In one of my assessments I came across a wireless access point for the guests visiting the organization. The wireless network to be used by guests/visitors was identified as below:

GuestNet

This network was found to be using Open authentication with portal login enabled for the security and privacy of the staff. This mode has been proven to be vulnerable and can be bypassed very easily these days. After some research, I used one of the easier ways: DNS tunneling style attacks to bypass the portal authentication.

Please find below the steps I carried out to bypass the restrictions and get access using GuestNet:
Step I: I connected to the Open Wi-Fi for the guests. In cases where such networks are hidden and are not broadcasting their beacon frames, there would be an additional step of un-hiding them. However, more on that later.
Step II: Once connected, I automatically obtained an IP address associated with the network.
Step III: I went ahead and checked whether the internet was accessible using a browser. This is when it showed the portal to log in and did not allow connecting to the internet. Following this, I started the command prompt and checked by connecting/pinging to a fresh website which I had not connected to lately.

Figure 1: DNS resolution occurring for test domains over the internet
Since the DNS resolution was happening, it meant that DNS requests were allowed. In other words, the restriction applied only to accessing the internet through the browser, over HTTP/HTTPS. This was a direct indication that all requests tunneled via the allowed set of ports (which were all ports but HTTP/HTTPS) would be allowed.

Typically, DNS and some other ports are allowed by organizations, and well-known ports such as HTTP/HTTPS are the only ones restricted.
Step IV: The above loophole can be exploited by a number of software tools freely available on the internet. One such tool that I have used for demonstration is called 'Your Freedom'. I configured the tool with suitable settings for the target environment. For example, if there are specific ports allowed/disallowed according to your initial analysis, you need to list them in the tool, allow only a certain browser, and so on.

Figure 2: Searching for servers to connect to for tunneling

Start the tool and connect to any website/service over the internet without logging into the network.

Figure 3: Tunneling over the FTP port; access to the site without login

Figure 4: Tunneling over DNS

Figure 5: Connection to Gmail
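From the defender's side, the observation in Step III (DNS answered, HTTP blocked) and the generalization that organizations usually leave DNS open mean that a guest network's resolver logs are the place to look for this kind of tunneling. The following is an added example, not code from the original post or from the 'Your Freedom' tool: a small Python detector run over constructed DNS query log lines. The log format, the client addresses and domains, and the thresholds (minimum query count, label length, entropy, unique-subdomain ratio, TXT/NULL share) are all assumptions chosen for illustration, and the base-domain split (last two labels) is a simplification of what a real tool would do with the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <qname> <qtype>". Illustrative only, not captured
# from any real network. Client 10.10.5.23 browses normally; client
# 10.10.5.40 issues many long, high-entropy, one-off TXT lookups under one
# domain, which is what an encoded data channel over DNS tends to look like.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.10.5.23 www.example.com A
2024-01-01T10:00:02 10.10.5.23 mail.example.org A
2024-01-01T10:00:04 10.10.5.23 cdn.example.com AAAA
2024-01-01T10:00:03 10.10.5.40 a9f3k2l0s8d7f6g5h4j3k2l1m0n9b8v7.tun.example.net TXT
2024-01-01T10:00:03 10.10.5.40 q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3.tun.example.net TXT
2024-01-01T10:00:04 10.10.5.40 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6.tun.example.net TXT
2024-01-01T10:00:04 10.10.5.40 p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7.tun.example.net TXT
2024-01-01T10:00:05 10.10.5.40 m1n2b3v4c5x6z7l8k9j0h1g2f3d4s5a6.tun.example.net TXT
2024-01-01T10:00:05 10.10.5.40 l9k8j7h6g5f4d3s2a1q2w3e4r5t6y7u8.tun.example.net TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the assumed four-column log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper()})
    return records


def base_domain(qname):
    """Simplified registered-domain split: keep the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_tunnelling(records, min_queries=5, max_label_len=30,
                      entropy_threshold=3.5, unique_ratio=0.8, txt_share=0.5):
    """Group queries per (client, base domain) and flag groups showing at
    least two tunneling indicators. Returns {(client, domain): [reasons]}."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], base_domain(r["qname"]))].append(r)

    findings = {}
    for (client, domain), recs in groups.items():
        if len(recs) < min_queries:
            continue  # too little traffic to judge
        # Subdomain portion carries the encoded payload in a DNS tunnel.
        subs = [r["qname"][:-(len(domain) + 1)] if r["qname"] != domain else ""
                for r in recs]
        reasons = []
        longest = max((len(l) for s in subs for l in s.split(".")), default=0)
        if longest > max_label_len:
            reasons.append("long labels (max %d chars)" % longest)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_ent > entropy_threshold:
            reasons.append("high entropy (avg %.2f bits)" % avg_ent)
        if len(set(subs)) / len(subs) >= unique_ratio:
            reasons.append("almost every subdomain unique (cache-busting)")
        bulky = sum(1 for r in recs if r["qtype"] in ("TXT", "NULL")) / len(recs)
        if bulky > txt_share:
            reasons.append("%.0f%% TXT/NULL queries" % (bulky * 100))
        if len(reasons) >= 2:
            findings[(client, domain)] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in detect_tunnelling(parse_log(SAMPLE_LOG)).items():
        print("%s -> %s: %s" % (client, domain, "; ".join(reasons)))
```

Against the sample, only the (10.10.5.40, example.net) pair is reported; the normal browsing client never reaches the minimum query count, which is the point of grouping by client and domain rather than scoring single queries. In a real deployment the same checks would be run against the guest VLAN's resolver logs, and the heuristics complement, rather than replace, the simpler mitigation of forcing unauthenticated guests to a local resolver that only answers for the portal itself.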