All about WLAN issues
Configuration Vulnerabilities
Ad-hoc Station Detected
AP Broadcasting SSID
AP Configuration Changed
AP Operating in Bridged Mode Detected
AP Using Default Configuration
Device Vulnerable to Hotspot Attack Tools
Exposed Wireless Station Detected
LEAP Vulnerability Detected
IDS—Denial of Service Attack
Denial of Service Attack against AP
DoS: Association Flood
DoS: Association Table Overflow
DoS: Authentication Flood
DoS: EAP ID Flood Attack
DoS: EAPOL-Start Attack
DoS: PS Poll Flood Attack
DoS: Unauthenticated Association
Denial of Service Attack against Infrastructure
DoS: CTS Flood
DoS: Queensland University of Technology Exploit
DoS: RF Jamming Attack
DoS: Virtual Carrier Attack
Denial of Service Attack against Station
DoS: Authentication-Failure Attack
DoS: De-Authentication Broadcast
DoS: De-Authentication Flood
DoS: Disassociation Broadcast
DoS: Disassociation Flood
DoS: EAPOL-Logoff Attack
DoS: FATA-Jack Tool Detected
DoS: Premature EAP-Failure Attack
DoS: Premature EAP-Success Attack
IDS—Security Penetration
Airsnarf Attack Detected
Device Probing for APs
Dictionary Attack on EAP Methods
EAP Attack Against 802.1x Authentication
Fake APs Detected
Fake DHCP Server Detected
Hotspotter Tool Detected
Illegal 802.11 Packets Detected
Man-in-the-Middle Attack Detected
NetStumbler Detected
Potential ASLEAP Attack Detected
Potential Honey Pot AP Detected
Publicly Secure Packet Forwarding (PSPF) Violation
Soft AP or Host AP Detected
Spoofed MAC Address Detected
Unauthorized Association Detected
Wellenreiter Detected
Fast WEP Crack (ARP Replay) Detected
Rogue AP and Station Identification
Rogue AP
Rogue AP by Channel
Rogue AP by IEEE ID (OUI)
Rogue AP by MAC Address (ACL)
Rogue AP by SSID
Rogue AP by Wireless Media Type
Rogue AP Traced on Enterprise Wired Network
Rogue Station
Rogue Station by Channel
Rogue Station by IEEE ID (OUI)
Rogue Station by MAC Address (ACL)
Rogue Station by SSID
Rogue Station by Wireless Media Type
Authentication and Encryption Issues
Static WEP Encryption issues
AP with Encryption Disabled
Client with Encryption Disabled
Crackable WEP IV Key Used
Device Using Open Authentication
Device Using Shared Key Authentication
WEP IV Key Reused
VPN
Device Unprotected by VPN
WPA and 802.11i issues
802.1x Rekey Timeout Too Long
802.1x Unencrypted Broadcast or Multicast
Device Unprotected by 802.1x
Device Unprotected by EAP-FAST
Device Unprotected by PEAP
Device Unprotected by TKIP
WPA or 802.11i Pre-Shared Key Used
Device Unprotected by IEEE 802.11i/AES
Other Encryption and Authentication Methods
Device Unprotected by Other Encryption
Device Unprotected by Fortress Encryption
Performance Violation Alarms
Channel or Device Overload
AP Association Capacity Full
AP Overloaded by Stations
AP Overloaded by Utilization
Excessive Bandwidth Usage
Excessive Multicast/Broadcast
Deployment and Operation Error
Configuration Errors
Ad-Hoc Node Using AP’s SSID
Conflicting AP Configuration
Higher Speed Not Supported
Missing Performance Options
Simultaneous PCF and DCF Operation
Unassociated Station Detected
Device Down or Malfunctions
AP System or Firmware Reset
AP with Flawed Power-Save Implementation
IEEE 802.11g Issues
802.11g AP Beacons Wrong Protection
802.11g AP with Short Time Slot
802.11g Protection Mechanism Not Implemented
802.11g Protection Mechanism Overhead
Device Thrashing Between 802.11g and 11b
802.11g Device Using Non-Standard Data Rate
802.11g Pre-Standard Device
IEEE 802.11e and VoWLAN Issues
AP Overloaded by Voice Traffic
Channel Overloaded by Voice Traffic
Power-Save DTIM Setting Not Optimized for Voice
VoWLAN Multicast Traffic Detected
Excessive Roaming Detected on Wireless Phones
Voice Quality Degradation by Interfering APs
Problematic Traffic Pattern
Excessive Fragmentation Degrading Performance
Excessive Frame Retries
Excessive Low Speed Transmission
Excessive Missed AP Beacons
Excessive Packet Errors
Excessive Roaming or Re-Associations
High Management Traffic Overhead
Streaming Traffic from Wireless Device
RF Management
Channel with High Noise Level
Channel with Overloaded APs
Hidden Station Detected
Insufficient RF Coverage
Interfering APs Detected
RF Regulatory Rule Violation
Diagnostic Alarms
Mismatched SSID
Wildcard SSID
Mismatched Channel
Mismatched Privacy
Authentication Failure
Re-association Failure
Equipment Failure
Mismatched Speed or Network
AP Signal Too Weak
Mismatched WEP Key
Higher Layer Protocol Problem
802.1x Authentication Failure
Unanswered RTS
Hotspotter – Automatic wireless client penetration
Author: Max Moser
About:
Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and compares them to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.
History:
During a wireless assessment some time ago, I discovered a strange characteristic of the Microsoft Windows XP wireless client. It was possible to bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system.
I discovered this was due to the configuration of multiple wireless profiles. One profile was established for the EAP/TLS network, and a second for the “ANY” network, using an empty network name (SSID). To evaluate this configuration, I established my own access point using the same SSID as the EAP/TLS network, without the privacy bit set (no encryption). Due to the configuration of the Windows XP client, I was able to force the client to switch to my network with a single deauthenticate frame, at which point the client reconnected to my “rogue” access point.
The victim station did not receive a warning from the operating system to indicate they left their production network, only a small indicator for temporary wireless signal. With this attack, I was able to force a client to leave their secure wireless network and reconnect to my rogue network, albeit at a loss of network connectivity. This allowed me to evaluate the host-based security of the victim host, without the protection of the EAP/TLS network. This behaviour seems to be fixed in Windows XP Service Pack 1.
I was unable to locate any documentation in the Microsoft Knowledge Base that indicated the resolution of this flaw, but there is a remaining vulnerability that can also be exploited based on configured wireless profiles. A Windows XP client will probe for all the preferred network names listed in the wireless client configuration during startup, powersave-wakeup and when the driver reports signal loss for the current network name. Many corporate wireless users configure Windows XP with a business profile (secure network profile) and several other network names including commercial hotspots and home networks (insecure network profiles). Due to this configuration, it is possible to force a client to disclose the list of configured profiles, and then establish a connection to a rogue network using one of the preferred network names.
Depending on the configuration of the wireless client, the client will display a bubble message indicating it has joined a different wireless network name. Once the target associates to the rogue network, it is possible to interact with the client directly. This may include port scanning the victim, exploiting Windows-based vulnerabilities or simulating an otherwise “real” network using faked services and intercepted DNS queries. Note that the Apple OS X client exhibits similar behaviour, although it has not been thoroughly tested at this time.
Download: hotspotter-0.4.tar.gz from Remote-Exploit.org
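The two conditions the Hotspotter write-up relies on, a client disclosing a commercial hotspot profile in its probe requests and an access point beaconing the enterprise SSID with the privacy bit cleared, are exactly what the "Device Vulnerable to Hotspot Attack Tools" and "Potential Honey Pot AP" alarms in the list above look for. The following Python is an added example of that detection logic from the monitoring side; it is not part of the original page or of the Hotspotter tool. The hotspot name list, the authorised-SSID inventory and the captured frames are all constructed for the example, and the `ProbeRequest` and `Beacon` records stand in for whatever a real sniffer would decode from 802.11 management frames.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

# Hypothetical list of common hotspot network names. Hotspotter ships its own
# list; these values are constructed for the example.
COMMON_HOTSPOT_SSIDS = {"tmobile", "wayport_access", "attwifi", "linksys", "default"}

# Hypothetical inventory of the enterprise's own SSIDs, mapped to whether the
# SSID must always be advertised with the privacy bit set (encryption on).
AUTHORISED_SSIDS = {"CorpSecure": True}


@dataclass(frozen=True)
class ProbeRequest:
    """Minimal view of an 802.11 probe request: who asked, for which SSID."""
    station: str  # client MAC address
    ssid: str     # "" is the wildcard ("ANY") SSID


@dataclass(frozen=True)
class Beacon:
    """Minimal view of an 802.11 beacon: BSSID, SSID and the privacy bit."""
    bssid: str
    ssid: str
    privacy: bool  # privacy bit from the capability information field


Frame = Union[ProbeRequest, Beacon]


def exposed_stations(frames: Iterable[Frame],
                     hotspot_list=COMMON_HOTSPOT_SSIDS) -> Dict[str, List[str]]:
    """Map each station to the sorted list of common hotspot SSIDs it probed for.

    A client that probes for a public hotspot name is disclosing a preferred
    network that a hotspot attack tool could answer, which is the precondition
    Hotspotter relies on. Wildcard (empty SSID) probes are ordinary active
    scanning and are not counted as a disclosure.
    """
    probed = defaultdict(set)
    for frame in frames:
        if isinstance(frame, ProbeRequest) and frame.ssid:
            probed[frame.station.lower()].add(frame.ssid)
    report = {}
    for station, ssids in probed.items():
        risky = sorted(s for s in ssids if s.lower() in hotspot_list)
        if risky:
            report[station] = risky
    return report


def honeypot_aps(frames: Iterable[Frame],
                 authorised=AUTHORISED_SSIDS) -> List[Tuple[str, str]]:
    """Return (bssid, ssid) pairs for beacons that advertise an authorised,
    encrypted SSID with the privacy bit cleared: the 'same SSID, no encryption'
    access point described in the History section."""
    hits = []
    for frame in frames:
        if not isinstance(frame, Beacon) or frame.ssid not in authorised:
            continue
        if authorised[frame.ssid] and not frame.privacy:
            hits.append((frame.bssid.lower(), frame.ssid))
    return hits


# Constructed sample frames; not a real capture.
SAMPLE_FRAMES: List[Frame] = [
    ProbeRequest("00:11:22:33:44:55", ""),            # wildcard scan, benign
    ProbeRequest("00:11:22:33:44:55", "CorpSecure"),  # business profile
    ProbeRequest("00:11:22:33:44:55", "tmobile"),     # hotspot profile disclosed
    ProbeRequest("66:77:88:99:AA:BB", "CorpSecure"),  # only the secure profile
    Beacon("DE:AD:BE:EF:00:01", "CorpSecure", privacy=True),   # legitimate AP
    Beacon("DE:AD:BE:EF:00:02", "CorpSecure", privacy=False),  # suspicious
    Beacon("DE:AD:BE:EF:00:03", "tmobile", privacy=False),     # not ours, ignored
]

if __name__ == "__main__":
    for station, ssids in exposed_stations(SAMPLE_FRAMES).items():
        print(f"station {station} probed for hotspot SSIDs: {', '.join(ssids)}")
    for bssid, ssid in honeypot_aps(SAMPLE_FRAMES):
        print(f"beacon from {bssid} advertises {ssid} without encryption")
```

On the sample data the first station is reported for its `tmobile` profile, and the second `CorpSecure` beacon is reported as a possible honeypot; the `tmobile` beacon is ignored because it is not an SSID the enterprise owns. A real deployment would feed both functions from a passive 802.11 capture and tune the hotspot list to the names actually seen in the environment, since the alarm is only as good as that list.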




