NIGHTSTAND: NSA Exploit of the Day

Today’s device from the NSA’s Tailored Access Operations (TAO) group implant catalog:

NIGHTSTAND

(TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload /exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

(TS//SI//REL) NIGHTSTAND – Close Access Operations • Battlefield Tested • Windows Exploitation • Standalone System

System Details

  • (U//FOUO) Standalone tool currently running on an x86 laptop loaded with Linux Fedora Core 3.
  • (TS//SI//REL) Exploitable Targets include Win2k, WinXP, WinXPSP1, WINXPSP2 running Internet Explorer versions 5.0-6.0.
  • (TS//SI//REL) NS packet injection can target one client or multiple targets on a wireless network.
  • (TS//SI//REL) Attack is undetectable by the user.

(TS//SI//REL) Use of external amplifiers and antennas in both experimental and operational scenarios have resulted in successful NIGHTSTAND attacks from as far away as eight miles under ideal environmental conditions.

Unit Cost: Varies from platform to platform

Status: Product has been deployed in the field. Upgrades to the system continue to be developed.

Page, with graphics, is here. General information about TAO and the catalog is here.

Presumably, the NSA can use this “injection tool” in all the same ways it uses QUANTUM. For example, it can redirect users to FOXACID servers in order to attack their computers.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Tags: , , , , , , , ,

Posted on January 22, 2014 at 2:15 PM24 Comments

Comments

Carpe January 22, 2014 2:52 PM

IE 5 and 6? I’m confused at the limited scope admitted here. If the injection is particular to those systems it makes me think of a 0-day, which could easily be replaced by a newer, more effective, wider scope 0-day by now. Also, am I missing something or is there no mention of WPA2 etc?

Benni January 22, 2014 3:15 PM

After one employee has bought his handy in to the room with the wireless network, google may know the wlan password, and the nsa sits on googles dark fibers, thereby getting the wlan password, and then they connect into the wireless lan of the victim, finally using Nightstand. Perhaps this is how they circumvent wpa2

BJ January 22, 2014 6:01 PM

There have been presentations at BlackHat and/or DefCon where it has been reported that many wireless vendor’s drivers are full of security holes.

Perhaps this system exploits those holes.

Steve January 22, 2014 6:19 PM

Even if you were to have separate shielded devices for Tx and Rx on 802.11, you’re still dealing with other devices competing for the SNR and the inverse square for the Rx. Shielding would work very effectively, as would turning down the transmit power of your airport. You could also use layer 1 link aggregation to mask part of your transmissions in another medium. There was also http://web.mit.edu/newsoffice/2011/secure-wifi-0822.html, in which they use gaps in the transmit frames as a viable mechanism for authentication that implicitly blocks traditional “overpowering the signal” based attacks.

There are some pretty interesting things you could do with a large phased antenna array for steering a directional and high gain beam towards the target on Tx.

@ Carpe While this looks like it was written by a layperson for another layperson, I agree it’s misleading technically.

Clifford January 22, 2014 8:59 PM

It doesn’t seem likely that their receivers can dig deep enough into the noise floor for this to work from 8 miles away, even under ideal environmental conditions. Most WiFi has only tens of metres of range, and the inverse square law applies. You can’t dig into the noise floor without losing bit-rate anyhow, so even if the deep space network can dig this deep, it’s not at WiFi data rates.

David January 22, 2014 9:21 PM

The NIGHTSTAND page is a bit old. It’s mention of particular, especially older Windows OS versions causes one to suspect that it may simply present itself as a wifi access point and then perform CNE, as Bruce suggests, in FOXACID-like manner. Nowhere near as insidious as MITMing or packet-injecting WPA2-PSK or WPA2-RADIUS sessions.

Somewhere along the way Microsoft added a check-box to disable the WZCSVC deamon (Wireless Zero Configuration) behavior “Automatically connect to non-preferred networks,” but it’s buried deeply in the “Advanced” button dialog off the “Wireless Networks” tab in the “Wireless Properties” dialog found in the “Properties” right-click off of “My network Places”.

So like, 0.001% of users thought to themselves “that’s kinda risky” and disabled it.

The NSA and legions of black-hats certainly have Microsoft to thank for making many aspects of their job incredibly easy. “Vulnerable by default” as the saying goes.

I find it consoling is that for the most part the revelations demonstrate the NSA has no deep mysterious magic going for them–just the usual nefariousness of spies. They throw unlimited resources and persistence at all those “hypothetical” vulnerabilities, playing the same game as security researchers have since days when the l0pht crew pulled down Microsoft’s pants with the L0phtCrack NTLM password sniffer/cracker tool.

But what we’ve learned certainly validates the old saw “Just because you’re paranoid doesn’t mean they’re not out get you.”

demon January 22, 2014 9:52 PM

(TS//SI//REL) Exploitable Targets include Win2k, WinXP, WinXPSP1, WINXPSP2 running Internet Explorer versions 5.0-6.0.

Again. Who of sound mind (and up to no good) would use Bill Gates’s crap if this world class shyster refuses to do so at Redmond himself?

Figureitout January 22, 2014 10:35 PM

I find it consoling is that for the most part the revelations demonstrate the NSA has no deep mysterious magic going for them
David
–Yep, just the criminality, basically paid people to sit and wait for you to go to work/school/etc. Become neighbors, maybe exchange house keys so you don’t even need to put a gun to a locksmith’s head.

Eerie how my mom comes home to the door inside the garage door wide open today when she comes home just after I described an easy attack (I was the last to leave and I closed it and that never happens) and last night just after I posted about wifi attacks my entire telephone service goes down, no dial tone, no cable, no internet. Just when everyone besides me goes to sleep so I sound crazy describing the attack. Can’t make this stuff up, losers are attached to me; go do something productive. I know who you are, seriously, you gave me your identities and you need a new job, and I don’t care about you.

Figureitout January 22, 2014 10:38 PM

David
–Oh and I forgot…an old monitor in the garage, just “happened” to get shattered, and again my mom comes home to pieces of it outside the garage when it was inside and the garage door was closed.

ATN January 23, 2014 3:54 AM

Presumably, the NSA can use this “injection tool”

Well, the NSA and anybody who can break into Fedora Core 3 (released on November 8, 2004) while they are conducting their attack – or anybody who can leave a trojan into FC3 to collect the info later.

65535 January 23, 2014 4:37 AM

“Presumably, the NSA can use this “injection tool” in all the same ways it uses QUANTUM. For example, it can redirect users to FOXACID servers in order to attack their computers.” -Bruce

It looks that way. “NS packet injection” may indicate Name Server packet spoofing to redirect traffic to drive-by site.

“Successful NIGHTSTAND attacks from as far away as eight miles…” – NSA

It’s possible with Long-range Wi-Fi:

“Long-range Wi-Fi… through use of directional antennas, can be extended with many kilometers between stations…Specially shaped directional antennas can increase the range of a Wi-Fi transmission without a drastic increase in transmission power. High gain antenna may be of many designs, but all allow transmitting a narrow signal beam over greater distance than a non-directional antenna… The longest unamplified Wi-Fi link is a 304 km link achieved by CISAR (Italian Center for Radio Activities)… link first established on 2007-06-16… it appears to be permanent from Monte Amiata (Tuscany) to Monte Limbara (Sardinia)… frequency: 5765 MHz… IEEE 802.11a (Wi-Fi), bandwidth 5 MHz…Radio: Ubiquiti Networks XR5… Wireless routers: MikroTik RouterBOARD with RouterOS, NStreme optimization enabled… Length: 304 km (189 mi)… Antenna is 120 cm with handmade waveguide. 35 dBi estimated.”

http://en.wikipedia.org/wiki/Long-range_Wi-Fi

@carpe

Yes, it an old document. The target systems is Win 2000 Pro, XP [no service pack], XP SP1, XP SP2 [that would be late 2004 with IE6]. WPA/WPA2 came in around 2010. And, XP SP3 was around 2010.

@Benni
“…employee has bought his handy in to the room with the wireless network, google may know the wlan password, and the nsa sits on googles dark fibers, thereby getting the wlan password, and then they connect into the wireless lan of the victim, finally using Nightstand. Perhaps this is how they circumvent wpa2

Yes, that is logical.

@ David
‘Somewhere along the way Microsoft added a check-box to disable the WZCSVC deamon (Wireless Zero Configuration) behavior “Automatically connect to non-preferred networks,” but it’s buried deeply in the “Advanced” button dialog off the “Wireless Networks” tab in the “Wireless Properties” dialog found in the “Properties” right-click off of “My network Places”… So, 0.001% of users thought to themselves “that’s kinda risky” and disabled it. The NSA and legions of black-hats certainly have Microsoft to thank for making many aspects of their job incredibly easy… what we’ve learned certainly validates the old saw “Just because you’re paranoid doesn’t mean they’re not out get you.”’

I agree.

I think XP SP2 had the WZCSVC service [MS term for daemon] and KB918977 added a bunch of dll’s to adjust it (before XP SP3). In Windows 7 it is called WLAN AutoConfig… so it’s not gone and probably needs fixing.

@ Figureitout
“Yep, just the criminality, basically paid people to sit and wait for you to go to work/school/etc.”

I have that same feeling. If you hire criminals it rubs off. The NSA jumped in the sewer and is now swimming with the big turds. They are not to be trusted – especially after “the least un-truthful” answer to Congress.

Cant-Figureitout January 23, 2014 6:01 AM

@Figureitout have you considered going to see a mental health professional? The things you’re describing sound like the classic sorts of paranoid thoughts and persecution complex that would be brought on by some forms of mental illness, perhaps bipolar disorder/manic depression?

Clive Robinson January 23, 2014 6:21 AM

@ 65536,

    It’s possible with Long-range Wi-Fi

Yes the distance you quoted was for what is in effect unmodified WiFi.

It’s actually not that difficult to take the output of a 2GHz low power WiFi unit and feed it into a balanced mixer that bi-directionaly converts it to 11GHz (where there are licenced “outside broadcast” frequencies for point-to-point links where modulation type is open). Into a couple of 1.5meter dishes you can get reliable mpeg video over 100miles (working out of Gib to a mountain in Spain).

Also when I looked at the kit in the picture I had a sense of De Ju vue, it looks a lot like a bit of kit that appeared on a US program where people bid for “lost luggage”…

Which made me re-read the spec, this kit looks like it’s for attacking “air gapped” networks at “Mil/Gov Command and Control” centers that have been seen around the Middle East.

The chances are with the poor state of Android iOS and other Smart Phone WiFi stacks it’s got a very new lease of life especialy in busines BOD environments (and in the Android case any required keys will be up on Giigles servers… and probably the same for Apple).

Nobody January 23, 2014 12:45 PM

Provides automatic configuration for the 802.11 adapters.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\WZCSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\WZCSVC

Wireless Zero Configuration (WZCSVC.ndi)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\
{4D36E974-E325-11CE-BFC1-08002BE10318}\
{F05F7944-A92D-465A-98BD-942285E13781}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\
{4D36E974-E325-11CE-BFC1-08002BE10318}\
{F05F7944-A92D-465A-98BD-942285E13781}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\
{4D36E974-E325-11CE-BFC1-08002BE10318}\
{F05F7944-A92D-465A-98BD-942285E13781}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\NetworkCards\12\
{0FF5D562-B062-472A-BA01-5427BA75A24F}

Dell Wireless 1505 Draft 802.11n WLAN Mini-Card

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\
{4D36E972-E325-11CE-BFC1-08002bE10318}\0011

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\
{4D36E972-E325-11CE-BFC1-08002bE10318}\0011

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\
{4D36E972-E325-11CE-BFC1-08002bE10318}\0011

Figureitout January 23, 2014 7:05 PM

65535
–Yeah…why would anyone trust agencies that have a legal right to lie? You know citizens can’t lie under oath, it’s called perjury; people living above the law don’t live forever and the systems collapse from within.

