Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]
Rooted CON 2014, 6-7-8 March
Bypassing wifi pay-walls with Android
Pau Oliva Fora
<pof@eslack.org>
@pof
Agenda
Typical wifi pay-wall solutions
Networking 101: understanding the weaknesses
Abusing the weaknesses with a shell script
Android port (for fun and no-profit)
Attack mitigation recommendations
TYPICAL WIFI PAY-WALL SOLUTIONS
Typical wifi pay-wall solutions
Unauthenticated users redirected to a captive portal website, asking for credentials or payment
Gateway replies to all ARP requests with its own MAC address (used for client isolation):
Who has 192.168.30.15?
192.168.30.15 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.32?
192.168.30.32 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.77?
192.168.30.77 is at 1e:a7:de:ad:be:ef
iptables -
HTTP traffic
Sends a 301 to an HTTPS web server
Authenticate the user via RADIUS
Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
IP Address
MAC Address
HTTPS Cookie
[Figure: authenticated sessions vs. unauthenticated sessions]
NETWORKING 101: UNDERSTANDING THE WEAKNESSES
Networking 101: understanding the weaknesses
MAC addresses can be spoofed
ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
ip link set dev wlan0 address 00:00:8b:ad:f0:0d
IP addresses can be spoofed
ifconfig wlan0 192.168.30.49
ip addr add 192.168.30.49 dev wlan0
We only need to find an authenticated host
Bonus: Sometimes APs or switches can reach the internet! :)
ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
Abusing the weaknesses with a shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the host IP/MAC
Test for internet access (eg: ping 8.8.8.8)
ANDROID PORT (FOR FUN AND NO-PROFIT)
Android port (for fun and no-profit)
ATTACK MITIGATION RECOMMENDATIONS
Attack mitigation recommendations
1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISP in Spain are vulnerable to this attack (*except one)
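
The "extra protection" idea above (not accepting one MAC address in more than one place) can also be run as detection over gateway or controller logs. This is an added example, not code from the talk: it assumes the truncated recommendation refers to different ports or access points, and the event format, port names, 60-second window and flap threshold are assumptions. The sample events are constructed.

```python
from collections import defaultdict

WINDOW = 60  # seconds; assumed threshold, tune to real roaming behaviour

# Constructed sample events: (epoch_seconds, source MAC, ingress port or AP).
EVENTS = [
    (1000, "00:00:8b:ad:f0:0d", "ap1"),
    (1010, "aa:bb:cc:00:00:01", "ap2"),
    (1020, "00:00:8b:ad:f0:0d", "ap3"),  # same MAC on another AP 20 s later
    (1030, "00:00:8b:ad:f0:0d", "ap1"),  # and back again: two live stations
    (1100, "aa:bb:cc:00:00:01", "ap2"),
    (1500, "aa:bb:cc:00:00:02", "ap1"),
    (1900, "aa:bb:cc:00:00:02", "ap2"),  # single move after 400 s: roaming
]


def find_cloned_macs(events, window=WINDOW, min_flaps=2):
    """Return {mac: sorted ports} for MACs that change ingress port at
    least `min_flaps` times within `window` seconds.

    A single port change is normal roaming. A MAC that bounces between
    ports inside a short window means two stations are transmitting
    with the same address at the same time.
    """
    last_port = {}
    flaps = defaultdict(list)  # mac -> [(time, from_port, to_port)]
    suspects = {}
    for ts, mac, port in sorted(events):
        mac = mac.lower()
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue
        flaps[mac].append((ts, prev, port))
        # Keep only the port changes that fall inside the window.
        flaps[mac] = [f for f in flaps[mac] if ts - f[0] <= window]
        if len(flaps[mac]) >= min_flaps:
            ports = {p for _, a, b in flaps[mac] for p in (a, b)}
            suspects[mac] = sorted(ports)
    return suspects


if __name__ == "__main__":
    for mac, ports in find_cloned_macs(EVENTS).items():
        print(f"possible cloned MAC {mac} active on {', '.join(ports)}")
```
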
Contact: @pof | <pof@eslack.org> | github.com/poliva