Wireless is an inherently insecure protocol. Most companies recognize this, and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is cracked within the opening days of the assessment, or it isn't cracked at all. From an attacker's perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this fact, and many will attempt to justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production.
However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less.
In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We'll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We'll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium.