Wi-Fu! Attacking the 802.11 Client

March 17, 2008 – 11:14 AM

Wi-Fu! More than just a statement, it reflects your wireless security skill set, built from knowledge and practical experience. This covers everything from using the tools out there to profile and attack your wireless network, to checking the security of your client devices yourself. If you feel your Wi-Foo is slipping, young Grasshopper, I’ll try to catch you up to speed (on what I feel are the 2 most important developments of the last 2 years). As of late, the focus has shifted from breaking your WEP/WPA keys to attacking the wireless client. With all of the news and press about hackers being caught outside the facilities of their victims, attackers will now want to distance themselves from their targets. What better than to attack the mobile workforce? You know, the wireless clients!

Wireless client authentication attacks are on the rise. Tools such as KARMA and Hotspotter are just some of the simple demonstrations of what can be achieved by focusing on the client. Put simplistically, these tools attack the wireless client’s network profile configuration and connection utilities. If I were to create a network with the SSID “Linksys” and tally the number of probes and automatic connections made to it, I would not be shocked to find a substantial list of connected devices. Now automate this so the SSID is created on the fly from whatever clients are soliciting over the airwaves, offer them network services, and you’ve got a valuable tool for mass infection.

Unfortunately, these attacks are already on the rise. Two of the better documented locations for beginners testing the waters with these attacks are, surprise surprise, coffee shops and airports. So, Grasshopper, are you testing your clients for these configuration vulnerabilities? Test your wireless clients’ configurations for two common mistakes: allowing the client to choose its own wireless networks (remove all those default/automatic network association profiles), and failing to notify the user when the client connects to a wireless network that is not trusted.
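As an added example (not from the original post), here is a defender-side check for both problems above: it walks a summary of captured management frames, flags any access point that answers probes for many different SSIDs (the KARMA/Hotspotter pattern described earlier), and lists, per client, the SSIDs that client is soliciting, which is exactly the set of stored auto-connect profiles worth removing. The frame records are constructed; the tuple layout and field names are assumptions, not the output format of Kismet or any other tool.

```python
# Added example: spot KARMA-style rogue APs and leaky client profiles in a
# capture summary. Record layout (frame_type, source_mac, ssid) is assumed;
# for probe_req the source is the client, for probe_resp/beacon it is the AP.
from collections import defaultdict

# Constructed sample frames, not a real capture.
SAMPLE_FRAMES = [
    ("probe_req",  "02:aa:aa:aa:aa:01", "Linksys"),
    ("probe_resp", "00:11:22:33:44:55", "Linksys"),
    ("probe_req",  "02:aa:aa:aa:aa:01", "home-net"),
    ("probe_resp", "00:11:22:33:44:55", "home-net"),
    ("probe_req",  "02:aa:aa:aa:aa:02", "attwifi"),
    ("probe_resp", "00:11:22:33:44:55", "attwifi"),
    ("probe_req",  "02:aa:aa:aa:aa:02", "corp-guest"),
    ("probe_resp", "00:11:22:33:44:55", "corp-guest"),
    ("beacon",     "aa:bb:cc:dd:ee:ff", "corp-guest"),   # legitimate AP
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "corp-guest"),
]

def ssids_per_ap(frames):
    """Map each AP MAC (BSSID) to the set of SSIDs it has advertised."""
    seen = defaultdict(set)
    for ftype, src, ssid in frames:
        if ftype in ("probe_resp", "beacon") and ssid:
            seen[src].add(ssid)
    return seen

def suspicious_aps(frames, threshold=3):
    """Return APs advertising more than `threshold` distinct SSIDs.

    A legitimate AP serves one or a few SSIDs; one that echoes back whatever
    name a client asked for is the KARMA / Hotspotter behaviour.
    """
    return {ap: sorted(s) for ap, s in ssids_per_ap(frames).items()
            if len(s) > threshold}

def probed_ssids_per_client(frames):
    """Map each client MAC to the SSIDs it solicits: each one is a stored
    auto-connect profile that a rogue AP can impersonate."""
    leaks = defaultdict(set)
    for ftype, src, ssid in frames:
        if ftype == "probe_req" and ssid:
            leaks[src].add(ssid)
    return {client: sorted(s) for client, s in leaks.items()}

if __name__ == "__main__":
    for ap, ssids in suspicious_aps(SAMPLE_FRAMES).items():
        print(f"ALERT {ap} answered probes for {len(ssids)} SSIDs: {ssids}")
    for client, ssids in probed_ssids_per_client(SAMPLE_FRAMES).items():
        print(f"client {client} leaks profiles: {ssids}")
```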

But what about those pesky attackers who are still focused on the wireless network infrastructure? Well, WEP isn’t good enough, plain and simple. It’s a shame that businesses still use it. Yes, there is equipment out there that needs legacy support; however, at what point does the security control lose its value as a useful security control? When do you separate those legacy devices out into their own infrastructure, or hold the vendor accountable for not upgrading them? So is WPA any better? Yes and no; there are different grades of “better” with this implementation, in that breaking into the network takes a matter of days to hours rather than minutes. Yes, WPA has fallen to the use of rainbow tables to discover the keys of your encrypted network (but this is really only practical against pre-shared keys).

So why are these two related? Let us have a quick “role-playing” game: if I’m targeting your organization, I may scope out your wireless network to determine how difficult it may be to break in. But I don’t want to spend too much time drawing attention to myself, nor do I want to risk leaving a device behind to do the dirty work for me (more on this in the next post). The next vulnerable device to attack is the client. If I can get the device and its user to connect to me, I can now gain the credentials that get me access into your organization.

But let’s have a quick reality check. Attackers these days seem to target organizations where there is money to be made (TJ Maxx); you know, that whole thing about risk versus reward. But what are the other attack vectors? “Spray and pray”, as I call it, is one approach that seems to be working. There are two forms of this approach: set up a fake network and harvest the collected information, or broadcast packets with payloads attached (“Linksys” on Channel 6 with a UDP vulnerability delivered to 192.168.1.255 with a nasty payload). In other words, the “spray and pray” attacks are the equivalent of “wireless phishing”. These, in my opinion, are concerns your organization should already have addressed with tested and hardened defenses.

Grasshopper, you’re catching up quite nicely. You still have some challenges ahead of you. Convince your vendors and leadership that WEP doesn’t cut it anymore, and conjure a plan to improve your wireless encryption posture. Oh, while you’re at it, lock down those pesky mobile devices that will blindly connect to any wireless network: laptops, handheld scanners, VoIP phones, and the rest of the devices you’ve got. The previous instructions about convincing your management and vendors to fix their products apply (yes, easier said than done).

Extra Resources:

The Real “Wi-Foo” : http://www.wi-foo.com/

Kismet : http://www.kismetwireless.net/

KARMA : http://www.theta44.org/karma/index.html

Hotspotter : http://www.remote-exploit.org/codes_hotspotter.html

Source: BlogInfoSec
