It’s Midday. Do You Know Who Your Wireless Clients Are Talking To?
With the improvements to the security infrastructure of wireless networks, the major focus of wireless attacks against them is shifting from access points to the users of those access points: the wireless clients.
In the past, attacks against the infrastructure were more fruitful. A lack of encryption or authentication on private networks was commonplace and, for the ones that did attempt to protect their networks, their attempts were futile as the only available encryption option was broken and provided a false sense of security. The insecurity of Wired Equivalent Privacy, or WEP, encryption is well-known and flawed in a myriad of ways.
As awareness of the broken encryption increased and pressure mounted against the IEEE to create a more secure protocol, new and improved encryption was eventually introduced to the wireless infrastructure. Wi-Fi Protected Access, or WPA, solved most of the vulnerabilities inherent in WEP and remains the standard today with version 2.
WPA still has some minor protocol issues and some potentially major configuration issues in the form of weak pre-shared keys (PSKs) or Wi-Fi Protected Setup (WPS). But, for the most part, attacks bear little fruit when concentrating on the access points.
Most of the effort is instead switching to the manipulation of wireless clients. With the use of an “evil twin”, or a fake access point responding to any client in the vicinity calling out for an access point, an attack can become more valuable.
Most wireless clients maintain a list of access points that they will beacon out on the ether for, whether those access points are around to respond or not. The evil twin will respond to any of them and establish a connection with the client.
Once a connection is established, there are a number of options available for exploitation. With a connection established, open-source software can be utilized to respond to broadcasting Microsoft Windows packets from a client and compromise internal Windows domain passwords (which are often utilized for access in a WPA Enterprise infrastructure).
Man-in-the-middle (MiTM) attacks are also possible against Linux clients. If the focus is on compromising wireless access controls such as PSKs, a captive web portal can be created on the evil twin and clients can be fooled into handing over PSKs. Clear text enterprise credentials can also be captured this way, without having to go through the effort of trying to crack the hashes obtained through a beacon response attack. The client machines could be compromised by driving them to download and execute malware on the portal, just as a phishing attack would do.
If a client accesses the malware, the machine could be compromised and information taken (wireless keys from the registry, perhaps). In addition, certain configurations could allow a compromised client machine to become a bridge between an unintended, active wireless connection and an internal corporate wired connection. And what about the possibility for more advanced attacks, such as the exploitation of wireless driver vulnerabilities, to access clients?
Increased attention needs to be paid to the clients in a wireless environment. Solutions exist to help mitigate the kinds of attacks previously discussed, such as user awareness, the use of client-side certificates, properly patched client machines, group policies to disable wireless devices when connected to the corporate network, and implementing wireless intrusion/prevention systems.