Re: tunneling through hotspot firewall

[Aarón Mizrachi <unmanarc () gmail com>]

On Miércoles 22 Abril 2009 07:05:51 Daniel Gultsch escribió:
> Hey guys,
>
> this is my first posting on this mailling list. I kinda hope this is
> the right place. However lets get to the point.
>
> Suppose I'd have an unencrypted  wireless lan with an dhcp server and a
> router integreted in the access point. By default a firewall is
> blocking all traffic coming from clients and going to the outside
> world. When one of the clients logs in on in internal website (also on
> the access point) the client's IP-address will be white listed in the
> firewall. As soon as the client logs out again his IP will be removed
> from the whitelist, preventing the client from connecting to the outside
> world. (Login in this case means payment, but thats another story)
> All in all: it's a usual hotspot like the ones one can find on airports,
> hotels and elsewhere.
> Ok, lets further suppose I'd have on succesfully logged in (and
> whitelisted) client). An evil attackers joins the notework as well -
> not beeing able to connect to the outside world (because of the
> firewall) but beeing able to sniff all the traffic (it's an unencrypted
> wlan which means hub, basicly). Suppose the attacker would sniff the
> mac address and the ip address of the whitelisted, logged in client and
> give hiself the very same mac address and ip address (both easily can
> be assigned with a simple ifconfig). Suppose the attacker would go on
> and set up a firewall on his computer preventing all packages TCP, IP,
> UDP and everything else from being both recieved or send. (Simple
> iptables rules). He then opens a very tiny whole in his own firewall
> (some strange udp port, which is definitly not used by the other (real)
> client) and uses this udp port to tunnel to an external server
>
> Would this work? Or if not on which layer would it fail. This is
> basicly about Layer 1 and 2. What happens if two clients with the same
> MAC address share a shared medium like wireless lan. 

It could work... but, some wireless hotspot blocks UDP traffic and only allow 80 
and 443 TCP... With TCP, the clone computer will emit an ICMP or RST closing 
your connection.

There is a well known method called DNS tunneling: 

(Look at:)
http://code.kryo.se/iodine/

Aprox, 90% (or more) of hotspots lets you resolve directly any DNS address 
without any logon or mac address verification. 

And when its a complete ip block restriction (Outside DNS restriction also) 
and also an UDP block, your method could be used in conjunction with an udp 
dns tunnel... 


The best method to protect your Wireless AP is using a VPN's... but its VERY 
nasty to implement... 

Nothing outside the VPN have any access outside the world.

> The rest starting
> of Layer 4 should definitly work (I'm familar enough with these layers
> to say this. I'm just not sure about the underlaying layers.
>
> Thanks for the input.
>
> cheers Daniel
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Tired of using other people's tools? Why not learn how to write your own
> exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you
> how to write stack and heap buffer overflow exploits for Windows and Linux.
> Gain your Certified Expert Penetration Tester (CEPT) cert as well.
>
> http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.h
> tml ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits?
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------