The Doom of Client-Side Wireless Network Security
HD Moore recently announced the integration of the KARMA tools with the metasploit framework. The implications of this fusion are devastating. In an interview with Patrick Gray, HD presents the powerful new capabilities that take client-side wireless exploitation to a new level. Technically, HD rewrote parts of the original KARMA driver, included some patches, and integrated the KARMA user-land daemons into the metasploit framework.
To illustrate the new potent features of metasploit, consider the following scenario. A user opens his laptop on the plane to watch a DVD. If he ever connected to an insecure access point, it will be in his list of preferred wireless networks. Since the operating system attempts to connect to all known wireless networks at boot time or when waking up from hibernation, it sends out probes to look for known networks. An attacker a couple of rows behind responds to the probes, provides an IP address to the victim by DHCP, and is now rigged up to launch a multitude of client-side attacks.
Unaware of being owned, the victim's mail client periodically tries to re-send emails lying around in the outbox. The DNS request for the SMTP server is intercepted by the attacker, who returns his own address. Further, he mimics the entire SMTP connection handshake when the victim connects. Thus the victim sends his emails directly to the attacker through a fake SMTP channel. This scenario extends, of course, to any other plain-text protocol (HTTP, FTP, POP3, etc.). Clearly, the dominant position of the attacker yields ample opportunity for more sophisticated client-side wireless attacks, as the next examples by HD show.
Massive cookie stealing. Traditional cookie stealing presupposes that the victim actively transmits a cookie for a particular web site so that the attacker can capture it. In contrast, this attack only requires a single HTTP request to originate from the victim in order to hijack all cookies from the victim's browser. In general, only the requested site is allowed to read its own cookie. With a malicious server responding to all client requests, the attacker can bypass this restriction. When a victim sends an HTTP request, the attacker returns a chosen list of web sites (say, the current top 500 sites), and the browser then tries to connect to each site with the corresponding cookie. Because all sites resolve back to the same attacker's hostname, all cookies arrive in the hands of the attacker. Thus, by merely trying to access an arbitrary page on the Internet, the victim exposes all his cookies that correspond to entries in the attacker's list of sites.
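The DNS interception in the SMTP scenario and the cookie harvesting above leave the same footprint on the wire: many unrelated names all resolving to one address. The detector below is an added example, not part of the original post or of the KARMA/metasploit code; it runs over constructed DNS response records in a made-up log format and flags any answer IP that serves as the A record for several distinct registered domains.

```python
"""Flag the 'every name resolves to one host' pattern that a rogue access
point produces when it answers all DNS queries itself.  Added example; the
log format and all addresses below are constructed for the demo."""
from collections import defaultdict
import re

# Constructed sample: DNS responses as a passive sensor might record them.
# Client .7 is behind the rogue AP (every answer is 192.168.1.1); client .9
# is on a healthy network and gets distinct addresses.
SAMPLE_LOG = """\
12:00:01 client=192.168.1.7 qname=www.bank.example type=A rdata=192.168.1.1
12:00:01 client=192.168.1.7 qname=mail.corp.example type=A rdata=192.168.1.1
12:00:02 client=192.168.1.7 qname=shop.example.net type=A rdata=192.168.1.1
12:00:02 client=192.168.1.7 qname=news.example.org type=A rdata=192.168.1.1
12:00:03 client=192.168.1.7 qname=cdn.example.com type=A rdata=192.168.1.1
12:00:03 client=192.168.1.7 qname=smtp.example.com type=A rdata=192.168.1.1
12:05:00 client=192.168.1.9 qname=www.example.com type=A rdata=203.0.113.10
12:05:01 client=192.168.1.9 qname=www.example.org type=A rdata=203.0.113.20
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) type=A rdata=(\S+)")


def registered_domain(name: str) -> str:
    """Crude 'last two labels' approximation of the registered domain, so
    that cdn.example.com and smtp.example.com count as one domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dns_sinkholes(log_text: str, min_domains: int = 5) -> dict:
    """Return {answer_ip: sorted registered domains} for every IP that is the
    A record of at least `min_domains` distinct registered domains.  A large
    CDN can trip this too, so treat hits as leads to verify, not verdicts."""
    domains_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not A-record answers
        _client, qname, rdata = m.groups()
        domains_by_ip[rdata].add(registered_domain(qname))
    return {ip: sorted(doms) for ip, doms in domains_by_ip.items()
            if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip, doms in find_dns_sinkholes(SAMPLE_LOG).items():
        print(f"{ip} is the A record for {len(doms)} unrelated domains: {doms}")
```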
Web-based SMB relay exploitation. Worse, if the victim happens to use Internet Explorer, a weakness in Microsoft's SMB file sharing authentication protocol can be exploited to own the victim's machine completely. By including a link pointing to a network file share, the victim is forced to authenticate to the attacker's fake SMB server. This exposes the challenge key, which can in turn be fed back to the client. Essentially, the victim now authenticates against himself. Once connected, the incoming connection is disconnected and the new session serves as a vehicle to execute arbitrary shellcode.
Who knows what HD's new toy features beyond the sketched scenarios? In any case, these attack vectors demonstrate how broken the current model of client-side wireless security is. While the industry tries to fix wireless encryption schemes, the actual targets, the users themselves, are left out of the equation. These new techniques essentially render networking in any wireless environment tremendously insecure.