HOW TO BYPASS A CAPTIVE PORTAL

Disclaimer: This is for educational purposes only. We are not endorsing/encouraging anything illegal.  

BYPASSING A CAPTIVE PORTAL

Introduction:

What is a Captive Portal?

A captive portal is a means by which users gain internet access on a guest network by agreeing to an acceptable use policy (AUP). It usually works by intercepting a web browser's attempted connections and forcibly injecting a redirect to the portal page.

These captive portals can be bypassed by taking advantage of a simple fact: most organizations don't block all outbound ports while the user is still completing the captive portal requirements.
Most organizations leave outbound DNS open on UDP port 53, SSH on TCP port 22, or even TCP port 3128.

The prerequisite for bypassing a captive portal is that the client must have an external server preconfigured. This external server acts as the endpoint for the different bypass methods.

Techniques to bypass a captive portal:

Like any network security attack, the client's first step is reconnaissance, i.e. preliminary research.
After connecting to the guest network, the mischievous client will typically run a scan to find which ports are open (allowed) through the network's gateway. The client is looking for open ports matching the ones mentioned earlier: TCP/3128 for a web proxy, TCP/22 for SSH, or UDP/53 for DNS.
The chances of the TCP ports (3128 and 22) being open are slim to none.

In that case, the following methods can be used to bypass a captive portal:
1) ARP (Address Resolution Protocol) Spoofing
2) Iodine

1) ARP (Address Resolution Protocol) Spoofing

In simple terms, ARP spoofing is the technique of pretending to be another computer that is already on the network.
Spoofing the MAC address of a device that is still connected to the network is extremely easy to detect, since both you and the client you are spoofing receive half the packets. The result is a choppy connection with lots of dropped packets. The only viable way is to wait a few hours and see which users have dropped off the network, by sniffing packets at fixed intervals with packet sniffing software such as Wireshark on Windows and aircrack-ng on Linux.

The actual contents of the packets do not matter; we are only interested in the metadata.

Find a client that has dropped off the network. Then manually change your IP address to the one you recorded, and clone the MAC address of that target client.

Depending on whether they explicitly signed out or their session simply expired, you can use their MAC and IP address without the two of you intercepting each other's traffic.

2) Iodine

Another method of bypassing the captive portal is an application called Iodine.

Iodine allows a user to tunnel IPv4 data through a DNS port.
This can be used in situations where internet access is firewalled but DNS queries are allowed (they must be, to allow the initial browser connection to reach the portal).
Iodine is supported on a variety of platforms: Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows.
The bandwidth is asymmetrical, with limited upstream and up to 1 Mbit/s downstream.


The first step is to set up iodine on both the client's remote server and the client itself.
After this, the client can tunnel its traffic out over the DNS port.

This type of bypass is more difficult for an IT administrator to prevent.
The admin can choose to block outbound DNS from the captive portal network, but clients still need to resolve domain names in order to hit the portal redirect.
They could instead restrict outbound DNS so that it is only allowed from an internal DNS server, and hand out that internal DNS server's IP address to connecting clients via DHCP.

The disadvantage of this approach is the extra overhead of maintaining an internal DNS server, and it causes problems for any client with hard-coded DNS server addresses.
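From the administrator's side, the counterpart to the Iodine discussion above is spotting tunnel-shaped traffic at the resolver the captive network forces clients through. This is an added example, not code from the page or from the Iodine project; the log line format, the thresholds, the record-type list and the tunnel-host.example domain are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, "<epoch> <client> <qname> <qtype>" (not a real capture); the tunnel-host.example lines imitate tunnelled traffic.
SAMPLE_LOG = """\
1700000001 10.0.0.21 www.example.com A
1700000003 10.0.0.42 0ab3kz9qwe7rty1uio2pasdf3ghjk4lzxcv.t1.tunnel-host.example NULL
1700000003 10.0.0.42 1b7nm0qwertyuiop2asdfghjkl3zxcvbnm45.t1.tunnel-host.example NULL
1700000004 10.0.0.42 2c9plkjhgfdsa3poiuytrewq4mnbvcxz5lkj.t1.tunnel-host.example TXT
1700000004 10.0.0.42 3d1zxcvbnmasd4fghjklqwe5rtyuiop6asdf.t1.tunnel-host.example NULL
1700000005 10.0.0.21 mail.example.com MX
"""
# Record types that carry more payload than A/AAAA answers and are therefore favoured by tunnels (heuristic).
PAYLOAD_QTYPES = {"NULL", "TXT", "CNAME", "SRV", "PRIVATE"}

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname: str) -> str:
    """Last two labels of the name (a production version would consult a public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_domains(log_text: str, min_queries: int = 3) -> dict:
    """Aggregate per base domain; flag domains whose query pattern looks like a DNS tunnel endpoint."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "label_len": 0, "entropy": 0.0, "odd": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, _, qname, qtype = parts
        bd = base_domain(qname)
        prefix = qname.rstrip(".").lower()[: -len(bd) - 1]  # labels left of the base domain ("" if none)
        s = agg[bd]
        s["n"] += 1
        s["subs"].add(prefix)
        s["label_len"] += max((len(lbl) for lbl in prefix.split(".")), default=0)
        s["entropy"] += shannon_entropy(prefix.replace(".", ""))
        s["odd"] += qtype.upper() in PAYLOAD_QTYPES
    report = {}
    for bd, s in agg.items():
        n = s["n"]
        avg_len, avg_ent = s["label_len"] / n, s["entropy"] / n
        odd_ratio, uniq_ratio = s["odd"] / n, len(s["subs"]) / n
        # Tunnel signature: volume, long high-entropy labels, and payload-type records or a fresh subdomain on almost every query (tunnels cannot reuse cached names).
        suspicious = (n >= min_queries and avg_len >= 30 and avg_ent >= 3.5
                      and (odd_ratio >= 0.5 or uniq_ratio >= 0.9))
        report[bd] = {"queries": n, "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                      "odd_qtype_ratio": round(odd_ratio, 2), "suspicious": suspicious}
    return report
```

Run against the internal resolver's query log that the DHCP-assigned setup described above funnels clients into; the thresholds are a starting point to tune against the network's own baseline.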

Reference:
DEF CON 24 Conference (2016), speaker: Grant Bugher

Rishi Kambil

Sooraj Nair