SlideShare a Scribd company logo
1 of 37
Download to read offline
1
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Bypassing wifi pay-walls with
Android
Pau Oliva Fora
<pof@eslack.org>
@pof
2
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Agenda
Typical wifi pay-wall solutions
Networking 101: understanding the weaknesses
Abusing the weaknesses with a shell script
Android port (for fun and no-profit)
Attack mitigation recommendations
3
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
TYPICAL WIFI PAY-WALL
SOLUTIONS
4
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Unauthenticated users redirected to a captive
portal website, asking for credentials or payment
5
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
6
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
7
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Gateway replies to all ARP requests with its own
MAC address (used for client isolation):
Who has 192.168.30.15?
192.168.30.15 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.32?
192.168.30.32 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.77?
192.168.30.77 is at 1e:a7:de:ad:be:ef
8
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
9
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
Sends a 301 to an HTTPs webserver
10
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
iptables -
HTTP traffic
Sends a 301 to an HTTPs webserver
11
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
12
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
13
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Authenticate the user via RADIUS
14
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
15
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
Authenticate the user via RADIUS
Once the user is authenticated, the gateway
(NAS) knows about it by a combination of:
IP Address
MAC Address
HTTPS Cookie
Authenticated
sessions
Unauthenticated
sessions
16
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Typical wifi pay-wall solutions
17
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
NETWORKING 101:
UNDERSTANDING THE
WEAKNESSES
18
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding
the weaknesses
MAC addresses can be spoofed
ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
ip link set dev wlan0 address 00:00:8b:ad:f0:0d
IP addresses can be spoofed
ifconfig wlan0 192.168.30.49
ip addr add 192.168.30.49 dev wlan0
19
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding
the weaknesses
MAC addresses can be spoofed
IP addresses can be spoofed
We only need to find an authenticated host
20
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Networking 101: understanding
the weaknesses
MAC addresses can be spoofed
IP addresses can be spoofed
We only need to find an authenticated host
Bonus: Sometimes APs or switches can reach the
internet! :)
21
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ABUSING THE WEAKNESSES
WITH A SHELL SCRIPT
22
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a
shell script
Loop through all IP addresses
23
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a
shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
24
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a
shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
host IP/MAC
25
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a
shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
host IP/MAC
Test for internet access (eg: ping 8.8.8.8)
26
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Abusing the weaknesses with a
shell script
27
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ANDROID PORT (FOR FUN
AND NO-PROFIT)
28
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
29
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
30
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Android port (for fun and no-profit)
31
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
ATTACK MITIGATION
RECOMMENDATIONS
32
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on
Cisco gear)
2. Use switchport
on Cisco gear)
33
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on
Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
34
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on
Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack
(*except one)
35
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on
Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack
(*except one)
36
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on
Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack
(*except one)
37
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Contact: @pof | <pof@eslack.org> | github.com/poliva

More Related Content

Viewers also liked

Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]RootedCON
 
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...RootedCON
 
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...RootedCON
 
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...RootedCON
 
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...RootedCON
 
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...RootedCON
 
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...RootedCON
 
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...RootedCON
 
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...RootedCON
 
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]RootedCON
 
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]RootedCON
 
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]RootedCON
 
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]RootedCON
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]RootedCON
 
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]RootedCON
 
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...RootedCON
 
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...RootedCON
 
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]RootedCON
 
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...RootedCON
 
Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]RootedCON
 

Viewers also liked (20)

Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
 
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
 
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
 
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
 
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
 
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
 
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
 
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
 
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
 
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
 
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
 
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
 
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
 
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
 
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
 
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
 
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
 
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
 
Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]
 

Similar to Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!testpurposes
 
June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on Videoguy
 
Designing of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route AllocationDesigning of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route AllocationPongsakorn U-chupala
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesterscamsec
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6Shixiong Shang
 
Chapter 6 : Network layer
Chapter 6 : Network layerChapter 6 : Network layer
Chapter 6 : Network layerteknetir
 
Chapter 06 - Network Layer
Chapter 06 - Network LayerChapter 06 - Network Layer
Chapter 06 - Network LayerYaser Rahmati
 
CCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network LayerCCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network LayerVuz Dở Hơi
 
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Igalia
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsDigicomp Academy AG
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6Rishu Mehra
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6technext1
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013Zivaro Inc
 
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6ELI KENDEL אלי קנדל
 

Similar to Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014] (20)

RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!
 
