Download - Attacking Automatic Wireless Network Selection

8/10/2019 Attacking Automatic Wireless Network Selection

1/10

Attacking Automatic Wireless Network Selection

Dino A. Dai Zovi, Shane A. [email protected], [email protected]

March 20, 2005

Abstract

Wireless 802.11 networking is becoming so prevalentthat many users have become accustomed to havingavailable wireless networks in their workplace, home,and many public places such as airports and coffeeshops. Modern client operating systems implement

automatic wireless network discovery and known net-work identication to facilitate wireless networkingfor the end-user. In order to implement known net-work discovery, client operating systems rememberpast wireless networks that have been joined and au-tomatically look for these networks (referred to asPreferred or Trusted Networks) whenever the wire-less network adapter is enabled. By examining theseimplementations in detail, we have discovered previ-ously undisclosed vulnerabilities in the implementa-tion of these algorithms under the two most prevalentclient operating systems, Windows XP and MacOSX. With custom base station software, an attackermay cause clients within wireless radio range to asso-ciate to the attackers wireless network without userinteraction or notication. This will occur even if theuser has never connected to a wireless network beforeor they have an empty Preferred/Trusted NetworksList. We describe these vulnerabilities as well as theirimplementation and impact.

1 Introduction

IEEE 802.11 wireless networking has demonstrated

explosive growth and popularity, especially in denseurban areas. This has resulted in commercial offer-ings of public access wireless networks ( hotspots ) inmany airports, hotels, coffee shops, and even someparks. Large hotspot providers include T-Mobile andVerizon. There are even community-based projects toprovide free hotspots in community areas like Man-hattan parks [1].

The prevalence of these hotspots has had an unan-

ticipated effect on the mechanisms in client operatingsystems for selecting wireless networks. It has been aknown problem that an attacker can provide a rogueaccess point with a common name (such as the de-fault SSID of a popular home-office access point, suchas linksys ). If a nearby wireless client has associatedto a similarly-named access point in the past, theymay mistake the rogue access point for their trustedaccess point. The prescribed solution to this is toensure that all networks connected to are encrypted.While this is possible when the only networks con-nected to are at the home or workplace, the use of hotspots (which must be unencrypted to provide pub-lic access) means that users are more likely to haveconnected to unencrypted networks in the past.

According to a Gartner research report (quoted in[2]), Microsoft Windows and Apple MacOS are thetwo most prevalent desktop operating systems, with96% and 2.8% market share, respectively. Our re-

search examined the latest releases of these desktopoperating system families, Windows XP Service Pack2 and MacOS X 10.3.8. We describe in detail themechanisms used by the latest releases of these op-erating systems for automatic network selection andhow they may be attacked. Our research in this areahas also uncovered vulnerabilities in the implemen-tation of these algorithms. Namely, the implementa-tions set the wireless network adapter in a parkedmode when the user is not associated to a network.In this mode, the cards desired SSID setting isset to a value that the implementor has expected tonever exist as an available network. When a net-work by this name does exist (or at least appearsto), however, the wireless network card will automat-ically associate. This occurs without user interactionor notication.

This paper is organized as follows. Section 2 pro-vides an overview of the concepts involved in 802.11wireless networking and describes related work in802.11 client security research. Section 3 documents

1


2/10

in detail how Windows XP and MacOS X implementautomatic wireless network selection. Section 4 de-scribes vulnerabilities in the implementations of au-tomatic wireless network selection and weaknesses inthe algorithms they use. In section 5, we describe theimplementation of a customized software access pointdriver to exploit the previously described vulnerabil-ities. Section 6 discusses the ramications of thesevulnerabilities and describes future work in this areaof research.

2 Background

The IEEE 802.11 standard [3] species medium ac-cess control (MAC) and physical layer (PHY) opera-tion for local area wireless networking. It is now themost common standard for wireless networking and

most laptops now include integrated wireless networkcards using the 802.11 standard.The 802.11 standard denes two entities in a wire-

less network, the Station (STA) and Access Point(AP). A wireless network, or Basic Service Set (BSS)as it is referred to in the standard, may be createdin two congurations: the Independent Basic ServiceSet (IBSS) and the Extended Service Set (ESS). Ev-ery IBSS or ESS is named by a Service Set Identier(SSID), usually a 7-bit ASCII string with a lengthnot exceeding 32 characters. An IBSS, or Ad-Hoc network , is created by any number of stations with-out requiring any Access Points. The more commonnetwork conguration, an ESS or Infrastructure net-work , is created with one or more Access Points creat-ing a Distribution System (DS) that clients may join.The most common conguration is an Infrastructurenetwork with one Access Point.

In order to understand the attacks introduced inthis paper, we must detail the 802.11 frame typesused for locating and joining networks. In order toannounce its presence, each AP in an ESS broadcastsBeacon frames containing the SSID and various char-acteristics of the ESS, including supported data ratesas well as whether encryption is enabled. Stations

may locate nearby networks by observing these Bea-con frames or by sending Probe Request frames. TheProbe Request frame contains the SSID the STA islooking for as well as the transfer rates supported bythe STA. The SSID may be an empty string indi-cating that the frame is a broadcast Probe Request.Access Points within signal range typically respond toboth broadcast Probe Requests and Probe Requestscontaining their SSID with a Probe Response frame

containing the networks SSID 1 , supported rates, andwhether the network is encrypted. If encryption isenabled, the STA must authenticate prior to associ-ating to the network. This is performed through asequence of Authentication frames. If the STA hasproperly authenticated itself or the network does notrequire authentication, the STA will send an Associa-tion Request frame to which the AP responds with anAssociation Response frame. At this point the STAmay begin to participate on the wireless network.

It is important to point out that while the stan-dard species how a STA joins a ESS, how the ESSis chosen is unspecied. The specication allows forroaming between base stations with the same SSID,but there is no mention of whether the base stationshould be authenticated or simply trusted. The spec-ication also does not address how a wireless clientis to select an available network, and this has been

left up to implementation by hardware and operatingsystem software vendors.Although the security of wireless networks has been

the subject of much research, the security of wirelessclients has not had the same level of focus. There hasbeen some level of research and related work that wehave been able to build upon which we will brieydescribe.

Vulnerabilities in the 802.11 MAC layer have beendiscovered that allow nearby attackers to launcha denial-of-service attack against nearby wirelessclients, effectively jamming the wireless network[5].

The Wireless LAN 802.11b Security FAQ [6] de-scribes several attacks against wireless clients. TheFAQ mentions how a cloned base station ( Evil Twin )can produce a stronger signal than the legitimate basestation and divert unsuspecting clients away fromthe original base station. The FAQ also mentionsthat nearby wireless attacker can target vulnerableTCP/IP services or perform denial-of-service attacksagainst a nearby wireless client.

Max Mosers Hotspotter [7] is an automated wire-less client penetration tool for Linux. Hotspotterplaces the attackers wireless network card in moni-

tor mode to passively listen for Probe Request frames.For each Probe Request frame received, the requestedSSID is compared to a list of known hotspot names.If there is a match, the wireless network card is re-congured to act as an access point with that name.

1 In response to a well-publicized practice called Wardriving [4] many Access Points support an option to ignore broadcastProbe Requests and not broadcast the SSID in Beacon frames.Such access points are referred to as a closed or hidden .

2


3/10

3 Wireless Network Selection

3.1 Microsoft Windows XP WirelessAuto Conguration

Microsoft Windows XP and Windows Server 2003

were the rst Microsoft operating systems to fullysupport 802.11 wireless networking on the client andserver, respectively. Under these operating systems,wireless network conguration and detection is per-formed through a process called Wireless Auto Con-guration.

Central to the conguration and operation of Wire-less Auto Conguration are the Preferred Networks List (PNL) and Available Networks List (ANL). ThePNL is an ordered list of the networks that the userhas connected to in the past. The ANL is an or-dered list of all the Access Points that responded toa broadcast Probe Request in the last wireless net-work scan. Whenever the user connects to a newnetwork, that networks name (SSID) is added to thehead of the PNL. Windows provides user interfacesfor viewing the Available Networks List, managingthe Preferred Networks List, and conguring the be-havior of the Wireless Auto Conguration algorithm,described below.

The Windows XP and Server 2003 Wireless AutoConguration algorithm [8] is presented in a pseu-docode notation in Figure 1 but will also be presentedin narrative and a network trace in order to fully il-lustrate its behavior.

The algorithm begins by building the AvailableNetworks List by sending a scan request to the wire-less network card. This results in a broadcast 802.11Probe Request with an empty SSID being sent overevery channel. Probe Responses are collected by thecard in the order they are received and this list of networks along with conguration details such as en-cryption status and available rates is returned to theoperating system. The algorithm then traverses thePreferred Networks List in order and if a preferrednetwork is found in the Available Networks List, Win-dows attempts to connect to the wireless network. A

connection is attempted to each preferred networkfound in the Available Networks List until there is asuccessful connection.

