00:00:01.001,00:00:06.206 So if you've been hanging around in track one all day like I have, um so far we 00:00:06.206,00:00:12.012 have learnt how to overthrow a government and cause mass anarchy, umm then we learnt how 00:00:12.012,00:00:17.251 to create survival tools after you've created the anarchy but just speaking more generally I 00:00:17.251,00:00:22.256 think we're gonna learn something here that is practical which is umm, bypassing captive 00:00:22.256,00:00:28.061 portals [audience applaud] which very clearly people have some interest in. So let's give Grant 00:00:28.061,00:00:33.066 a big round of applause and our laptop loaner. [audience applaud and indistinct dialogue] 00:00:40.274,00:00:43.944 Alright, uh hello everybody. I'm going to have to go pretty quickly because I've only got 00:00:43.944,00:00:50.250 about 15 mins here so um, first of all a bit about myself but not very much. I've been hacking 00:00:50.250,00:00:56.790 and coding for a long time and I like giving talks at Defcon and I'm a generalist in security; 00:00:56.790,00:01:02.696 I've done various programming, infrastructure etc. Um, I also have Perimeter Grid which is my 00:01:02.696,00:01:08.201 security blog and personal consultant. Uh, a few disclaimers. Um, this is my own 00:01:08.201,00:01:13.507 research, I have an employer, this talk has nothing to do with him. Uh, also this talk was 00:01:13.507,00:01:17.311 submitted to Defcon 101. They put me in the big room because they thought a lot of people 00:01:17.311,00:01:21.048 would be interested and looking at this room, it seems they were right. Uh but nevertheless 00:01:21.048,00:01:24.418 unless you're a professional ping tester you're going to be bored. This is not dropping 00:01:24.418,00:01:28.956 great new attacks, this is showing how to you can use some existing tools. And finally, in 00:01:28.956,00:01:32.960 the United States, doing any of this stuff on a network you are not authorised access is super 00:01:32.960,00:01:38.832 illegal. Uh, so captive portals. Uh captive portals are a very primitive type of network access 00:01:38.832,00:01:42.903 protection and they consist of an open network either Ethernet, [indistinct] docsis or open 00:01:42.903,00:01:48.141 wifi, usually open wifi and on initial join you can only go to one website, the captive portal 00:01:48.141,00:01:51.878 and it doesn't let you in to anything else and then that limited website can authorise 00:01:51.878,00:01:56.950 access to more. So you've seen these everywhere, uh every store, office, restaurant, wifi, 00:01:56.950,00:02:01.788 hotel and airline internet, uh guest networks at corporations and even some telecom networks 00:02:01.788,00:02:06.727 like subscriptions hotspots. Uh, these are not real network access protection, they're not 00:02:06.727,00:02:12.699 using 802.1x, they're not using real cryptography, um they are attempting to put a small 00:02:12.699,00:02:17.971 barrier in front of you that they hope you don't know the way around and as a result they 00:02:17.971,00:02:22.542 don't have a real security boundary and they're pretty easy to circumvent. They rely on 00:02:22.542,00:02:25.812 obedient network clients, network clients that are going to uh, that are going to behave 00:02:25.812,00:02:31.685 the way network clients normally do. Um they uh usu- they're either an authenticated proxy or 00:02:31.685,00:02:35.722 mac filtering on the gateway, usually mac filtering on the gateway, governed with IP tape 00:02:35.722,00:02:41.128 rules, tables rules. There's very little variety in these, they may look all different um 00:02:41.128,00:02:44.164 but there is a piece of open source software called Chillispot that's built into 00:02:44.164,00:02:50.037 open WRT it's available in most Linux package managers; um it requires you to have a web 00:02:50.037,00:02:55.042 server and a RADIUS server, if you want to authenticate users. Uh it's fairly easy to set up 00:02:55.042,00:03:00.747 and uh basically everything's just Chillispot – Worldspot.net, Hotspot Systems, Sputnik, Hot 00:03:00.747,00:03:05.819 Spot Express, Wifi Soft, SkyRove, ...uh they're all just Chillispot. Uh if they not 00:03:05.819,00:03:10.123 Chillispot, they are for all intents and purposes a Chillispot clone, to the point 00:03:10.123,00:03:15.362 that I can't tell the difference just looking at the software from the outside. Um in addition 00:03:15.362,00:03:20.467 even if it isn't Chillispot, it basically still is. It's still a website writing IPtables rules. 00:03:20.467,00:03:24.638 So if you want to be able to get around this you actually need to do some advanced preparation, 00:03:24.638,00:03:30.043 you need to have an end point that you can tunnel your traffic to and so tunnelling is just 00:03:30.043,00:03:33.980 moving one protocol via another, uh usually you'd use an encrypted protocol but you 00:03:33.980,00:03:38.418 wouldn't have. You can, you can use a completely clear text tunnel um but you'd need some 00:03:38.418,00:03:43.323 server to act as the other end of your tunnel. And that means you needs a port, a protocol 00:03:43.323,00:03:48.929 that the captive portal isn't blocking. So sometimes HTTPS and SSH are unblocked on specific 00:03:48.929,00:03:53.834 the ports; uh in addition DNS is basically always unblocked because of DNS recursion. You 00:03:53.834,00:03:59.539 can reach the local DNS and it would then proxy your DNS queries out to the internet. So 00:03:59.539,00:04:04.211 we need to set up a server, any internet accessible server, any cheap VPS that lets you control 00:04:04.211,00:04:08.715 all ports, we'll use, uh will work. So you can't use a like uh uh shared web host account cos 00:04:08.715,00:04:13.620 you usually get 80 and 443. Uh you can even use your home pc if you wanna open these ports to 00:04:13.620,00:04:18.325 the internet on it which I don't think is a great idea because you can get a cheap or free AWS 00:04:18.325,00:04:24.064 or Azure node from and just let Amazon or Microsoft provide you your end point. Um so some end 00:04:24.064,00:04:30.103 points you wanna set up HTTPS proxy, SSH and Iodine which we'll talk a little more about 00:04:30.103,00:04:36.343 and also be sure you open the ports you set up on your server cyber wall. So any decent VPS 00:04:36.343,00:04:42.182 will come with SSH enabled so uh go ahead and add port 3128 to that as well as any other ports 00:04:42.182,00:04:46.753 you might think is useful to connect to. Uh depending on the specific captive portals you are 00:04:46.753,00:04:51.224 after the ports available may be different. Uh while you're at it, disable insecure logons on 00:04:51.224,00:04:56.096 SSH just because you should do that anyway and ensure you have a public key available so you're 00:04:56.096,00:05:01.802 not doing password log in. Um so Google app engine, Google uses a front door service. All Google 00:05:01.802,00:05:06.940 services are behind the same IP, so if the captive portal allows access to Google it also allows 00:05:06.940,00:05:11.311 access to Google app engine which means you can run your proxy behind Google's front door 00:05:11.311,00:05:17.117 and the same um uh the same access the captive portal is using to download ads will also 00:05:17.117,00:05:21.054 let you get to your tunnel. So you just get your app engine account, install Python and the 00:05:21.054,00:05:26.660 app engine SDK and uh you can find code online uh like the peace offer called Mirrorrr, 00:05:26.660,00:05:32.132 with 3 R's, that is an app engine compatible Python proxy, uh just go ahead and put that in 00:05:32.132,00:05:37.137 there and you can now browse to your app-id.appspot.com and get to your own proxy. Uh then 00:05:40.140,00:05:44.911 there's this peace offer called Iodine. Iodine is IP over DNS and there are several IP over 00:05:44.911,00:05:48.682 DNS packages. I like Iodine because it is actually still supported and it works on 00:05:48.682,00:05:54.754 Windows which is not the case for most of them. Um, so on your VPS you install Iodine and you 00:05:54.754,00:06:00.227 then you run it as route with uh password you make up and a subdomain