Hacking Wireless Acces Point
Jumat, 02 Januari 2009
There are many things that someone can do to outsmart the process authentication. Some of the ways discussed in this article only covers a small aspect of the design using the weaknesses of a wireless hotspot gateway. Given that the materials have been presented in front of the public, most likely the service provider and vendors of products that have been affected improve midst is.
As a notice, no vendor name that will be associated with a slit that I find. Please gather your own estimate. And tricks that can only be explained.1. Use the demo account.
Many service providers be careful to give the opportunity for prospective users to be able to access the Internet in the period Time is limited. At the authentication page is usually mentioned username and password for testing purposes.
Someone using an account trial / demo should do re-authentication after the end of the period. However, it can be done automatically by using the script Like this.
-------------------------------------------------- -------------------
#! / Bin / sh
While sleep 3;
Do
Curl - data
"username = demo & password = demo & submitForm = login"
"https: / / server: port / goform / HtmlLoginRequest";
Done
-------------------------------------------------- -------------------
2. Using tunneling.
Some of the implementation of the hotspot can be utilized with Tunneling method. Implementation of the implementation is do not block the port or protocol against Certain. 0x05
For example, a hotspot only to make the diversion all queries to the HTTP and HTTPS authentication for the login page Users who have not terautentikasi. You can use the socks-tunneling via SSH port because that is not used for SSH Terfilter. You can add the option 'DynamicForward' on SSH your user configuration (see the file ~ / .ssh / config).
-------------------------------------------------- ------------------
...
Host titanium
Hostname titanium.justanotherrandomdomain.com
Port 22
Users whfb
DynamicForward 22344
...
-------------------------------------------------- ------------------
If you are connecting to the SSH host titanium, the Automatic, will open port 22344. You can add the IP 127.0.0.1 and port 22344 on the network configuration in a web browser Your choice for SOCKS proxy.
However, the above is not always successful because gateway to the diversion of all TCP and UDP ports. To outsmart conditions, if you can take advantage of DNS tunneling.
Why DNS protocol? Because most service providers do not to block or to query DNS.
Please refer to the reference DNS Tunneling [3] [4] [5] [6] [7].
3. Utilizing rift on a web application portal Internet gateway.
I find the following tricks when I get a chance the opportunity to stay in one of the famous hotel and found the wireless hotspot service is available in the lobby.
At the authentication page, I provided several options for Make payments, among others:
A. login using the username and password from the pre-paid can Purchased in the lobby,
B. login using the username and password from the service and iPass Boingo
After observing the correct source-code of a web page that is used for authentication purposes, I see where the awkwardness have a choice billing_method_id is 2, and a choice of b Have any billing _method_id is 3. So my question is that time is what the options that have billing_method_id Is 1. With niatan try-try, I change the variable ago billing_method_id query with a value of 1, that I can Direct access to the Internet.
-------------------------------------------------- ------------------
http://host/defaultportal/check_form.cgi?&billing_method_id=1
-------------------------------------------------- ------------------
Later the day after I had borrowed the product used as an Internet gateway, I know that
billing_method_id with a value of 1 is a choice to make Billing on the room. Something that is not possible because I access it using the wireless from the lobby. I know that the only option
effective if the customer is not using the cable and wireless.
4. Changing the IP address
Found the implementation of some of the known wireless hotspot share allocation on the user's IP address is not yet autentication And users who already terautentikasi. After the user successfully through the process of authentication, the gateway will remember the MAC address
And give you a new IP address (on the new subnet) for User.
Using software such as packet sniffer or tcpdump ethereal (now wireshark), you can find out what IP address Just across the wireless network you. You can surmise, conjecture own IP address allocation of 'new' with the following netmask it.
For example, if you have not yet IP autentication with the address 10.0.0.14 netmask 255.255.255.0, and after your autentication, you get the IP address 10.0.1.18 Netmask 255.255.255.0.
If you do not want to make the process of authentication, you can simply mengkonfigur IP Address in the range of your network users who are autentication.
5. Piggyjacking
I piggyjacking defines as activities to obtain access to a wireless access to the session took session that is first to get access Internet autentication.
To do this, you need information:
- IP address and MAC address users who already terautentikasi
- IP address gateway
You can refer to the presentation Dean Pierce, Brandon Edwards & Anthony Lineberry given at DEFCON 13 [8] to use Software 'Pul'. If you want to do with the method manual, you can follow the procedure mentioned in the Point 4 above.
6. SQL Injection on the portal application gateway
Some hotspot that can diakali using the technique SQL injection. I think that does not need to explain more about this technique because it is often discussed. Not only for mem-by-pass access to the Internet, this technique can also be mem-by-pass Administrative authentication page.
7. Move the bill to another room.
If you are lucky to stay in hotels that provide services Internet Speed cables on hotel rooms. You may Can apply this trick. Tricks following can only be done on the cable network in the hotel (not related to wireless), but I study here because the product is used as a gateway With a wireless hotspot services.
You may be able to 'pester' switch with other people Internet billing your room or mengalihannya to empty rooms.
For example, you can modify the query such as the following HTTP This
-------------------------------------------------- ------------------
http://HOTSPOT_GATEWAY/mlcbb/mlc/welcome.asp?UI=012345 &
UURL = & http://BILLING_SERVER/userok.htm&MA=00AABBCCDDEE&RN=1234
Http://google.com/&SC=12345
-------------------------------------------------- ------------------
You can simply change the value 00AABBCCDDEE (MAC address) and 1234
(The room). Billing will be made in the room if the new room
Exist.
For safe, I suggest you search the room used for public purposes such as a lobby or ballroom. Read more...
Noted: In Neuss, Metro tests RFID labels for supermarkets of the future. 
Full TAK: A security research BSI give a description of risks RFID, but it does not offend the virus. 
