The Doom of Client-Side Wireless Network Security

HD Moore recently announced the integration of the KARMA tools with the Metasploit Framework. The implications of this fusion are devastating. In an interview with Patrick Gray, HD presents the powerful new capabilities that take client-side wireless exploitation to a new level. Technically, HD rewrote parts of the original KARMA driver, included some patches, and integrated the KARMA user-land daemons into the Metasploit Framework.

To illustrate the new potent features of Metasploit, consider the following scenario. A user opens his laptop on the plane to watch a DVD. If he ever connected to an insecure access point, it will be in his list of preferred wireless networks. Since the operating system attempts to connect to all known wireless networks at boot time or when waking up from hibernation, it sends out probes looking for known networks. An attacker a couple of rows behind responds to the probes, provides an IP address to the victim via DHCP, and is now set up to launch a multitude of client-side attacks.

Unaware of being owned, the victim's mail client periodically tries to re-send emails lying around in the outbox. The DNS request for the SMTP server is intercepted by the attacker, who returns his own address. He then mimics the entire SMTP connection handshake when the victim connects, so the victim sends his emails directly to the attacker through a fake SMTP channel. This scenario of course extends to any other plain-text protocol (HTTP, FTP, POP3, etc.). Clearly, the attacker's dominant position yields ample opportunity for more sophisticated client-side wireless attacks, as the next examples by HD show.

Who knows what HD's new toy features beyond the sketched scenarios? In any case, these attack vectors demonstrate how broken the current model of client-side wireless security is. While the industry tries to fix wireless encryption schemes, the actual targets, the users themselves, are left out of the equation. These new techniques essentially render networking in any wireless environment tremendously insecure.