Raul Siles

Trying to shut up your wireless chatty Windows

Every time your 802.11 wireless (WiFi) card is activated on Windows XP, your system starts to disclose information about your current and past wireless activities: it tries to find all the networks it has, or has had, knowledge of, such as your wireless network at home, at the office, at the library, hotspots you have used...

The Windows XP "Wireless Zero Configuration" (WZC) service registers every wireless network you have been connected to at any time, even if you didn't get IP connectivity, such as when the AP was not configured to provide an IP address through DHCP but the client was expecting it.

The historical list of networks, called "Preferred networks", can be accessed through the "Change advanced settings" link of the "Wireless Network Connection" screen, selecting the "Wireless Networks" tab on the "Properties" window. The oldest WiFi networks are found at the bottom of the list.

NOTE: If you try to connect to a WEP-enabled network without the key, this WiFi network won't be registered on the list.

When the wireless interface is switched on but it has not established a connection to any network yet, it continuously generates a special type of WiFi frame, called "Probe Request", for every network listed. It strictly follows the list order in sequence and uses all the wireless channels supported by the card, disclosing the network name (SSID) and the rates supported by the card (basic and extended).

[Screenshot: WiFi Windows settings]

NOTE: This behaviour is completely independent of the connection and its settings: IP address, mask, DNS, gateway.... Nor does the "Network Authentication" used matter: Open, Shared, WPA, WPA-PSK...; or the "Data encryption" used: Disabled, WEP, TKIP...

This information could help an attacker to launch MITM attacks by setting up a rogue Access Point using any of the SSIDs requested, because your client will try to connect to it automatically. Besides, the data contained in these frames would also help an attacker to get details about the type of card you have: the vendor (based on the source MAC address) and the 802.11 technology (a, b, g...; based on the speed rates).

NOTE: this behaviour discloses the SSID of cloaked networks (those that do not generate beacon frames, so their SSID is hidden).
NOTE: Once connected to a WiFi network, it only generates "Probe Requests" for the Broadcast network (using an empty SSID; zero length). The "garbage" probes described below also disappear from the air.

If you disconnect from a wireless network by double clicking on it while connected (or using the "Disconnect" button), it will be left in a "Manual" state, indicating that Windows will not try to re-connect to it automatically in the future; therefore the "Probe Request" frames for this network won't be generated. You will need to select it explicitly from the list of available networks to establish a new connection to it.

[Screenshot: WiFi Windows settings]

NOTE: The "Manual" state is only set by Windows. It is not possible to configure it manually.
NOTE: If you are connected to a cloaked network and use the "Disconnect" button, it will be placed in the "Manual" state.
NOTE: You will never be able to connect to it again, because it won't appear in the list of available networks (cloaked) and you cannot change the state to "Automatic" (only "Manual" or "On Demand"). You can only remove it from the list and add it again.
NOTE: By default, networks added manually are configured in the "Automatic" state.

However, in any other case (you lose WiFi connectivity, you disable the wireless card directly, you connect to another network...) the network will be left, by default, in the "Automatic" state, so Windows will try to find it every time the wireless adapter is active, generating the probe frames.

From a security perspective, it is recommended to set all networks to "On Demand" (instead of "Automatic") so that the probe frames are not generated. This setting can be configured individually for each network: go to the "Preferred networks" list and select a specific network, click on the "Properties" button, select the "Connection" tab and uncheck the "Connect when this network is in range" checkbox.

At the enterprise level it is possible to automate the client wireless settings through Group Policy.

NOTE: The state (Automatic, Manual or On Demand) is also shown in the list of available networks, next to the network name.

To get wireless connectivity for an "On Demand" network, if the network is configured to announce itself (it uses a special type of frame called "Beacon") then you'll see it on the list of available networks and you just need to double click on it to establish the connection. If the network is configured not to announce itself, hiding its SSID (also known as a cloaked network), then it won't appear on the wireless networks list. If you know it is available, to establish the connection you need to go to the "Properties" window for this network and check the "Connect when this network is in range" checkbox on the "Connection" tab.

NOTE: Depending on the wireless card you could need to re-enable the WiFi card in order for the connection to succeed.

Unfortunately, even if you follow these recommendations and configure all WiFi networks as "On Demand", Windows still generates probe frames for the Broadcast network (using an empty SSID; zero length) and for "garbage" SSIDs (32 bytes in length), still disclosing the client MAC address and the supported speed rates, though not the SSID. The garbage frames would help an attacker to fingerprint all Windows XP wireless clients.

NOTE: The "garbage" SSIDs are portions of memory disclosed due to a bug in the WZC service. The "Probe Requests" are generated in the following order: the preferred networks in list order, then garbage, then Broadcast... (the pattern is not simple).
The garbage cycles are: Garbage SSID X, Z, Broadcast, Z, [CHANGE (new cycle)], Garbage SSID Y, W, Broadcast, W...

These two types of probes (Broadcast and garbage) are generated even when Windows is configured not to manage the wireless connections, which is controlled by the "Use Windows to configure my wireless network settings" option in the "Wireless Networks" tab. The garbage frames exist only in SP2 (WPA patch included), and even with the WPA2 hotfixes installed.

With that option disabled, Windows still generates the garbage SSID probe requests (plus broadcasts), although it cannot configure the wireless connection in this state. If the option is disabled but there are some networks in "Automatic" mode, it does NOT send probe requests for those SSIDs, only garbage and broadcast. When it is disabled, the "Wireless Zero Configuration" service is not stopped.

Therefore, the security guidelines suggested here are just additional defense-in-depth countermeasures that try to reduce information leakage and to gain more control over the client's wireless activities.

REFERENCES:

Ethereal filter to get the Probe Request packets:

wlan.fc.type_subtype == 4

To restrict the output to a single client, add its source MAC address to the filter:

wlan.fc.type_subtype == 4 && wlan.sa == 00:01:02:03:04:05
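The same selection the Ethereal filter above performs, applied programmatically to raw 802.11 frames, and extended with the classification this post describes: which probes carry a preferred network's SSID, which are Broadcast (zero-length SSID) and which look like the 32-byte "garbage" SSIDs, plus the supported-rate and vendor-relevant fields a probe discloses. This is an added example, not code from the original post; the sample frames, the source MAC 00:01:02:03:04:05 (taken from the filter above) and the "garbage" detection heuristic (32-byte SSID containing non-printable bytes) are constructed assumptions for the demonstration.

```python
"""Parse 802.11 Probe Request frames and classify what each one discloses."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROBE_REQUEST_SUBTYPE = 4            # wlan.fc.type_subtype == 4 in Ethereal/Wireshark
IE_SSID, IE_RATES, IE_EXT_RATES = 0, 1, 50   # tagged parameter element IDs
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_SA = "00:01:02:03:04:05"      # constructed client address (from the filter above)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ProbeRequest:
    source: str
    ssid: bytes
    rates_mbps: List[float] = field(default_factory=list)
    basic_rates_mbps: List[float] = field(default_factory=list)

    @property
    def kind(self) -> str:
        if not self.ssid:
            return "broadcast"
        # Heuristic (assumption): garbage SSIDs are 32 bytes of leaked memory. A legitimate
        # 32-byte SSID is possible, so also require at least one non-printable byte.
        if len(self.ssid) == 32 and any(b < 0x20 or b > 0x7E for b in self.ssid):
            return "garbage"
        return "preferred"

    @property
    def phy_guess(self) -> str:
        # Rough PHY fingerprint from the advertised rates, as the post describes.
        dsss = {1.0, 2.0, 5.5, 11.0}
        rates = set(self.rates_mbps)
        if not rates:
            return "unknown"
        if rates <= dsss:
            return "802.11b"
        if rates & dsss:
            return "802.11g"
        return "802.11a/g-OFDM"   # OFDM only: the band, not visible here, decides a vs g


def parse_frame(frame: bytes, only_sa: Optional[str] = None) -> Optional[ProbeRequest]:
    """Return a ProbeRequest for management/Probe Request frames, else None."""
    if len(frame) < 24:                      # 24-byte management MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != PROBE_REQUEST_SUBTYPE:
        return None
    sa = bytes_to_mac(frame[10:16])          # Address 2 = source address (wlan.sa)
    if only_sa is not None and sa != only_sa.lower():
        return None
    req = ProbeRequest(source=sa, ssid=b"")
    pos = 24
    while pos + 2 <= len(frame):             # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break                            # truncated element: stop, don't guess
        if eid == IE_SSID:
            req.ssid = data
        elif eid in (IE_RATES, IE_EXT_RATES):
            for r in data:                   # units of 500 kbps; MSB marks a basic rate
                mbps = (r & 0x7F) / 2
                req.rates_mbps.append(mbps)
                if r & 0x80:
                    req.basic_rates_mbps.append(mbps)
        pos += 2 + elen
    return req


def summarize(frames: List[bytes], only_sa: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """(kind, ssid shown as text or hex prefix, PHY guess) for every matching probe."""
    out = []
    for f in frames:
        req = parse_frame(f, only_sa)
        if req is None:
            continue
        shown = req.ssid.decode("ascii", "replace") if req.kind == "preferred" else req.ssid.hex()[:8]
        out.append((req.kind, shown, req.phy_guess))
    return out


def build_probe_request(sa: str, ssid: bytes, rates: bytes, ext_rates: bytes = b"") -> bytes:
    """Constructed frame builder used only to create the sample capture below."""
    header = (bytes([PROBE_REQUEST_SUBTYPE << 4, 0x00]) + b"\x00\x00"   # FC, duration
              + mac_to_bytes(BROADCAST) + mac_to_bytes(sa) + mac_to_bytes(BROADCAST) + b"\x00\x00")
    body = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_RATES, len(rates)]) + rates
    if ext_rates:
        body += bytes([IE_EXT_RATES, len(ext_rates)]) + ext_rates
    return header + body


B_RATES = bytes([0x82, 0x84, 0x8B, 0x96])                        # 1, 2, 5.5, 11 (all basic)
G_RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # adds 6, 9, 12, 18
G_EXT = bytes([0x30, 0x48, 0x60, 0x6C])                          # 24, 36, 48, 54
GARBAGE_X = bytes(range(0xE0, 0x100))                            # constructed 32-byte "memory"
GARBAGE_Z = bytes(range(0x00, 0x20))

# Constructed capture mirroring the cycle in the post: preferred networks, then garbage,
# broadcast, garbage; plus another client's probe that the SA filter should drop.
SAMPLE_CAPTURE = [
    build_probe_request(SAMPLE_SA, b"home-wlan", G_RATES, G_EXT),
    build_probe_request(SAMPLE_SA, b"office", G_RATES, G_EXT),
    build_probe_request(SAMPLE_SA, GARBAGE_X, G_RATES, G_EXT),
    build_probe_request(SAMPLE_SA, GARBAGE_Z, G_RATES, G_EXT),
    build_probe_request(SAMPLE_SA, b"", G_RATES, G_EXT),
    build_probe_request(SAMPLE_SA, GARBAGE_Z, G_RATES, G_EXT),
    build_probe_request("00:aa:bb:cc:dd:ee", b"hotspot", B_RATES),
]
SAMPLE_BEACON = bytes([0x80]) + SAMPLE_CAPTURE[0][1:]   # subtype 8: must be ignored

if __name__ == "__main__":
    for row in summarize(SAMPLE_CAPTURE + [SAMPLE_BEACON], only_sa=SAMPLE_SA):
        print(row)
```

Run against real traffic, the kind column is the check a defender wants after applying the "On Demand" advice: preferred-network SSIDs should stop appearing for the client, while broadcast and garbage probes persist exactly as the post describes.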