1
00:00:00,600 --> 00:00:06,690
Now in this lecture and the next few lectures I'd like to spend some time talking about captive portals
2
00:00:06,930 --> 00:00:13,830
and how to bypass them. Captive portals are becoming very popular these days and they're being
3
00:00:13,830 --> 00:00:14,910
used everywhere.
4
00:00:15,090 --> 00:00:22,690
You can see them in colleges, offices, companies, airports, hotels and so on.
5
00:00:22,890 --> 00:00:28,440
Usually the way a captive portal works is that it's an open network, so you can see it and you can connect
6
00:00:28,440 --> 00:00:30,150
to it without encryption.
7
00:00:30,270 --> 00:00:35,060
And once you connect you'll automatically see a logon page that you have to log in to
8
00:00:35,160 --> 00:00:37,150
so you can access the Internet.
9
00:00:37,440 --> 00:00:41,140
So in hotels sometimes it asks you for the room number.
10
00:00:41,220 --> 00:00:44,070
Sometimes you have to pay to get a certain password.
11
00:00:44,130 --> 00:00:47,880
Sometimes you have to log in with Facebook and so on.
12
00:00:47,880 --> 00:00:51,450
So let me just show you an example of a captive portal real quick right here.
13
00:00:51,780 --> 00:00:58,420
I have one set up here in the office, so if I go here, I just called it airport hotspot just for an example.
14
00:00:58,430 --> 00:01:01,280
But it's actually not an airport network.
15
00:01:01,830 --> 00:01:08,790
So I'm going to connect to it right now, and you'll see that automatically I get a logon page that will ask
16
00:01:08,790 --> 00:01:12,020
me to enter a password to access the Internet.
17
00:01:12,030 --> 00:01:17,430
Now if you're connecting through a phone you'll see this as well. If you're connecting through OS X or
18
00:01:17,430 --> 00:01:22,680
Linux you'll still see this, and you can see at the top of the bar it's telling me that I
19
00:01:22,680 --> 00:01:24,770
need to log in to access the Internet.
20
00:01:25,350 --> 00:01:33,110
So if I try to go to anything, if I try to go to blink for example, you'll see I'll still be redirected
21
00:01:33,350 --> 00:01:41,460
to the hotspot login. As you can see, the login is done through a Web site, through a web interface, and
22
00:01:41,490 --> 00:01:48,480
even on phones and on Mac OS X you'll see a pop-up window show up, but this pop-up window is just a web
23
00:01:48,480 --> 00:01:50,570
browser without a navigation bar.
24
00:01:50,730 --> 00:01:58,230
So the data is being sent through a web interface, through HTTP or HTTPS.
25
00:01:58,560 --> 00:02:05,580
So looking at that, because the network is open, we can think of so many ways to steal the password or
26
00:02:05,580 --> 00:02:09,950
gain access to this network and bypass the logon.
27
00:02:10,020 --> 00:02:16,620
Now a very simple method would be to try and change your MAC address to one of a connected client.
28
00:02:16,950 --> 00:02:22,200
So all you have to do in this case is just open airodump-ng and just look for connected clients in the second
29
00:02:22,200 --> 00:02:27,980
section of the program and then change your MAC address to the MAC address of a connected client using
30
00:02:28,010 --> 00:02:29,400
macchanger.
31
00:02:29,970 --> 00:02:35,880
Now this process is identical to the process that you follow to bypass whitelist filtering.
32
00:02:35,910 --> 00:02:37,980
And I covered that in the previous lecture.
33
00:02:37,980 --> 00:02:43,890
Therefore I'm not going to cover the first method in here because it's literally going to be exactly
34
00:02:43,890 --> 00:02:49,860
the same method as the one I covered in the whitelist filtering lecture. What I'm going to show you though, I'm
35
00:02:49,860 --> 00:02:54,570
going to show you the three other methods that I think are very very useful.
36
00:02:54,570 --> 00:03:02,580
The first method is going to be sniffing logons in monitor mode. Now, because by definition captive portals
37
00:03:02,580 --> 00:03:08,580
have to be open networks, because like I said they're usually used in offices, in hotels and so on.
38
00:03:08,580 --> 00:03:13,640
They're usually open and then once you log in they ask you for a username and password.
