Dailydave mailing list archives
Re: Slashback!
From: "Dino A. Dai Zovi" <ddz () theta44 org>
Date: Mon, 16 Jan 2006 16:11:32 -0500
On Jan 16, 2006, at 12:57 PM, Alexander Bochmann wrote:
> ...on Sun, Jan 15, 2006 at 09:56:14AM -0600, Technocrat wrote:
>> Dave Aitel wrote:
>>> How does this: http://it.slashdot.org/it/06/01/15/0815207.shtml
>>> Differ from this: http://www.theta44.org/karma/index.html
>>
>> Good point, I have heard of this attack before now..it isn't very "new"
>> just not talked about in a large public forum before now.
>
> Perhaps I'm missing something critical here, but this seems exactly like the thing that hotspotter[1] is targeting, and that was released in April 2004.
>
> From the readme: "A Windows XP client will probe for all the preferred network names listed in the wireless client configuration during startup, powersave-wakeup and when the driver reports signal loss for the current network name. [..] Due to this configuration, it is possible to force a client to disclose the list of configured profiles, and then establish a connection to a rogue network using one of the preferred network names."
>
> Alex.
>
> [1] http://www.remote-exploit.org/index.php/Hotspotter_main
Yep, they attack basically the same problem :). Hotspotter came out right as we were working on this (I referenced it in the paper, but I don't think I put it on our slides which I should have).
Hotspotter checks probes against a database of known hotspot names and then configures a HostAP network with that name if there is a match. KARMA takes a different approach and uses a modified driver to automatically respond to any probe request. This attacks all clients in parallel, helps win the race if there is another network the client may join, and uncovered the "random SSID" wireless network association vulnerabilities in Windows and MacOS X AirPort Classic. Apple fixed this in an AirPort update this summer, Microsoft said they'd fix it in the next service pack (it only affects older 802.11b-only cards).
-Dino
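
A detection-side view of the behaviour described in this message, as an added example that is not part of the original post and is not code from KARMA or Hotspotter: an access point that answers any probe request shows up as one BSSID sending solicited probe responses for many unrelated SSIDs, including a random "canary" name that no real network uses. The frame tuples, MAC addresses, SSIDs, canary name and threshold are constructed assumptions; parsing a real monitor-mode capture into these tuples is left out.

```python
from collections import defaultdict

# Constructed sample: (frame type, transmitter MAC, receiver MAC, SSID).
FRAMES = [
    ("probe_req",  "02:00:00:00:00:c1", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
    ("probe_resp", "02:00:00:00:00:a1", "02:00:00:00:00:c1", "CorpWiFi"),
    ("probe_req",  "02:00:00:00:00:c1", "ff:ff:ff:ff:ff:ff", "HomeNet"),
    ("probe_resp", "02:00:00:00:00:ee", "02:00:00:00:00:c1", "HomeNet"),
    ("probe_req",  "02:00:00:00:00:c2", "ff:ff:ff:ff:ff:ff", "CoffeeShop"),
    ("probe_resp", "02:00:00:00:00:ee", "02:00:00:00:00:c2", "CoffeeShop"),
    # A monitoring sensor probes for a random name no real network uses.
    ("probe_req",  "02:00:00:00:00:c3", "ff:ff:ff:ff:ff:ff", "canary-7f3a9e"),
    ("probe_resp", "02:00:00:00:00:ee", "02:00:00:00:00:c3", "canary-7f3a9e"),
    ("probe_resp", "02:00:00:00:00:ee", "02:00:00:00:00:c1", "CorpWiFi"),
]

def find_answer_all_aps(frames, canary_ssids=(), max_ssids=2):
    """Return {bssid: [reasons]} for APs that answer whatever SSID is probed.

    max_ssids is a heuristic (assumption): a normal AP answers for the few
    SSIDs it actually serves, not for every name clients happen to ask for.
    """
    probed = defaultdict(set)    # client MAC -> SSIDs it has probed for
    answered = defaultdict(set)  # BSSID -> probed SSIDs it claimed to be
    findings = defaultdict(list)
    for ftype, src, dst, ssid in frames:
        if ftype == "probe_req" and ssid:
            probed[src].add(ssid)
        elif ftype == "probe_resp" and ssid in probed.get(dst, ()):
            # Only count responses that echo an SSID this client asked for.
            if ssid in canary_ssids and ssid not in answered[src]:
                findings[src].append(f"answered canary SSID {ssid!r}")
            answered[src].add(ssid)
    for bssid, ssids in answered.items():
        if len(ssids) > max_ssids:
            findings[bssid].append(f"answered {len(ssids)} distinct probed SSIDs")
    return dict(findings)

if __name__ == "__main__":
    for bssid, reasons in find_answer_all_aps(FRAMES, {"canary-7f3a9e"}).items():
        print(bssid, "->", "; ".join(reasons))
```

The canary check is the stronger signal of the two: a legitimate AP has no reason to claim a randomly generated SSID, whereas the distinct-SSID count depends on the threshold chosen for the site.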