[unisog] XP silently configuring ad-hoc wifi networks

Jim Dillon Jim.Dillon at cusys.edu
Fri Sep 23 20:20:41 GMT 2005

I've run into something similar using the default Windows drivers.  I
picked up an ad-hoc type network at an auto dealer, DID NOT associate
with it, but noticed it because it was named MATT and looked like a real
source for trouble (e.g. no sophisticated intent to secure).  The next
day on campus I could not associate with the normal default AP sitting
above my head, the software had associated with MATT, despite the fact
there was no MATT signal on campus (tested by folks sitting around me.)
The signal strength meter in the Windows default interface showed a
strong signal for MATT and was prioritizing it, although there was no
signal at all.

I switched NIC cards 3 times, tried some monitoring tools, tried
deleting MATT and had no success on any of them.  Not to make MATT look
too odious, my impression was that it was a simple adhoc station that
truly existed out near the auto dealer, I could sense nothing malicious
about it - not to say there wasn't, it just didn't appear to me so.

The MATT problem continued to plague me as I moved from campus to
campus.  I finally eliminated it by either hacking the registry or a
config file or something, I could not eliminate the prioritization of
MATT over real, existing networks wherever I moved, nor could I force
windows to delete it from my list of recognized networks.  I still
believe this to have been a software problem in the WinXP client
software, but I have no proof or data to further pursue the problem.  It
did start me wondering if a sufficiently crafty individual couldn't
actually cause a redirection or similar behavior for real nefarious
purposes.  Anecdotal, but I hope it might help someone with some real
skills in this area work up some test cases or something.

Best regards,


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu
-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Frank Sweetser
Sent: Thursday, September 22, 2005 8:55 PM
To: unisog at lists.sans.org
Subject: [unisog] XP silently configuring ad-hoc wifi networks

As all of the students wander onto campus this year, we've been noticing
that a
lot of them have common ad-hoc SSIDs configured as a preferred network.
far, none of them admit to having any idea how those networks got
configured or
where they came from.  While it's quite possible that the users told
Windows to
connect without realizing or just without remembering, this has made me

Does anyone know of any circumstances under which an XP system might
attempt to
connect to a previously unconfigured ad-hoc SSID without any user

Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution
WPI Network Engineer          |  is simple, elegant, and wrong. - HL
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list