Can’t-Figureitout
–Nice original name. No, actually my mind is more clearer than ever before; I’ve really found my niche in what I want to do (I joke, after I get a degree, I finally find what I want to do). If you would like to arrange a meeting, so you can “diagnose” me, or I can show you the dried bloodstains on my sheets, the broken monitor in my garage that, or let me stick one of my USB sticks in your computer. Otherwise, please don’t make those accusations. It’s warning signs for what future victims should be expecting to see as these people abuse the tools and authority WAY too much.

Figureitout January 23, 2014 7:06 PM

Can’t-Figureitout
–I can also take a stroll and point out some agent’s houses if you wish. I’ve received prior intel wayyy back when; there’s underground intel networks in case you didn’t know.

Scottie January 24, 2014 5:07 AM

When you hear all this stuff comming out of washinton about things like the Obama Care scandle and then you realise how the Federal Reserve is actually held afloat with bankers and bailouts, “Ron Paul” did a good talk about it on youtube and his book called End the Fed and when people start talking about the NSA they forget they have plenty of projects, some of which dribble into the public eye and others that dont. One project that stuck out and got me actually thinking was called: Quantum where people speculated the use Radio waves to get into computers much like this article about exploiting wireless vulnerabilities. But everybody seem’s to forget they also the one’s heavily influencing NIST standards and your basic mobile telephone at the end of the day operates on the same frequency as a Weapon. Yeap thats right those RF – Transmitters are nothing more than a Microwave engine, so over loading your WiFi could and would in theory, do far more than just cause net-work error’s “It would literally fry the eyeballs out of your head!”. Cyber Warfare, perhaps it’s time for people to contemplate what that means.

Scottie January 24, 2014 7:27 AM

Breaking into all these computers designing standards to bypass security so they can do what they like, at the same time telling every other computer engineer how it’s done.. Marvelous, you brain fuing brain dead moron’s, your leading the way towards teaching every other nation on earth how to Kill millions of people without even leaving the comfort of your own Chair! Look at that we wiped out an entire nation and didnt have to fire a single Bullet! **Bling-Bling “It’s for you!”

Clifford January 31, 2014 3:44 PM

Sorry to revisit this old topic, but eight miles is only possible when you have high-gain antennae at both ends. Clearly that’s not the case at these targets.

Clive Robinson February 1, 2014 1:00 PM

@ Clifford,

    Sorry to revisit this old topic, but eight miles is only possible when you have high-gain antennae at both ends. Clearly that’s not the case at these targets.

Err I dont’t think you are thinking about this in the right way.

Your assumption appears to be that the illuminator and receiver have to be co-located, they don’t.

In fact it’s better that they don’t for a number of reasons. The illuminator does not just push out EM radiation in the 1-2GHz band it will pushout between ~75% and upwards of 400% of the RF power as heat depending on the type of RF-PA and the filtering used (RF Power from the PA output device “plate power” should not be confused with feedline input/output powers or ERP from the antenna into freespace). Such heat has certain charecteristics that enable it to be identified with modern thermal imaging equipment which makes “nailing it’s location” over the last 100yards or so relativly easy.

Another disadvantage of having a “close in” to the target illuminator is that it significantly reduces the “base line” required by a counter surveilance team to determin the range from them to the illuminator.

As in the case of the “Berlin Embassy” thermal image it is quite likely that one or more long range illuminators working in the 3-12GHz EM spectrum are mounted on the roof where in theory it could be argued that they “are under the protection of the mission status” and thus not be subject to local laws etc (unlikely to succeede if the “host nation” is sufficiently more powerfull).

As for the receiver yes this has to be close in to the target device (ie less than 100ft) but as it does not –intentionaly– emit EM energy it also has a very small thermal image (considerably less than an operator) it is not going to be anywhere as easy to find.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.