If no preferred networks were found in the Avail-able Networks List or no connection attempts weresuccessful, Windows attempts a second pass of thePreferred Networks List trying to connect to eachnetwork in the Preferred Networks List in order re-gardless of whether the network exists in the Avail-

Begin:State = Unconnected

// Build list of visible networks (ANL)AvailableNetworks = ScanForAvailableNetworks()

// Step through PNL in order until a network// from the ANL is found and connected toforeach n in PreferredNetworks

if AvailableNetworks contains nthen ConnectToWirelessNetwork(n)if State == Connected then return

// If unable to connect to any networks in the// intersection of the PNL and ANL, check for

// closed networks by stepping through PNL in// order and attempting each network explicitlyforeach n in PreferredNetworks

ConnectToWirelessNetwork(n)if State == Connected then return

// If unable to connect to any network in the// PNL and the PNL contains an Ad-Hoc network,// configure card for the first Ad-Hoc network// in the PNL. Otherwise, if the configuration// setting "Connect to Non-preferred Networks"// is enabled, step through ANL in order and// attempt to connect to each one.if PreferredNetworks contains an Ad-Hoc network

then ConfigureAdHocNetworkelse

if ConnectToNonPreferredNetworks == Truethen foreach n in AvailableNetorks

ConnectToWirelessNetwork(n)if State == Connected then return

// If not connected thus far, generate a// random SSID, wait, and restart algorithmSetSSID(GenerateRandomSSID())SleepForOneMinute()

Goto Begin

Figure 1: Pseudocode for Wireless Auto Congura-tion Algorithm

3


4/10

1) 03:11:39.266743 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (^]^V^KÂ^T^B^TÂ^XÊ^Y^V...)

[1.0 2.0 5.5 11.0 Mbit]2) 03:11:39.400194 BSSID:ff:ff:ff:ff:ff:ff

DA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35

Probe Request () [1.0 2.0 5.5 11.0 Mbit]3) 03:11:40.426391 BSSID:ff:ff:ff:ff:ff:ff

DA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (^]^V^KÂ^T^B^TÂ^XÊ^Y^V...)[1.0 2.0 5.5 11.0 Mbit]

4) 03:11:42.377495 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (aye) [1.0 2.0 5.5 11.0 Mbit]

5) 03:11:44.432180 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (bee) [1.0 2.0 5.5 11.0 Mbit]

6) 03:11:46.485148 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (sea) [1.0 2.0 5.5 11.0 Mbit]

7) 03:11:48.500975 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:02:2d:2b:a5:35Probe Request (^D^F^R^_^]^R^^^\^G^H^J^F...)[1.0 2.0 5.5 11.0 Mbit]

Figure 2: Wireless Auto Conguration Algorithmpacket trace

able Networks List. This second pass is performed

in case any of the networks are closed networks, acommon deviation from the standard where the SSIDis not placed in 802.11 Beacon frames and broadcastProbe Requests are not responded to.

If the wireless network card is not connected andthere are one or more Ad-Hoc networks in the Pre-ferred Networks List, Wireless Auto Congurationwill congure the card for the most preferred Ad-Hoc network available. If none are available, Wire-less Auto Conguration will create the most preferredAd-Hoc network and the algorithm terminates.

If there have been no connections thus far and there

are no Ad-Hoc networks in the Preferred NetworksList, the algorithm examines the Connect To Non-preferred Networks ag. If the ag is enabled (it isdisabled by default), Windows will attempt to con-nect to each network in the Available Networks Listin order. If the ag is not set, the network card isparked in Infrastructure mode with a randomlygenerated SSID for 60 seconds at which point thealgorithm restarts.

When analyzing the algorithm from an attackerspoint of view, it is most helpful to examine it at the802.11 protocol layer. Figure 2 is a packet trace of a single iteration of the Wireless Auto Congurationalgorithm running on a laptop with a fresh installof Windows XP with Service Pack 2. The networktrace was recorded on a nearby laptop with its wire-less network card in monitor mode, a special op-erating mode where all received 802.11 frames arereturned to the operating system. The output hasbeen edited slightly for cleaner presentation by num-bering frames, removing duplicate frames, wrappinglines cleanly, and abbreviating long random SSIDs.

Frames 1-3 show the rst phase of the algorithmwhere the network card is parked with a randomSSID, but sends a broadcast Probe Request framewhen Wireless Auto Conguration initiates a scan re-quest. Frames 4-6 result from the second phase of the

algorithm where a connection to each of the networksin the Preferred Networks List is attempted in order.We observe that the networks in the Preferred Net-works List are (in order): aye, bee, and sea.Since none of these networks were found, Frame 7shows the wireless card being parked with anotherrandom SSID. In the full trace, 16 Probe Requests forthe last random SSID were observed over one minutebefore the algorithm on the observed wireless clientrestarted.

