Monday, May 25, 2009

Wireless Hotel Network Security

I spend lots of time on the road, both professionally and personally. Generally I have no problems connecting to a hotel or lounge access point and opening an SSH tunnel to a personal server.

From there I open a SOCKS proxy on the tunnel and push all of my web traffic through it, so nothing on the local wireless network sees it in the clear. If you've read my Twitter feed, you know that I recently went on a trip to Southeastern Colorado. While I was there, I connected to the wireless network at the hotel.
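For readers who want to see what that SOCKS leg actually involves, here is an added example (my illustration, not code from the original post) of the SOCKS5 client handshake a browser performs against the local listener that `ssh -D` opens. The proxy address 127.0.0.1:1080 is an assumption. The detail worth noticing is the address type: a hostname is handed to the proxy unresolved (ATYP 0x03) so that the SSH server does the DNS lookup; if the client resolved names itself, every site visited would still be visible to whoever runs the hotel's resolver, tunnel or not.

```python
"""Minimal SOCKS5 client framing for a CONNECT through a local `ssh -D` listener.

Added example; the proxy address is an assumption and IPv6 targets are not handled.
"""
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00        # the only method `ssh -D` offers
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03    # let the proxy (the SSH server) resolve the name

REPLY_TEXT = {
    0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def greeting():
    """VER, NMETHODS, METHODS: offer no-auth only."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """Build a CONNECT request. Dotted-quad hosts go as ATYP 0x01; anything
    else is sent as a domain name (ATYP 0x03) so no local DNS query happens."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_reply(data):
    """Parse the server reply; returns (ok, reason, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(data[4:8])
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr = data[5:5 + n].decode()
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    else:
        raise ValueError("unsupported address type (IPv6 not handled here)")
    return rep == 0, REPLY_TEXT.get(rep, "unknown"), addr, port


def open_via_socks(host, port, proxy=("127.0.0.1", 1080)):
    """Run the handshake against the local listener and return a connected socket."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy refused no-auth method")
    s.sendall(connect_request(host, port))
    ok, reason, _, _ = parse_reply(s.recv(262))
    if not ok:
        s.close()
        raise ConnectionError(reason)
    return s


if __name__ == "__main__":
    print("greeting:", greeting().hex())
    print("CONNECT example.com:443:", connect_request("example.com", 443).hex())
```

To use it, start the tunnel with `ssh -N -D 127.0.0.1:1080 user@server` (the user and host are placeholders) and point the browser at that address as a SOCKS5 proxy with remote DNS enabled; `open_via_socks` then returns a socket whose traffic leaves the hostile network only inside SSH.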

I immediately noticed the connection monitor showing a large number of inbound packets. Curious, I launched tcpdump to see what they were.

I had more incoming packets than I could possibly keep up with. Most of them came from two hosts on the network, both trying to connect to my machine on common Microsoft ports. After a few moments the connection attempts stopped, only to resume a few minutes later. These attempts slowed the network to a crawl; it was not worth using the connection to build my tunnel.
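As an added example (not from the original post), the following script does over a constructed tcpdump text capture what the post describes doing by eye: it picks out inbound SYNs to the RPC, NetBIOS and SMB ports, counts them per source, and reports which hosts are hammering the laptop and how fast. The port list 135/139/445 is an assumption (the post says only "common Microsoft ports"), and the addresses and timestamps are made up.

```python
"""Rank hosts probing Microsoft ports, from `tcpdump -n` text output.

Added example; the port list is an assumption and the capture is constructed.
"""
import re
from collections import defaultdict

# Ports to watch. 135/139/445 (RPC, NetBIOS, SMB) are an assumption; the
# post only says "common Microsoft ports".
MS_PORTS = {135, 139, 445}

# Matches the one-line TCP summary that `tcpdump -n` prints, e.g.
# 14:02:10.100001 IP 10.21.4.17.2341 > 10.21.4.88.445: Flags [S], seq ...
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample (not the author's real traffic) using private and
# RFC 5737 documentation addresses. 10.21.4.88 plays the laptop.
SAMPLE = """\
14:02:10.100001 IP 10.21.4.17.2341 > 10.21.4.88.445: Flags [S], seq 100, win 65535, length 0
14:02:10.100244 IP 10.21.4.17.2342 > 10.21.4.88.139: Flags [S], seq 101, win 65535, length 0
14:02:10.100512 IP 10.21.4.17.2343 > 10.21.4.88.135: Flags [S], seq 102, win 65535, length 0
14:02:10.200003 IP 10.21.4.53.1025 > 10.21.4.88.445: Flags [S], seq 200, win 16384, length 0
14:02:10.200200 IP 10.21.4.53.1026 > 10.21.4.88.445: Flags [S], seq 201, win 16384, length 0
14:02:10.300000 IP 10.21.4.88.50001 > 203.0.113.7.80: Flags [S], seq 300, win 65535, length 0
14:02:10.330000 IP 203.0.113.7.80 > 10.21.4.88.50001: Flags [S.], seq 1, ack 301, win 5840, length 0
14:02:11.900000 IP 10.21.4.17.2344 > 10.21.4.88.445: Flags [S], seq 103, win 65535, length 0
"""


def parse_line(line):
    """Return a dict with time (seconds since midnight), src, dst, dport, flags, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return {"t": t, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def inbound_syn_probes(lines, my_ip, ports=MS_PORTS):
    """Per-source stats for bare SYNs (not SYN/ACK) aimed at my_ip on the watched ports."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dst"] != my_ip or p["flags"] != "S" or p["dport"] not in ports:
            continue
        s = stats[p["src"]]
        s["count"] += 1
        s["ports"].add(p["dport"])
        if s["first"] is None:
            s["first"] = p["t"]
        s["last"] = p["t"]           # tcpdump output is chronological
    return stats


def rank_scanners(lines, my_ip, min_probes=3):
    """List (src, probe_count, ports_hit, probes_per_second), busiest first."""
    rows = []
    for src, s in inbound_syn_probes(lines, my_ip).items():
        if s["count"] < min_probes:
            continue
        span = s["last"] - s["first"]
        rate = s["count"] / span if span > 0 else float("inf")
        rows.append((src, s["count"], sorted(s["ports"]), round(rate, 1)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    for src, n, ports, rate in rank_scanners(SAMPLE.splitlines(), "10.21.4.88"):
        print(f"{src}: {n} probes to {ports} at {rate}/s")
```

On the live link the same selection can be done by tcpdump itself before anything reaches the script: `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port (135 or 139 or 445)'` (the interface and port list are assumptions), which also keeps the capture small when the network is already crawling.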

Instead I fired up Nepenthes, a honeypot I regularly use for botnet and malware research. Nepenthes dutifully responded to the probe attempts, and quickly started gobbling up shellcode.

The captured shellcode made a number of attempts to download a binary from a third server, which was either down or unreachable over the crawling hotel link.

I quickly plugged in my broadband card and attempted to "wget" the binary. No such luck; the remote server was in fact down. A quick look through my Shadowserver archive showed that this IP had been associated with hostile activity several years earlier.

I followed the related email threads in that archive and found reports of the same internal-network denial of service behaviour. Without the actual binaries I can only assume that these are the same bots. If that is the case, this download server was taken offline over a year ago. Even with no C&C left to issue commands, the bots kept scanning the network on their own. Had the payload been delivered slightly differently, for instance carried in the exploit itself instead of fetched from that dead server, it could have kept spreading, and any machine on that network not patched against the exploit would have been infected.

While it was unlikely that this host would have infected anyone in the hotel, I still felt obligated to contact the front desk. I gave them the IP and let them know that the machine was trying to attack my laptop. Of course the desk clerk reiterated the wireless terms of service, stating that they are not responsible for attacks from others on their network. I can't blame them. How many guests report that their firewall just identified a hacker every couple of hours?

As I left, he started complaining to a co-worker that the network was extremely slow; "Google won't even come up fast," he said.

Oh my... That will be the last time I stay at that hotel. Who knows how many people have compromised their reservation system because it's on the same network as their wireless customers? Who on Earth would surf from the same PC they use for storing customer data? Certainly none of you -- right?

Nicholas


3 Comments:

Blogger Alida Antonia Cornelius said...

Nicholas, I love reading your blog.
I learn so much.

13 June, 2009 14:48  
Blogger Alida Antonia Cornelius said...

One time years ago when I first started using wifi in the local library, someone accessed my .Mac account and deleted one of my email accounts and replaced it with another one.
Doesn't a firewall on a computer stop what happened to you?
I thought if I had a good firewall or a good app like Intego NetBarrier, I would be safe.

What's the solution to bad wifi security in public places for the average person who has no clue?

14 June, 2009 14:29  
Blogger Nicholas said...

A firewall will block attacks coming in (which it did); however, the attack frequency was so large that the network slowed to a crawl. They were causing a denial of service attack.

The solution to insecure wireless networks is a mobile broadband card. In cases where they are cost prohibitive or too slow, smart surfing is the only solution.

15 June, 2009 03:30  
