Two security tools from different sources released this week:
-----Original Message----- From: Joshua Wright [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 06, 2004 8:25 PM I've posted the source code and a partial-functionality Windows binary for my LEAP attack tool Asleap at http://asleap.sourceforge.net/. I've not had a lot of feedback from people testing, so I'm interested to hear what people think. Thanks. -Josh -- -Joshua Wright [EMAIL PROTECTED] http://home.jwu.edu/jwright/ pgpkey: http://home.jwu.edu/jwright/pgpkey.htm fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73 --- -----Original Message----- From: Max Moser <[EMAIL PROTECTED]> Date: April 4, 2004 16:27:52 PDT I would like to announce the availability of a proof of concept tool release. Hotspotter automates a method of penetration against wireless clients, independent of the encryption mechanism used. Get it at http://www.remote-exploit.org now. Feel free to provide feedback, below you will find some further information copied from the README file. Greetings Max Moser Background: ----------- During a wireless assessment for a customer some time ago, I discovered a strange characteristic of the Microsoft Windows XP wireless client. It was possible to bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system. I discovered this was due to the configuration of multiple wireless profiles. One profile was established for the EAP/TLS network, and a second for the "ANY" network, using an empty network name (SSID). To evaluate this configuration, I established my own access point using the same SSID as the EAP/TLS network, without the privacy bit set (no encryption). Due to the configuration of the Windows XP client, I was able to force the client to switch to my network with a single deauthenticate frame; at which point the client reconnected to my "rogue" access point. The victim station did not receive a warning from the operating system to indicate they left their production network, only a small indicator for temporary wireless signal. With this attack, I was able to force a client to leave their secure wireless network and reconnect to my rogue network, albeit at a loss of network connectivity. This allowed me to evaluate the host-based security of the victim host, without the protection of the EAP/TLS network. This behaviour seems to be fixed in Windows XP Service Pack 1. I was unable to locate any documentation in the Microsoft Knowledge Base that indicated the resolution of this flaw, but there is a remaining vulnerability that can also be exploited based configured wireless profiles. A Windows XP client will probe for all the preferred network names listed in the wireless client configuration during startup, powersave-wakeup and when the driver reports signal loss for the current network name. Many coporate wireless users configure Windows XP with a business profile (secure network profile) and several other network names including commercial hotspots and home networks (insecure network profiles). Due to this configuration, it is possible to force a client to disclose the list of configured profiles, and then establish a connection to a rogue network using one of the preferred network names. Depending on the configuration of the wireless client, the client will display a bubble message indicating it has joined a different wireless network name. Once the associates to the rogue network, it is possible to interact with the client directly. This may include port scanning the victim, exploiting Windows-based vulnerabilities or simulating an otherwise "real" network using faked services and intercepted DNS queries. Note that the Apple OS X client exhibits similar behaviour, although it has not been thoroughly tested at this time. Automated penetration using Hotspotter -------------------------------------- Hotspotter was written to exploit this weakness in the Windows XP Wlan client system. Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and will compare it to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.
