From Rexploit

Hotspotter - Automatic wireless client penetration

About:

Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and will compare it to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.


Download:

hotspotter-0.4.tar.gz To verify the sources, here is the md5-hash: 1fa7f4822732c8798832f8ce2f4fb703


Hotspotter-0.3.tar.gz To verify the sources, here is the md5-hash: feec6badc45994a29e73630cb0c6825d


History:

During a wireless assessment some time ago, I discovered a strange characteristic of the Microsoft Windows XP wireless client. It was possible to bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system. I discovered this was due to the configuration of multiple wireless profiles. One profile was established for the EAP/TLS network, and a second for the "ANY" network, using an empty network name (SSID). To evaluate this configuration, I established my own access point using the same SSID as the EAP/TLS network, without the privacy bit set (no encryption). Due to the configuration of the Windows XP client, I was able to force the client to switch to my network with a single deauthenticate frame; at which point the client reconnected to my "rogue" access point. The victim station did not receive a warning from the operating system to indicate they left their production network, only a small indicator for temporary wireless signal. With this attack, I was able to force a client to leave their secure wireless network and reconnect to my rogue network, albeit at a loss of network connectivity. This allowed me to evaluate the host-based security of the victim host, without the protection of the EAP/TLS network. This behaviour seems to be fixed in Windows XP Service Pack 1. I was unable to locate any documentation in the Microsoft Knowledge Base that indicated the resolution of this flaw, but there is a remaining vulnerability that can also be exploited based configured wireless profiles. A Windows XP client will probe for all the preferred network names listed in the wireless client configuration during startup, powersave-wakeup and when the driver reports signal loss for the current network name. Many coporate wireless users configure Windows XP with a business profile (secure network profile) and several other network names including commercial hotspots and home networks (insecure network profiles). Due to this configuration, it is possible to force a client to disclose the list of configured profiles, and then establish a connection to a rogue network using one of the preferred network names. Depending on the configuration of the wireless client, the client will display a bubble message indicating it has joined a different wireless network name. Once the associates to the rogue network, it is possible to interact with the client directly. This may include port scanning the victim, exploiting Windows-based vulnerabilities or simulating an otherwise "real" network using faked services and intercepted DNS queries. Note that the Apple OS X client exhibits similar behaviour, although it has not been thoroughly tested at this time.

Support us by making a donation using the button below. Please contact us using email. For other payment methods.