that is going to be 00:06:00.227,00:06:06.466 used to forward DNS queries to you. On your DNS server uh you need to create a custom record 00:06:06.466,00:06:10.770 for the sub domain and look for the name server. It's like mine is t.perimetergrid.com so I 00:06:10.770,00:06:16.509 created a DNS record for NS, the name server t.perimetergrid.com and then I create a name server 00:06:16.509,00:06:22.515 record uh pointing back there so now DNS queries on the Internet to t.perimetrgrid.com will go to 00:06:22.515,00:06:27.220 my Iodine install. And if you don't have an DNS server, Namecheap free DNS is free, 00:06:27.220,00:06:32.592 Amazon Route 53 isn't free but is also configurable so you can use those. Uh finally you may 00:06:32.592,00:06:38.632 wanna set up a HTTPS proxy, it's kinda low value, most captive portals are too smart for, to 00:06:38.632,00:06:44.004 fall for this but um if you have a network that allows web traffic and not other traffic, 00:06:44.004,00:06:49.876 this can be useful as a way to tunnel other protocols. So then you need to prepare your client, 00:06:49.876,00:06:53.647 the laptop you're gonna actually use when you're wanting to do a bypass so on a hustle network 00:06:53.647,00:06:56.516 you're not going to have Internet so that means you're going to have to set all this up 00:06:56.516,00:07:01.621 before you're on a restricted network. Uh ideally you're gonna use Linux or Kali, um but 00:07:01.621,00:07:05.892 Windows will actually work fine for most of these, the only thing it won't is potentially 00:07:05.892,00:07:09.996 MAC changing. Uh most Windows drivers don't support changing the MAC address of your card uh 00:07:09.996,00:07:13.800 but there are some USB network cards with great support for windows like the Alpha networks 00:07:13.800,00:07:18.071 card with Realtek and Atheros chip sets which by the way you can get down in the Defcon 00:07:18.071,00:07:23.743 vendor room, I, I, uh bought a lot of them there. Um and you can always run Linux or Kali in 00:07:23.743,00:07:28.748 HyperV or VirtualBox and make use of your uh, of it that way. Um preinstalled tools, you need 00:07:31.151,00:07:34.954 an SSH client. Linux has it built in. If you're on Windows, I like moba x term, you can use 00:07:34.954,00:07:40.660 putty or whatever you want, uh a copy of Iodine, uh Wireshark on Windows or Aircrack-NG if you're 00:07:40.660,00:07:46.299 on Linux, nmap and an HTTP [indistinct] proxy would be nice. Uh none of the bypasses I 00:07:46.299,00:07:51.237 go through in this talk use that but uh sometimes you can actually take advantage of thee 00:07:51.237,00:07:58.178 the captive portal itself, they have bugs in them. Uh so then we get to uh ok uh what do we do 00:07:58.178,00:08:03.116 when we want to uh actually exploit this. So you're on a network with a captive portal. 00:08:03.116,00:08:07.921 First thing you wanna do is, use ipconfig or ifconfig on Linux, see your current IP and find out 00:08:07.921,00:08:12.859 what the gateway is, so once you know what the gateway is, uh go ahead and use a MAC to see 00:08:12.859,00:08:17.197 what's on your local subnet, see what's on the gateway. Um, you're looking on the gateway 00:08:17.197,00:08:22.001 for uh proxies uh TCP to 3128 which is the default port for Squid is always 00:08:22.001,00:08:26.940 promising um but there are uh, it could be on any port really, they can tap into whatever they 00:08:26.940,00:08:32.979 want. Also look to see if there is DNS um there almost certainly is, uh and any other unknown 00:08:32.979,00:08:37.751 ports that you might wanna try sending traffic to in case they're a proxy. So try 00:08:37.751,00:08:42.322 connecting to possible proxy ports, try connecting to your server through them uh over port 00:08:42.322,00:08:45.859 numbers open on the gateway. Now admittedly that should never work just cos the ports open on 00:08:45.859,00:08:48.595 the gateway doesn't mean it should be open to anything else, uh but sometimes it does work. 00:08:48.595,00:08:50.597 Uh it was well known for a while that this worked