Most hotels around the world offer paid wireless internet services. There are various different ways that these operate on a technical level, however in general terms;
- Your device connects to the paid network
- The network router puts your ‘MAC address’ into the unpaid pool
- Any traffic from your device is blocked aside from DNS traffic which is hijacked by the router and resolves any query to the router’s IP, and web traffic which is also hijacked by the router and redirected to a page presenting a signup and payment page
- The router will only allow traffic to the internal payment system and perhaps allowed IPs such as the hotel web site servers.
- Once payment is made, the payment system notifies the router and your MAC address is added into the paid list
- Enjoy surfing the net
A basic wifi hotspot will contain a wireless access point allowing wireless devices to connect, and a router that performs, you guessed it, routing, hotspot authentication and so on acting as the ‘gatekeeper’. This router will then be connected to the internet. More complex systems may include more access points to span multiple floors or locations, more routers, separate authentication servers and so on, although the basic principle is the same, and the network layout is largely irrelevant to our attack scenario in any case.
To the non technical readers, there are a few terms we are interested in –
MAC Addresses & IP Addresses: A MAC address is a hardware address assigned to your network device – the ethernet (network) card has one, the wireless card has one, the wireless device in a mobile phone has one. It’s not the same as an IP address. A MAC address is (or should be) unique to your device but most importantly, unique to the current network segment. In this case, the network segment that we are on extends through the wireless network and up to the top connection on the internet router. The secondary connection between the router and the internet provider is a second segment. Routers break up segments and MAC addresses do not pass through the router. To simplify, in this case, every device connected to the wireless network will have a different MAC. IP addresses are ‘routed’ i.e. passed across the internet and translated, MAC addresses are not. This point is important to know in understanding one of the attacks. Of course as with every rule there are exceptions and for more advanced reading, ‘proxy ARP’ is one such exception however this scenario has specifically been kept basic to illustrate a successful attack.
DHCP: When you connected to the wireless network, your device sent out a ‘DHCP request’. Basically – “I’m new to this network, please let me have the details”. The DHCP server then responds providing a private IP address, router, DNS server and so on. As all of your traffic is passed through the network router, the network router can mangle it and modify it in any way that it wishes.
DNS: DNS is the service that turns addresses such as ‘www.adampalmer.me/iodigitalsec’ into an IP address such as 18.104.22.168 which are what the IP networks on the internet run on. Other protocols also exist that we don’t need to be concerned with here. DNS actually does a lot more than just turning names into IP addresses but that’s all that’s relevant here. As an unpaid user, when you fire up your browser and visit www.adampalmer.me/iodigitalsec your browser will contact the DNS server (router in this case) and ask for the IP address. The router will respond with it’s own address, perhaps 192.168.0.1 rather than the real address. This means that your browser will then attempt to connect to the web server on 192.168.0.1 – the paid hotspot signup page. Attempting to enter 22.214.171.124 in to your browser directly will bypass the DNS query, but the router will nevertheless hijack the request and redirect it to the payment page – if it didn’t that would be a simple method for bypassing the payment system.
The first attack is relatively simple although when auditing wireless networks I see it less and less frequently now. On some setups, DNS queries are allowed out to the internet without having paid. This means that my request to www.adampalmer.me/iodigitalsec is able to be translated to 126.96.36.199 by directly contacting a DNS server on the internet, and any subsequent request to 188.8.131.52 is hijacked by the router and redirected back to a payment page. DNS queries are made by accessing port 53 UDP. TCP is also used for something called zone transfers and also for large queries but this is also not of any concern here. What this means is that we have found a route out to the internet, even if it’s only one port that’s allowed. Assume we set up a VPN service such as OpenVPN on a remote server that we control and configure it to run on UDP port 53. We can then configure the VPN client on our PC to connect to the VPN server on that port and we’ll be able to bypass the paid hotspot system and establish a connection to our remote VPN server. The way that VPNs work is outside of the scope of this article however this essentially means that we can now tunnel our traffic through the VPN over the one allowed port and continue browsing and using the internet as normal, restricted only by any limitations that may exist on our remote server which, so long as it is any regular dedicated or virtual private server will result in us having regular and unrestricted internet access. Here is a good article that explains VPN tunneling in more detail: http://compnetworking.about.com/od/vpn/a/vpn_tunneling.htm. Port 53 UDP for DNS is the most common port that will be unrestricted however this technique applies equally to any single port that’s allowed out to the internet before payment. This also applies to other TCP/UDP ports or IP protocols although they are far more likely to be filtered by default. It’s even possible to tunnel data over ICMP if that is the only protocol allowed out.
