
WiFi penetration testing: how a wireless network is tested

NeoBit team · Jun 17, 2026 · 7 min read

WiFi penetration testing is a controlled, authorised security test of a wireless network in which a specialist simulates an attacker to verify whether anyone can connect to your network without permission, intercept traffic or bypass the segmentation between guests and internal systems. Unlike scanning a wired infrastructure, the wireless signal travels beyond the walls of your company: into the car park, the hallway, the neighbour's office. This is precisely why WiFi penetration testing reveals risks that a classic password audit and firewall rule review simply cannot see.

Our solution

Penetration testing - we find vulnerabilities before the hackers do. You do not have to handle it alone; we take care of it for your company. Request a free assessment.

In practice this means that someone with a laptop in a car in front of your building can attempt what a real attacker would do: eavesdrop on traffic, spoof an access point, or exploit a weak protocol to reach your data. The goal of the test is not to show that something is "theoretically possible", but to demonstrate concretely how far an attacker can get and how much effort it actually takes.

Why a wireless network is particularly exposed

A cable has to be physically plugged in. A wireless signal does not need to be "plugged in" anywhere - it is already in the air. That changes the entire logic of defence. With a wired network the attacker has to enter the premises; with WiFi, simply being within range is enough. Most companies in the region run at least two overlapping networks: an internal one (office computers, servers, NAS, ERP) and a guest one (clients, suppliers, employees' phones). The problem arises when these two networks are not truly separated, but only appear to be.

Typical weaknesses we see in the field:

  • A guest network that "sees" internal resources - a guest connects to the visitor WiFi and from there can reach the printer, the NAS or the router's management interface.
  • The same password for years - a WPA2 password known to every former employee, external technician and half the town.
  • Forgotten legacy devices - an access point in the warehouse still running on WEP or WPA-TKIP.
  • Unprotected management interfaces - router administration accessible over WiFi with the factory password.
  • Lack of monitoring - nobody notices when an unknown access point bearing your company's name appears.

What WiFi penetration testing looks like step by step

Professional WiFi penetration testing follows a clear methodology. It is not done at random, but in agreed phases with a written scope and authorisation (scope and rules of engagement), so that the test is legal and does not disrupt production.

1. Reconnaissance and mapping

First, we establish what you are actually broadcasting into the air. The tester passively listens to every access point within range, capturing their names (SSIDs), channels, signal strength and security protocols. Often, even at this stage, a "ghost" network is found that the IT department never knew existed: a private router someone brought from home, an old device from a procurement five years ago, or a guest network that broadcasts much further than it should.

2. Protocol and authentication analysis

Next, we look at how devices authenticate. Is WEP in use (completely broken), WPA2-PSK with a shared password, or modern WPA3 and enterprise authentication via user accounts? The tester attempts to capture the so-called handshake (the moment a device connects) and to check offline how resistant the password is to guessing. A short or dictionary-based password falls here in a matter of minutes.

3. Active attacks and the evil twin

Here, real-world attack scenarios are simulated. The most dangerous is the evil twin: the tester sets up a rogue access point with the same name as yours ("Company-WiFi") and a stronger signal. Employees' devices automatically connect to the fake network because they recognise the familiar name, and the attacker now sees their traffic and can attempt to steal credentials. A similar principle applies to a rogue AP (a fake access point plugged into your internal network), through which an attacker creates a hidden back door into your system.

4. Segmentation check and lateral movement

Once the tester has connected (whether to the guest or the internal network), they check how far they can go. Can they reach the servers from the guest network? Can they see the ERP, invoices, shared folders? This is the most important part for businesses, because it shows the actual business impact, not just a technical flaw.

5. A prioritised report

In the end you receive a document that ranks every finding by risk, describes how it was exploited and, most importantly, how to fix it specifically. Without that, a test is just a list of alarms.

Security protocols: what is safe and what should be switched off

A large part of the risk comes down to which protocol your devices use. Here is the summary we use when talking to clients:

Protocol         | Status                                    | Recommendation
WEP              | Broken, cracked in minutes                | Disable immediately, no exceptions
WPA / TKIP       | Outdated, vulnerable                      | Replace
WPA2-PSK         | Still widespread, depends on the password | Strong password or move to enterprise
WPA2-Enterprise  | Good, individual accounts                 | Recommended for companies
WPA3             | The most secure available today           | The target when refreshing equipment

WPA3 resolves a large part of the old problems: it is more resistant to offline password guessing and better protects individual sessions. But take note: moving to WPA3 on its own does not fix poor segmentation or a rogue AP. Security is not a single switch, but a set of measures.

Practical recommendations for companies in the region

Whether you operate in Mostar, Sarajevo, Zagreb or Belgrade, the same patterns keep repeating. Here is what you can do even before you order a test:

  • Separate the guest and internal networks so that a guest genuinely cannot see internal resources, not just so that they are on a different SSID.
  • Remove every device still running on WEP or WPA-TKIP.
  • Change the factory passwords on routers and access points, and restrict administration to the wired connection only.
  • Introduce individual user accounts (WPA2/WPA3-Enterprise) instead of a single shared password, especially if you have employee turnover.
  • Set up monitoring that alerts you when an unknown or fake access point appears.
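As an added example (not NeoBit's tooling), this Python check ties the last bullet to the protocol table above: it compares one scan against the baseline of authorised BSSIDs recorded during the mapping phase and flags an unknown BSSID broadcasting a company SSID (the evil twin, noting whether it out-powers the genuine APs), an authorised AP still on a protocol the table says to disable, and lookalike SSIDs. The network names, MAC addresses and beacons are constructed.

```python
from dataclasses import dataclass

# Rows of the protocol table above that must be switched off or replaced.
WEAK_SECURITY = {"OPEN", "WEP", "WPA-TKIP", "WPA2-TKIP"}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address taken from the beacon frame
    security: str    # e.g. "WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE", "WEP", "OPEN"
    signal_dbm: int  # received signal strength; closer to 0 is stronger

def _canon(text):
    # Lookalike SSIDs usually differ only in case, spacing or punctuation.
    return "".join(ch for ch in text.lower() if ch.isalnum())

def audit(scan, authorised, company_name):
    """Return (severity, bssid, ssid, reason) findings for one scan."""
    own = {s: {m.upper() for m in macs} for s, macs in authorised.items()}
    canon_own = {_canon(s) for s in own}
    best_legit = {}  # strongest signal seen from a genuine AP, per SSID
    for b in scan:
        if b.ssid in own and b.bssid.upper() in own[b.ssid]:
            best_legit[b.ssid] = max(best_legit.get(b.ssid, -200), b.signal_dbm)
    findings = []
    for b in scan:
        mac = b.bssid.upper()
        if b.ssid in own and mac not in own[b.ssid]:
            # Our SSID from a MAC we do not own: the evil twin scenario.
            reason = "evil twin: company SSID from unknown BSSID"
            if b.signal_dbm > best_legit.get(b.ssid, -200):
                reason += ", stronger than any authorised AP"
            findings.append(("high", mac, b.ssid, reason))
        elif b.ssid in own and b.security.upper() in WEAK_SECURITY:
            findings.append(("high", mac, b.ssid, f"authorised AP still on {b.security}: disable"))
        elif b.ssid not in own and (_canon(b.ssid) in canon_own or _canon(company_name) in _canon(b.ssid)):
            findings.append(("medium", mac, b.ssid, "lookalike SSID not in the baseline"))
    return findings

# Constructed baseline (hypothetical MACs) recorded during the mapping phase.
AUTHORISED = {"Company-WiFi": {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"},
              "Company-Guest": {"AA:BB:CC:00:00:03"}, "Warehouse": {"AA:BB:CC:00:00:09"}}
SAMPLE_SCAN = [  # constructed beacons, not a real capture
    Beacon("Company-WiFi", "aa:bb:cc:00:00:01", "WPA2-Enterprise", -62),
    Beacon("Company-WiFi", "DE:AD:BE:EF:00:01", "WPA2-PSK", -41),  # twin with louder signal
    Beacon("Warehouse", "AA:BB:CC:00:00:09", "WEP", -80),          # forgotten legacy AP
    Beacon("company wifi", "66:77:88:99:AA:BB", "OPEN", -55),      # lookalike name
    Beacon("NeighbourNet", "11:22:33:44:55:66", "WPA3-SAE", -85),  # unrelated, ignored
]
```

The check is only as good as the BSSID inventory from the mapping phase, so feed it from a trusted collector and re-baseline whenever access points are added or replaced.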

These measures reduce the risk, but they do not replace a test. Only when someone actually tries to break in do you see where the defence is thin.

How NeoBit performs WiFi penetration testing

NeoBit, based in Mostar, carries out authorised wireless network testing for companies in Bosnia and Herzegovina and the wider region. We come on site, map everything you are broadcasting, simulate evil twin and rogue AP scenarios, check the segmentation of the guest network and test the resilience of your passwords and protocols. Everything is done within a written scope and an agreed time slot so that we do not disrupt production. The result is a clear, prioritised report with concrete steps, plus our support around EDR/SIEM monitoring and SOC services if you want continuous oversight.

If you are not sure how exposed your WiFi is, the best first step is a short assessment. Contact NeoBit for a free initial consultation and a quote for WiFi penetration testing, and together we will define the scope and priorities.

Frequently asked questions

How long does WiFi penetration testing take?

For an average single-location company the test usually takes from one to a few days, depending on the number of access points and networks. Additional time goes into analysing the captured data and producing the report. Larger organisations with multiple branches require a longer engagement.

Will the testing bring down our network or disrupt our work?

A serious test is planned to minimise disruption. Most activities are passive or targeted, and potentially disruptive actions (such as simulating an evil twin) are agreed in advance and carried out under controlled conditions, often outside business hours. Everything is done within a written scope and with your authorisation.

Is simply moving to WPA3 enough?

No. WPA3 is a big step forward because it better protects passwords and sessions, but it does not fix poor network segmentation, rogue access points or unprotected management interfaces. Wireless network security is a set of measures, and a test shows which of them are missing in your environment.

Our company is small; do we even need WiFi penetration testing?

Yes, because attackers do not only choose large targets. Small companies often have a single shared password, a guest network connected to the internal one and legacy equipment, which is an ideal combination for an attack. It is precisely small and medium-sized companies that benefit most from one good test, because critical problems are resolved quickly and inexpensively.