3.2 Apple MacOS X AirPort

Apples MacOS X operating system supports wire-less networking with Apples AirPort and AirPortExtreme 802.11 wireless networking products for802.11b and 802.11g, respectively.

MacOS X allows the user to select three wirelessnetwork selection modes: always connecting to a spe-cic wireless network, connecting to the most re-cently associated network or automatically connect-ing to the unencrypted network with the strongestsignal. The user may also manually select an alter-nate available network or enter the name of a closednetwork. In December 2003, a vulnerability was pub-

lished whereby if an attacker can get a MacOS X userto join their wireless network, the attackers DHCPserver may provide an DHCP option specifying a di-rectory server that the users machine will use as anauthentication server. MacOS X 10.3.3 addressedthis vulnerability by modifying the system to main-tain a list of trusted wireless networks.

The MacOS X trusted wireless networks is asystem-wide list of networks the user has connected to

4


5/10

and opted to add to the list. No user interface is pro-vided to view or modify this list. The list, in fact, iseven fairly difficult to nd. It is stored as an XML lewhich is base-64 encoded and stored within anotherXML le containing basic wireless network adaptersettings. Cursory Internet searches reveal that theexistence of this list is completely undocumented, yetmany have discovered that they can delete the entirele to clear the list of trusted wireless networks.

MacOS X begins the search for trusted wireless net-works when a user logs in or the machine awakes fromsleep. The search begins with the network the ma-chine was most recently associated with. If this net-work is not found, each network in the trusted net-work is attempted in order. If none of these networksare found, a dialog is presented to the user statingthat none of their trusted wireless networks could befound and asking whether they would like to join the

unencrypted network with the strongest signal andoptionally remember the network as a trusted wire-less network. If the user opts not to connect to the se-lected network, the wireless network card is parkedawaiting user interaction. In this state, the wirelessnetwork card remains in Infrastructure mode, how-ever, it is assigned a either a constant dummy SSIDor a dynamic SSID that is chosen when the driver isinitialized (system boot or resume). Both settingshave been seen, although the dummy SSID appearsto be set at system boot and when awakening fromsleep, but the dynamic SSID is only set when theuser logs in. Broadcast Probe Requests are sent oneach channel roughly every two minutes or when theavailable networks need to be presented to the user.

4 Attacking Wireless NetworkSelection

Through the detailed examination and documenta-tion of the processes used by the two most prevalentdesktop operating systems, a number of vulnerabili-ties in these processes were uncovered. The specicvulnerabilities in each implementation is detailed be-low and the attacks are summarized in terms of whichcongurations are vulnerable in section 4.3.

4.1 Microsoft Windows Wireless AutoConguration

Windows Wireless Auto Conguration has severalserious weaknesses: all networks and their precedence

in the Preferred Networks List are revealed, ad-hocnetworks are automatically created, and parkingwith a random SSID does not prevent associating toan Access Point with custom rmware modications.Moreover, this association may occur without user in-teraction or notication. Through these weaknesses,the wireless client is most vulnerable when it is notassociated to a surrounding network.

When no preferred networks are discovered in theAvailable Networks List built in the rst phase of the Wireless Auto Conguration algorithm, the al-gorithm attempts to connect to each network in thePreferred Networks List in order. An attacker withinsignal range (potentially assisted by high-gain anten-nae and signal boosters) may passively monitor a sin-gle wireless channel and observe the Probe Requestsfor each network connection attempted. The attackermay use this information to recreate the victims Pre-ferred Networks List. However, only the names andprecedence of the networks are revealed, their encryp-tion status is not. With this knowledge, the attackermay create a software Access Point with the SSIDof one of the networks in the victims Preferred Net-work List. If the client is expecting the network to beencrypted, the connection will fail and the attackermay simply attempt the next network in their recre-ated copy of the victims Preferred Networks List. If any of the networks in the Preferred Networks Listare not encrypted, the attacker will have an oppor-tunity to create a look-alike network that the client

will join.If there are any Ad-Hoc networks in the Preferred

Networks List and none are found in the AvailableNetworks List, the client will become the rst nodein the Ad-Hoc network. If this network is not cong-ured to be encrypted, any other client within wirelesssignal range may join this network. If the network iscongured with WEP encryption, any of the knownWEP attacks may be performed against it. Severalof these attacks are facilitated by the fact that thenetwork interface is congured using Windows Au-tomatic Private IP Addressing whereby the interface

is given an automatically selected IP address fromthe link local IP address space 169.254.0.0/16 doc-umented in RFC 3330 [9]. Because the interface iscongured, Windows will periodically send NetBIOSbroadcasts, continually supplying the attacker withWEP encrypted data packets. Once the network is joined by the attacker, they can proceed to discoverthe self-assigned IP address used by the victims wire-less network interface. This may be done by sniffing

5


6/10

the network for the previously mentioned NetBIOSbroadcasts or brute-forcing the link local IP addressspace with Address Resolution Protocol (ARP) re-quests for each possible IP address.

As described above, when the Wireless Auto Con-guration algorithm sleeps for 60 seconds beforerestarting, the wireless network card is parked byplacing the card in Infrastructure mode with a ran-dom SSID. Other card settings such as authentica-tion mode or encryption are not changed. When thecard is placed in this state, it assumes its normal be-havior attempting to connect to a network with thatname. If there are no entries in the Preferred Net-works List or the last entry is an unencrypted net-work, the network adapter will attempt to connectto an unencrypted network with this random SSID.If an attacker can provide a network with that name,the wireless client will automatically associate to the

attackers wireless network.This attack may be performed by modifying thermware of an Access Point to respond with ProbeResponses to Probe Requests for any SSID . This at-tack is facilitated by using the newer rmware-lesswireless network cards (such as those using Atheroschipsets). We describe the necessary driver modica-tions and implementation of this attack in Section 5.As this network is joined without the Wireless AutoConguration Services knowledge, the user interfacedoes not inform the user that they have associated toa network. In this case, the client may associate, re-ceive an IP address from a DHCP server, and becomereachable on the network all while the interface in-forms the user that they are not currently connectedto a network.

4.2 MacOS X AirPort

MacOS Xs AirPort implementation shares severalof the pitfalls identied in the Windows WirelessAuto Conguration implementation but avoids oth-ers. Similar to the vulnerabilities described above,MacOS X AirPort reveals the list of trusted wire-less networks and machines using the 802.11b AirPort

hardware may associate to a specially-congured ac-cess point without user interaction or notication.Like Microsoft Windows Wireless Auto Congu-

ration, MacOS X AirPort reveals the list of trustedwireless networks when the system is looking for anetwork to associate to. This is, however, an impor-tant difference because MacOS X AirPort does notcontinually look for the users trusted wireless net-works, only when a user logs in or the system re-

sumes from sleep. This makes it more difficult for anattacker to cause the user to join their rogue accesspoint as it adds temporal constraints, requiring theattacker to be in the right place at the right time.

The drivers for the older 802.11b AirPort hardware,like Wireless Auto Conguration, also keep the wire-less card up in a parked state when not actively as-sociated. As described above, the cards desired SSIDis set to either a dynamic value or a static dummySSID. In order to further prevent unintended asso-ciates, the card is set with WEP enabled, requiring arogue Access Point to know this WEP key in order tocause the client to join automatically. This WEP key,however, is the hard-coded, static 40-bit key (in hex-adecimal) 0x0102030405. Our custom Access Pointsoftware congured with this WEP key in Shared Keyauthentication mode successfully causes nearby Air-Port cards to automatically associate without requir-

ing any user interaction or providing any user noti-cation. The AirPort menu applet will, however, lightup, and if the user clicks on it, it will indicate that theuser is connected to a network. It should be notedthat the newer AirPort Extreme hardware and driversdo not leave the card in a parked state vulnerableto this attack. When the card is not associated nowireless traffic is sent unless the user requests a scanfor visible networks.

4.3 Summary of Attacks

The attacks described above focus on the ability of the attacker to provide a network that the wirelessclient will automatically join. The attacker may per-form this by either discovering the networks that theclient prefers or by using a special software accesspoint that masquerades as any SSID. We describethe construction of such a software AP in section5. Either way, the attacker must make this networkpresent when the victim is looking for a wireless net-work to join.

If the victim is running MacOS X, the attackermust be present when the user logs in or the systemwakes from sleep. Regardless of the operating system,

however, if the user is currently associated to a nearbynetwork, the attacker may forcibly cause the victimto restart the search for available networks. The at-tacker may achieve this by spoong 802.11 Disasso-ciation frames from the base station that the victimis associated to. These frames are always sent in theclear, even if the network is encrypted, and the onlyinformation the attacker requires to forge them is thehardware address of the base station, which is read-

6


7/10

ily available from the Beacon frames the base stationis required to continuously transmit. If the targetedclient is currently congured in Ad-Hoc mode, thereis no known way to cause it to restart the search fora preferred network.

