SlideShare a Scribd company logo

Attacking Automatic Wireless Network Selection

A
amiable_indian

The document discusses vulnerabilities in wireless network selection that can be exploited to attack clients. It describes how an attacker can spoof disassociation frames to force clients to rescan and discover preferred networks, then create a rogue access point with the same SSID to get clients to associate with the attacker's network instead of secure networks. It also demonstrates attacks on Windows and MacOS wireless configuration using tools like KARMA to target and compromise clients.

1 of 29
“ All your layer are belong to us” Attacking Automatic Wireless Network Selection Dino A. Dai Zovi and Shane A. Macaulay {ddaizovi,smacaulay1}@bloomberg.com
Agenda Windows XP Wireless Auto Configuration (WZCSVC) Attacking Wireless Auto Configuration Mac OS X AirPort KARMA: Wireless Client Attack Toolkit Demo All your layer are belong to us
Wireless Auto Configuration Algorithm First, Client builds list of available networks Send broadcast Probe Request on each channel
Wireless Auto Configuration Algorithm Access Points within range respond with Probe Responses
Wireless Auto Configuration Algorithm If Probe Responses are received for networks in preferred networks list: Connect to them in preferred networks list order Otherwise, if no available networks match preferred networks: Specific Probe Requests are sent for each preferred network in case networks are “hidden”
Wireless Auto Configuration Algorithm If still not associated and there is an ad-hoc network in preferred networks list, create the network and become first node Use self-assigned IP address (169.254.Y.Z)
Wireless Auto Configuration Algorithm Finally, if “Automatically connect to non-preferred networks” is enabled ( disabled by default ), connect to networks in order they were detected Otherwise, wait for user to select a network or preferred network to appear Set card’s SSID to random 32-char value, Sleep for minute, and then restart algorithm
Attacking Wireless Auto Configuration Attacker spoofs disassociation frame to victim Client sends broadcast and specific Probe Requests again Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)
Attacking Wireless Auto Configuration Attacker creates a rogue access point with SSID MegaCorp
Attacking Wireless Auto Configuration Victim associates to attacker’s fake network Even if preferred network was WEP (XP SP 0) Attacker can supply DHCP, DNS, …, servers
Wireless Auto Configuration Attacks Join ad-hoc network created by target Sniff network to discover self-assigned IP (169.254.Y.Z) and attack Create a more Preferred Network Spoof disassociation frames to cause clients to restart scanning process Sniff Probe Requests to discover Preferred Networks Create a network with SSID from Probe Request Create a stronger signal for currently associated network While associated to a network, clients sent Probe Requests for same network to look for stronger signal
Wireless Auto Configuration 0day Remember how SSID is set to random value? The card sends out Probe Requests for it We respond w/ Probe Response Card associates Host brings interface up, DHCPs an address, etc. Verified on Windows XP SP2 w/ PrismII and Orinoco (Hermes) cards Fixed in Longhorn
Packet trace of Windows XP associating using random SSID 00:49:04.007115 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:e0:29:91:8e:fd Probe Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 00:49:04.008125 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Probe Response (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5 11.0 Mbit] CH: 1 00:49:04.336328 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Authentication (Open System)-1: Succesful 00:49:04.337052 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Authentication (Open System)-2: 00:49:04.338102 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Assoc Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 00:49:04.338856 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Assoc Response AID(1) :: Succesful
“ First of all, there is no ‘we’…”
