Sniffing Captive Portal Login Information In Monitor Mode
Sniffing Captive Portal Login Information In Monitor Mode
Now, in this lecture and the next few lectures, I'd like to spend some time talking about captive
portals and how to bypass them, captive portals are becoming very popular these days, and they're they're being used everywhere. You can see them in colleges, offices, companies, airports, hotels and so on. Usually the way a captive portal works is that it's an open network.
So you can see it and you can connect to it without any encryption. And once you connect, you'll automatically see a login page that you have to log in so you can access
the Internet. So in hotels, sometimes it asks you for the room number.
Sometimes you have to pay to get a certain password. Sometimes you have to login with Facebook and so on. So let me just show you an example of a captive portal real quick right here.
I have one set up here in the office.
So if I go here, I just called it airport hotspot, just for an example, but it's actually not an
airport network.
So I'm going to connect to it right now.
And you'll see automatically I see a login page that will ask me to enter a password to access the Internet.
Now, if you're connecting through a phone, you'll see this as well.
If you're connecting through OSX or Linux, you'll see you'll still see this.
And you can see here on the top at the bar, it's telling me that I need to log in to access the Internet.
So if I try to go to anything, if I try to go to a for example.
You'll see I'll still be redirected to the hotspot Log-in.
As you can see, the log in is done through a website, through a Web interface and even on phones, on Mac OS X, you'll see a pop up window shows up.
But this popup window is just a Web browser without a navigation bar.
So the data is being sent through a Web interface through HTTP or https.
So looking at that, because the network is open, we can think of so many ways to steal the password or gain access to this network and bypass the login.
Now, a very simple method would be to try and change your Mac address to one of a connected client.
So all they have to do in this case is just open a road map and you look for connected clients in the second section of the program and then change your Mac address to the Mac address of a connected client using Mac changer.
Now, this process is identical to the process that you follow to bypass whitelist filtering, and I
covered that in a previous lecture.
Therefore, I'm not going to cover the first method in here because it's literally going to be exactly
the same method as the one I covered in the whitelist filtering.
Well, I'm going to show you, though.
I'm going to show you the three other methods that I think are very, very useful.
The first method is going to be sniffing logins in monitor mode.
Now, because, by definition, captive Porto's have to be open networks because, like I said, they're usually used in offices and hotels and so on, they're usually open.
And then once you log in, they ask you for a username and password.
So this means that we don't even need to connect and we'll be able to capture the data and read it in plain text unless the data is being sent over https.
So we can just start monitor mode, sniffing the data, using dump, and you save it in a file and then read the file and look for a username and password in Wireshark once someone logs in.
Now you can force someone to log in by running the authentication attack and wait for them to get disconnected.
Then when they connect again, they usually get asked to enter the password again.
So let's see how to do that.
I'm going to go to Cali and first of all, I already have my wireless adapter connected.
So if I do if config.
You can see my wireless adapter now, I'm going to enable monitor mode on it real quick.
We've covered this.
We've covered how to do that in a number of ways.
So that's why I'm just going to do it really quickly.
So I'm going to do if config line zero down.
Then I'm going to do it config zero mode monitor.
And then I'm going to do if config lines up to bring the card up.
Sorry, I forgot to put up.
And now it's in monitor mode, so if we do it config, we can see that the card is in waita mode, so
that's perfect. Now, the next step, I'm going to just run Aradigm Punji against all the networks around me. So I'm just going to do Erro Dump Engie Lazerow.
OK, now we have our target, we can see it right here, second airport, hot hotspot, we can see that it's an open network, it's on Channel 12 and we can see it's Mac address.
So, as usual, we want to run against this specific network again, who we've done this a lot before. So I'm going to do it a bit quickly.
I'm going to copy the Mac address. And I'm going to run errands, punji.
I'm going to give you the best idea. And the channel, which is 12, and then I'm going to write everything. To our final and let's call that final airport, because the network is called Airport Hotspot. And finally, we'll give the name of our wireless card in monitor mode, which is land zero. So very simple command that we run multiple times.
The first thing we do is we do a roadmap. And you were given the best idea, which is the Mac address of the Target network. We're given the channel that the Target network is working on and we can see it working on Channel 12, we're saying.
Right, because we want to store all the captured data in a file and we're calling that file airport.
And finally, we have to give the name of the wireless interface and monitor mode.
And in my case, it's line zero. I'm going to hit enter.
And as you can see now, energy is working and we can see that we have a connected client already. Now, like I said, if the client is connected and is using the Internet, you can just do the authentication attack and get it disconnected for a while.
I'm not going to do that because I don't want to make the lecture too long.
We've already covered that. So we're just going to assume that we did the authenticate our target and now our target is going to go ahead and try to connect again.
So I have my Windows machine here. I'm going to close this. And I'm actually going to disconnect from the network. And then I'm going to connect to it again.
Now, as you can see, we automatically get the login page again, we're assuming that the user, this specific user, already have a password, whether they are they're staying in this hotel or this airport or whether they actually bought a membership to access the Internet to access this Wi-Fi network. We don't care.
Now the user is going to enter their password and we're going to assume that it's one, two, three, four, five, six.
This is actually a valid password. We're going to log in.
And will be redirected to Google, so this user got their Internet access and they're happy they can go and do whatever they want.
Now, let's go to the candy machine and see if we capture the password.
I'm going to control see out of this. And then I'm going to run Wireshark so we can just do Wireshark in here. I'm going to go to file. Open.
And open the file that we just captured, so we called the file airport and we're looking for the cap
Extension. So as you can see, we have a file here called Airport zero one dot cap.
I'm going to open it, like I said before, erodable.
And you automatically appends minus zero one to the name that you pick when you create the file.
And right here we have all the packets that we captured that were sent to the target network, to the airport network.
Now, what we're interested in is the TTP traffic, because as we see in the username and password, they are being sent over HTTP.
So in the theater here, I'm just going to type in HTTP.
Hit Enter and Wireshark right here is only showed me deep pockets now log in forums and such forums are usually sent over posts, so we want to look for a post request here instead of get.
So I'm going to scroll down until I find a post request.
So you can see we have one here, I'm going to go down and look for the HTML form URL encoded and we can see that in here, we actually don't have anything interesting.
So I'm just going to keep going looking for more post requests.
I have another one here. And this one looks interesting because we can see that there is an operation called Log In, and here we can see that the username is set to nothing and we can see the password reset to one, two, three, four, five, six.
So that's it, we have the password now, we can just go to the network manager here in Cali, connect to the network, put the password the same way that the user put it.
One, two, three, four, five, six.
And we'll be able to connect the network and we'll have a proper, legitimate access.
And instead of changing the Mac address where you might get caught because they'll be too much addresses connected to the same network.