
How to prevent automatic association with ad hoc networks

Ad hoc networks can be a simple way for attackers to gain access to your mobile computer. Most people do not use Ad hoc mode, or are not even aware of it. Yet their computers could be at risk, because MS operating systems activate Ad hoc mode by default. The purpose of this post is to describe the three simple steps required to disable Ad hoc mode and remove that avenue of attack.

Jason Hiner, executive editor of TechRepublic, recently wrote a well-timed and well-received post titled “Study shows viral SSIDs could be creating a massive wireless botnet.” In a nutshell, it is about potentially malicious ad hoc networks and how easy it is for unsuspecting mobile notebook users to accidentally associate with them. This easily overlooked yet potentially serious security issue happens because the malicious ad hoc networks are broadcasting what most would consider a safe and friendly SSID.

Why even use ad hoc networks?

Ad hoc mode allows computers to communicate in a peer-to-peer fashion. An example would be two people who want to share a file but cannot come up with a USB flash drive or writable CD between them. So they just set up their computers to use ad hoc networking and move the file from one computer to a shared folder on the other computer. The availability of USB flash drives these days usually trumps this process, as setting up an ad hoc network can be an involved and time-consuming process. This is a good thing, as can be seen in Mr. Hiner’s post. Still, even just having ad hoc association enabled on a computer invites any similarly configured computer within range to associate, including those of people who wish to do harm.

It becomes pretty obvious that there is very little need to have ad hoc association enabled, and there are some very valid reasons not to have it enabled. So why not just turn it off? Mr. Hiner asked me to write a post on how to do just that, and I think it’s a great idea, especially since disabling and enabling the ability to associate with ad hoc networks is a very simple process.

One last important topic is Microsoft Windows Zero Configuration (WZC), which is the wireless client application that is integrated with Microsoft operating systems. WZC is set up to make it very simple for the user to associate with a wireless network. That simplicity also creates problems, like WZC easily attaching to malicious infrastructure or ad hoc networks without any user intervention. I typically recommend using the wireless client application that was specifically developed for the hardware. In most cases it works better and is configured to avoid this issue. In some situations that is not possible, particularly in the corporate world where Microsoft Active Directory (AD) networks are used. There are indications that not using WZC on AD networks leads to some rather unusual complications. Using WZC is not a problem in that case though, as system administrators are able to push group policies out to the notebook that mimic the same configurations that I am going to describe next.

Simple solution

To start, the WZC wireless network connection window needs to be open. The following figure depicts a portion of this window; the next step is to click on Change Advanced Settings.

first.JPG

That will open a window which, after clicking on the Wireless Networks tab, looks similar to the one seen below. The next step is to click on the Advanced button that I have pointed out in the figure below.

second.JPG

Finally, that opens a small pop-out window where three choices are displayed. The first choice allows WZC to try to connect to both ad hoc networks and infrastructure networks, with preference given to networks using access points. The second choice allows WZC to connect only to access point controlled networks. The third choice is used to initiate an ad hoc network. I once again have circled the choice of Access Point (infrastructure) Network Only. Selecting this button removes the ability to connect to ad hoc networks, which eliminates the chance of associating with a malicious ad hoc network.

I also recommend that the Automatically Connect To Non-Preferred Networks box be unchecked. I personally do not see any advantage to allowing this, and it introduces many complications. This is especially relevant when the computer is in a location that has multiple wireless networks of equal strength. In those circumstances, WZC kind of wigs out trying to decide which network to associate with.

third.JPG

Said it was simple

Just making this simple change eliminates several avenues of attack. Besides, most users will not notice the difference and in reality may not have even known that this was an option for them. I also wanted to give credit to “Simple Nomad,” who first detailed this anomaly, so aptly named “Microsoft Windows Silent Ad hoc Network Advertisement.”


15 comments
cumpleby

Can this change be done via the registry or netsh?

Michael Kassner

I am curious to learn how many people use Ad hoc mode. I would appreciate learning the circumstances that are behind using it as well.

smallworld

Use

netsh wlan add filter permission=denyall networktype=adhoc

to deny all ad-hoc networks. If you need to allow ad-hoc networks temporarily or at some point in future:

netsh wlan del filter permission=denyall networktype=adhoc

Hope this helps. Doing IT Right! http://www.thesmallworld.com
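A check that complements the netsh filter suggested in this thread, added here as an example and not part of the original post or its comments: it parses `netsh wlan show networks` output and lists the networks in range that are ad hoc, whatever their SSID suggests. It assumes Windows Vista or later with English-language output; the sample scan and its SSIDs are constructed.

```python
import re

# Constructed sample of `netsh wlan show networks` output; SSIDs are made up.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 3 :
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : WEP
"""

SSID_LINE = re.compile(r"^SSID\s+\d+\s*:\s?(.*)$")    # starts a network block
FIELD_LINE = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")  # indented "key : value"

def parse_networks(scan_text):
    """Return one dict per SSID block with its lower-cased field names."""
    networks, current = [], None
    for line in scan_text.splitlines():
        m = SSID_LINE.match(line)
        if m:
            current = {"ssid": m.group(1).strip()}  # empty string = hidden SSID
            networks.append(current)
            continue
        m = FIELD_LINE.match(line)
        if m and current is not None:  # ignore header lines before the first SSID
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return networks

def adhoc_networks(scan_text):
    """List networks in range that are peer-to-peer (ad hoc), not AP-based."""
    return [n for n in parse_networks(scan_text)
            if n.get("network type", "").lower() == "adhoc"]

if __name__ == "__main__":
    for net in adhoc_networks(SAMPLE_SCAN):
        print("ad hoc:", repr(net["ssid"]), net.get("authentication"), net.get("encryption"))
```

On a live machine, feed the function the text captured from `netsh wlan show networks`; a familiar-looking SSID that shows up in this list is another computer, not an access point.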

Michael Kassner

I believe if a configuration can be controlled via Group Policy it can be controlled through the registry. I am a networking type, so I am not by any means an expert in that field. I would hope a member would be able to assist you with that information. Also Mark Minasi's forum may be of help. http://www.minasi.com/forum/

dip golf

I have been experimenting using my Sprint Mobile Broadband connection and an ad hoc implementation to provide an internet connection for my iPod Touch. This is my first attempt in ad hoc connectivity. So far, I have been unsuccessful. The device can locate the network and the PC can initiate connectivity, yet the device cannot load a test page. The connection terminates quickly also. It has to involve user error regarding static IP and DNS addresses on the device side of the equation.

Timbo Zimbabwe

ONCE! ;) I had to transfer a bunch of files from one laptop to another and decided to do this en route to the client location. Set it up, let the files transfer as I drove there, then changed the settings back once I got there. Saved me about 25 extra minutes on site.

catseverywhere

We Linux users have heard all the promises, and felt the perpetual let downs of zeroconfig networking. It's buggy at best in Linux, at least the distros I use. It says it's installed, it says it's loaded and working... but as for getting hooked to a bot net without my knowing, I have nothing to worry about. It just plain doesn't work. Wish it did, an ad hoc network would be an excellent educational tool.

Michael Kassner

1. What is the device trying to attach to?
2. What do you think the reason is for the connection to drop? Do you have encryption enabled on the network?
3. It does sound like the device will not resolve FQDNs. Are you able to type in IP addresses and then get to the web page?

Photogenic Memory

I'm semi-versed in Linux but I'm weak in wireless setups. The other day, someone asked me to join their Linux laptop running Suse to the local wireless SSID and WEP key. It failed numerous times no matter what changes were made to the iwconfig file and wireless daemon restarts. However, iwlist worked wonderfully mapping out the SSID and the channel but still no connection. The person said it did work for him under WPA though? Weird. Who knows where the problem lay? Maybe I missed something. Anyways, this piqued my curiosity and so did this article. I found these articles on the web on creating your own AD-HOC networks: http://www.linuxjournal.com/article/5470 and http://www.dslreports.com/faq/10923 It's just a config file but I guess the difficulties begin with chipset driver selections such as: Orinoco_cs, WLAN_NG, Wavelan, Atmel, MadWiFi, WPA_Supplicant, NDIS Wrappers and maybe possible kernel recompiles (which I've never had to do ever, yet). Anyways, I hope this helps. I plan on buying a wireless device this weekend and see if I can get it to run under my distro CentOS just as an experiment. I really don't like wireless but it'll be easier to deal with the next time someone asks me about Linux wireless problems down the line.

Michael Kassner

I am not well-versed in Linux, so I did not realize that. Do you have any information as to the process for enabling Ad hoc networks? Especially the information that does not work correctly.

Michael Kassner

What Belkin device are you using? Just to make sure you are referring to a client device? I would appreciate learning about one that did not need any special drivers as I have several clients that would more than likely use it.

silversidhe

Why go out and buy a device that is not compatible? I'm using a Belkin and it doesn't require ndiswrapper etc. In the future when you buy (actually spend money on - not try to make something work you were given), don't encourage THE BAD COMPANIES by buying their products and giving them money. Your money spent is a vote and probably more valid than any of our current elections. But the point of this is there are sites that will give you the scoop on compatible/real modems, wifis, computers etc.

Michael Kassner

There is a well-known WEP key issue even with MS products. There appears to be a problem with how some client applications convert a passphrase to hex code. I have seen it where a passphrase was entered and it would not work. Then if the hex code was entered it would work. Also thanks for the links, I hope to take a look this weekend if the networks of the world be good.

Michael Kassner

Thank you as well. I enjoyed your posts and hope to have some time to research that a bit more.

catseverywhere

Ad-hoc relies on zeroconfig to work, and the zeroconfig modules in my distribution (Mandriva) simply haven't worked for me. To be honest I've never looked at it all too hard, being busy with "everything else," but I could pop into the forums over at Mandriva and find out what I'm (probably) doing wrong. Avahi is the package that's supposed to enable zeroconfig; a package called lisa is a LAN browser that utilizes zeroconf. I suppose I should try again, last time was the 2005 release. But as it is now, I did have those packages installed and running, and it was still no-go. Thanks for piquing my interest.