Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

1,602 views
1,484 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,602
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
43
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

  1. 1. 1 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Bypassing wifi pay-walls with Android Pau Oliva Fora <pof@eslack.org> @pof
  2. 2. 2 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Agenda Typical wifi pay-wall solutions Networking 101: understanding the weaknesses Abusing the weaknesses with a shell script Android port (for fun and no-profit) Attack mitigation recommendations
  3. 3. 3 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March TYPICAL WIFI PAY-WALL SOLUTIONS
  4. 4. 4 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Unauthenticated users redirected to a captive portal website, asking for credentials or payment
  5. 5. 5 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  6. 6. 6 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  7. 7. 7 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Gateway replies to all ARP requests with its own MAC address (used for client isolation): Who has 192.168.30.15? 192.168.30.15 is at 1e:a7:de:ad:be:ef Who has 192.168.30.32? 192.168.30.32 is at 1e:a7:de:ad:be:ef Who has 192.168.30.77? 192.168.30.77 is at 1e:a7:de:ad:be:ef
  8. 8. 8 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic
  9. 9. 9 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic Sends a 301 to an HTTPs webserver
  10. 10. 10 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic Sends a 301 to an HTTPs webserver
  11. 11. 11 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  12. 12. 12 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  13. 13. 13 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Authenticate the user via RADIUS
  14. 14. 14 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  15. 15. 15 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Authenticate the user via RADIUS Once the user is authenticated, the gateway (NAS) knows about it by a combination of: IP Address MAC Address HTTPS Cookie Authenticated sessions Unauthenticated sessions
  16. 16. 16 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  17. 17. 17 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March NETWORKING 101: UNDERSTANDING THE WEAKNESSES
  18. 18. 18 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d ip link set dev wlan0 address 00:00:8b:ad:f0:0d IP addresses can be spoofed ifconfig wlan0 192.168.30.49 ip addr add 192.168.30.49 dev wlan0
  19. 19. 19 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed IP addresses can be spoofed We only need to find an authenticated host
  20. 20. 20 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed IP addresses can be spoofed We only need to find an authenticated host Bonus: Sometimes APs or switches can reach the internet! :)
  21. 21. 21 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
  22. 22. 22 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses
  23. 23. 23 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the
  24. 24. 24 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the host IP/MAC
  25. 25. 25 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the host IP/MAC Test for internet access (eg: ping 8.8.8.8)
  26. 26. 26 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script
  27. 27. 27 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ANDROID PORT (FOR FUN AND NO-PROFIT)
  28. 28. 28 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  29. 29. 29 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  30. 30. 30 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  31. 31. 31 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ATTACK MITIGATION RECOMMENDATIONS
  32. 32. 32 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear)
  33. 33. 33 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
  34. 34. 34 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  35. 35. 35 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  36. 36. 36 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  37. 37. 37 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Contact: @pof | <pof@eslack.org> | github.com/poliva

×