Windows 7 boasts of a new feature known as the wireless hosted network, available on all Windows 7 and Windows Server 2008 R2 systems with an installed wireless LAN. The MSDN developer resource documentation for hosted networks can be read here.
With the hosted network feature, using a single Wi-Fi adapter on a Windows 7 machine, a software-based access point (AP) can be created by virtualizing the physical adapter, making it possible to host multiple interfaces on the same physical adapter. The hosted network works with all wireless cards that are Windows 7 ready, with no extra installation.
Figure 1: Active hosted network and client interface
In a hosted network setup, one would be designated as the regular client interface, and the second as a software-based access point. The device can operate in both modes simultaneously (access point as well as client). One obvious advantages of this hosted network setup is Internet connection sharing (ICS) through Wi-Fi. Windows 7 systems can thus effectively act as Wi-Fi relays or share connectivity from a wired interface. While this is a legitimate feature, it has the potential of becoming a Windows 7 exploit.
Figure 2: Aerodump-ng monitoring for available networks
To study this scenario we shall use the following setup: Windows 7 PC with built-in or external Wi-Fi adaptor, Wi-Fi adaptor with packet injection capability, and Backtrack 5 running in VirtualBox. This demo is conducted using a Windows 7 system that is up to date as of August 2011. We will monitor the air using a utility called aerodump-ng.
We first connect to a regular AP and create a soft AP or hosted network on the same Windows 7 machine by issuing the following command:
Netsh wlan set hostednetwork mode=allow ssid=”YourHostedNetwork” key =YourHostedNetworkKey
A soft AP under Windows 7 must be at least WPA2 PSK secured. The hosted network needs to be explicitly enabled by issuing the following command:
Netsh wlan start YourHostedNetwork
The hosted network can be disabled by substituting ‘start’ in the previous command with ‘stop’. Note that the client connection to the client network “OfficeNetworkAP” is still up (Figure 1). Secondly, unlike regular wireless connections that are reported via a blurb, the OS gives no indication whatsoever that a network profile has been created or that a hosted network is up and running.
Figure 3: Virtual interface created under network connections
Aerodump-ng shows that the hosted network is up and running in conjunction with the active client interface (Figure 2). This simultaneous functioning is the most important aspect of this feature, but adds to the exploitability of Windows 7, since the lack of any warning/blurb coupled with the fact that there is no loss of connectivity means that the user would be completely unaware of what is happening. All that is needed is shell access to the system to turn the hosted network feature on.
Note that the hosted network is started on the same channel as the client device. This is because the Wi-Fi adapter has only one radio interface, which enables it to tune into one channel at a time. It might be possible to multiplex between two channels at a very fast rate, akin to multi-processing with a single CPU. This adversely affects factors like switching-time and throughput.
The key take-away from this exercise is that the client aspect of the device is totally unaffected by the soft AP aspect of the same device. The only indication of a hosted network could possibly be the creation of a virtual wireless miniport interface that handles the soft AP portion of the hosted network (Figure 3). This is passive at best, considering the user would not be prompted. This is possibly because the user is expected to explicitly enable the hosted network. It becomes a problem when a system gets targeted. This feature thus becomes a Windows 7 exploit.
Since the hosted network ships with its own DHCP server, as soon as a network is available one can connect and get assigned a DHCP generated IP. No alerts are received even when a device connects to a hosted network.
From the perspective of a malware author, there are full-blown APIs to do all this. If an attacker is able to activate the soft AP and install a backdoor on the system, this Windows 7 exploit will enable complete remote access, and rogue APs can be created. Each node has a client and AP functionality, and is a potential Wi-Fi repeater. Nodes can be daisy chained by hopping from one machine to another once one machine is compromised. Rogue APs are the bane of every network administrator; considerable effort goes into finding and protecting against them.
Since the attacker connects to the victim over a private wireless network when used as a Windows 7 exploit, there are no wired-side network logs for firewall, IPS or IDS. As a Windows 7 exploit, this is difficult to detect even during an ongoing attack. The stealth factor could be further increased with tools such as Metasploit.
If the attacker can obtain the network key for a corporate network from the victim — this is possible since WPA2-PSK keys can be decrypted — the hosted network feature can also be used to impersonate the legitimate AP with this Windows 7 exploit to lure other Windows 7 systems into connecting to the compromised system. Since this is an abuse of a legitimate feature, a worm using this Windows 7 exploit to propagate over a private Wi-Fi network will not be detected by anti-virus or anti-malware programs.
Disclaimer: This tip is based exclusively on inputs from Vivek Ramachandran’s talk at SecurityByte 2011, held in Bangalore last month. This is purely a proof-of-concept and is not intended to encourage criminal abuse of this feature.
About the author: Vivek Ramachandran is the founder of SecurityTube.net, and has been working with Wi-Fi Security for eight years. He is the discoverer of the Caffe Latte attack, and is also credited with breaking WEP Cloaking, a WEP protection schema publicly at Defcon 2007. Vivek has recently authored a book titled: “Wireless Penetration Testing using BackTrack 5" released by Packt publications in September.
(As told to Varun Haran)
Please send your feedback to vharan at techtarget dot com. You can follow our Twitter feed at @SearchSecIN