----- Original Message ----- From: "Max Moser" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, April 04, 2004 7:25 PM Subject: Automated wireless client penetration tool "hotspotter" released.
> I would like to announce the availability of a proof of concept tool > release. Hotspotter automates a method of penetration against wireless > clients, independent of the encryption mechanism used. Get it at > http://www.remote-exploit.org now. > > Feel free to provide feedback, below you will find some further > information copied from the README file. > > Greetings > > Max Moser > > > Background: > ----------- > During a wireless assessment for a customer some time ago, I discovered > a > strange characteristic of the Microsoft Windows XP wireless client. It > was > possible to bring the client from a secure EAP/TLS network to an > insecure one > without any warnings from the operating system. I discovered this was > due to > the configuration of multiple wireless profiles. One profile was > established > for the EAP/TLS network, and a second for the "ANY" network, using an > empty > network name (SSID). > > To evaluate this configuration, I established my own access point using > the > same SSID as the EAP/TLS network, without the privacy bit set (no > encryption). > Due to the configuration of the Windows XP client, I was able to force > the > client to switch to my network with a single deauthenticate frame; at > which > point the client reconnected to my "rogue" access point. The victim > station did > not receive a warning from the operating system to indicate they left > their > production network, only a small indicator for temporary wireless > signal. > > With this attack, I was able to force a client to leave their secure > wireless > network and reconnect to my rogue network, albeit at a loss of network > connectivity. This allowed me to evaluate the host-based security of > the > victim host, without the protection of the EAP/TLS network. > > This behaviour seems to be fixed in Windows XP Service Pack 1. I was > unable to > locate any documentation in the Microsoft Knowledge Base that indicated > the > resolution of this flaw, but there is a remaining vulnerability that > can also > be exploited based configured wireless profiles. > > A Windows XP client will probe for all the preferred network names > listed in > the wireless client configuration during startup, powersave-wakeup and > when the > driver reports signal loss for the current network name. Many coporate > wireless users configure Windows XP with a business profile (secure > network > profile) and several other network names including commercial hotspots > and home > networks (insecure network profiles). Due to this configuration, it is > possible to force a client to disclose the list of configured profiles, > and > then establish a connection to a rogue network using one of the > preferred > network names. Depending on the configuration of the wireless client, > the > client will display a bubble message indicating it has joined a > different > wireless network name. > > Once the associates to the rogue network, it is possible to interact > with the > client directly. This may include port scanning the victim, exploiting > Windows-based vulnerabilities or simulating an otherwise "real" network > using > faked services and intercepted DNS queries. > > Note that the Apple OS X client exhibits similar behaviour, although it > has not > been thoroughly tested at this time. > > > Automated penetration using Hotspotter > -------------------------------------- > Hotspotter was written to exploit this weakness in the Windows XP Wlan > client > system. Hotspotter passively monitors the network for probe request > frames to > identify the preferred networks of Windows XP clients, and will compare > it to a > supplied list of common hotspot network names. If the probed network > name > matches a common hotspot name, Hotspotter will act as an access point > to allow > the client to authenticate and associate. Once associated, Hotspotter > can be > configured to run a command, possibly a script to kick off a DHCP > daemon and > other scanning against the new victim. > > -- NYCwireless - http://www.nycwireless.net/ Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/ Archives: http://lists.nycwireless.net/pipermail/nycwireless/
