[unisog] XP silently configuring ad-hoc wifi networks

Dean De Beer ddb at plazacollege.edu
Fri Sep 23 18:19:07 GMT 2005

Windows XP wireless clients are configured to associate with the wireless
network based either on your preferences or on default settings. This
includes automatically selecting and connecting to a more preferred wireless
network when it becomes available. It will attempt to connect to the
strongest signal being broadcast by the AP or wireless device. Often most
users' home access points have the SSID set to the default and so XP will
attempt to associate with any AP with the same SSID (based on signal
strength) when they are on campus or in a coffee shop, etc...

Are all the rogue SSIDs the same on the different computers? If this is the
case it is entirely possible that they were subject to a MITM attack. It is
relatively easy to set up and force users to connect to a rogue AP and fake
web login screen to capture passwords or even upload malicious code onto the
user's computer. As other posts have mentioned, the ISC has some info about a
possible worm spreading via wireless. It would be interesting to see how the
worm is spreading. Is it using the firmware of the cards to spread??? (I
believe this was proposed as a possible avenue of attack a while back by the
guys at SANS, whether it's possible or not yet I'm not sure.) It makes sense
that in this case the infected device would attempt to create an ad-hoc
network with its victim to exploit Windows file sharing or unpatched
Windows boxes.

Any possibility of some packet captures?



-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Frank Sweetser
Sent: Thursday, September 22, 2005 10:55 PM
To: unisog at lists.sans.org
Subject: [unisog] XP silently configuring ad-hoc wifi networks

As all of the students wander onto campus this year, we've been noticing
that a lot of them have common ad-hoc SSIDs configured as a preferred
network.  So far, none of them admit to having any idea how those networks
got configured or where they came from.  While it's quite possible that the
users told Windows to connect without realizing or just without remembering,
this has made me curious.

Does anyone know of any circumstances under which an XP system might attempt
to connect to a previously unconfigured ad-hoc SSID without any user

Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
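
Added example, not part of the original posts: one way to answer the question raised in the reply (are the ad-hoc SSIDs the same across machines?) by triaging preferred-network lists collected from several clients. The inventory rows, host names, SSIDs and the short default-SSID list are constructed for illustration; how the lists are collected from each client is assumed and not shown.

```python
from collections import defaultdict

# Factory-default SSIDs (illustrative, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear"}

# Constructed inventory: (host, ssid, mode) rows taken from each
# client's preferred-network list.
SAMPLE = [
    ("lab-pc-01", "linksys", "infrastructure"),
    ("lab-pc-01", "FreeNet-Example", "adhoc"),
    ("lab-pc-02", "FreeNet-Example", "adhoc"),
    ("lab-pc-02", "CampusWLAN", "infrastructure"),
    ("lab-pc-03", "FreeNet-Example", "adhoc"),
    ("lab-pc-03", "NETGEAR", "infrastructure"),
    ("lab-pc-04", "roommate-share", "adhoc"),
]


def triage(rows, min_hosts=2):
    """Group preferred-network entries into three review buckets.

    shared_adhoc: ad-hoc SSIDs present on min_hosts or more machines,
                  which points to a common origin worth investigating.
    single_adhoc: ad-hoc SSIDs present on fewer machines.
    default_ssid: infrastructure entries with a factory-default SSID,
                  which a client will try to join wherever that name appears.
    """
    adhoc_hosts = defaultdict(set)
    default_hosts = defaultdict(set)
    for host, ssid, mode in rows:
        key = ssid.strip()  # SSIDs are case-sensitive, so keep the case
        if mode.lower() == "adhoc":
            adhoc_hosts[key].add(host)
        elif key.lower() in DEFAULT_SSIDS:
            default_hosts[key].add(host)
    shared = {s: sorted(h) for s, h in adhoc_hosts.items() if len(h) >= min_hosts}
    single = {s: sorted(h) for s, h in adhoc_hosts.items() if len(h) < min_hosts}
    defaults = {s: sorted(h) for s, h in default_hosts.items()}
    return {"shared_adhoc": shared, "single_adhoc": single, "default_ssid": defaults}


if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        for ssid, hosts in sorted(hits.items()):
            print(f"{category:13} {ssid!r:20} {', '.join(hosts)}")
```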