Vulnerable PNL Configurations If there are no networks in the Preferred Networks List, random SSID will be joined If all networks in PNL are encrypted, random SSID will have left-over WEP configuration (attacker will have to guess key) We supply the challenge, victim replies with challenge XOR RC4 keystream Our challenge is 000000000000000000… We get first 144 bytes of keystream If there are any unencrypted networks in PNL, host will associate to KARMA Access Point.
How do you like them Apples? MacOS X AirPort (but not AirPort Extreme) has similar issues MacOS X maintains list of trusted wireless networks User can’t edit it, it’s an XML file base64-encoded in another XML file When user logs in or system wakes from sleep, a probe is sent for each network Only sent once, list isn’t continuously sent out Attacker has less of a chance of observing it If none are found, card’s SSID is set to a dynamic SSID With 40-bit WEP enabled … but to a static key After waking from sleep, SSID is set to “dummy SSID” Will associate as plaintext or 40-bit WEP with above key MacOS X 10.4 (“Tiger”) apparently has GUI to edit list of trusted wireless networks
A Tool to Automate the Attack Track clients by MAC address Identify state: scanning/associated Record preferred networks by capturing Probe Requests Display signal strength of packets from client Target specific clients and create a network they will automatically associate to Compromise client and let them rejoin original network Connect back out over Internet to attacker Launch worm inside corporate network Etc. “ Kismet” for wireless clients
KARMA Attacks Radioed Machines Automatically
More Dirty Pictures… A few minutes later…
L1: Creating An ALL SSIDs Network Can we attack multiple clients at once? Want a network that responds to Probe Requests for any SSID PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to driver Atheros has no firmware, and HAL has been reverse engineered for a fully open-source “firmware” capable of Monitor mode, Host AP This is where it gets interesting…
L2: Creating a FishNet Want a network where we can observe clients in a “fishbowl” environment Once victims associate to wireless network, will acquire a DHCP address We run our own DHCP server We are also the DNS server and router
FishNet Services When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action Our custom DNS server replies with our IP address for every query We also run “trap” web, mail, chat services Fingerprint client software versions Steal credentials Exploit client-side application vulnerabilities
Fingerprinting FishNet Clients Automatic DNS queries wpad. domain -> Windows _isatap -> Windows XP SP 0 isatap. domain -> Windows XP SP 1 teredo.ipv6.microsoft.com -> XP SP 2 Automatic HTTP Requests windowsupdate.com, etc. User-Agent String reveals OS version Passive OS fingerprinting (p0f) DNS queries reveal Windows Domain membership (redmond.corp.microsoft.com, anyone?)
L5: Exploiting FishNet Clients Fake services steal credentials Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN) Reject authentication attempts using non-cleartext commands Many clients automatically resort to cleartext when non-cleartext is not supported Attack VPN clients
Transparent HTTP Proxy Exploit Server Acts as transparent proxy based on HTTP Host header Exploits mounted as servlets on “Karma” virtual host Redirections to exploits are injected into proxied content Insert hidden frame, window, etc. Can infect existing Java class files with LiveConnect exploit
Client-Side Exploits Recent client-side vulnerabilities Microsoft JPG Processing (GDI+) Internet Explorer Animated Cursors Vuln Sun Java Plugin LiveConnect Arbitrary Package Access (Windows, Linux, MacOS X) … Exploits can make use of fingerprinting info to target attack
Attacking Application Auto Updates No supported interface Lack of consistency causes home-brew solutions API or protocol for doing this? (Un)signed CAB? ZIP? EXE? Infinite Monkey Protocol Implementation weaknesses Confused user Assumes “Windows Update” updates their computer’s software
Boron Client-Side Agent Payloads in client-side exploits install semi-persistent agent Monitors networks host connects to Host is inherently mobile, agent takes advantage of this Examines network configuration (domain, trust relationships, etc.) Periodically phones home HTTPS through configured proxy DNS Reports networks user connected to Detect laptop mobility policy violations
DEMO

