Dailydave mailing list archives

Re: Slashback!


From: Dino A. Dai Zovi <ddz () theta44 org>
Date: Sun, 15 Jan 2006 15:48:07 -0500

Thanks for bringing this up, Dave :). Now that we're on the subject, everyone will have to excuse my blatant self-promotion here, but I'll try and answer your question.

The algorithm that XP uses is very clearly documented by Microsoft here:

http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx
(see section "How Wireless Auto Configuration Works").

It describes exactly what Simple Nomad noticed, as step 4:
"If there are no successful connections and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network."

However, what K2 and I found much more dangerous was step 2:
"If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that do not appear in the list of available networks, in the preferred networks preference order. This is done so that a Windows wireless client can connect to a hidden wireless network, one that is either not broadcasting its SSID or broadcasting an SSID of NULL"

We noticed that the client will reveal its list of preferred networks, in highest-precedence first order every 60 seconds when it is not associated to a network. By sniffing for Probe Requests we can see what networks they will connect to automatically. If you create a HostAP with one of those SSIDs, they will automatically attempt to associate.

This problem is exacerbated by the fact that the hotspot the client most recently connected to is added to the front of the preferred networks list, so it will associate to that network over a network that was first joined a long time ago (like their home or work network). And since the hotspot (or random 'linksys' whatever) they joined is a cleartext network, you don't have to spoof their WPA/IPSec/SecureID/Telepathy-secured home/work network, you can just spoof a hotspot they have joined at some point and they will be on your network.

KARMA comes with a patch to the MadWifi driver to cause it to respond to ALL Probe Requests when it is in HostAP mode. So, the client will attempt to connect to the network as each network in their preferred networks list. If only *one* of them is unencrypted, they will associate, DHCP an address, etc. KARMA also includes a framework for writing and deploying client-side exploits and a simple curses GUI to passively observe what wireless clients are in range and what networks they are probing for.

While many laptops will have an ad-hoc SSID in their preferred networks list, almost *all* will have one or more plaintext hotspot networks in it. So we targeted that instead.

As an added bonus, some drivers for XP set the "desired SSID" to a random 32-char value when the client is not associated to any network. Surprisingly, you can get the machine to associate to a network with that random name and bring the interface up. The best part about it is that the GUI is not notified so it will still show that the user isn't associated to anything, when in fact they are. See attached screenshot-pr0n.

More info:
Presentation - http://www.theta44.org/software/All%20your%20layer%20are%20belong%20to%20us.ppt
Paper - http://www.theta44.org/karma/aawns.pdf
Software - http://www.theta44.org/karma/

Cheers,

-Dino
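An added illustration, not KARMA's code nor anything from the linked paper: how a wireless monitor could watch for both halves of what the post describes, the preferred-network list leaking through Probe Requests, and a single BSSID answering probes for every SSID, which is the signature of a KARMA-style responder. The header layout is real 802.11 management framing; the frames, SSIDs and MAC addresses are constructed sample data.

```python
from collections import defaultdict

PROBE_REQ, PROBE_RESP = 0x40, 0x50  # frame-control byte 0: mgmt type, subtype 4 / 5
BCAST = b"\xff" * 6

def build_frame(subtype, sa, bssid, ssid):
    """Construct a minimal 802.11 management frame (sample input, not a capture)."""
    hdr = bytes([subtype, 0]) + b"\x00\x00" + BCAST + sa + bssid + b"\x00\x00"
    body = b"\x00" * 12 if subtype == PROBE_RESP else b""  # timestamp, interval, capab
    return hdr + body + bytes([0, len(ssid)]) + ssid.encode()  # tag 0 = SSID element

def parse_frame(raw):
    """Return (subtype, source MAC, BSSID, SSID) for probe frames, else None."""
    if len(raw) < 24 or raw[0] not in (PROBE_REQ, PROBE_RESP):
        return None
    sa, bssid = raw[10:16].hex(":"), raw[16:22].hex(":")
    pos = 24 + (12 if raw[0] == PROBE_RESP else 0)  # skip fixed fields of a response
    ssid = ""
    while pos + 2 <= len(raw):  # walk the tagged parameters until the SSID element
        tag, length = raw[pos], raw[pos + 1]
        if tag == 0:
            ssid = raw[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            break
        pos += 2 + length
    return raw[0], sa, bssid, ssid

def preferred_networks(frames):
    """Per client, the SSIDs it probed for, in the order they were sent (the leak)."""
    seen = defaultdict(list)
    for f in map(parse_frame, frames):
        if f and f[0] == PROBE_REQ and f[3] and f[3] not in seen[f[1]]:
            seen[f[1]].append(f[3])
    return dict(seen)

def karma_suspects(frames, threshold=3):
    """BSSIDs that answered probes for >= threshold distinct SSIDs: one radio
    claiming to be every network at once is the signature of a KARMA-style AP."""
    ssids = defaultdict(set)
    for f in map(parse_frame, frames):
        if f and f[0] == PROBE_RESP and f[3]:
            ssids[f[2]].add(f[3])
    return {b: sorted(s) for b, s in ssids.items() if len(s) >= threshold}

# Constructed sample: one client probing its preferred list, a rogue AP answering
# every probe, and a legitimate AP answering only for its own network.
CLIENT, ROGUE, HOME_AP = b"\x00\x11\x22\x33\x44\x55", b"\x00\xde\xad\xbe\xef\x01", b"\x00\x0c\x41\x00\x00\x01"
SAMPLE = [build_frame(PROBE_REQ, CLIENT, BCAST, s) for s in ("tmobile", "linksys", "homenet")]
SAMPLE += [build_frame(PROBE_RESP, ROGUE, ROGUE, s) for s in ("tmobile", "linksys", "homenet")]
SAMPLE += [build_frame(PROBE_RESP, HOME_AP, HOME_AP, "homenet")]

if __name__ == "__main__":
    print("preferred networks:", preferred_networks(SAMPLE))
    print("promiscuous responders:", karma_suspects(SAMPLE))
```

On a live monitor-mode capture the same two functions would be fed raw frame bytes after stripping the radiotap header; the threshold separates a real AP, which answers only for its own SSID, from a radio that answers for all of them.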


On Jan 15, 2006, at 9:49 AM, Dave Aitel wrote:

How does this: http://it.slashdot.org/it/06/01/15/0815207.shtml
An anonymous reader writes "Washingtonpost.com is reporting from the 2nd annual Shmoocon hacker conference about the release of a previously undocumented vulnerability in Windows. The flaw takes advantage of a feature on Windows laptops that have wireless cards built-in. Security researcher Mark Loveless found that Windows laptops which cannot find a wireless connection are configured to broadcast the name of the last SSID they associated with. They assign themselves an ad-hoc 'link local' (think 169.254.x.x.) address, and an attacker can configure his machine to broadcast an SSID of the same name. Thus, the attacker associates with that 'network' and communicates directly with the victim's machine. The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."

Differ from this:

http://www.theta44.org/karma/index.html
KARMA Wireless Client Security Assessment Tools
KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.

KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for 'linksys', it is 'linksys' to them (even while it may be 'tmobile' to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.

Currently, these releases are BYOX (Bring Your Own Exploits), although a number of client-side exploits have been written, tested and demonstrated within this framework. Some may be included in a future release. Automated agent deployment is also planned.




-dave