39
00:03:13,680 --> 00:03:19,620
So this means that we don't even need to connect, and we'll be able to capture the data and read it in
40
00:03:19,620 --> 00:03:28,680
plain text, unless the data is being sent over HTTPS. So we can just start monitor mode, sniff the data
41
00:03:28,680 --> 00:03:36,450
using airodump-ng and save it in a file, and then read the file and look for a username and password in
42
00:03:36,450 --> 00:03:37,250
Wireshark
43
00:03:37,260 --> 00:03:44,190
once someone logs in. Now you can force someone to log in by running the deauthentication attack and waiting
44
00:03:44,190 --> 00:03:45,850
for them to get disconnected.
45
00:03:45,870 --> 00:03:49,890
Then when they connect again they usually get asked to enter the password again.
46
00:03:51,090 --> 00:03:52,600
So let's see how to do that.
47
00:03:52,620 --> 00:03:54,030
I'm going to go to Kali.
48
00:03:54,650 --> 00:04:01,970
And first of all I already have my wireless adapter connected, so if I do ifconfig you can see my wireless
49
00:04:01,970 --> 00:04:02,900
adapter.
50
00:04:02,900 --> 00:04:06,040
Now I'm going to enable monitor mode on it real quick.
51
00:04:06,110 --> 00:04:10,040
We've covered how to do that in a number of ways, so that's why I'm just going to
52
00:04:10,040 --> 00:04:11,690
do it really quickly.
53
00:04:11,690 --> 00:04:19,700
So I'm going to do ifconfig wlan0 down, then I'm going to do iwconfig wlan0 mode
54
00:04:19,810 --> 00:04:26,960
monitor, and then I'm going to do ifconfig wlan0 up to bring the card up.
55
00:04:27,940 --> 00:04:31,220
Sorry I forgot to put up.
56
00:04:31,620 --> 00:04:39,210
And now it's in monitor mode, so if we do iwconfig we can see that the card is in monitor mode, so that's
57
00:04:39,210 --> 00:04:40,230
perfect.
58
00:04:40,230 --> 00:04:45,840
Now for the next step I'm going to just run airodump-ng against all the networks around me.
59
00:04:45,840 --> 00:04:48,660
So I'm just going to do airodump-ng wlan0
60
00:04:53,380 --> 00:04:53,730
OK.
61
00:04:53,740 --> 00:04:55,300
Now we have our target.
62
00:04:55,300 --> 00:04:58,180
We can see it right here it's called Airport hotspot.
63
00:04:58,270 --> 00:05:00,160
We can see that it's an open network.
64
00:05:00,250 --> 00:05:04,090
It's on channel 12 and we can see its MAC address.
65
00:05:04,480 --> 00:05:08,540
So as usual we want to run it against this specific network.
66
00:05:08,650 --> 00:05:11,920
Again we've done this a lot before so I'm going to do it a bit quickly.
67
00:05:11,920 --> 00:05:18,330
I'm going to copy the MAC address and I'm going to run airodump-ng.
68
00:05:18,530 --> 00:05:20,480
I'm going to give it the BSSID.
69
00:05:22,120 --> 00:05:25,210
And the channel which is 12.
70
00:05:26,190 --> 00:05:32,770
And then I'm going to write everything to a file, and I'll call that file
71
00:05:32,780 --> 00:05:36,570
airport, because the network is called Airport hotspot.
72
00:05:37,140 --> 00:05:43,910
And finally we'll give the name of our wireless card in monitor mode, which is wlan0. So, very
73
00:05:43,910 --> 00:05:46,700
simple commands that we run multiple times.
74
00:05:46,700 --> 00:05:52,460
The first thing we do is airodump-ng, and we give it the BSSID, which is the MAC address of
75
00:05:52,460 --> 00:05:56,930
the target network. We give it the channel that the target network is working on, and we can
76
00:05:56,930 --> 00:06:02,960
see it's working on channel 12. We're saying write because we want to store all the captured data in a
77
00:06:02,960 --> 00:06:05,970
file and we're calling that file airport.
78
00:06:06,260 --> 00:06:10,190
And finally we have to give the name of the wireless interface in monitor mode.
79
00:06:10,190 --> 00:06:12,980
And in my case it's wlan0.
80
00:06:12,980 --> 00:06:18,920
I'm going to hit enter, and as you can see, now airodump-ng is working.
81
00:06:19,150 --> 00:06:22,310
And we can see that we have a connected client already.
82
00:06:22,570 --> 00:06:25,950
Now like I said, if the client is connected and is using the Internet,
83
00:06:26,020 --> 00:06:30,690
you can just do the deauthentication attack and get it disconnected for a while.
84
00:06:31,710 --> 00:06:35,850
I'm not going to do that because I don't want to make the lecture too long we've already covered that.
