Saturday 14 March 2015

Wi-Fi Authentication Portal Bypass


In one of my assessments I came across a wireless access point for the guests visiting the organization. 
The wireless network to be used by the Guests/visitors was identified as below:

GuestNet

This network was found to be using Open authentication with portal login enabled for security and privacy of the staff. This mode has been proved to be  vulnerable and can be bypassed very easily these days.
After some research, I used one of the easier ways - using the DNS Tunneling style attacks to bypass the portal authentication. Please find the steps I carried out to bypass restrictions to get access using GuestNet below:

Step I: I connected to the Open Wi-Fi for the guests. 

In cases where such networks are hidden and are not broadcasting their beacon frames, there would be an additional step of un-hiding the same. However more on that later.
Step II: Once connected, I automatically obtained an IP address associated with the network.

Step III: I went ahead and checked if internet was accessible using a browser. This is when it showed the portal to login and did not allow connecting to internet. Following this, I started the command prompt and checked by connecting/pinging to a fresh website which I had not connected to lately. 
Figure 1 DNS resolution occurring for test domains over internet

Since the DNS resolution was happening, it meant that DNS requests are allowed. Alternately, the restriction was only for accessing the internet through the browser or over HTTP/HTTPS.
This was a direct indication that all requests tunneled via the allowed set of ports(which were all ports but http/https) would be allowed.
Typically, DNS and some other ports are allowed by organizations and very known ports such as http/https are the only ones restricted.

Step IV: The above loop hole can be exploited by a number of software freely available in the internet. One such tool that I have used for demonstration is called – ‘Your Freedom’. I  configured the tool to have suitable settings for the target environment. For example if there are specific ports allowed/disallowed by your initial analysis, you need to list the same in the tool, allow a certain browser only, and so on..
Figure 2 searching for servers to connect tunneling

Start the tool and connect to any website/service over the internet without logging into the network.
 
Figure 3 Tunneling Over FTP Port; Access To Site Without Login
Figure 4 Tunneling Over DNS
 
Figure 5 Connection to GMAIL

No comments:

Post a Comment