
Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]


  1. Rooted CON 2014 6-7-8 Marzo // 6-7-8 March. Bypassing wifi pay-walls with Android. Pau Oliva Fora <pof@eslack.org> @pof
  2. Agenda:
     • Typical wifi pay-wall solutions
     • Networking 101: understanding the weaknesses
     • Abusing the weaknesses with a shell script
     • Android port (for fun and no-profit)
     • Attack mitigation recommendations
  3. TYPICAL WIFI PAY-WALL SOLUTIONS
  4. Typical wifi pay-wall solutions: Unauthenticated users redirected to a captive portal website, asking for credentials or payment
  7. Typical wifi pay-wall solutions: Gateway replies to all ARP requests with its own MAC address (used for client isolation):
     Who has 192.168.30.15? 192.168.30.15 is at 1e:a7:de:ad:be:ef
     Who has 192.168.30.32? 192.168.30.32 is at 1e:a7:de:ad:be:ef
     Who has 192.168.30.77? 192.168.30.77 is at 1e:a7:de:ad:be:ef
  9. Typical wifi pay-wall solutions: iptables - HTTP traffic. Sends a 301 to an HTTPS webserver
  15. Typical wifi pay-wall solutions: Authenticate the user via RADIUS. Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
     • IP Address
     • MAC Address
     • HTTPS Cookie
     Authenticated sessions; Unauthenticated sessions
  17. NETWORKING 101: UNDERSTANDING THE WEAKNESSES
  18. Networking 101: understanding the weaknesses:
     • MAC addresses can be spoofed
       ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
       ip link set dev wlan0 address 00:00:8b:ad:f0:0d
     • IP addresses can be spoofed
       ifconfig wlan0 192.168.30.49
       ip addr add 192.168.30.49 dev wlan0
  20. Networking 101: understanding the weaknesses:
     • MAC addresses can be spoofed
     • IP addresses can be spoofed
     • We only need to find an authenticated host
     • Bonus: Sometimes APs or switches can reach the internet! :)
  21. ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
  25. Abusing the weaknesses with a shell script:
     • Loop through all IP addresses
     • Get the MAC address for each IP
     • If MAC == Gateway MAC: use arping and discard the host IP/MAC
     • Test for internet access (eg: ping 8.8.8.8)
  27. ANDROID PORT (FOR FUN AND NO-PROFIT)
  31. ATTACK MITIGATION RECOMMENDATIONS
  34. Attack mitigation recommendations:
     1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
     2. Use switchport on Cisco gear)
     Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
     All major WISP in Spain are vulnerable to this attack (*except one)
  37. Contact: @pof | <pof@eslack.org> | github.com/poliva
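
The "same MAC address on different switchport" check from the mitigation slides, sketched from the defender's side as an added example that is not part of the talk or the author's code. The event format (timestamp, MAC, port label), the sample data and the 30-second window are assumptions; a single port change is treated as normal roaming, while a MAC that changes port twice within the window is flagged as active in two places.

```python
from collections import defaultdict

# Constructed sample events (not from the talk): (seconds, source MAC, port).
# "port" is a hypothetical label for a switch port or AP radio.
SAMPLE_EVENTS = [
    (0, "00:00:8b:ad:f0:0d", "ap1"),
    (2, "aa:bb:cc:00:00:01", "ap2"),
    (5, "00:00:8B:AD:F0:0D", "ap3"),  # same MAC on another port
    (6, "00:00:8b:ad:f0:0d", "ap1"),  # and back again: two stations, one MAC
    (9, "aa:bb:cc:00:00:01", "ap2"),
    (40, "aa:bb:cc:00:00:02", "ap1"),
    (70, "aa:bb:cc:00:00:02", "ap2"),  # single move, never returns: a roam
]


def find_cloned_macs(events, window=30):
    """Return {mac: sorted ports} for MACs that change port twice within
    `window` seconds, i.e. the address is active in two places at once."""
    last_port = {}      # mac -> port of the most recent frame
    last_change = {}    # mac -> timestamp of the most recent port change
    ports_seen = defaultdict(set)
    flagged = {}
    for ts, mac, port in sorted(events, key=lambda e: e[0]):
        mac = mac.lower()  # MAC notation is case-insensitive
        ports_seen[mac].add(port)
        previous = last_port.get(mac)
        last_port[mac] = port
        if previous is None or previous == port:
            continue
        # One port change is normal roaming; a second change shortly after
        # means frames from the same MAC are interleaved across ports.
        if mac in last_change and ts - last_change[mac] <= window:
            flagged[mac] = sorted(ports_seen[mac])
        last_change[mac] = ts
    return flagged


if __name__ == "__main__":
    for mac, ports in find_cloned_macs(SAMPLE_EVENTS).items():
        print(f"possible cloned MAC {mac} seen on ports {', '.join(ports)}")
```

Tune the window to the deployment: too short misses slow interleaving, too long flags clients that roam back and forth at a cell edge.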
