Monday, June 16, 2008

Using Broadcast Data as an Attack Vector...

By Boni Bruno, Chief Technology & Security Officer, Data Systems Worldwide

It's amazing how much information you can gather from computers via the data they openly broadcast on the network. This article discusses how such information can be used as an attack vector to compromise data security and other informational assets.

First, let me begin with a true story that I was personally involved in. I was working on a new project as a network architect for a large organization that has 18B in assets and is listed on the NYSE. This particular organization had a working area for consultants to use, and since I was on-site for several months, I was privy to the other projects and the other consulting companies also working for said organization. As you would expect, SOX compliance is a big deal for organizations whose stock is traded on the NYSE, and yep, they had one of the big four accounting firms on-site with an audit team that grew to 12 auditors, 2 project managers, and 1 supervisor handling a SOX audit while I was there.

To make a long story short, the consulting area could not accommodate all the consultants, so certain liberties were taken. This team of auditors had the audacity to set up their own wireless access point (open - no encryption) without telling the client. They used this AP to extend access to the team so everyone could access my client's network as well as share resources among themselves. I told upper management about this, but to my dismay, no immediate action was taken; apparently the team convinced them it was a necessity, and the AP remained on the network - WOW!

Day in, day out, the team would come in in the morning, turn on their laptops, and proceed with their daily routines. I use various network tools to conduct my work, and while using those tools I began to observe various broadcast data coming from the audit team's laptops in the consulting area.

First, I saw ARP/DHCP broadcasts, which exposed MAC addresses, previously used IP leases, routing information, etc. (There is a handy tool for Unix/Linux enthusiasts called Passifist, available at , that clearly shows how much one can gather from broadcast traffic.)

Anyway, in the mornings, when the audit team came in and booted their laptops, I was able to see the DHCP requests for their previous IP addresses - interestingly enough, many of these addresses came from the DHCP servers located in their corporate office. I knew this from the IP addresses and NETBIOS information. In this case, some of the team members had last been connected to the network back in their corporate office, and I was able to learn various IP specifics just by observing their broadcast traffic. Hence, not only did they expose my client's network by installing that damn wireless AP, but the broadcast data clearly exposed information about their corporate network as well. (Mental note here - broadcast data can tell you about multiple environments a machine has been connected to.)
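To make the DHCP observation above concrete from a defender's seat, here is an added example (my own illustration, not code from the article or from Passifist) of a small passive auditor that parses client DHCP broadcasts and flags a Requested IP Address that does not belong to the local network, which is exactly the sign that a laptop was last leased an address somewhere else. The packet builder, host names, MACs and addresses are constructed sample data; the BOOTP layout and option codes (53 message type, 50 requested address, 12 host name, 61 client identifier) are the standard ones from RFC 2131/2132.

```python
"""Passive DHCP broadcast auditor (added example, constructed sample data)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}


def build_dhcp_request(mac: bytes, hostname: str, requested_ip: str, xid: int = 0x1234) -> bytes:
    """Construct a client DHCPREQUEST payload (BOOTP header + options, no IP/UDP).
    Only used here to create sample input; real input comes from a capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,          # op=BOOTREQUEST, Ethernet, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (
        bytes([53, 1, 3])                                                # DHCP Message Type: REQUEST
        + bytes([50, 4]) + ipaddress.IPv4Address(requested_ip).packed    # Requested IP Address (old lease)
        + bytes([12, len(hostname)]) + hostname.encode("ascii")          # Host Name
        + bytes([61, 7, 1]) + mac                                        # Client Identifier: htype + MAC
        + bytes([255])                                                   # End
    )
    return header + DHCP_MAGIC + options


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list; reject truncated input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a BOOTP/DHCP payload")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    mac = payload[28:28 + hlen]                  # chaddr field starts at offset 28
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                            # pad byte
            i += 1
            continue
        if code == 255:                          # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"op": op, "mac": ":".join("%02x" % b for b in mac), "options": options}


def summarize(parsed: dict) -> dict:
    """Pull out the fields that identify the host and where it was last connected."""
    o = parsed["options"]
    msg = MSG_TYPES.get(o[53][0], "UNKNOWN") if o.get(53) else "BOOTP"
    requested = o.get(50)
    return {
        "mac": parsed["mac"],
        "type": msg,
        "hostname": o[12].decode("ascii", "replace") if 12 in o else None,
        "requested_ip": str(ipaddress.IPv4Address(requested)) if requested and len(requested) == 4 else None,
    }


def audit_broadcasts(payloads, local_net: str) -> list:
    """One finding per client broadcast; 'foreign' marks a previous lease outside
    local_net, i.e. a machine that last obtained an address on some other network."""
    net = ipaddress.IPv4Network(local_net)
    findings = []
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed["op"] != 1:                    # only client (BOOTREQUEST) messages
            continue
        s = summarize(parsed)
        s["foreign"] = bool(s["requested_ip"]) and ipaddress.IPv4Address(s["requested_ip"]) not in net
        findings.append(s)
    return findings


# Constructed sample traffic: one laptop asking for its old lease from another
# site's address space, one asking for an address on the local 192.168.10.0/24.
SAMPLE_BROADCASTS = [
    build_dhcp_request(b"\x00\x1b\x63\xaa\xbb\xcc", "AUDITOR-LT01", "10.44.7.21"),
    build_dhcp_request(b"\x00\x1b\x63\x11\x22\x33", "ARCH-WS", "192.168.10.55"),
]

if __name__ == "__main__":
    for f in audit_broadcasts(SAMPLE_BROADCASTS, "192.168.10.0/24"):
        flag = "FOREIGN" if f["foreign"] else "local"
        print(f"{f['mac']} {f['hostname']!s:<14} {f['type']:<8} requested {f['requested_ip']} [{flag}]")
```

In practice you would feed `audit_broadcasts` the UDP payloads of port 67 traffic from a capture rather than the constructed packets; the point of the check is to see, on your own LAN, which hosts are announcing addresses and host names from networks they visited before, so that the leakage can be dealt with by policy rather than discovered by an outsider.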

Furthermore, NETBIOS/SMB broadcasts disclosed the team's NETBIOS names, login IDs, and various server information they typically used back in their own office. Many people I know consider broadcast traffic to be harmless bits and bytes that are just part of normal day-to-day network communications - you should now be aware that there is more to it than that!

You should also be aware that startup applications can cause additional broadcast information to be sent out on the network. Some of the team members had IM accounts that were broadcast. I saw VPN-related broadcasts, iTunes broadcasts, and even antivirus software broadcast data for signature updates. There is definitely more to broadcast data than many people understand, and this so-called audit team was just clueless...

When I turned on my wireless sniffer, I was able to see even more information. I saw all the wireless access points that were cached in the audit team's laptops being broadcast, including the one the team put up in the consulting area. I couldn't help but imagine computer hackers sitting in airports, hotels, and internet cafes collecting this kind of broadcast data.

There are a slew of tools available on the net that can easily take advantage of such broadcast information, to the point that traffic can be diverted to spying machines with little effort. If you get the chance, try playing with a little tool called DSNIFF, available at . This tool allows you to redirect traffic to your machine so you can easily inspect data.

Another interesting tool that specifically takes advantage of broadcast data is Karma, available at . With this tool you can impersonate a wireless AP, DHCP/DNS servers, email and chat servers, etc.

With tools like these available on the net, it should be very clear that broadcast data can be used as an attack vector by hackers, and with the slew of exploits available in Metasploit - see - you simply need to protect yourself and enforce good security practices!

Anyway, getting back to the story, my immediate concern was to shut down the AP, since any nearby resident could hop on the network and see what was going on. Running packet captures gave me visibility into a lot of the data being accessed by the audit team. I ran a wireless site survey showing the range of this rogue AP (yeah, it extended to the public streets) and hit management over the head with all of the information I had obtained. They finally took down the AP, but only after I had installed a new switch with more ports for these clowns in the consulting area! ;)

It still amazes me how many risks you have to manage on a day-to-day basis and how little senior managers know and understand about information security. I hope you enjoyed this article and that your information security awareness has increased as a result of reading it and the associated web links provided.

Stay well and stay secure...