At this point, the attacker may learn the victimspreferred or trusted networks as they attempt to re- join an available network or respond that they arethe base station for every requested SSID. If the tar-geted client looks for one or more unencrypted net-works, they will automatically join the attackers ac-cess point.

As a special case that was mentioned above, if anearby Windows XP client is not currently associ-ated to a network, it may still associate to a networkwith a random SSID. When this is the case, this con-nection will occur without notifying the user and theuser interface will still report that the machine is not

currently connected to any wireless networks.The attacks detailed above have been observed andveried against a Windows XP laptop with PCMCIAPrismII and Orinoco Hermes-based 802.11b wirelessnetwork cards as well as against a G4 Macintoshwith an internal AirPort 802.11b wireless card. Wealso tested a Windows XP SP2 laptop with an inter-nal 802.11a/b/g card based on the Atheros chipsetand found that while it still did send out Probe Re-quests for randomly-generated SSIDs, it would not join these networks automatically. By testing a newerG4 Powerbook, we found that the newer Apple Air-Port Extreme 802.11b/g cards did not probe for thedynamic SSID and dummy SSIDs described above.We hypothesize that the newer generation of wirelessnetwork cards that perform more of the 802.11 han-dling in software are more exible and robust thantheir rmware-based predecessors.

5 Attack Implementation

Implementation of attacks against 802.11 networksand clients are often hampered by the limitations im-posed by wireless network card rmware. For ex-

ample, certain frame types may be handled directlyby the rmware and will not be made available tothe host operating system. This behavior preventsmany commercial off-the-shelf 802.11 wireless net-work cards from being used as an arbitrary attackplatform. Initial implementations of the attacks pre-sented in this paper were attempted using wirelessnetwork cards based on the PrismII chipset. Thesechipsets feature a HostAP operating mode allowing

1) 00:49:04.007115 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:e0:29:91:8e:fdProbe Request (^J^S^V^KÛ^L^RÊ^H^VÛ...)[1.0* 2.0* 5.5* 11.0* Mbit]

2) 00:49:04.008125 BSSID:00:05:4e:43:81:e8DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8

Probe Response (^J^S^V^KÛ^L^RÊ^H^VÛ...)[1.0* 2.0* 5.5 11.0 Mbit] CH: 1

3) 00:49:04.336328 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fdAuthentication (Open System)-1: Succesful

4) 00:49:04.337052 BSSID:00:05:4e:43:81:e8DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8Authentication (Open System)-2:

5) 00:49:04.338102 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fdAssoc Request (^J^S^V^KÛ^L^RÊ^H^VÛ...)[1.0* 2.0* 5.5* 11.0* Mbit]

6) 00:49:04.338856 BSSID:00:05:4e:43:81:e8DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8Assoc Response AID(1) :: Succesful

Figure 3: Windows XP host associating to randomSSID

the card to act as an Access Point. Other cardsbased on the Orinoco Hermes chipset, for example,require an alternate rmware to provide this func-

tionality. This operating mode makes managementframes, including Authentication and Association Re-quest frames, available to the operating system to al-low the operating system or a running user processto provide station authentication and managementservices. Notably missing, however, are the ProbeRequest frames necessary to implement our attacks.Due to the real-time requirements on Probe Requesthandling, Probe Request frames are handled inter-nally by the card rmware. This limited our attackto sniffing for Probe Requests and immediately re-conguring the card to serve as an access point forthe requested SSID, serializing the attack to target-ing one wireless client at a time.

The newer generation of rmware-less wireless net-work cards allow signicantly more exibility inthe implementation of attacks against IEEE 802.11.Wireless network cards based on chipsets manufac-tured by Atheros Communications, for example, donot include a traditional rmware providing stationand/or access point functionality. Instead, all of this

7


8/10

1) 14:14:18.778980 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:30:65:00:e9:65Probe Request (00-30-1e-37-7a-44-7f49c08d)[1.0 2.0 5.5 11.0 Mbit]

2) 14:14:18.779845 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8

Probe Response (00-30-1e-37-7a-44-7f49c08d)[1.0* 2.0* 5.5 11.0 Mbit] CH: 1, PRIVACY

3) 14:14:18.837813 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:30:65:00:e9:65Probe Request (00-30-1e-37-7a-44-7f49c08d)[1.0 2.0 5.5 11.0 Mbit]

4) 14:14:18.906312 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:30:65:00:e9:65Authentication (Shared Key)-1: Succesful

5) 14:14:18.907962 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8Authentication (Shared Key)-2 [Challenge]

