At the recent Schmoocon security conference there was a presentation by "Simple Nomad" titled "Hacking the Friendly Skies" that described attack methods against Windows systems wireless configuration (a.k.a Wireless Zero Configuration). There has been much debate about whether these attacks are new or not, and there appears to be some duplicate efforts in this space. To my knowledge, there are three different tools/methods to take advantage of the way Wireless Zero Configuration works:
1) Hottspotter - This tools takes advantage of a flaw that was fixed in Windows XP Service Pack 1 where a client has an EAP/TLS connection to an SSID, but will connect to that same SSID with no encryption if there is a profile configured for "ANY" wireless network. Hottspotter will also go beyond just this flaw and hijack a users wireless connection. When a Windows system is disconnected from the wireless network it will begin to probe for wireless networks in its preferred networks list, allowing an attacker to listen for all the SSIDs that the client is trying to connect to. With that information the attacker can then become an AP and advertise one of the SSIDs in the clients list, and disconnect the client from the real AP with spoofed dis-association packets. When the client re-connects it will be connected to the attackers network, where you can then provide the client with DNS and DHCP and take it from there with your evil doings.
2) Karma - This toolset improved upon the technique describe above by allowing the attack to respond to any probe request. Using a modified Linux MadWiFi driver they are able to own the air and force the client to connect to an attacker regardless of the SSID. There are a few other enhancements and differences with the way Karma implements the attack as well. For example, if Windows cannot connect to one of its preferred networks it attempts to connect to a 32-character random SSID, which Karma will respond to. Karma also contains some built-in tools, including a DNS, DHCP, and HTTP making it easier to attack the client.
3) The "Simple Nomad" Method - This method takes advantage of the way Windows handles ad-hoc wireless networks. Once a Windows client associates to an ad-hoc network it will create that network upon the next boot if no other clients are in range, becoming an access point. So, if you were to advertise an ad-hoc network called "linksys" a user would associate to you, and the next time they fired up their laptop they would be an AP with the SSID linksys. All of these networks use the 169.254.0.0/16 address space and have that creepy worm-like effect.
UPDATE: One of the authors of Karma has made a posting to bugtraq that describes how Karma works and the differences between it and Simple Nomad's resarch. He went into more detail about Mac OS X, and how it is vulnerable to the attack scenario that Karma implements. I plan to do some testing.
- Disable your wireless card when not in use (easier said that done, however this has the added benefit of improving battery life)
- Use another wireless configuration manager, such as the one that came with your wireless card. Sometimes these are good, sometimes they really stink. The Intel clients tend to be the good ones.
- Simple Nomad describes how to prevent your wireless card from connecting to ad-hoc networks
- Karma relies on the fact that you may have unprotected wireless networks in your preferred networks list, so be diligent about removing them when you are done