Can Windows connect to 2x separate SSIDs with 2x WLAN NICs?

Discussion in 'Networking, Telephony & Internet' started by benjagan91, Jan 23, 2020.

  1. benjagan91

    benjagan91 Member

    Joined:
    Jun 18, 2009
    Messages:
    906
    Location:
    QLD
    Good morning,

    I'm currently having a security discussion with a colleague about a hypothetical "how could an employee circumvent our firewall and gain remote access". The employees in question use desktops connected via WLAN and have local administrative rights for certain legacy software which requires it. The typical VPN and VLC/RDP/Teamviewer ports are blocked by the company firewall.

    One idea which was tossed around: An employee installs a USB PCI-E card into his desktop which provides internal (inside case) USB ports - or just uses one of the spare front panel headers to install internal USB ports. This just makes it easier to hide the following step.

    The employee then connects a USB WLAN adaptor and one of those portable 4G hotspots to the internal USB ports - to provide a second WLAN NIC and keep the 4G hotspot charged. The 4G hotspot is configured with a hidden SSID or something inconspicuous like 'Android AP'.

    The employee then sets up one WLAN NIC as the default gateway via the 4G hotspot SSID and connects the other WLAN NIC to the company's SSID. The employee then sets up their local Windows routing table to push any local company LAN IPs over the WLAN NIC connected to the company's SSID - ensuring the metrics and interfaces are configured correctly via CMD's route.exe or netsh.exe.

    The employee can then remote in via Teamviewer over the 4G hotspot to their local workstation and navigate around the local company network/RDP to the terminal server etc via the second WLAN NIC connected to the company SSID.

    Now the question is... can Windows even connect to 2 different SSIDs if you've got 2 different WLAN NICs installed? We reckon this scenario would work for the employee if the desktops were connected to the company network via ethernet to start with - only one SSID would need to be connected.

    Apparently we're moving to thin clients and replacing the legacy software soon so that should hopefully close this potential security hole - but it's still an interesting question.

    Thanks
     
  2. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,693
    Location:
    brisbane
    I love my MTC's get them with built in LTE modems ;)

    Windows natively will not connect to two wireless networks at the same time. Hell it won't even connect to wired and wireless or wired and a modem.

    One adaptor has a priority which is adjustable that's it.

    Your employee would be doing well to get it working and you'd want to be worried about them if they go to those lengths.

    To be clear they "connect" but cannot be utilised at the same time.
     
    Last edited: Jan 23, 2020
  3. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,095
    Location:
    NSW
    What are you trying to stop? There are a dozen ways the potential dodgy employee could do this: serial modem, USB to Ethernet adaptor to an Ethernet 4G modem. One way to stop USB attacks is to stop Windows from allowing USB access using GP. Yeah, some people might mope about being unable to use USB sticks, but boohoo.
     
  4. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,693
    Location:
    brisbane
    the fun thing for you OP is you can lock alllllll this shit down on a thin client, unless you are getting people to connect to outside wifi networks??
     
  5. benjagan91 (OP)

    benjagan91 Member

    Joined:
    Jun 18, 2009
    Messages:
    906
    Location:
    QLD
    I don't believe that's correct. Perhaps have a look at this:

    Route different traffic through different network interfaces (in Windows)

    Excerpt from the above link:

    Additionally, I suppose if both WLAN NICs can't be connected at the same time on one Windows host, one WLAN NIC could be assigned to a VM running another Windows guest installation for the purpose of connecting to the second SSID.
     
  6. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,693
    Location:
    brisbane
    The end user will find that he won't be able to traverse both networks easily at the same time; he'd connect his hotspot and the other one will just drop out.

    end user will have buckley's of doing what you are afraid of is my point.

    just try it yourself, then imagine you are a noob.
     
  7. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,189
    Location:
    Canberra

    If someone is going to the trouble of (in the OP's story) purchasing and installing, in a hidden manner, a 4G connection, they're not a noob user.

    As for Windows being able to connect to two networks at once, hell yes it can. Surprised people think it can't*. Two WiFi SSIDs makes it difficult but not impossible (just don't use the GUI like a noob); use a USB 4G dongle instead, no dual SSID hassle.

    Having access to both networks is then just a matter of simple route table manipulation.

    The OP's story is possible, but unlikely - there are easier ways to get network access. And you should be locking down USB access anyway; users stealing data (or just being users and losing a USB stick full of data) is a more real risk.


    *Windows can run as a hotspot for a wireless network it creates, while providing internet from another interface, which could also be wireless. I've done this frequently as it makes it easy to demo IoT devices without having to go through the effort of joining them to someone else's network first. And this is available through the noob GUI, no CLI wizardry required.
     
  8. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,693
    Location:
    brisbane
    out of the box behaviour means that said user would have to be very determined.

    someone with that level of skill is probably not going to be stopped by most things you will try.
     
    Last edited: Jan 23, 2020
  9. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    5,003
    Yeah you can, I do it all the time. You can only have 1 default route at a time, which makes most things difficult; however you can put specific routes on different interfaces.

    I use it to talk to the lab network and the work network at the same time. I keep the default on the WLAN (or vice versa) and manually apply the routes for the lab on my laptop with the command-line route ADD command.

    Can a noob do it? Probably not. But someone determined to get around it could. I used it myself with a laptop in the middle so I could do some lab testing from my desk on a host that was in another segregated network. Getting routes correct is tricky as you need to think about BOTH directions, and I'd have to think carefully about how you could make it work for public addressing (mine was all private and discrete).
     
    Last edited: Jan 25, 2020
  10. Primüs

    Primüs Member

    Joined:
    Apr 1, 2003
    Messages:
    3,437
    Location:
    CFS
    Won't even take much skill or manipulation. What you describe as the other network 'dropping off' isn't correct; one network just takes the priority 'DEFAULT' route only, which in an effective sense means yes, that is the used network, but consider this:

    LAN is plugged in, has 192.168.0.100/24 on the NIC; the specialised resource is on 192.168.0.50/24, so same subnet. User connects to their hotspot, that takes over the default route, but uses 192.168.50.0/24, so a separate subnet to their LAN, but now Teamviewer etc. can work, so someone remotes in and can still access 192.168.0.0/24 as that's still in the route table as a connected route.

    Very simple case of just connecting to the 2nd network so very possible to do without a huge amount of knowledge.

    There are other factors that could stop this specific situation from occurring but this is a very basic hypothetical to show that it could be a low skilled attack.
     
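The routing behaviour the thread keeps circling back to (posts 1, 9 and 10: one default route wins by metric, while the corporate subnet stays reachable as a connected or hand-added route on the other adapter) is straightforward to audit from the defender's side. The script below is an added example written for this page; it is not code from the thread or from any poster. It lists the Up adapters, every candidate default route, any split between the default path and the corporate prefix, statically added routes, the SSIDs the WLAN adapters are associated with, and whether the Windows Connection Manager policy that blocks a non-domain network alongside the domain one is enforced. The corporate prefix 192.168.0.0/24 is taken from post 10's scenario; the SSID name 'CorpWiFi' is a placeholder, and the static-route check is a heuristic, all marked as such in the comments.

```powershell
# Added example (not from the thread): audit a Windows host for the dual-homed /
# split-route condition the thread describes, and check the policy that blocks it.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
# Assumed site values (hypothetical, change for your environment):
$CorpPrefix    = '192.168.0.0/24'   # the corporate LAN from post 10's scenario
$ApprovedSsids = @('CorpWiFi')      # placeholder name for the company SSID

$findings = @()

# 1. Adapters that are Up, with their IPv4 addresses. More than one Up adapter on a
#    desktop that should only ever see the corporate network is the first signal.
$up = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
foreach ($a in $up) {
    $ips = (Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress -join ','
    Write-Host ("Up adapter: {0} [{1}] ifIndex={2} ip={3}" -f $a.Name, $a.InterfaceDescription, $a.ifIndex, $ips)
}
if ($up.Count -gt 1) { $findings += "Host is multi-homed: $($up.Count) adapters are Up." }

# 2. Candidate default routes. Windows sends non-local traffic via the lowest-metric
#    0.0.0.0/0 entry, but every adapter that received a gateway keeps its own candidate.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
              Sort-Object RouteMetric, InterfaceMetric)
foreach ($r in $defaults) {
    $name = (Get-NetAdapter -InterfaceIndex $r.InterfaceIndex -ErrorAction SilentlyContinue).Name
    Write-Host ("Default route via {0} on '{1}' (ifIndex={2}, metric={3})" -f $r.NextHop, $name, $r.InterfaceIndex, $r.RouteMetric)
}
if ($defaults.Count -gt 1) { $findings += "Multiple default routes present; the lowest-metric one carries all non-local traffic." }

# 3. The 'connected route' case from post 10: the corporate subnet stays reachable on its
#    own adapter even when a different adapter now owns the default route.
$corpRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $CorpPrefix -ErrorAction SilentlyContinue | Select-Object -First 1
if ($corpRoute -and $defaults.Count -ge 1 -and $corpRoute.InterfaceIndex -ne $defaults[0].InterfaceIndex) {
    $findings += "Split path: default route leaves via ifIndex $($defaults[0].InterfaceIndex), but $CorpPrefix is reachable via ifIndex $($corpRoute.InterfaceIndex)."
}

# 4. Heuristic: routes added by hand (route ADD / New-NetRoute) carry Protocol = NetMgmt.
#    Anything NetMgmt that is not the default route is worth a look; confirm against
#    whatever your DHCP servers legitimately push before treating it as a finding.
$static = @(Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.Protocol -eq 'NetMgmt' -and $_.DestinationPrefix -ne '0.0.0.0/0' })
foreach ($s in $static) { $findings += "Static route $($s.DestinationPrefix) via $($s.NextHop) on ifIndex $($s.InterfaceIndex)." }

# 5. Which SSIDs are the WLAN adapters associated with? netsh prints one block per
#    adapter; the 'SSID :' line is parsed as text (the anchor keeps BSSID from matching).
$ssids = @()
foreach ($line in (netsh wlan show interfaces)) {
    if ($line -match '^\s*SSID\s*:\s*(.+)$') { $ssids += $Matches[1].Trim() }
}
foreach ($s in $ssids) {
    if ($ApprovedSsids -notcontains $s) { $findings += "WLAN adapter associated with non-approved SSID '$s'." }
}

# 6. Mitigation check. The Group Policy 'Prohibit connection to non-domain networks when
#    connected to domain authenticated network' (Windows Connection Manager) writes
#    fBlockNonDomain = 1 here; with it set, WCM will not hold a non-domain network up
#    alongside the domain-authenticated one.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' -ErrorAction SilentlyContinue
if (-not $pol -or $pol.fBlockNonDomain -ne 1) { $findings += "fBlockNonDomain policy is not enforced on this host." }

if ($findings.Count -eq 0) { Write-Host "No findings." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Two limits to keep in mind when reading its output. A local administrator (which the OP's users are) can clear the policy or remove the adapter before an audit runs, so the host-side check is corroboration, not the control; the device installation restrictions bcann mentions and a network-side view (switch and AP logs showing a corporate client address that is also reachable from outside, or NAC posture checks) are what actually constrain it. And the VM variant from post 5, where a USB NIC is passed through to a guest, is invisible to the host's route table entirely, which is another argument for restricting device installation rather than trusting what the host reports about itself.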
  11. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,693
    Location:
    brisbane
    If you have someone smart enough to do that on staff I'd be a bit concerned; most general users are flat out knowing which end is their arse and which one is their head - that's why they use things like Teamviewer to start with.

    Your idea of trivial is beyond 95% of users. Not that this is an excuse to be slack, but yeah.
     
    Last edited: Jan 28, 2020
  12. Primüs

    Primüs Member

    Joined:
    Apr 1, 2003
    Messages:
    3,437
    Location:
    CFS
    Depends what attack vector you're thinking - a rogue employee? Yeah, maybe too advanced for them to have an idea on how to do it. An external bad actor, using social engineering to make them connect to their phone hotspot - entirely possible without having to guide them through anything too advanced.
     