6) 14:14:18.909513 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:30:65:00:e9:65AuthenticationAuthentication (Shared-Key)-3Data IV: 0 Pad 0 KeyID 0

7) 14:14:18.910320 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8Authentication (Shared Key)-4:

8) 14:14:18.911565 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:30:65:00:e9:65Assoc Request (00-30-1e-37-7a-44-7f49c08d)[1.0 2.0 5.5 11.0 Mbit]

9) 14:14:18.912575 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8

Assoc Response AID(1) : PRIVACY : Succes

Figure 4: AirPort client parked with dynamic SSIDassociating

functionality is handled in software on the host anda binary-only Hardware Abstraction Layer (HAL)module is shipped to vendors and driver authors toprovide low-level functionality. This HAL moduleenforces communications regulation compliance andprovides a consistent interface to the different imple-mentations manufactured by Atheros. This binary-only HAL is also used by the open-source drivers forthis family of wireless network cards.

To implement our attacks, we have taken the open-source MADWiFi driver for Linux [10] and made sev-eral modications. We implemented several trivialmodications including disabling SSID validation andrewriting the SSID eld of incoming Probe Requests

1) 14:25:05.926870 BSSID:ff:ff:ff:ff:ff:ffDA:ff:ff:ff:ff:ff:ff SA:00:30:65:00:e9:65Probe Request (dummy SSID *{M- R^LIM-Ô...)

[1.0 2.0 5.5 11.0 Mbit]2) 14:25:05.927916 BSSID:00:05:4e:43:81:e8

DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8

Probe Response (dummy SSID *{M-^R^LIM-Ô...)[1.0* 2.0* 5.5 11.0 Mbit] CH: 1

3) 14:25:06.095809 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:30:65:00:e9:65Authentication (Open System)-1: Succesful

4) 14:25:06.096565 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8Authentication (Open System)-2:

5) 14:25:06.098862 BSSID:00:05:4e:43:81:e8DA:00:05:4e:43:81:e8 SA:00:30:65:00:e9:65Assoc Request (dummy SSID *{M- R^LIM-Ô...)[1.0 2.0 5.5 11.0 Mbit]

6) 14:25:06.099773 BSSID:00:05:4e:43:81:e8DA:00:30:65:00:e9:65 SA:00:05:4e:43:81:e8Assoc Response AID(1) :: Succesful

Figure 5: AirPort client parked with dummy SSIDassociating

and Association Request frames with the conguredSSID of the software access point. Outgoing framesrequired no modication. This allowed us to easily

fool the rest of the driver into serving any SSID re-quested. This implementation allows us to create awireless network that masquerades as any networkrequested by a client within range.

Figures 3, 4, and 5 show 802.11 frame traces of ourattack driver exercising the previously detailed vul-nerabilities in wireless network selection. In each of the three cases, the wireless client associated to a net-work name that the implementation did not expectto exist but was responded to by our attack driver.This allowed us to cause the client to associate to ournetwork without any user interaction or notication.

Further work on the attack driver component willfocus on creating a network interface that will en-able reception and transmission of raw frames, evenwhile serving as an access point. This functionalitywill allow a user to utilize existing tools requiringpassive sniffing capabilities while also enabling activeattacks. In addition, it may enable true 802.11 MAC-layer man-in-the-middle attacks.

8


9/10

6 Conclusion

We have shown that there are both architectural andimplementation vulnerabilities in common wirelessnetwork selection algorithms. The broadcasting of specic Probe Request frames containing the SSID

of a users desired network allows a nearby attackerto learn the contents and precedence of the users de-sired networks. With this knowledge, the attackermay create a rogue access point with this SSID thatthe user will automatically associate to.

In addition, both implementations also leave thewireless network cards in a vulnerable state whenthey are not currently associated to a network. Win-dows XP congured the network card with a ran-domly generated SSID while MacOS X AirPort usesa dynamic, but not random, SSID. This is done as-suming that no access points will ever serve these

SSIDs. We created a special access point that re-sponded to any Probe Request, allowing us to serveany SSID requested by a client within range. Exper-iments with this driver revealed serious vulnerabili-ties in the previously mentioned driver behavior. Wediscovered that when our access point responded toprobes for these special SSIDs, we could cause clientsto associate to our network without any user inter-action and little or no user notication. Under Win-dows XP, the wireless conguration user interface willreport that the user is not associated to any wirelessnetworks. Network interface conguration elements,however, will report that the interface is connectedand congured with an IP address. MacOS X Air-Port will not request permission to join a previouslyunknown wireless network, but will correctly reportthat it is connected.

