/response pair. This pair can be passed to an offline cracking service and converted to a plaintext domain credential. We demonstrate this end-to-end and confirm whether your NAC or certificate pinning controls prevent it.
Guest Wi-Fi and BYOD SSID are intended to be isolated from the corporate network. In practice, misconfigured VLAN tagging, inter-VLAN routing rules, or shared firewall policies frequently allow a guest network client to reach internal resources. We connect to the guest SSID and attempt lateral movement: ARP scanning for internal RFC1918 ranges, DNS resolution of internal hostnames, and direct access to management interfaces reachable from the guest VLAN. BYOD SSID is tested for client isolation — whether a personal device can communicate directly with another BYOD device or with corporate endpoints.
Smaller sites and retail branches often deploy WPA2-Personal (pre-shared key) networks. The PMKID attack allows handshake-less key capture — a single beacon frame from the AP yields the PMKID, which can be subjected to offline dictionary attack without any client being present. We capture PMKIDs during the site survey phase and run them against a wordlist reflecting common Malaysian password patterns (company names, addresses, registration numbers) under lab conditions to demonstrate feasibility. Findings document whether the PSK is derivable from public information.
802.1X is the port-based network access control standard used on wired switches as well as wireless infrastructure. We test whether a non-compliant device can gain network access by exploiting EAP identity response spoofing, MAC address bypass (MAB), or timing gaps in the RADIUS authentication exchange. Findings confirm whether your NAC enforcement is operating as designed or whether an attacker with a managed device can bypass access control and reach internal segments.
Every engagement begins with scope agreement and ends with full decommissioning of test equipment. No persistent hardware is left at the site.
Floor plans, SSID list, number of APs, VLAN topology, and any NAC/MDM controls are agreed and documented before the site visit. Testing proceeds within the agreed perimeter.
We map all SSIDs visible at the target site, including hidden networks. Nearby third-party SSIDs are documented to establish the ambient RF environment and confirm our rogue AP does not interfere with non-target networks.
Agreed attack scenarios are executed in sequence, with timestamped evidence capture. Each attack is documented with the outcome: success, partial, or mitigated — and the specific control that mitigated it if applicable.
All rogue APs are decommissioned at the end of each testing window. No persistent hardware is left at the site. Network logs generated by the test are provided to the customer for SIEM correlation.
BNM RMiT's technology risk management and cyber resilience requirements expect FIs to implement wireless network security controls and prohibit the connection of unauthorised devices to production networks.
RMiT expects network segmentation that isolates wireless access from production systems handling financial data.
A wireless pentest with explicit VLAN segregation and guest isolation testing provides direct evidence for RMiT technology risk examination.
Branch-network assessments are particularly relevant for banks with distributed Wi-Fi deployments across branch offices.
Common questions about wireless penetration testing for Malaysian corporate and financial sector organisations.
A single-site corporate wireless assessment typically takes one to two days on-site, plus half a day for report writing. Multi-site assessments covering branch office networks are scoped individually — typically one day per site with consolidated reporting. Engagements that include 802.1X bypass testing and RADIUS configuration review add approximately half a day. Final reports are delivered within five business days of on-site testing completion.
We design the engagement to minimise operational impact. Passive survey and PMKID capture are entirely non-disruptive — they involve listening only. Active attack scenarios (evil-twin, rogue AP) are executed during agreed windows, typically outside peak hours or in agreed RF zones. We do not broadcast jamming signals or conduct denial-of-service testing against production APs unless explicitly scoped and agreed. Client auto-association testing targets test devices, not employee devices, unless the scope specifically includes measuring response time against live client devices.
WPA3-Personal (SAE) is significantly stronger than WPA2-Personal against offline dictionary attacks — the Simultaneous Authentication of Equals handshake does not expose a crackable element the way WPA2-PSK PMKID does. However, WPA3 does not protect against evil-twin attacks if client devices do not enforce server certificate validation (Management Frame Protection alone is insufficient), and WPA3-Enterprise implementations using PEAP as the inner method retain the MSCHAPv2 vulnerability. Mixed WPA2/WPA3 transition mode also downgrades protections. We test the actual deployed configuration, not the theoretically strongest setting.
BNM RMiT does not mandate wireless penetration testing by name, but it does require documented network access controls, wireless security controls, and periodic technology risk assessments. RMiT's network segmentation and access control expectations require FIs to control wireless access and segment it from production systems. A wireless pentest with VLAN segregation and guest isolation findings is the most direct evidence that these controls function as intended. BNM technology risk examiners regularly request evidence of wireless control testing during examinations.
A configuration review is read-only — we examine AP and RADIUS server settings, VLAN configuration, and NAC policies against a checklist without connecting any attacking device. A wireless pentest actively exploits weaknesses: we deploy a rogue AP, capture handshakes, attempt VLAN hopping from a guest connection, and demonstrate actual attack outcomes rather than just identifying theoretical weaknesses. Both produce useful findings; the pentest provides proof-of-concept evidence that configuration review cannot.
Share your scope. We'll respond within 24 hours.
Share your scope. We'll respond within 24 hours.
An on-site wireless assessment answers the question your configuration review cannot: can an attacker in your car park harvest domain credentials from employees inside?
Complementary services Malaysian buyers commonly pair with wireless penetration testing.
Internal and external network pentests with lateral-movement simulation.
Learn moreFirmware, hardware and radio-protocol testing for connected devices.
Learn moreProfessional enterprise network design, structured cabling guidance, firewall setup, and Wi-Fi installation.
Learn more