Using Rogue Access Point to Compromise Client Systems

At the moment, rogue wireless access points are generally considered a threat to corporate networks (as in: creating backdoors) and to the reckless users who don't encrypt their traffic and happily send information, including passwords, in clear. But the opportunities are not limited to that. This is an example of using rogue/malicious access point for mounting an attack against client systems.

In this example, the victim has a Windows XP Service Pack 2 system.

One opportunity for the attacker is to use its network determination behaviour and the "Prohibit use of Internet Connection Firewall on your DNS domain network" group policy setting in particular. The setting is recommended by Microsoft for managed environments (see Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet). However, if used, this feature can be used to disable Windows Firewall. This is how it works: if you receive your corporate DNS suffix from DHCP server, the firewall is off.

That means - any DHCP server.

The attacker is in full control of DNS and DHCP; also they can see the victim's unencrypted traffic. In many Windows XP happens to be quite chatty upon network connection, broadcasting (among other things) information about corporate DNS names. Because of that the attacker has all the information and control all the infrastructure that is required to disable Windows Firewall on the victim's system.

The next step would be to spoof the assigned default Web site in Internet Explorer (captured as a part of the victim's computer connectivity analysis) that will likely to be a part of the Local Intranet, or Trusted Sites security zone and therefore will have relaxed security settings. The victim doesn't need to click on a link, or go to a particular Web site to run a script of the attacker's choice - they just need to start browser. The attacker can also redirect the victim to any Web page by intercepting HTTP request and spoofing the response.

Then things can go really bad.

The infiltration is not exactly like a smoke through a fly screen, and has a lot of dependencies on particular settings on the client system. However, the modified technique can be used to attack different types of clients. Almost all of the tools that are required to mount an attack can be found in Captive Portal packages. Proliferation of community and metropolitan wireless networks will make the attack easier due to the users' expectation of having wireless access everywhere and implied trust to the wireless access point nearby. Don't take security for granted.

Author: Svyatoslav Pidgorny (sl at mvps dot org)
Version: 1.01 - 19 June 2006