on GoGo Inflight, um they have fixed 00:08:50.597,00:08:52.599 that but, um that, that was a vulnerability in a well-known hotspot service. So then try 00:08:52.599,00:08:54.601 setting your proxy to your app engine end point, um, if the captive portal is app supported 00:08:54.601,00:08:56.603 this would probably work. If it's not app supported though umm, then uh this doesn't always 00:08:56.603,00:08:58.605 work. So then try DNS lookups. Umm, this is the most reliable method and if a DNS lookup 00:08:58.605,00:09:01.541 works, then try looking up your Iodine domain um so if you have a route to a working proxy 00:09:01.541,00:09:06.546 whether an app engine or your server or the gateways, you're done. Configure your browser and 00:09:13.319,00:09:20.193 you're out. Otherwise you can sshd your server through any of those ports, do that and then do 00:09:20.193,00:09:25.198 an ssh -d which creates a local SOCKS proxy on your computer that routes through that tunnel 00:09:37.043,00:09:42.148 and configure your browser to go through there. Uh if you can look up your Iodine DNS then 00:09:42.148,00:09:45.952 just run Iodine with the appropriate password and subdomain and now you got a 00:09:45.952,00:09:51.691 tunnel out and through that tunnel you SSH and do the proxy so you're using your own tunnel 00:09:51.691,00:09:56.663 to get out. And I'll demo this one, uh and then finally you need to fix your routing to 00:09:56.663,00:10:00.934 point through the new tunnel. Um, if you're using ssh -d, that's actually the easiest way 00:10:00.934,00:10:05.939 to do it, just point to the SOCKS proxy and do it that way. Alternately though you can 00:10:05.939,00:10:10.243 actually edit the route table on your proxy to make your new default route go through the 00:10:10.243,00:10:16.316 tunnel and at that point, everything works through it. Um... alright if nothing else 00:10:16.316,00:10:21.654 fails or nothing else works rather, um Chillispot is just configuring MAC filters so our 00:10:21.654,00:10:27.627 last ditch way through is using Airodump NG to uh watch the traffic and look for a MAC 00:10:27.627,00:10:32.332 address that is in use for a while and then stops being used. That's probably someone who 00:10:32.332,00:10:37.637 accessed the captive portal and then shut their laptop off. So you just clone your MAC address 00:10:37.637,00:10:42.308 to that MAC address and jump on the network and you're already allowed through the IP filters. 00:10:42.308,00:10:46.613 Um, you wanna look for a network someone stopped using because if you and someone else are both 00:10:46.613,00:10:50.917 using the same MAC address, everytime one of you transmits, you'll deauth the other and so 00:10:50.917,00:10:55.889 your network kinda activity will be absolutely horrible. Um, it can work but it's going to be 00:10:55.889,00:11:02.228 really slow. Um on Windows you can use Wireshark instead of Airodump NG, um, and you can 00:11:02.228,00:11:06.199 look in device manager and try to change mac addresses. As I mentioned earlier, most Windows 00:11:06.199,00:11:12.672 adapters don't support that. Um so I'm gonna give quick demos of these and hopefully have at 00:11:12.672,00:11:18.511 least a couple of minutes for questions. So, hopefully this will play... it will. Ok, so I 00:11:18.511,00:11:24.584 get on my Wifi at my super expensive hotel and I want to go and google for food but the 00:11:24.584,00:11:29.455 super expensive hotel has state-of-the-art, blistering fast 256 kilobit 802.11B for 00:11:29.455,00:11:35.061 only $29.95 per 24 hour period limit 2 devices, just give them my mobile phone, date of birth, 00:11:35.061,00:11:39.499 my mother's maiden name, credit card number, social security number and uh uh I don't think I 00:11:39.499,00:11:45.572 wanna do that so uh I'm gonna go over to my command prompt and do an ifconfig and I see I'm on a 00:11:45.572,00:11:51.077 on a 10. network and check the routing cable and the gateway is 10.0.0.1, just like I'd expect 00:11:51.077,00:11:57.850 so I'm going to nmap 10.0.0.1 and see what's on