Wireless Security

Windows Wireless Vulnerabilities & Attack Tools


At the recent Schmoocon security conference there was a presentation by “Simple Nomad” titled “Hacking the Friendly Skies” that described attack methods against Windows systems wireless configuration (a.k.a Wireless Zero Configuration). There has been much debate about whether these attacks are new or not, and there appears to be some duplicate efforts in this space. To my knowledge, there are three different tools/methods to take advantage of the way Wireless Zero Configuration works:
1) Hottspotter – This tools takes advantage of a flaw that was fixed in Windows XP Service Pack 1 where a client has an EAP/TLS connection to an SSID, but will connect to that same SSID with no encryption if there is a profile configured for “ANY” wireless network. Hottspotter will also go beyond just this flaw and hijack a users wireless connection. When a Windows system is disconnected from the wireless network it will begin to probe for wireless networks in its preferred networks list, allowing an attacker to listen for all the SSIDs that the client is trying to connect to. With that information the attacker can then become an AP and advertise one of the SSIDs in the clients list, and disconnect the client from the real AP with spoofed dis-association packets. When the client re-connects it will be connected to the attackers network, where you can then provide the client with DNS and DHCP and take it from there with your evil doings.
2) Karma – This toolset improved upon the technique describe above by allowing the attack to respond to any probe request. Using a modified Linux MadWiFi driver they are able to own the air and force the client to connect to an attacker regardless of the SSID. There are a few other enhancements and differences with the way Karma implements the attack as well. For example, if Windows cannot connect to one of its preferred networks it attempts to connect to a 32-character random SSID, which Karma will respond to. Karma also contains some built-in tools, including a DNS, DHCP, and HTTP making it easier to attack the client.
3) The “Simple Nomad” Method – This method takes advantage of the way Windows handles ad-hoc wireless networks. Once a Windows client associates to an ad-hoc network it will create that network upon the next boot if no other clients are in range, becoming an access point. So, if you were to advertise an ad-hoc network called “linksys” a user would associate to you, and the next time they fired up their laptop they would be an AP with the SSID linksys. All of these networks use the address space and have that creepy worm-like effect.
UPDATE: One of the authors of Karma has made a posting to bugtraq that describes how Karma works and the differences between it and Simple Nomad’s resarch. He went into more detail about Mac OS X, and how it is vulnerable to the attack scenario that Karma implements. I plan to do some testing.
Protecting Yourself:

  • Disable your wireless card when not in use (easier said that done, however this has the added benefit of improving battery life)
  • Use another wireless configuration manager, such as the one that came with your wireless card. Sometimes these are good, sometimes they really stink. The Intel clients tend to be the good ones.
  • Simple Nomad describes how to prevent your wireless card from connecting to ad-hoc networks
  • Karma relies on the fact that you may have unprotected wireless networks in your preferred networks list, so be diligent about removing them when you are done


Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.