lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: mmo at (Max Moser)
Subject: Automated wireless client penetration tool "hotspotter" released.

I would like to announce the availability of a proof of concept tool 
release. Hotspotter automates a method of penetration against wireless 
clients, independent of the encryption mechanism used. Get it at now.

Feel free to provide feedback, below you will find some further 
information copied from the README file.


Max Moser

During a wireless assessment for a customer some time ago, I discovered 
strange characteristic of the Microsoft Windows XP wireless client. It 
possible to bring the client from a secure EAP/TLS network to an 
insecure one
without any warnings from the operating system.  I discovered this was 
due to
the configuration of multiple wireless profiles. One profile was 
for the EAP/TLS network, and a second for the "ANY" network, using an 
network name (SSID).

To evaluate this configuration, I established my own access point using 
same SSID as the EAP/TLS network, without the privacy bit set (no 
Due to the configuration of the Windows XP client, I was able to force 
client to switch to my network with a single deauthenticate frame; at 
point the client reconnected to my "rogue" access point. The victim 
station did
not receive a warning from the operating system to indicate they left 
production network, only a small indicator for temporary wireless 

With this attack, I was able to force a client to leave their secure 
network and reconnect to my rogue network, albeit at a loss of network
connectivity.  This allowed me to evaluate the host-based security of 
victim host, without the protection of the EAP/TLS network.

This behaviour seems to be fixed in Windows XP Service Pack 1.  I was 
unable to
locate any documentation in the Microsoft Knowledge Base that indicated 
resolution of this flaw, but there is a remaining vulnerability that 
can also
be exploited based configured wireless profiles.

A Windows XP client will probe for all the preferred network names 
listed in
the wireless client configuration during startup, powersave-wakeup and 
when the
driver reports signal loss for the current network name.  Many coporate
wireless users configure Windows XP with a business profile (secure 
profile) and several other network names including commercial hotspots 
and home
networks (insecure network profiles).  Due to this configuration, it is
possible to force a client to disclose the list of configured profiles, 
then establish a connection to a rogue network using one of the 
network names.  Depending on the configuration of the wireless client, 
client will display a bubble message indicating it has joined a 
wireless network name.

Once the associates to the rogue network, it is possible to interact 
with the
client directly.  This may include port scanning the victim, exploiting
Windows-based vulnerabilities or simulating an otherwise "real" network 
faked services and intercepted DNS queries.

Note that the Apple OS X client exhibits similar behaviour, although it 
has not
been thoroughly tested at this time.

Automated penetration using Hotspotter
Hotspotter was written to exploit this weakness in the Windows XP Wlan 
system.  Hotspotter passively monitors the network for probe request 
frames to
identify the preferred networks of Windows XP clients, and will compare 
it to a
supplied list of common hotspot network names.  If the probed network 
matches a common hotspot name, Hotspotter will act as an access point 
to allow
the client to authenticate and associate.  Once associated, Hotspotter 
can be
configured to run a command, possibly a script to kick off a DHCP 
daemon and
other scanning against the new victim.

Powered by blists - more mailing lists