Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]
Transcript

  • 1. 1 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Bypassing wifi pay-walls with Android Pau Oliva Fora <pof@eslack.org> @pof
  • 2. Agenda
      • Typical wifi pay-wall solutions
      • Networking 101: understanding the weaknesses
      • Abusing the weaknesses with a shell script
      • Android port (for fun and no-profit)
      • Attack mitigation recommendations
  • 3. TYPICAL WIFI PAY-WALL SOLUTIONS
  • 4. Typical wifi pay-wall solutions: Unauthenticated users redirected to a captive portal website, asking for credentials or payment
  • 5. Typical wifi pay-wall solutions
  • 6. Typical wifi pay-wall solutions
  • 7. Typical wifi pay-wall solutions: Gateway replies to all ARP requests with its own MAC address (used for client isolation):
      Who has 192.168.30.15? 192.168.30.15 is at 1e:a7:de:ad:be:ef
      Who has 192.168.30.32? 192.168.30.32 is at 1e:a7:de:ad:be:ef
      Who has 192.168.30.77? 192.168.30.77 is at 1e:a7:de:ad:be:ef
  • 8. Typical wifi pay-wall solutions: iptables - HTTP traffic
  • 9. Typical wifi pay-wall solutions: iptables - HTTP traffic. Sends a 301 to an HTTPS webserver
  • 11. Typical wifi pay-wall solutions
  • 12. Typical wifi pay-wall solutions
  • 13. Typical wifi pay-wall solutions: Authenticate the user via RADIUS
  • 14. Typical wifi pay-wall solutions
  • 15. Typical wifi pay-wall solutions: Authenticate the user via RADIUS. Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
      • IP Address
      • MAC Address
      • HTTPS Cookie
      Authenticated sessions / Unauthenticated sessions
  • 16. Typical wifi pay-wall solutions
  • 17. NETWORKING 101: UNDERSTANDING THE WEAKNESSES
  • 18. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
          ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
          ip link set dev wlan0 address 00:00:8b:ad:f0:0d
      • IP addresses can be spoofed
          ifconfig wlan0 192.168.30.49
          ip addr add 192.168.30.49 dev wlan0
  • 19. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
      • IP addresses can be spoofed
      • We only need to find an authenticated host
  • 20. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
      • IP addresses can be spoofed
      • We only need to find an authenticated host
      • Bonus: Sometimes APs or switches can reach the internet! :)
  • 21. ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
  • 22. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
  • 23. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the
  • 24. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the host IP/MAC
  • 25. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the host IP/MAC
      • Test for internet access (eg: ping 8.8.8.8)
  • 26. Abusing the weaknesses with a shell script
  • 27. ANDROID PORT (FOR FUN AND NO-PROFIT)
  • 28. Android port (for fun and no-profit)
  • 29. Android port (for fun and no-profit)
  • 30. Android port (for fun and no-profit)
  • 31. ATTACK MITIGATION RECOMMENDATIONS
  • 32. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
  • 33. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
  • 34. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
      All major WISPs in Spain are vulnerable to this attack (*except one)
  • 37. Contact: @pof | <pof@eslack.org> | github.com/poliva
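
The extra protection on the mitigation slides (no traffic from the same MAC address on different switchports) can also be monitored from logs. The detector below is an added example, not code from the talk or its author: it flags a MAC address that flips back and forth between ports within a short window, while a single move (ordinary roaming) is ignored. The log format, port names, addresses and the 120-second window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed format: ISO time, event, MAC, port.
SAMPLE_LOG = """\
2014-03-07T10:00:00 assoc 00:11:22:33:44:55 ap1/wlan0
2014-03-07T10:02:00 assoc 66:77:88:99:aa:bb ap1/wlan0
2014-03-07T10:05:00 traffic 00:11:22:33:44:55 ap1/wlan0
2014-03-07T10:05:20 traffic 00:11:22:33:44:55 ap3/wlan0
2014-03-07T10:05:40 traffic 00:11:22:33:44:55 ap1/wlan0
2014-03-07T10:30:00 traffic 66:77:88:99:aa:bb ap1/wlan0
2014-03-07T11:30:00 traffic 66:77:88:99:aa:bb ap2/wlan0
"""

WINDOW = timedelta(seconds=120)  # assumed threshold, tune per site


def parse(line):
    """Split one record into (timestamp, normalised MAC, port)."""
    ts, _event, mac, port = line.split()
    return datetime.fromisoformat(ts), mac.lower(), port


def find_duplicate_macs(log_text, window=WINDOW, min_flaps=2):
    """Return {mac: [ports]} for MACs that change port at least
    min_flaps times within `window`. Input must be time-ordered."""
    last_port = {}              # mac -> port it was last seen on
    flaps = defaultdict(list)   # mac -> [(time, old_port, new_port)]
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, port = parse(line)
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            flaps[mac].append((ts, prev, port))
            # Keep only port changes that are still inside the window.
            flaps[mac] = [f for f in flaps[mac] if ts - f[0] <= window]
            if len(flaps[mac]) >= min_flaps:
                ports = sorted({p for f in flaps[mac] for p in f[1:]})
                alerts.setdefault(mac, ports)
        last_port[mac] = port
    return alerts


if __name__ == "__main__":
    for mac, ports in find_duplicate_macs(SAMPLE_LOG).items():
        print(f"duplicate MAC {mac} active on {', '.join(ports)}")
```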