June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
Designing of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route AllocationDesigning of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route Allocation
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6
 
Chapter 6 : Network layer
Chapter 6 : Network layerChapter 6 : Network layer
Chapter 6 : Network layer
 
Chapter 06 - Network Layer
Chapter 06 - Network LayerChapter 06 - Network Layer
Chapter 06 - Network Layer
 
CCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network LayerCCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network Layer
 
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
 
3hows
3hows3hows
3hows
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
Icnd210 s07l02
Icnd210 s07l02Icnd210 s07l02
Icnd210 s07l02
 
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerAnchore
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 

Recently uploaded (20)

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey Hightower
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 

Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

  • 1. 1 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Bypassing wifi pay-walls with Android Pau Oliva Fora <pof@eslack.org> @pof
  • 2. 2 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Agenda Typical wifi pay-wall solutions Networking 101: understanding the weaknesses Abusing the weaknesses with a shell script Android port (for fun and no-profit) Attack mitigation recommendations
  • 3. 3 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March TYPICAL WIFI PAY-WALL SOLUTIONS
  • 4. 4 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Unauthenticated users redirected to a captive portal website, asking for credentials or payment
  • 5. 5 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 6. 6 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 7. 7 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Gateway replies to all ARP requests with its own MAC address (used for client isolation): Who has 192.168.30.15? 192.168.30.15 is at 1e:a7:de:ad:be:ef Who has 192.168.30.32? 192.168.30.32 is at 1e:a7:de:ad:be:ef Who has 192.168.30.77? 192.168.30.77 is at 1e:a7:de:ad:be:ef
  • 8. 8 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic
  • 9. 9 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic Sends a 301 to an HTTPs webserver
  • 10. 10 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions iptables - HTTP traffic Sends a 301 to an HTTPs webserver
  • 11. 11 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 12. 12 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 13. 13 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Authenticate the user via RADIUS
  • 14. 14 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 15. 15 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions Authenticate the user via RADIUS Once the user is authenticated, the gateway (NAS) knows about it by a combination of: IP Address MAC Address HTTPS Cookie Authenticated sessions Unauthenticated sessions
  • 16. 16 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Typical wifi pay-wall solutions
  • 17. 17 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March NETWORKING 101: UNDERSTANDING THE WEAKNESSES
  • 18. 18 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d ip link set dev wlan0 address 00:00:8b:ad:f0:0d IP addresses can be spoofed ifconfig wlan0 192.168.30.49 ip addr add 192.168.30.49 dev wlan0
  • 19. 19 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed IP addresses can be spoofed We only need to find an authenticated host
  • 20. 20 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Networking 101: understanding the weaknesses MAC addresses can be spoofed IP addresses can be spoofed We only need to find an authenticated host Bonus: Sometimes APs or switches can reach the internet! :)
  • 21. 21 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
  • 22. 22 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses
  • 23. 23 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the
  • 24. 24 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the host IP/MAC
  • 25. 25 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script Loop through all IP addresses Get the MAC address for each IP If MAC == Gateway MAC: use arping and discard the host IP/MAC Test for internet access (eg: ping 8.8.8.8)
  • 26. 26 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Abusing the weaknesses with a shell script
  • 27. 27 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ANDROID PORT (FOR FUN AND NO-PROFIT)
  • 28. 28 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  • 29. 29 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  • 30. 30 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Android port (for fun and no-profit)
  • 31. 31 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March ATTACK MITIGATION RECOMMENDATIONS
  • 32. 32 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear)
  • 33. 33 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
  • 34. 34 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  • 35. 35 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  • 36. 36 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Attack mitigation recommendations 1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear) 2. Use switchport on Cisco gear) Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes All major WISP in Spain are vulnerable to this attack (*except one)
  • 37. 37 Rooted CON 2014 6-7-8 Marzo // 6-7-8 March Contact: @pof | <pof@eslack.org> | github.com/poliva