COMMSEC: Lure10: Exploiting Windows Automatic Wireless Association Algorithm


For the past ten years the KARMA attack has been the industry standard for causing a Wi-Fi client to automatically connect to an attacker-controlled Access Point.

In the KARMA attack, the attacker introduces an access point that bears the same characteristics as an (open) network which the client has connected to in the past (and will continue to connect to if given the chance, due to automatic association rules). Information about such networks was leaked to nearby stations during the Wi-Fi network discovery process. However, modern network managers have adopted effective countermeasures, including probing for previously associated networks only after receiving the correct beacon frame, or probing to the broadcast address (with no ESSID leak). These mitigations have hampered the usefulness of the KARMA attack in Wi-Fi assessments.

This presentation will introduce a new technique, named “Lure10”, that enables an attacker to automatically achieve a man-in-the-middle position against wireless devices running Windows. The attack requires no user interaction and exploits a feature in the wireless network association algorithm on the latest version of the Windows platform. Microsoft has been informed about this issue and has acknowledged its impact, but as of yet has taken no steps to mitigate the related risk.

The presentation will explain the details of this attack and demonstrate how to conduct such an attack during a Wi-Fi assessment using a new feature of the Wifiphisher tool. Furthermore, it will provide information regarding the automatic association behavior of network managers across operating systems and, finally, will present man-in-the-middle case studies and countermeasures.

A new version of Wifiphisher, incorporating the above functionality, will be released on the day of the presentation.

Location: Track 4 / CommSec
Date: April 13, 2017
Time: 3:30 pm - 4:00 pm
George Chatzisofroniou