85
00:06:35,880 --> 00:06:40,770
So we're just going to assume that we did deauthenticate our target, and now our target is going to go
86
00:06:40,770 --> 00:06:42,620
ahead and try to connect again.
87
00:06:42,810 --> 00:06:44,710
So I have my Windows machine here.
88
00:06:44,790 --> 00:06:45,900
I'm going to close this
89
00:06:50,160 --> 00:06:52,580
and I'm actually going to disconnect from the network.
90
00:06:55,820 --> 00:06:57,750
And then I'm going to connect to it again.
91
00:07:02,010 --> 00:07:05,710
Now as you can see we automatically get the login page again.
92
00:07:05,730 --> 00:07:12,090
We're assuming that this specific user already has a password, whether they are staying in
93
00:07:12,090 --> 00:07:18,090
this hotel or this airport or whether they actually bought a membership to access the internet to access
94
00:07:18,090 --> 00:07:19,280
this Wi-Fi network.
95
00:07:19,290 --> 00:07:20,240
We don't care.
96
00:07:20,310 --> 00:07:25,110
Now the user is going to enter their password and we're going to assume that it's one two three four
97
00:07:25,110 --> 00:07:26,100
five six.
98
00:07:26,100 --> 00:07:27,960
This is actually a valid password.
99
00:07:27,990 --> 00:07:32,460
We're going to log in and we'll be redirected to Google.
100
00:07:32,460 --> 00:07:37,500
So this user got their Internet access and they're happy they can go and do whatever they want.
101
00:07:37,500 --> 00:07:40,850
Now let's go to the Kali machine and see if we captured the password.
102
00:07:42,220 --> 00:07:48,650
I'm going to Control-C out of this and then I'm going to run Wireshark, so we can just do wireshark in
103
00:07:48,650 --> 00:07:53,900
here.
104
00:07:54,090 --> 00:08:01,410
I'm going to go to file open and open the file that we just captured.
105
00:08:01,470 --> 00:08:06,360
So we called the file airport and we're looking for the .cap extension.
106
00:08:06,510 --> 00:08:10,510
So as you can see we have a file here called airport-01.cap.
107
00:08:10,770 --> 00:08:18,390
I'm going to open it. Like I said before, it automatically appends -01 to the name that you
108
00:08:18,390 --> 00:08:18,800
pick
109
00:08:18,800 --> 00:08:26,040
when you create the file. And right here we have all the packets that we captured, which were sent to the
110
00:08:26,040 --> 00:08:29,640
target network to the airport network.
111
00:08:29,640 --> 00:08:35,790
Now what we're interested in is the HTTP traffic, because as we saw, the username and password
112
00:08:35,800 --> 00:08:45,470
are being sent over HTTP. So in the filter here I'm just going to type in http, hit enter, and
113
00:08:45,470 --> 00:08:49,300
Wireshark right here is only showing me HTTP packets.
114
00:08:49,340 --> 00:08:53,670
Now login forms and such forms are usually sent over POST.
115
00:08:53,720 --> 00:08:58,240
So we want to look for a POST request here instead of GET.
116
00:08:58,340 --> 00:09:05,810
So I'm going to scroll down until I find a POST request, so you can see we have one here.
117
00:09:05,960 --> 00:09:12,830
I'm going to go down and look for the HTML form URL encoded, and we can see that in here
118
00:09:12,830 --> 00:09:19,670
we actually don't have anything interesting, so I'm just going to keep going, looking for more POST requests.
119
00:09:21,170 --> 00:09:27,240
I have another one here and this one looks interesting because we can see that there is an operation
120
00:09:27,240 --> 00:09:33,050
called login, and here we can see that the username is set to nothing, and we can see the password is
121
00:09:33,060 --> 00:09:37,160
set to one two three four five six.
122
00:09:37,330 --> 00:09:37,950
So that's it.
123
00:09:37,950 --> 00:09:39,140
We have the password now.
124
00:09:39,220 --> 00:09:44,530
We can just go to the network manager here in Kali, connect to the network, put in the password the same
125
00:09:44,530 --> 00:09:45,610
way that the user put it.
126
00:09:45,610 --> 00:09:50,920
one two three four five six, and we'll be able to connect to the network and we'll have proper legitimate
127
00:09:50,950 --> 00:09:56,200
access, instead of changing the MAC address, where you might get caught because there'll be two MAC
128
00:09:56,200 --> 00:09:58,690
addresses connected to the same network.