pau oliva – bypassing wifi pay-walls with android [rooted con 2014]
1 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Bypassing wifi pay-walls with Android
Pau Oliva Fora
@pof
Agenda
Typical wifi pay-wall solutions
Networking 101: understanding the weaknesses
Abusing the weaknesses with a shell script
Android port (for fun and no-profit)
Attack mitigation recommendations
TYPICAL WIFI PAY-WALL SOLUTIONS
Unauthenticated users are redirected to a captive portal website, asking for credentials or payment.
Gateway replies to all ARP requests with its own MAC address (used for client isolation):
Who has 192.168.30.15?
192.168.30.15 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.32?
192.168.30.32 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.77?
192.168.30.77 is at 1e:a7:de:ad:be:ef
iptables intercepts HTTP traffic and sends a 301 to an HTTPS webserver.
Authenticate the user via RADIUS
Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
IP Address
MAC Address
HTTPS Cookie
(Diagram: authenticated sessions vs. unauthenticated sessions)
NETWORKING 101: UNDERSTANDING THE WEAKNESSES
MAC addresses can be spoofed:
ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
ip link set dev wlan0 address 00:00:8b:ad:f0:0d
IP addresses can be spoofed:
ifconfig wlan0 192.168.30.49
ip addr add 192.168.30.49 dev wlan0
We only need to find an authenticated host
Bonus: sometimes APs or switches can reach the internet! :)
ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the host IP/MAC
Test for internet access (eg: ping 8.8.8.8)
ANDROID PORT (FOR FUN AND NO-PROFIT)
ATTACK MITIGATION RECOMMENDATIONS
1. Use proper layer 2 user isolation (e.g. PSPF on Cisco gear)
2. Use switchport (on Cisco gear)
Extra protection (sniff wlan traffic): do not allow traffic from the same MAC address on different switchport port- causes
All major WISPs in Spain are vulnerable to this attack (*except one)
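The "extra protection" rule above, as an added example that is not part of the talk or its code: a small Python detector over constructed association records that flags a MAC address transmitting on two switchports/APs at the same time, and tells that apart from an ordinary roam. The log format and its field names (ap, port, mac, ip) are assumptions, not any vendor's format.

```python
# Added example, not from the talk: detect the same MAC address sending traffic
# on different switchports/APs, the condition the mitigation slide says to block.
# Input is CONSTRUCTED syslog-style association data; field names are assumptions.
from collections import defaultdict
import re

LOG_LINE = re.compile(
    r"^(?P<ts>\d+) ap=(?P<ap>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>[\d.]+)$"
)

# Constructed: a legitimate client on ap-lobby; the same MAC/IP then shows up on
# ap-cafe while the lobby client keeps talking (interleaved traffic on two ports).
SPOOF_LOG = """\
1000 ap=ap-lobby port=Gi1/0/3 mac=a4:5e:60:11:22:33 ip=192.168.30.49
1030 ap=ap-lobby port=Gi1/0/3 mac=a4:5e:60:11:22:33 ip=192.168.30.49
1040 ap=ap-cafe port=Gi1/0/7 mac=a4:5e:60:11:22:33 ip=192.168.30.49
1050 ap=ap-cafe port=Gi1/0/7 mac=00:00:8b:ad:f0:0d ip=192.168.30.77
1060 ap=ap-lobby port=Gi1/0/3 mac=a4:5e:60:11:22:33 ip=192.168.30.49
"""

def parse(text):
    """Parse matching lines into dicts with an integer timestamp, time-ordered."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            events.append(d)
    return sorted(events, key=lambda e: e["ts"])

def find_mac_port_conflicts(events, window=120):
    """Map each suspicious MAC to the set of ports it alternated between.
    A roam looks like port A, then port B, and A goes quiet. A cloned MAC
    produces A, B, A again within `window` seconds, because the real client
    never stopped transmitting on its own port."""
    history = defaultdict(list)  # mac -> [(ts, port)] in time order
    conflicts = {}
    for e in events:
        hist = history[e["mac"]]
        recent_other = [(ts, p) for ts, p in hist
                        if e["ts"] - ts <= window and p != e["port"]]
        if recent_other:
            other_ts, other_port = recent_other[-1]
            # Current port was also used BEFORE the other port: interleaving
            if any(p == e["port"] and ts < other_ts for ts, p in hist):
                conflicts.setdefault(e["mac"], set()).update({e["port"], other_port})
        hist.append((e["ts"], e["port"]))
    return conflicts
```

The same check can be fed from RADIUS accounting or switch MAC-table logs once the parser is adapted; an IP-to-MAC binding seen from two ports at once is the signal to act on, not a single port change.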
Contact: @pof | <[email protected]> | github.com/poliva