the gateway. Uh they've got 22 23 53 80 52 80 00:11:57.850,00:12:02.789 so I would try SSH-ing or uh just or HTTPS-ing to my local server or my app engine through 00:12:05.558,00:12:10.396 those various ports first. That's the easiest way. Umm, for the sake of the demo we are 00:12:10.396,00:12:16.202 going to say those failed, uh the the proxy is not configured that badly. Um so since we can't 00:12:16.202,00:12:21.207 get through it that way our next option is running Iodine; so we do IP over DNS so I run Iodine, 00:12:23.309,00:12:29.616 I use the password I specified earlier and I specify a DNS packet-size just because it 00:12:29.616,00:12:36.222 makes it run faster and I get my domain t.perimetergrid.com now it will attempt to uh connect. 00:12:36.222,00:12:39.993 Normally we wouldn't use that dash m, just used it to make the demo run faster. It will auto 00:12:39.993,00:12:46.966 guess the size but it takes it a couple of minutes to do it so that speeds it along. And I do 00:12:46.966,00:12:51.571 an ifconfig and I now have this new interface DNS zero which is, it's pointing to 172.16.02 so I 00:12:51.571,00:12:53.573 ping 172.16.01. That is actually my server being accessed through the tunnel cos remember I'm on a 00:12:53.573,00:12:55.642 10. network; I shouldn't be able to get to 172.16 so I'm going to an SSH dash D uh set up for port 00:12:55.642,00:13:00.380 5000 and I'm going to login to my own server using the tunnel address 172.16.01. And now I'm 00:13:00.380,00:13:04.317 on my server. I'm going over, completely over DNS so since I've got that SOCKS proxy set 00:13:04.317,00:13:09.422 up, the next thing I want to do is reconfigure my local web browser and I'm going to tell it 00:13:09.422,00:13:14.427 manually proxy config, give it SOCKS v4 proxy 127.0.0.1 port 5000 and now when I go back here 00:13:42.689,00:13:47.694 and I back out of this captive portal, and I look for food, I have found food!! So... 00:13:57.270,00:14:02.208 [audience applauds] Thank you. Now if that hadn't worked we do have one other option and that 00:14:05.578,00:14:10.283 is MAC spoofing. I'm running this one on a Kali VM, uh, because my Windows driver will 00:14:10.283,00:14:15.288 not let me get away with these tricks. So uh I got, I got this one using a USB wireless adapter 00:14:17.323,00:14:20.727 on Kali so wlan1, I'm going to grab the uh MAC address of the access point, this is the 00:14:20.727,00:14:23.362 hotspot network that I'm connected to and I'm going to Airomon-NG and turn on monitor 00:14:23.362,00:14:28.968 mode on my uh wifi card. Monitor mode's now on so I will run Airodump-NG and I will pass it 00:14:28.968,00:14:33.973 in, wlan one on and it will pass in the MAC address of the hotspot. That just makes it not 00:14:37.777,00:14:42.782 show me any other networks in the area and only show me the network I want. And I look, ah 00:14:46.719,00:14:50.890 look their client just connected 985FD3 etcetera. Um, normally I would wait and see other clients 00:14:50.890,00:14:56.796 connect, see if one of them drops off in this case, once again for speed I'm going to 00:14:56.796,00:15:02.435 just break out of there and uh on Linux it's really easy to change your MAC address; it's 00:15:02.435,00:15:07.440 quite trivial, you just down the interface and then run MAC change or dash m and uh specify 00:15:10.943,00:15:15.948 the new MAC address and then we're gonna up the interface again and now we give it a good 00:15:23.790,00:15:28.594 30 seconds, because this seems to confuse most of the uh most of the Linux networking GUI 00:15:28.594,00:15:33.599 tools. [quietly to self] Um, try connecting again. Ok now it thinks it's connected so we're 00:15:39.405,00:15:44.410 gonna go back here and we're out. So... [audience applauds] Alright I'm at one minute left 00:15:54.353,00:15:58.357 so I can take like a question but otherwise I'm going to be in the hallway on the right to 00:15:58.357,00:16:03.296 answer any other questions people have. So... got, anyone? [pause] OK. Thank you. [audience 00:16:12.972,00:16:13.940 applauds]