More Related Content

Attacking Automatic Wireless Network Selection

  • 1. “ All your layer are belong to us” Attacking Automatic Wireless Network Selection Dino A. Dai Zovi and Shane A. Macaulay {ddaizovi,smacaulay1}@bloomberg.com
  • 2. Agenda Windows XP Wireless Auto Configuration (WZCSVC) Attacking Wireless Auto Configuration Mac OS X AirPort KARMA: Wireless Client Attack Toolkit Demo All your layer are belong to us
  • 3. Wireless Auto Configuration Algorithm First, Client builds list of available networks Send broadcast Probe Request on each channel
  • 4. Wireless Auto Configuration Algorithm Access Points within range respond with Probe Responses
  • 5. Wireless Auto Configuration Algorithm If Probe Responses are received for networks in preferred networks list: Connect to them in preferred networks list order Otherwise, if no available networks match preferred networks: Specific Probe Requests are sent for each preferred network in case networks are “hidden”
  • 6. Wireless Auto Configuration Algorithm If still not associated and there is an ad-hoc network in preferred networks list, create the network and become first node Use self-assigned IP address (169.254.Y.Z)
  • 7. Wireless Auto Configuration Algorithm Finally, if “Automatically connect to non-preferred networks” is enabled ( disabled by default ), connect to networks in order they were detected Otherwise, wait for user to select a network or preferred network to appear Set card’s SSID to random 32-char value, Sleep for minute, and then restart algorithm
  • 8. Attacking Wireless Auto Configuration Attacker spoofs disassociation frame to victim Client sends broadcast and specific Probe Requests again Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)
  • 9. Attacking Wireless Auto Configuration Attacker creates a rogue access point with SSID MegaCorp
  • 10. Attacking Wireless Auto Configuration Victim associates to attacker’s fake network Even if preferred network was WEP (XP SP 0) Attacker can supply DHCP, DNS, …, servers
  • 11. Wireless Auto Configuration Attacks Join ad-hoc network created by target Sniff network to discover self-assigned IP (169.254.Y.Z) and attack Create a more Preferred Network Spoof disassociation frames to cause clients to restart scanning process Sniff Probe Requests to discover Preferred Networks Create a network with SSID from Probe Request Create a stronger signal for currently associated network While associated to a network, clients sent Probe Requests for same network to look for stronger signal
  • 12. Wireless Auto Configuration 0day Remember how SSID is set to random value? The card sends out Probe Requests for it We respond w/ Probe Response Card associates Host brings interface up, DHCPs an address, etc. Verified on Windows XP SP2 w/ PrismII and Orinoco (Hermes) cards Fixed in Longhorn
  • 13. Packet trace of Windows XP associating using random SSID 00:49:04.007115 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:e0:29:91:8e:fd Probe Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 00:49:04.008125 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Probe Response (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5 11.0 Mbit] CH: 1 00:49:04.336328 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Authentication (Open System)-1: Succesful 00:49:04.337052 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Authentication (Open System)-2: 00:49:04.338102 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Assoc Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 00:49:04.338856 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Assoc Response AID(1) :: Succesful
  • 14. “ First of all, there is no ‘we’…”
  • 15. Vulnerable PNL Configurations If there are no networks in the Preferred Networks List, random SSID will be joined If all networks in PNL are encrypted, random SSID will have left-over WEP configuration (attacker will have to guess key) We supply the challenge, victim replies with challenge XOR RC4 keystream Our challenge is 000000000000000000… We get first 144 bytes of keystream If there are any unencrypted networks in PNL, host will associate to KARMA Access Point.
  • 16. How do you like them Apples? MacOS X AirPort (but not AirPort Extreme) has similar issues MacOS X maintains list of trusted wireless networks User can’t edit it, it’s an XML file base64-encoded in another XML file When user logs in or system wakes from sleep, a probe is sent for each network Only sent once, list isn’t continuously sent out Attacker has less of a chance of observing it If none are found, card’s SSID is set to a dynamic SSID With 40-bit WEP enabled … but to a static key After waking from sleep, SSID is set to “dummy SSID” Will associate as plaintext or 40-bit WEP with above key MacOS X 10.4 (“Tiger”) apparently has GUI to edit list of trusted wireless networks
  • 17. A Tool to Automate the Attack Track clients by MAC address Identify state: scanning/associated Record preferred networks by capturing Probe Requests Display signal strength of packets from client Target specific clients and create a network they will automatically associate to Compromise client and let them rejoin original network Connect back out over Internet to attacker Launch worm inside corporate network Etc. “ Kismet” for wireless clients
  • 18. KARMA Attacks Radioed Machines Automatically
  • 19. More Dirty Pictures… A few minutes later…
  • 20. L1: Creating An ALL SSIDs Network Can we attack multiple clients at once? Want a network that responds to Probe Requests for any SSID PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to driver Atheros has no firmware, and HAL has been reverse engineered for a fully open-source “firmware” capable of Monitor mode, Host AP This is where it gets interesting…
  • 21. L2: Creating a FishNet Want a network where we can observe clients in a “fishbowl” environment Once victims associate to wireless network, will acquire a DHCP address We run our own DHCP server We are also the DNS server and router
  • 22. FishNet Services When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action Our custom DNS server replies with our IP address for every query We also run “trap” web, mail, chat services Fingerprint client software versions Steal credentials Exploit client-side application vulnerabilities
  • 23. Fingerprinting FishNet Clients Automatic DNS queries wpad. domain -> Windows _isatap -> Windows XP SP 0 isatap. domain -> Windows XP SP 1 teredo.ipv6.microsoft.com -> XP SP 2 Automatic HTTP Requests windowsupdate.com, etc. User-Agent String reveals OS version Passive OS fingerprinting (p0f) DNS queries reveal Windows Domain membership (redmond.corp.microsoft.com, anyone?)
  • 24. L5: Exploiting FishNet Clients Fake services steal credentials Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN) Reject authentication attempts using non-cleartext commands Many clients automatically resort to cleartext when non-cleartext is not supported Attack VPN clients
  • 25. Transparent HTTP Proxy Exploit Server Acts as transparent proxy based on HTTP Host header Exploits mounted as servlets on “Karma” virtual host Redirections to exploits are injected into proxied content Insert hidden frame, window, etc. Can infect existing Java class files with LiveConnect exploit
  • 26. Client-Side Exploits Recent client-side vulnerabilities Microsoft JPG Processing (GDI+) Internet Explorer Animated Cursors Vuln Sun Java Plugin LiveConnect Arbitrary Package Access (Windows, Linux, MacOS X) … Exploits can make use of fingerprinting info to target attack
  • 27. Attacking Application Auto Updates No supported interface Lack of consistency causes home-brew solutions API or protocol for doing this? (Un)signed CAB? ZIP? EXE? Infinite Monkey Protocol Implementation weaknesses Confused user Assumes “Windows Update” updates their computer’s software
  • 28. Boron Client-Side Agent Payloads in client-side exploits install semi-persistent agent Monitors networks host connects to Host is inherently mobile, agent takes advantage of this Examines network configuration (domain, trust relationships, etc.) Periodically phones home HTTPS through configured proxy DNS Reports networks user connected to Detect laptop mobility policy violations
  • 29. DEMO