Dailydave mailing list archives

RE: Slashback!


From: "Taylor, Gord" <gord.taylor () rbc com>
Date: Mon, 16 Jan 2006 11:33:53 -0500


However, what K2 and I found much more dangerous was step 2:
"If there are no successful connections, Wireless Auto Configuration
attempts to connect to the preferred networks that do not appear in the
list of available networks, in the preferred networks preference order.
This is done so that a Windows wireless client can connect to a hidden
wireless network, one that is either not broadcasting its SSID or
broadcasting an SSID of NULL"

I ran into exactly this same scenario - a good personal firewall helps
since the laptop must be joined to a "friendly" network to have a
"friendly" policy applied. But this causes the occasional denial of
service if you're working wired and your wireless adapter joins the
"unfriendly" network since the policy switches from "friendly" to
"unfriendly" mode midway through a session. Not a big deal for me, but
I'm sure it stumps users all the time.


-----Original Message-----
From: Dino A. Dai Zovi [mailto:ddz () theta44 org]
Sent: 2006, January, 15 3:48 PM
To: Dave Aitel
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Slashback!

Thanks for bringing this up, Dave :).  Now that we're on the subject,
everyone will have to excuse my blatant self-promotion here, but I'll
try and answer your question.

The algorithm that XP uses is very clearly documented by Microsoft here:

http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx
(see section "How Wireless Auto Configuration Works").

It describes exactly what Simple Nomad noticed, as step 4:
"If there are no successful connections and there is an ad hoc network
in the list of preferred networks that is not available, Wireless Auto
Configuration configures the wireless network adapter to act as the
first node in the ad hoc network."

However, what K2 and I found much more dangerous was step 2:
"If there are no successful connections, Wireless Auto Configuration
attempts to connect to the preferred networks that do not appear in the
list of available networks, in the preferred networks preference order.
This is done so that a Windows wireless client can connect to a hidden
wireless network, one that is either not broadcasting its SSID or
broadcasting an SSID of NULL"

We noticed that the client will reveal its list of preferred networks,
in highest-precedence first order every 60 seconds when it is not
associated to a network.  By sniffing for Probe Requests we can see what
networks they will connect to automatically.  If you create a HostAP
with one of those SSIDs, they will automatically attempt to associate.

This problem is exacerbated by the fact that the hotspot the client most
recently connected to is added to the front of the preferred networks
list, so it will associate to that network over a network that was first
joined a long time ago (like their home or work network).  And since the
hotspot (or random 'linksys' whatever) they joined is a cleartext
network, you don't have to spoof their WPA/
IPSec/SecureID/Telepathy-secured home/work network, you can just spoof a
hotspot they have joined at some point and they will be on your network.

KARMA comes with a patch to the MadWifi driver to cause it to respond to
ALL Probe Requests when it is in HostAP mode.  So, the client will
attempt to connect to the network as each network in their preferred
networks list.  If only *one* of them is unencrypted, they will
associate, DHCP an address, etc.  KARMA also includes a framework for
writing and deploying client-side exploits and a simple curses GUI to
passively observe what wireless clients are in range and what networks
they are probing for.

While many laptops will have an ad-hoc SSID in their preferred networks
list, almost *all* will have one or more plaintext hotspot networks in
it.  So we targeted that instead.

As an added bonus, some drivers for XP set the "desired SSID" to a
random 32-char value when the client is not associated to any network.
Surprisingly, you can get the machine to associate to a network with
that random name and bring the interface up.  The best part about it is
that the GUI is not notified so it will still show that the user isn't
associated to anything, when in fact they are.  See attached
screenshot-pr0n.

More info:
Presentation - http://www.theta44.org/software/All%20your%20layer%20are%20belong%20to%20us.ppt
Paper - http://www.theta44.org/karma/aawns.pdf
Software - http://www.theta44.org/karma/

Cheers,

-Dino
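As an added defender-side example (not code from Dino's post, from KARMA, or from Microsoft), a small detector over a constructed list of 802.11 probe request/response records: it flags clients whose directed probe requests reveal several preferred-network SSIDs (the leak described above), BSSIDs that answer probe responses for more than one SSID (the observable signature of an AP that responds to all probe requests), and probes for 32-character SSIDs of the kind some XP drivers emit when unassociated. The Frame record, MAC addresses and SSIDs are constructed assumptions, not captured traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """Minimal view of a captured management frame (constructed for this example)."""
    subtype: str   # "probe_req" (from a client) or "probe_resp" (from an AP)
    src: str       # transmitter MAC: client for requests, BSSID for responses
    ssid: str      # SSID element; "" for a NULL/broadcast probe


# Constructed sample capture: one client probing its preferred list every
# cycle, one BSSID answering every SSID it hears, one ordinary AP.
SAMPLE = [
    Frame("probe_req", "00:11:22:33:44:55", "linksys"),
    Frame("probe_req", "00:11:22:33:44:55", "tmobile"),
    Frame("probe_req", "00:11:22:33:44:55", "CorpWPA"),
    Frame("probe_req", "00:11:22:33:44:55", ""),
    Frame("probe_req", "00:11:22:33:44:55", "Q" * 32),
    Frame("probe_resp", "aa:bb:cc:dd:ee:01", "linksys"),
    Frame("probe_resp", "aa:bb:cc:dd:ee:01", "tmobile"),
    Frame("probe_resp", "aa:bb:cc:dd:ee:01", "CorpWPA"),
    Frame("probe_resp", "aa:bb:cc:dd:ee:02", "CorpWPA"),
    Frame("probe_req", "66:77:88:99:aa:bb", "CorpWPA"),
]


def leaky_clients(frames, threshold=3):
    """Clients whose directed probe requests reveal >= threshold distinct SSIDs."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_req" and f.ssid and len(f.ssid) != 32:
            seen[f.src].add(f.ssid)
    return {mac: sorted(s) for mac, s in seen.items() if len(s) >= threshold}


def karma_suspects(frames):
    """BSSIDs that send probe responses for more than one SSID."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_resp":
            seen[f.src].add(f.ssid)
    return {mac: sorted(s) for mac, s in seen.items() if len(s) > 1}


def driver_artifact_probes(frames):
    """Probe requests carrying a 32-char SSID, likely a driver's random desired SSID."""
    return [(f.src, f.ssid) for f in frames
            if f.subtype == "probe_req" and len(f.ssid) == 32]
```

Run against a real capture, each probe response from a BSSID is matched by its SSID element and each probe request by its transmitter address; the thresholds are tunable assumptions.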