The second type of attack is more insidious and involves surfing based on someone elses payment and authenticated login. This is also the attack that relies on an understanding of MAC addresses and network segmentation. Let’s assume that the wireless network name is ‘hotelwifi’. In the most simple case, the only additional hardware that an attacker needs beyond an inbuilt wireless card capable of connecting to the wireless network is an additional wifi card capable of either ‘master’ or ‘monitor’ mode with injection support. More and more cards and drivers support this mode and the card that I personally use for wireless network auditing is the ALFA Networks adapter containing the rtl8187 chipset. If the internal wifi card supports multiple SSIDs and modes simultaneously, then this attack will work without any additional hardware although this is rare and performance will be degraded. In any case, on to the attack..
If an attacker were to set up the secondary wireless card as an access point, either through master mode or through monitor mode and using airbase-ng from the aircrack-ng suite, he will be able to name his own network also as ‘hotelwifi’. It should be noted that this will need to be configured to exclude his own laptop’s internal network card from connecting to it when it connects to ‘hotelwifi’ as this will create a simple loop that will not function. When the attacker connects his internal network card to ‘hotelwifi’ he must connect to the real network, whilst at the same time running his own separate access point broadcasting out the ‘hotelwifi’ SSID. Unsuspecting guests connecting to ‘hotelwifi’ will simply connect to the nearest access point, and should they be located sufficiently close to the attacker, their devices will prefer the attacker’s fake ‘hotelwifi’ network as opposed to the real one. This then results in the following setup:
All the attacker is then required to do is to run his own network services such as DHCP, DNS and NAT/Routing. Recall now MAC addresses and network segmentation. As we discussed, the first segment is the legitimate wireless network up to the router, and the second segment is between the router and the ISP. We have now created a third segment encompassing our new malicious access point and the guest PCs that have inadvertently connected to that network. Remembering that routers break up domains, whilst the legitimate paid internet router is routing and filtering between the wireless hotspot network and the ISP, our malicious PC is now routing between two wireless networks.
Now we come back to the concept that the legitimate router uses MAC addresses to distinguish between paid and unpaid PCs, and the fact that MAC addresses do not get passed across simple routers.
The legitimate internet router in the diagram to the left is only aware of 3 clients – the 2 guest PCs and the attacker’s malicious PC. It is entirely unaware that the malicious PC is providing internet service for other PCs behind it. The malicious PC will be using NAT to provide service to an unlimited number of connected guest PCs, whilst the legitimate router will only be aware of the malicious PC’s internal wireless card’s MAC address, not the guest PCs behind it, and this is because MAC addresses are not passed over the router (malicious PC).
When one of the guest PCs connects to the malicious PC’s network and attempts to access the internet, the malicious PC will be passing traffic through, and the guest PC will be prompted with the payment page. As soon as the guest PC makes payment from behind the malicious PC, it will be the malicious PC’s internal wireless card’s MAC connected to the legitimate network that is authenticated on the network as a paid user. The unsuspecting guest will never know as his device will also now have internet access through the malicious PC as will other unfortunate guest PCs that subsequently connect to the malicious network. Worse still, the malicious user can now intercept and modify the guest’s data passing through it as well as setting up fake payment or authentication pages to capture personal payment information.
This attack is reasonably trivial to execute and does not require any particularly advanced knowledge beyond the basic networking mechanics and the ability to set up a Linux based DNS, DHCP and NAT router. The best way to stay protected as a user is to be very careful what wireless networks you connect to, and assume that any traffic transmitted over an unsecured public network is being captured. This also applies to any secured wireless network, i.e. WEP and WPA1/2 where unknown users have the key.