While there is a known growth of client-side at-tacks, there has been a lack of knowledge regardinghow they may be realistically used by an attacker toachieve their objectives. Frequently, client-side at-tacks are described as being a danger if the attackercan cause the victim to view a malicious web pageor e-mail. While it is evident that an adversary maysend a large number of e-mails to harvested addresses

within an organization to increase the chances of aninternal user viewing the message and possibly view-ing the malicious content within, this is in no waya stealthy attack. Similarly, coercing internal usersto view a malicious web site requires an element of social engineering. We believe that a wirelessly con-nected attacker is in the best position to deploy at-tacks against client-side applications.

We have shown that an attacker can force wire-

less clients within signal range to join an attacker-controlled network. This opens up a very viable anddangerous avenue for passively exploiting client-sidevulnerabilities using man-in-the-middle techniques.Drawing from existing cyber-warfare principles ([11]),we are calling this scenario medium-range cyber-warfare . By exploiting the vulnerabilities describedin this paper, we may cause our opponent to join awireless network where we control the entire networkenvironment. Since we control the entire network,we may leverage this to control the opponent. Wemay use this approach to attack any wireless-enabledclients within range, and we may employ strong wire-less antennas and transmitters to increase this range.

Many attacks can be easily implemented as fakeservices responding to requests by client-side ap-plications. Bare-bones emulation servers can oftenbe developed with ease [12] or existing packages

may be modied to exercise vulnerabilities in clientcode. For example, while implementing a maliciousPOP3 server is quite simple due to the simplicity of the POP3 protocol, implementing a malicious SMBserver may require modifying an existing implemen-tation such as the open-source Samba SMB/CIFSserver[13].

With a client associated to the rogue network, cre-dentials may be captured if the clients software at-tempts to automatically connect or re-connect to anetwork service. For example, rogue mail servers cancapture credentials from clients connecting to clear-

text mail services such as POP3 and IMAP.In some cases, the clients credentials may be usedagainst the client itself. Older variants of the Mi-crosoft Networking NTLM authentication mechanismare vulnerable to a man-in-the-middle attack wherethe attacker may proxy the challenge-response proto-col in order to authenticate as the client to the server.

If a host is compromised, an agent may be placedon it that yields remote control to the attacker.The agent will attempt to establish communicationwith the attacker whenever a network connection ispresent. This effectively gives the attacker access to

all the networks the wireless client has access to, ex-ploiting the inherent mobility of wireless clients. Thiseffectively makes the security of every network theclient connects to dependent upon the security of allother networks they connect to.

Our future work will further explore the vulnera-bilities in client-side functionality and client mobilityand investigate the construction of a client-side at-tack toolkit to demonstrate these risks.

9


10/10

References

[1] NYC wireless. http://www.nycwireless.net.

[2] S. Lohr, One small step in uphill ght as linuxadds a media player, The New York Times ,

June 28, 2004.[3] IEEE Computer Society LAN/MAN Standards

Committee, Wireless LAN medium access con-trol (MAC) and physical layer (PHY) specica-tions, tech. rep., ANSI/IEEE, 1999.

[4] P. Shipley, Open WLANs: Theearly results of wardriving.http://www.dis.org/lez/openlans.pdf.

[5] P. Nobles and P. A. Horrocks, Vulnerabilityof IEEE802.11 WLANs to MAC layer DoS at-tacks, in Proceedings of The 2nd IEE Secure Mobile Communications Forum , Instituion of Electrical Engineers, 2005.

[6] C. W. Klaus, Wireless LAN security FAQ.http://www.iss.net/wireless/.

[7] M. Moser, Hotspotter: Automatic wire-less client penetration. http://new.remote-exploit.org/index.php/Hotspotter main.

[8] The Cable Guy, Windows XP wireless autoconguration, Microsoft TechNet , November2002.

[9] Internet Assigned Numbers Authority,RFC 3330: Special-use IPv4 addresses.ftp://ftp.internic.net/rfc/rfc3330.txt, Septem-ber 2002.

[10] S. Leffler, Multimode atheros driver for WiFion linux. http://madwi.sourceforge.net.

[11] R. C. Parks and D. P. Duggan, Principles of cyber-warfare, Proceedings of the IEEE Work-shop on Information Assurance and Security ,pp. 122125, June 2001.

[12] N. Provos, A virtual honeypot framework, inProceedings of The 13th USENIX Security Sym-posium , (San Fransisco, CA), August 2004.

[13] The Samba Team, Samba.http://www.samba.org.

10

Download - Attacking Automatic Wireless Network Selection

Top Related