pau oliva – bypassing wifi pay-walls with android [rooted con 2014]
DESCRIPTION
TRANSCRIPT
![Page 1: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/1.jpg)
1 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Bypassing wifi pay-walls with Android
Pau Oliva Fora
@pof
![Page 2: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/2.jpg)
2 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Agenda
Typical wifi pay-wall solutions
Networking 101: understanding the weaknesses
Abusing the weaknesses with a shell script
Android port (for fun and no-profit)
Attack mitigation recommendations
![Page 3: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/3.jpg)
3 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
TYPICAL WIFI PAY-WALL SOLUTIONS
![Page 4: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/4.jpg)
4 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Unauthenticated users redirected to a captive
portal website, asking for credentials or payment
![Page 5: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/5.jpg)
5 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 6: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/6.jpg)
6 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 7: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/7.jpg)
7 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Gateway replies to all ARP requests with its own
MAC address (used for client isolation):
Who has 192.168.30.15?
192.168.30.15 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.32?
192.168.30.32 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.77?
192.168.30.77 is at 1e:a7:de:ad:be:ef
![Page 8: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/8.jpg)
8 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
![Page 9: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/9.jpg)
9 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
Sends a 301 to an HTTPs webserver
![Page 10: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/10.jpg)
10 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
Sends a 301 to an HTTPs webserver
![Page 11: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/11.jpg)
11 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 12: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/12.jpg)
12 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 13: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/13.jpg)
13 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Authenticate the user via RADIUS
![Page 14: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/14.jpg)
14 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 15: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/15.jpg)
15 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Authenticate the user via RADIUS
Once the user is authenticated, the gateway
(NAS) knows about it by a combination of:
IP Address
MAC Address
HTTPS Cookie
Authenticated sessions
Unauthenticated sessions
![Page 16: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/16.jpg)
16 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
![Page 17: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/17.jpg)
17 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
NETWORKING 101: UNDERSTANDING THE WEAKNESSES
![Page 18: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/18.jpg)
18 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding the weaknesses
MAC addresses can be spoofed
ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
ip link set dev wlan0 address 00:00:8b:ad:f0:0d
IP addresses can be spoofed
ifconfig wlan0 192.168.30.49
ip addr add 192.168.30.49 dev wlan0
![Page 19: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/19.jpg)
19 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding the weaknesses
MAC addresses can be spoofed
IP addresses can be spoofed
We only need to find an authenticated host
![Page 20: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/20.jpg)
20 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding the weaknesses
MAC addresses can be spoofed
IP addresses can be spoofed
We only need to find an authenticated host
Bonus: Sometimes APs or switches can reach the
internet! :)
![Page 21: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/21.jpg)
21 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
![Page 22: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/22.jpg)
22 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a shell script
Loop through all IP addresses
![Page 23: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/23.jpg)
23 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
![Page 24: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/24.jpg)
24 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
host IP/MAC
![Page 25: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/25.jpg)
25 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
host IP/MAC
Test for internet access (eg: ping 8.8.8.8)
![Page 26: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/26.jpg)
26 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a shell script
![Page 27: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/27.jpg)
27 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ANDROID PORT (FOR FUN AND NO-PROFIT)
![Page 28: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/28.jpg)
28 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
![Page 29: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/29.jpg)
29 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
![Page 30: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/30.jpg)
30 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
![Page 31: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/31.jpg)
31 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ATTACK MITIGATION RECOMMENDATIONS
![Page 32: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/32.jpg)
32 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport on Cisco gear)
![Page 33: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/33.jpg)
33 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport on Cisco gear)
Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different
switchport port- causes
![Page 34: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/34.jpg)
34 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport on Cisco gear)
Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack (*except one)
![Page 35: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/35.jpg)
35 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport on Cisco gear)
Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack (*except one)
![Page 36: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/36.jpg)
36 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport on Cisco gear)
Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack (*except one)
![Page 37: Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]](https://reader034.vdocuments.us/reader034/viewer/2022051609/547bd399b4795959098b4e6e/html5/thumbnails/37.jpg)
37 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Contact: @pof | <[email protected]> | github.com/poliva