
Getting access to an organization's wireless network can make pentesting a lot easier. First, it gives you a presence on the network without having to find an open Ethernet jack, and you can roam. Second, if the wireless signal is strong enough it can let you stay on the network from some distance away from the building, so you can keep testing after hours. Many organizations rely on 802.1X, or products like Cisco NAC, to keep their networks secure and restrict access, but in SMBs, where budgets are a bit slimmer, it's very common to just use WPA(2)-PSK, where everyone shares a single key.

Some organizations regularly update the PSK, though in my experience many can't remember the last time they changed it. Those that change it regularly almost always cite the worry that former employees could sit outside the building and use their wireless, which is a valid security concern. You may be able to find the PSK written down on a sticky note, or a helpful employee might be willing to give it to you. Chances are that if the organization is using PSKs and has branch offices, the same key will work there as well, for employee ease of access. If neither of those works and you're able to get access to an organization's laptop for a minute, there's always a third option - Metasploit.

If we have access to a client's laptop where the wireless profile has already been configured, all we need to do is run a tiny PowerShell script generated by TrustedSec's Unicorn, which will call back to our pentesting server, where a Metasploit handler is running, and give us access. This is just one of the methods that Unicorn allows, and we'll cover the others in ongoing articles.

The script takes only a second to run, then the PowerShell window closes and it appears that nothing has happened. I have tested this on Windows 7 and Windows 10, both with antivirus running and updated, and logged in as a typical unprivileged user.
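From the blue-team side, the launch just described leaves a recognisable trace: a PowerShell process that appears for a second, with its window hidden and its script passed on the command line, and then exits. The following Python script is an added example (not code from the article or from TrustedSec's Unicorn) that scores process-creation records for exactly that combination of PowerShell switches and decodes any -EncodedCommand payload so an analyst can read it. The key=value log format, the field names, the indicator weights and the alert threshold are all assumptions chosen for this example, and the log lines are constructed; the only PowerShell facts it relies on are the switches themselves and their accepted abbreviations.

```python
"""Score PowerShell process launches for stager-like command lines.

Added example, not code from the original article or from TrustedSec's
Unicorn. Reads simplified process-creation records (constructed for this
example; the key=value layout stands in for a Windows 4688 / Sysmon event
and is not a real export) and flags launches that combine the switches a
hidden, encoded one-liner needs.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Each indicator: (weight, regex). Patterns accept the abbreviated switch
# forms PowerShell itself accepts (-w hidden, -nop, -enc, -noni, -ep bypass).
# "-w 1" is the numeric form of Hidden (ProcessWindowStyle.Hidden == 1).
INDICATORS = {
    "hidden_window":   (2, re.compile(r"(?i)(?:^|\s)[-/]w(?:indowstyle)?\s+(?:h(?:idden)?|1)\b")),
    "encoded_command": (2, re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")),
    "no_profile":      (1, re.compile(r"(?i)(?:^|\s)[-/]nop(?:rofile)?\b")),
    "non_interactive": (1, re.compile(r"(?i)(?:^|\s)[-/]noni(?:nteractive)?\b")),
    "policy_bypass":   (1, re.compile(r"(?i)(?:^|\s)[-/]e(?:p|x(?:ecutionpolicy)?)\s+bypass\b")),
}
# Indicators checked against the decoded -EncodedCommand text.
DECODED_INDICATORS = {
    "invoke_expression": (2, re.compile(r"(?i)\bInvoke-Expression\b|\bIEX\b")),
}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE), or '' if absent/invalid."""
    m = INDICATORS["encoded_command"][1].search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    score: int
    indicators: List[str]
    decoded: str


def score_record(rec: dict) -> Optional[Finding]:
    """Score a single record; returns None for non-PowerShell processes."""
    if rec.get("image", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = rec.get("cmdline", "")
    hits, score = [], 0
    for name, (weight, rx) in INDICATORS.items():
        if rx.search(cmd):
            hits.append(name)
            score += weight
    decoded = decode_encoded_command(cmd)
    for name, (weight, rx) in DECODED_INDICATORS.items():
        if rx.search(decoded):
            hits.append(name)
            score += weight
    return Finding(rec.get("host", "?"), rec.get("user", "?"),
                   rec.get("parent", "?"), score, hits, decoded)


def find_suspicious(lines, threshold: int = 3) -> List[Finding]:
    """Return findings whose weighted score reaches the (assumed) alert threshold."""
    findings = []
    for line in lines:
        f = score_record(parse_record(line))
        if f is not None and f.score >= threshold:
            findings.append(f)
    return findings


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Scheduled inventory script: two weak indicators, below threshold.
    'ts=2024-05-01T09:00:01Z host=WS-042 user=svc_inventory parent=svchost.exe '
    'image=powershell.exe cmdline="powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"',
    # Interactive console: no indicators.
    'ts=2024-05-01T09:05:12Z host=WS-042 user=jdoe parent=explorer.exe '
    'image=powershell.exe cmdline="powershell.exe"',
    # Stager-like launch: hidden window, encoded command, no profile, non-interactive.
    'ts=2024-05-01T09:12:03Z host=WS-042 user=jdoe parent=explorer.exe '
    'image=powershell.exe cmdline="powershell.exe -nop -w hidden -noni -enc '
    + encode_for_powershell("$s = 'constructed sample'; Invoke-Expression $s") + '"',
    # Not PowerShell at all.
    'ts=2024-05-01T09:13:00Z host=WS-042 user=jdoe parent=explorer.exe '
    'image=notepad.exe cmdline="notepad.exe C:\\notes.txt"',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.host} {f.user} parent={f.parent} score={f.score} {f.indicators}")
        print(f"  decoded: {f.decoded!r}")
```

The weights matter more than the individual switches: -NoProfile and -ExecutionPolicy Bypass appear in plenty of legitimate scheduled tasks, so on their own they stay under the threshold, while a hidden window plus an encoded command is rarely seen outside of a stager. Decoding the payload also gives the analyst the script text rather than an opaque base64 blob, which is what PowerShell script block logging (event 4104) would also provide if it is enabled.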

First, we'll boot and update Kali Linux, the typical tool of choice for this. Log in and open a terminal window. Then we'll download TrustedSec's Unicorn by cloning the Git project:

mkdir unicorn_latest ; cd unicorn_latest ; git clone https://github.com/trustedsec/unicorn.git