WiFi networks are everywhere! When we plan to visit a place or reserve a hotel for our holidays, we always check first if free WiFi is available (be honest, you do!). Once we connected our beloved devices to an external wireless network, they will keep trying to connect to it forever or until you clean the list of known networks. As a small test, I checked on a friend
You can see that the default behaviour is to remember all the networks. Your devices may not only connect to dangerous networks but also disclose interesting information about yourself. A long time ago, I wrote a script to collect SSIDs broadcasted from wireless devices present in the neighbourhood[1]. The amount of details you can learn about people close to you is just crazy: where they work, where they went on holidays, if they go to the hospital, etc...
October is the month of security awareness and its good to remind you why unknown wireless networks remain dangerous. Last week, I made a demo during a corporate event about the cyber security landscape and was authorized to deploy a rogue wireless access point for security awareness purposes. The setup was simple:
- A Pineapple[2]
- One laptop running Dofler[3]
Dofler is a "dashboard of fail" or "wall of sheep" used mainly at security conferences (I'm using it at BruCON) to raise the attendees
As you can imagine, many people fell into the trap and their smartphones connected to my rogue AP. An interesting finding: a smart watch connected to the honeypot but the paired smartphone had wireless disabled! The demo was not too invasive: no SSL MitM was performed and I collected only some pictures live from the network flows. No impact for the users, except maybe for the one who was discovered playing Minecraft during the presentations.
However, things may go wrong and more evil actions may be performed against the victims. Yesterday, we received a message from one of our readers, Siddhu Yetheendra[4], who implemented the same kind of attack as the one implemented by Mubix[5] a few weeks ago. Based on USB-sized computer devices, he found a way to steal users' credentials from a locked Windows computer. The principle remains the same, but via a rogue wireless access point: the Responder[6] tool poisons the network and collects credential hashes (NTLM responses). While many computers are vulnerable to this attack, there are fortunately limitations. The victim computer:
- must be a corporate device joined to a Windows domain
- must be running Windows 7+
- must have the option Connect automatically enabled
Note that the vulnerability has been fixed by Microsoft (MS16-112[7]).
Basically, only open networks will work because computers will always try to reconnect to known networks transparently. Corporate wireless networks are not affected. But the risk comes, as always, from the end user. How do you prevent him/her from connecting to the local Starbucks network while drinking his/her morning coffee?
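The two conditions above (an open network plus "Connect automatically") can be audited from the saved WLAN profiles on a Windows host. The script below is an added example, not code from the diary or from any of the tools it links: it parses the text printed by `netsh wlan show profiles` and `netsh wlan show profile name="<ssid>"`, flags profiles that combine open authentication with automatic connection, and prints the `netsh wlan set profileparameter ... connectionmode=manual` command that keeps the profile but stops the silent reconnect. The three profile dumps embedded in `SAMPLE_PROFILES` are constructed to mimic the `netsh` layout so the script runs offline; on Windows, pass `--live` to read the real profiles.

```python
"""Audit saved Wi-Fi profiles for open networks that Windows joins automatically.

Added example (not from the ISC diary). The parser relies on the field labels
that `netsh wlan show profile` prints ("Connection mode", "Authentication");
the sample dumps below are constructed in that layout for offline use."""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed samples in the shape of `netsh wlan show profile name="<ssid>"` output.
SAMPLE_PROFILES = {
    "CoffeeShop": """Profile CoffeeShop on interface Wi-Fi:
=======================================================================
Profile information
-------------------
    Name                   : CoffeeShop
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
""",
    "CorpWLAN": """Profile CorpWLAN on interface Wi-Fi:
=======================================================================
    Name                   : CorpWLAN
    Control options        :
        Connection mode    : Connect automatically
Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Present
""",
    "HotelGuest": """Profile HotelGuest on interface Wi-Fi:
=======================================================================
    Name                   : HotelGuest
    Control options        :
        Connection mode    : Connect manually
Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
""",
}


@dataclass
class WlanProfile:
    name: str
    auto_connect: bool
    authentication: str

    @property
    def risky(self) -> bool:
        # Exactly the pair of conditions the diary describes: an open network
        # that the host will rejoin on its own whenever the SSID is seen.
        return self.auto_connect and self.authentication.lower() == "open"


# One regex for the two fields we care about; `netsh` indents them with spaces.
_FIELD = re.compile(r"^\s*(Connection mode|Authentication)\s*:\s*(.+?)\s*$", re.M)


def parse_profile(name: str, text: str) -> WlanProfile:
    fields = dict(_FIELD.findall(text))
    mode = fields.get("Connection mode", "").lower()
    return WlanProfile(
        name=name,
        auto_connect=mode.startswith("connect automatically"),
        authentication=fields.get("Authentication", "unknown"),
    )


def audit(profiles: dict[str, str]) -> list[WlanProfile]:
    """Return the profiles that would silently join a rogue open AP."""
    parsed = (parse_profile(n, t) for n, t in profiles.items())
    return [p for p in parsed if p.risky]


def remediation(profile: WlanProfile) -> str:
    """netsh command that keeps the profile but disables automatic connection."""
    return f'netsh wlan set profileparameter name="{profile.name}" connectionmode=manual'


def collect_live() -> dict[str, str]:
    """Windows only: dump every saved profile through netsh."""
    listing = subprocess.run(["netsh", "wlan", "show", "profiles"],
                             capture_output=True, text=True, check=True).stdout
    names = [n.strip() for n in re.findall(r"All User Profile\s*:\s*(.+)", listing)]
    return {n: subprocess.run(["netsh", "wlan", "show", "profile", f"name={n}"],
                              capture_output=True, text=True, check=True).stdout
            for n in names}


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    profiles = collect_live() if live else SAMPLE_PROFILES
    for p in audit(profiles):
        print(f"[!] {p.name}: open network with auto-connect -> {remediation(p)}")
```

Only `CoffeeShop` is reported: `CorpWLAN` auto-connects but is WPA2-Enterprise, and `HotelGuest` is open but set to connect manually, so neither meets both conditions. Deleting the open profile outright (`netsh wlan delete profile name="CoffeeShop"`) is the stricter option if the network is never needed again.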
To mitigate this attack, the classic advice is: patch your systems (MS16-112 was released in September), do not use the "Connect automatically" feature and do not use wireless networks in public areas. Stay safe!
[1] https://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/
[2] https://www.wifipineapple.com/
[3] https://github.com/SteveMcGrath/DoFler
[4] https://zone13.io/post/Snagging-credentials-over-WiFi-Part1/
[5] https://room362.com/post/2016/snagging-creds-from-locked-machines/
[6] https://github.com/SpiderLabs/Responder
[7] https://technet.microsoft.com/en-us/library/security/ms16-112.aspx?f=255MSPPError=-2147217396
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant