Dailydave mailing list archives
RE: Slashback!
From: "Taylor, Gord" <gord.taylor () rbc com>
Date: Mon, 16 Jan 2006 11:33:53 -0500
> However, what K2 and I found much more dangerous was step 2: "If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that do not appear in the list of available networks, in the preferred networks preference order. This is done so that a Windows wireless client can connect to a hidden wireless network, one that is either not broadcasting its SSID or broadcasting an SSID of NULL"
I ran into exactly this same scenario - a good personal firewall helps since the laptop must be joined to a "friendly" network to have a "friendly" policy applied. But this causes the occasional denial of service if you're working wired and your wireless adapter joins the "unfriendly" network since the policy switches from "friendly" to "unfriendly" mode midway through a session. Not a big deal for me, but I'm sure it stumps users all the time.

-----Original Message-----
From: Dino A. Dai Zovi [mailto:ddz () theta44 org]
Sent: 2006, January, 15 3:48 PM
To: Dave Aitel
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Slashback!

Thanks for bringing this up, Dave :). Now that we're on the subject, everyone will have to excuse my blatant self-promotion here, but I'll try and answer your question.

The algorithm that XP uses is very clearly documented by Microsoft here: http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx (see section "How Wireless Auto Configuration Works"). It describes exactly what Simple Nomad noticed, as step 4: "If there are no successful connections and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network."

However, what K2 and I found much more dangerous was step 2: "If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that do not appear in the list of available networks, in the preferred networks preference order. This is done so that a Windows wireless client can connect to a hidden wireless network, one that is either not broadcasting its SSID or broadcasting an SSID of NULL"

We noticed that the client will reveal its list of preferred networks, in highest-precedence first order every 60 seconds when it is not associated to a network. By sniffing for Probe Requests we can see what networks they will connect to automatically. If you create a HostAP with one of those SSIDs, they will automatically attempt to associate. This problem is exacerbated by the fact that the hotspot the client most recently connected to is added to the front of the preferred networks list, so it will associate to that network over a network that was first joined a long time ago (like their home or work network). And since the hotspot (or random 'linksys' whatever) they joined is a cleartext network, you don't have to spoof their WPA/IPSec/SecureID/Telepathy-secured home/work network, you can just spoof a hotspot they have joined at some point and they will be on your network.

KARMA comes with a patch to the MadWifi driver to cause it to respond to ALL Probe Requests when it is in HostAP mode. So, the client will attempt to connect to the network as each network in their preferred networks list. If only *one* of them is unencrypted, they will associate, DHCP an address, etc. KARMA also includes a framework for writing and deploying client-side exploits and a simple curses GUI to passively observe what wireless clients are in range and what networks they are probing for.

While many laptops will have an ad-hoc SSID in their preferred networks list, almost *all* will have one or more plaintext hotspot networks in it. So we targeted that instead.

As an added bonus, some drivers for XP set the "desired SSID" to a random 32-char value when the client is not associated to any network. Surprisingly, you can get the machine to associate to a network with that random name and bring the interface up. The best part about it is that the GUI is not notified so it will still show that the user isn't associated to anything, when in fact they are. See attached screenshot-pr0n.
More info:
Presentation - http://www.theta44.org/software/All%20your%20layer%20are%20belong%20to%20us.ppt
Paper - http://www.theta44.org/karma/aawns.pdf
Software - http://www.theta44.org/karma/

Cheers,
-Dino

_______________________________________________________________________
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.

This e-mail is confidential and protected. The sender does not waive the rights and obligations relating to it. Any distribution, use or copying of this message or the information it contains by anyone other than the intended recipient(s) is prohibited. If you received this e-mail in error, please advise me immediately, by return e-mail or by other means.
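The two behaviours the thread describes are both visible to a passive monitor: an unassociated client walking its preferred-network list in directed Probe Requests, and an access point that answers Probe Requests for every name it hears. The following Python is an added example written for this archive page, not code from the thread, from KARMA, or from Microsoft. It works over constructed, simplified frame records (an assumed `Frame` record with kind, source, destination and SSID, standing in for what a monitor-mode capture would yield), and implements a wireless-monitoring check: inventory which clients leak which SSIDs, and flag any BSSID whose probe responses carry an implausible number of distinct SSIDs, which is the signature a defender would look for to detect a "respond to ALL Probe Requests" access point.

```python
"""Monitor-side detection for the probing behaviours discussed in the thread.

Records below are constructed samples, not real captures. The Frame shape is
an assumed simplification of 802.11 management frames: a real deployment would
fill it from a monitor-mode capture (e.g. with a pcap reader), which is out of
scope here.
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    kind: str   # "probe_req" (from a client) or "probe_resp" (from an AP/BSSID)
    src: str    # transmitter MAC
    dst: str    # receiver MAC; BROADCAST for undirected probes
    ssid: str   # "" means a wildcard probe carrying no SSID


# Constructed sample: client ...:01 cycles through three preferred networks
# (the leak described in the thread), client ...:02 only sends wildcard
# probes, BSSID 00:de:ad:be:ef:00 answers every name it hears, and
# 00:0c:41:11:22:33 is an ordinary AP answering with its own SSID.
SAMPLE = [
    Frame("probe_req", "00:11:22:aa:bb:01", BROADCAST, "tmobile"),
    Frame("probe_resp", "00:de:ad:be:ef:00", "00:11:22:aa:bb:01", "tmobile"),
    Frame("probe_req", "00:11:22:aa:bb:01", BROADCAST, "linksys"),
    Frame("probe_resp", "00:de:ad:be:ef:00", "00:11:22:aa:bb:01", "linksys"),
    Frame("probe_req", "00:11:22:aa:bb:01", BROADCAST, "CorpWPA"),
    Frame("probe_resp", "00:de:ad:be:ef:00", "00:11:22:aa:bb:01", "CorpWPA"),
    Frame("probe_req", "00:11:22:aa:bb:02", BROADCAST, ""),
    Frame("probe_resp", "00:0c:41:11:22:33", "00:11:22:aa:bb:02", "HomeNet"),
    # The same client repeats its list on the next cycle (60 s later per the thread).
    Frame("probe_req", "00:11:22:aa:bb:01", BROADCAST, "tmobile"),
]


def leaked_preferred_lists(frames):
    """Map each client MAC to the SSIDs it probed for by name, first-seen order.

    Wildcard probes (empty SSID) reveal nothing and are ignored. Because an
    unassociated client walks its preferred list in precedence order, the
    first-seen order here is also the order in which it would try to join.
    """
    seen = defaultdict(list)
    for f in frames:
        if f.kind == "probe_req" and f.ssid and f.ssid not in seen[f.src]:
            seen[f.src].append(f.ssid)
    return dict(seen)


def promiscuous_responders(frames, threshold=3):
    """Return {bssid: sorted SSIDs} for APs answering with >= threshold names.

    A legitimate AP responds with its own SSID (or a small, fixed set on a
    multi-SSID radio). One BSSID that echoes back every probed name is the
    pattern of an AP configured to answer all Probe Requests.
    """
    names = defaultdict(set)
    for f in frames:
        if f.kind == "probe_resp":
            names[f.src].add(f.ssid)
    return {b: sorted(s) for b, s in names.items() if len(s) >= threshold}


def clients_answered_by(frames, bssid):
    """Sorted client MACs that received probe responses from `bssid`.

    Used to turn a flagged responder into a list of endpoints to follow up on.
    """
    return sorted({f.dst for f in frames if f.kind == "probe_resp" and f.src == bssid})


if __name__ == "__main__":
    for client, ssids in leaked_preferred_lists(SAMPLE).items():
        print(f"{client} leaks preferred list: {ssids}")
    for bssid, ssids in promiscuous_responders(SAMPLE).items():
        print(f"ALERT {bssid} answered {len(ssids)} distinct SSIDs {ssids}; "
              f"clients it answered: {clients_answered_by(SAMPLE, bssid)}")
```

The threshold of three distinct SSIDs is a starting point, not a standard: multi-SSID enterprise radios legitimately answer with several names, so a real deployment would baseline each BSSID against the SSID set it advertises in beacons and alert on responses outside that set.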
Current thread:
- Slashback! Dave Aitel (Jan 15)
- Re: Slashback! Dino A . Dai Zovi (Jan 15)
- Re: Slashback! H D Moore (Jan 15)
- Re: Slashback! Kurt Grutzmacher (Jan 16)
- Re: Slashback! Mike Kershaw (Jan 17)
- Re: Slashback! Kurt Grutzmacher (Jan 16)
- Re: Slashback! Technocrat (Jan 15)
- Re: Slashback! Alexander Bochmann (Jan 16)
- Re: Slashback! Dino A. Dai Zovi (Jan 16)
- Re: Slashback! Alexander Bochmann (Jan 16)
- <Possible follow-ups>
- RE: Slashback! Taylor, Gord (Jan 16)
- Re: Slashback! Dino A. Dai Zovi (Jan 16)
- Re: Slashback! byte_jump (Jan 17)
- Re: Slashback! Curt Wilson (Jan 17)
- Re: Slashback! Dino A. Dai Zovi (Jan 16)
- RE: Slashback! Taylor, Gord (Jan 16)
- RE: Slashback! Skyler King (Jan 18)
- RE: Slashback! Dave Korn (Jan 18)
- RE: Slashback! Skyler King (Jan 18)