Wireless Security Scanner
Catches the evil-twin AP and the WPA2-PSK corporate SSID before the attacker in the parking lot does.
The problem
Wireless is a different boundary problem than wired. The corporate SSID's RSN configuration is what stands between an attacker in the parking lot and the contractor's network. Open WiFi is rare on corporate networks, but WPA2-PSK is common, and PSK fails the individual-authorization requirement of 3.1.16 outright, because every employee shares the same key and there is no individual accountability.
Evil-twin attacks are practical and cheap. An attacker broadcasts an SSID matching the corporate name from a different BSSID, captures credentials, or pivots clients onto a hostile network undetected. Detection requires comparing every observed BSSID for the corporate SSID against a list of authorized BSSIDs, which most contractors do not maintain and could not reconcile if asked.
WPA3-Enterprise 192-bit is the only widely deployed wireless security that uses FIPS-approved cipher suites. WPA2-Enterprise with CCMP is acceptable but not FIPS-validated. Most contractor wireless sits somewhere between WPA2-PSK and WPA2-Enterprise, neither FIPS, both deployed, both flagged the moment the agent's first sweep completes.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
- Verifies wireless access is protected by authentication and encryption. Audits the corporate SSID's RSN configuration against FIPS and CMMC requirements.
- Detects rogue APs and unauthorized SSIDs broadcasting variants of the corporate name. Authorization prior to connection requires knowing what is authorized.
- WEP and WPA-TKIP are broken; they do not protect CUI in transit regardless of being labeled encryption. Maps directly to transmission confidentiality.
- WPA3-Enterprise (192-bit) is the only widely deployed wireless security that uses FIPS-approved cipher suites. Anything below it fails 3.13.11 substantively.
- Rogue APs bypass the authorized network boundary entirely. Detection of an evil-twin AP is a 3.13.1 boundary integrity finding.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
- Linux: Requires libpcap or raw socket access and an interface placed in monitor mode (iw dev <iface> set type monitor). Channel-hops the 2.4GHz channels (1, 6, 11) and common 5GHz channels with a 100ms dwell time per channel, completing a full sweep in roughly 30 seconds. Parses the RSN IE from beacon frames for AKM (PSK, 802.1X, SAE), pairwise cipher (CCMP-128, GCMP-256, TKIP), and the 802.11w MFP requirement. Falls back to iwlist scan when monitor mode is unsupported, with reduced detail and an explicit runtime warning. Reads /etc/NetworkManager/system-connections/ for saved profiles.
- Windows: Uses the Native WiFi API (wlanapi.dll) for passive enumeration via the Windows scan API. Less detail than Linux monitor mode, but covers the corporate SSID's auth and cipher checks correctly. Reads saved profiles via netsh wlan show profiles export and audits each one against the configured corporate baseline.
- macOS: Uses the CoreWLAN framework via airport -s or wdutil info for active scans, with capability comparable to Windows. Reads saved profiles from system preferences and reports the same RSN, MFP, and WPS verdicts in the same structured format as Linux and Windows.
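The RSN IE parsing described above, as an added example rather than the scanner's own code: it walks a beacon's tagged parameters, decodes the RSN element (ID 48) into AKM, pairwise cipher and MFP policy from the RSN Capabilities bits, spots the WPS vendor IE (OUI 00:50:F2, type 4), and labels the result with the same categories the agent reports. The beacons are constructed byte strings, not captures; the security labels, the `build_rsn` test-vector helper and the Privacy-bit argument are this example's own conventions. The legacy WPA1 vendor IE is not decoded here, so an AP that advertises only WPA1 would be reported as Open or WEP; TKIP is still caught when it appears in the RSN pairwise list.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"            # IEEE 802.11 suite-selector OUI
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI + type 4 marks the WPS vendor IE
ID_SSID, ID_RSN, ID_VENDOR = 0, 48, 221

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 12: "802.1X-SuiteB-192", 13: "FT-802.1X-SHA384"}
ENTERPRISE_AKMS = {"802.1X", "802.1X-SHA256", "FT-802.1X-SHA384"}


def iter_ies(tagged: bytes):
    """Walk the tagged-parameter area as (element_id, body) pairs; reject truncation."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        yield eid, body
        off += 2 + length


def _suite(body: bytes, off: int, names: dict) -> str:
    """Decode one 4-byte suite selector (OUI + type)."""
    if off + 4 > len(body):
        raise ValueError("truncated suite selector")
    oui, typ = body[off:off + 3], body[off + 3]
    if oui != RSN_OUI:
        return f"vendor({oui.hex()}:{typ})"
    return names.get(typ, f"unknown({typ})")


def _suite_list(body: bytes, off: int, names: dict):
    """Decode a count-prefixed suite list; return (names, offset after the list)."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    return [_suite(body, off + 4 * i, names) for i in range(count)], off + 4 * count


def parse_rsn(body: bytes) -> dict:
    """Decode an RSN IE body: group/pairwise ciphers, AKM list, 802.11w MFP policy."""
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body, 2, CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    # RSN Capabilities are optional; an AP that omits them advertises no MFP support.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    mfpr, mfpc = bool(caps & 0x0040), bool(caps & 0x0080)   # bit 6 MFPR, bit 7 MFPC
    mfp = "required" if mfpr else ("optional" if mfpc else "disabled")
    return {"group": group, "pairwise": pairwise, "akm": akm, "mfp": mfp}


def classify(tagged: bytes, privacy_bit: bool) -> dict:
    """Turn one beacon's IEs plus its capability Privacy bit into a security verdict."""
    ssid, rsn, wps = "", None, False
    for eid, body in iter_ies(tagged):
        if eid == ID_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == ID_RSN:
            rsn = parse_rsn(body)
        elif eid == ID_VENDOR and body[:4] == WPS_OUI_TYPE:
            wps = True
    verdict = {"ssid": ssid, "pairwise": [], "akm": [], "mfp": "disabled", "wps": wps}
    if rsn is None:
        # No RSN IE: the Privacy capability bit distinguishes WEP from a truly open AP.
        verdict["security"] = "WEP" if privacy_bit else "Open"
        return verdict
    verdict.update(rsn)
    akm = set(rsn["akm"])
    if "802.1X-SuiteB-192" in akm:
        label = "WPA3-Enterprise-192"
    elif "SAE" in akm:
        label = "WPA2/WPA3-transition" if akm & {"PSK", "PSK-SHA256"} else "WPA3-Personal"
    elif akm & ENTERPRISE_AKMS:
        # WPA3-Enterprise (non-192) is 802.1X with PMF required and no TKIP (example's labeling).
        strict = rsn["mfp"] == "required" and "TKIP" not in rsn["pairwise"]
        label = "WPA3-Enterprise" if strict else "WPA2-Enterprise"
    elif akm & {"PSK", "PSK-SHA256"}:
        label = "WPA2-PSK"
    else:
        label = "RSN-unknown-AKM"
    verdict["security"] = label
    return verdict


def build_rsn(group: int, pairwise: list, akms: list, caps: int) -> bytes:
    """Assemble an RSN IE body for constructed test beacons (not captured traffic)."""
    def sel(t):
        return RSN_OUI + bytes([t])
    return (struct.pack("<H", 1) + sel(group)
            + struct.pack("<H", len(pairwise)) + b"".join(map(sel, pairwise))
            + struct.pack("<H", len(akms)) + b"".join(map(sel, akms))
            + struct.pack("<H", caps))


def ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


# Constructed beacons: WPA2-PSK with WPS, Suite B 192-bit enterprise, open guest.
BEACON_PSK_WPS = (ie(ID_SSID, b"CorpNet") + ie(ID_RSN, build_rsn(4, [4], [2], 0x0000))
                  + ie(ID_VENDOR, WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10"))
BEACON_ENT192 = ie(ID_SSID, b"CorpNet") + ie(ID_RSN, build_rsn(9, [9], [12], 0x00c0))
BEACON_OPEN = ie(ID_SSID, b"CorpNet-Guest")

if __name__ == "__main__":
    for name, beacon, priv in [("psk+wps", BEACON_PSK_WPS, True),
                               ("ent192", BEACON_ENT192, True), ("open", BEACON_OPEN, False)]:
        print(name, classify(beacon, priv))
```

With a real capture the `tagged` bytes are everything after the 12-byte fixed parameters of the beacon body, and `privacy_bit` is bit 4 of the capability field; with scapy, for instance, that is `pkt[Dot11Beacon].payload` and `pkt[Dot11Beacon].cap.privacy`.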
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: Corporate SSID is open or WEP. Beacon RSN IE shows no encryption or WEP. WEP has been broken since 2001; neither configuration provides any meaningful protection.
- CRITICAL: Corporate SSID using WPA/TKIP. Pairwise cipher is TKIP. WPA's TKIP cipher has been deprecated since 2012; practical attacks exist.
- CRITICAL: Rogue AP detected matching corporate SSID. Beacon from an unknown BSSID is broadcasting the corporate SSID name. Evil-twin attack pattern; flagged with channel, signal strength, and observed encryption.
- HIGH: Corporate SSID using WPA2-PSK. Pre-shared key authentication. No individual user accountability and no FIPS-approved cipher suite. Fails 3.1.16 and 3.1.17 substantively.
- HIGH: WPS enabled on corporate SSID. WPS IE present in beacon. Pixie Dust and PIN brute-force attacks against WPS are practical and well-documented.
- HIGH: Substring SSID match suggests social engineering. Nearby SSID is a substring or near-variant of the corporate name (e.g., CorpNet vs CorpNetwork). Phishing infrastructure indicator.
- MEDIUM: 802.11w MFP optional or disabled. Management Frame Protection not required. Deauthentication attacks succeed; clients can be forced off the network.
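The rogue-AP, SSID-variant and severity logic behind the findings list above, as an added example that is not the product's code. It takes per-beacon verdicts in the shape an RSN IE decoder would produce (the `OBSERVED` list and the `CORP` baseline are constructed), compares every BSSID seen for the corporate SSID against the authorized list, flags substring and near-misspelled SSIDs with a small edit-distance check, and applies the page's severity table only to the authorized APs, since an unauthorized BSSID is already the rogue finding. The field names, the two-edit threshold and the four-character minimum for substring matches are this example's choices.

```python
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Constructed corporate baseline: the SSID and authorized BSSIDs registered at setup.
CORP = {"ssid": "CorpNet",
        "authorized_bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Constructed sweep results, one dict per observed beacon. "security", "pairwise",
# "mfp" and "wps" are the fields an RSN IE decoder fills in from the beacon.
OBSERVED = [
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "channel": 6, "rssi": -48,
     "security": "WPA2-PSK", "pairwise": ["CCMP-128"], "mfp": "optional", "wps": True},
    {"ssid": "CorpNet", "bssid": "de:ad:be:ef:00:01", "channel": 11, "rssi": -70,
     "security": "Open", "pairwise": [], "mfp": "disabled", "wps": False},
    {"ssid": "CorpNetwork", "bssid": "de:ad:be:ef:00:02", "channel": 1, "rssi": -75,
     "security": "WPA2-PSK", "pairwise": ["CCMP-128"], "mfp": "disabled", "wps": False},
    {"ssid": "Neighbor5G", "bssid": "11:22:33:44:55:66", "channel": 36, "rssi": -80,
     "security": "WPA2-PSK", "pairwise": ["CCMP-128"], "mfp": "disabled", "wps": False},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-variants such as a digit zero for the letter o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ssid_variant(seen: str, corporate: str, max_edits: int = 2, min_len: int = 4) -> bool:
    """True when an SSID is a substring, superstring or near-misspelling of the corporate name."""
    s, c = seen.strip().lower(), corporate.strip().lower()
    if s == c or len(s) < min_len:      # exact matches are handled by the BSSID check
        return False
    return s in c or c in s or levenshtein(s, c) <= max_edits


def assess(observations: list, corp: dict) -> list:
    """Map sweep observations to findings ordered CRITICAL > HIGH > MEDIUM."""
    findings = []

    def add(sev, title, obs, detail):
        findings.append({"severity": sev, "title": title, "bssid": obs["bssid"],
                         "channel": obs["channel"], "rssi": obs["rssi"], "detail": detail})

    authorized = {b.lower() for b in corp["authorized_bssids"]}
    corp_ssid = corp["ssid"].lower()
    for obs in observations:
        if obs["ssid"].lower() == corp_ssid:
            if obs["bssid"].lower() not in authorized:
                add("CRITICAL", "Rogue AP detected matching corporate SSID", obs,
                    f"unknown BSSID broadcasting {corp['ssid']!r} as {obs['security']}")
                continue   # configuration checks describe the authorized AP, not the impostor
            if obs["security"] in ("Open", "WEP"):
                add("CRITICAL", "Corporate SSID is open or WEP", obs, f"security={obs['security']}")
            if "TKIP" in obs["pairwise"]:
                add("CRITICAL", "Corporate SSID using WPA/TKIP", obs, "pairwise cipher TKIP")
            if obs["security"] == "WPA2-PSK":
                add("HIGH", "Corporate SSID using WPA2-PSK", obs,
                    "shared key, no individual accountability (3.1.16, 3.1.17)")
            if obs["wps"]:
                add("HIGH", "WPS enabled on corporate SSID", obs, "WPS IE present in beacon")
            if obs["mfp"] != "required":
                add("MEDIUM", "802.11w MFP optional or disabled", obs, f"mfp={obs['mfp']}")
        elif is_ssid_variant(obs["ssid"], corp["ssid"]):
            add("HIGH", "Substring SSID match suggests social engineering", obs,
                f"{obs['ssid']!r} resembles {corp['ssid']!r}")
    # Stable sort keeps sweep order within each severity tier.
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in assess(OBSERVED, CORP):
        print(f"{f['severity']:<8} {f['title']} "
              f"[{f['bssid']} ch{f['channel']} {f['rssi']} dBm] {f['detail']}")
```

On the constructed sweep this yields one CRITICAL (the unknown BSSID on channel 11 broadcasting CorpNet as an open network), three HIGH (PSK, WPS, and the CorpNetwork look-alike) and one MEDIUM (MFP optional), which is the ordering a POA&M would consume.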
3.1.16 and 3.1.17 are each 5-point controls. A WPA2-PSK corporate SSID hits both: 10 points of combined exposure that the contractor often does not realize they are carrying. WEP or open is the same 10 points but more visibly catastrophic on the assessment report. WPA3-Enterprise 192-bit is the only configuration that produces no findings under either control. Rogue AP detection adds 3.13.1 (5 points) on top, bringing total potential exposure to 15+ points from wireless misconfiguration alone.
How it hooks into the platform
Hosts with monitor-mode-capable adapters are identified during auto-discovery and the platform schedules wireless sweeps on them automatically. You register the corporate SSID and authorized BSSIDs once at setup, and choose whether observed beacon data stays on-prem or syncs up. Measured RSN IE configuration drafts the SSP's 3.1.16 and 3.1.17 wireless access narrative as a configured-versus-measured table. BSSIDs not on the authorized list become rogue-AP POA&M items immediately, with channel and signal strength. Switch-integration data cross-references guest SSID port VLANs; new SSIDs in range alert on the next sweep.
How we know it's working
Acceptance criteria from the engineering spec: what the agent must do to ship.
- Identifies WPA2-Enterprise, WPA2-PSK, WPA3-Enterprise, WPA3-Personal, WEP, and Open
- Reads MFP required, optional, and disabled correctly from each beacon
- Detects WPS from the WPS IE on every observed corporate-SSID beacon
- Surfaces evil-twin BSSID mismatches with channel and signal strength
- Sweeps non-overlapping 2.4GHz and common 5GHz channels every cycle
- Falls back to iwlist gracefully when monitor mode is unsupported
- Parses saved wireless profiles on all three supported platforms
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.