[Dshield] Wireless networks and corporate Lans

Chris Brenton cbrenton at chrisbrenton.org
Sat Feb 28 11:41:48 GMT 2004

On Fri, 2004-02-27 at 23:40, Johannes B. Ullrich wrote:
> Worst case:
> you now have a gateway into your corporate LAN.

Even worse, someone finds it. ;-)

> By default, the wireless card will connect to the access point.
> So now you have a dual homed system. Pretty much like a router.

How bad this is depends on whether IP forwarding is enabled. I'm 70%
certain this will turn on by default, but you should check to be sure.

> Default route: depends on what the access point is telling your
> system during the DHCP negotiation.

This can get weird. Normally the first interface to initialize will
write the default route entry. The second entry *should* become a
secondary used only for fail over, provided the cost metrics are the
same. MS loves to do their own thing however so it could be different.

> This is pretty much a worst case scenario. Similar to a user
> on your LAN using a dialup modem to connect to a random ISP.
> This computer is now a gateway into your network. 

There are all sorts of other varying degrees. Could be the laptop
connects to both but does not have IP forwarding turned on so the
attacker now needs to turn it into a proxy. Could be someone has figured
out some weird UPnP hack that will cause the system to connect to an
ad-hoc network. The possibilities are endless. :) 

> In addition: This user will now takes the laptop and travel.
> They will fire it up in an airport. The wireless card will
> try to associate itself with any access point in range and
> start 'talking'... 
> I am not sure how to fix this best.

This is one of the many reasons I don't like built in Wireless cards.
The easiest solution is to just not plug in the card. Not an option if
its built in.

> It turned out that he has a wireless card, which was connected
> to the wireless conference network. In class, the sample machines
> had various host names within the 'sans.org' domain. Instead of
> scanning the class systems, he scanned our actual web servers and
> such (luckily he didn't find a hole ;-) ).

LOL! Meanwhile the SANS IT crew was probably freaking out thinking they
were under attack. Maybe example.com would be a better target next time?


More information about the list mailing list