Results 1 to 10 of 23

Thread: Public Hotspot Security

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    90

    Public Hotspot Security

    So my company hosts a public hotspot type service, but company specific.

    They have buildings dotted around the globe used as meeting centres, and offer free wireless access for their clients via a token (basically the same as a public hotspot but the end users don't pay, the charging is done further up the chain).

    These buildings run open, unsecured access. Once connected, as soon as they try to make an outbound HTTP/S connection they are redirected to a Captive Portal to input credentials (token), once validated they have X time before kick out.

    Now my question is - if the Clients, even though authenticated with our HotSpot server, are sending traffic (could be documents, whatever) completely unencrypted right (between Client and AP)? As in someone could easily capture the session traffic and replay it later?

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Yes, very easily.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member imported_anubis2k7's Avatar
    Join Date
    Jun 2006
    Posts
    115

    the system u guys run sounds like a captive portal:

    http://forums.remote-exploit.org/showthread.php?t=11729

    such configurations are vulnerable to any number of attacks, including wifizoo, which would enable them to hijack SSL sessions...

    not the best configuration from the security standpoint
    "Sure is for people with nothing on the line.....you and me? We just get on with it."

    -Garabaldi

  4. #4
    Member
    Join Date
    Jan 2006
    Posts
    90

    That is exactly it, a captive portal.

    Can we discuss further what kind of attacks this is vulnerable to, and how (if possible) to secure it?

    Would appreciate pointers on how I can reproduce these attacks on backtrack too, will go some way in helping me present a solid case. I can easily set up an exact hardware + software lab condition with our hot standby kit.

    TIA

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Can you say "Social Engineering"?

    Sure you can.
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #6
    Member
    Join Date
    Jan 2006
    Posts
    90

    I don't get it ._.

    Well, I know what social engineering is, but I don't see how it applies

    Will check back in the morn.

  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by hongman:
    > I don't get it ._.
    >
    > Well, I know what social engineering is, but I don't see how it applies
    >
    > Will check back in the morn.

    You're asking people for a guide on how to hack a captive portal.

    Quote Originally Posted by hongman:
    > Would appreciate pointers on how I can reproduce these attacks on backtrack too, will go some way in helping me present a solid case.

    • It may be a legitimate request
    • It may be a skript kiddie asking "please tell me how to hack a hotspot"

    Many requests appear legitimate, but there is no way to differentiate one from the other. A lot of skriddies make requests just like yours in an attempt to SE step-by-step instructions. Just because you say it's for your company, no one here has any way to verify that.
    Thorn
    Stop the TSA now! Boycott the airlines.

  8. #8
    Senior Member
    Join Date
    Jan 2006
    Posts
    1,334

    Quote Originally Posted by hongman:
    > ........Can we discuss further what kind of attacks this is vulnerable to, and how (if possible) to secure it?........

    You have already discussed the gaping hole involved here. As well as other avenues of vulnerability.
    I would imagine that if the network is intended for any serious/business related use, then that would be more than sufficient evidence for your boss(es) to act upon.

    What equipment are they using to implement this token based captive portal?
    The results of your testing the discussed methods on your spare equipment should convince them

  9. #9
    Member
    Join Date
    Jan 2006
    Posts
    90

    Quote Originally Posted by Thorn:
    > You're asking people for a guide on how to hack a captive portal.

    Yes, I guess I am, in a blunt way. Need to know how to do it, to understand how to stop it, correct? I admit this knowledge tickles me on a certain level because of the taboo associated with it, but I'm certain that applies to most people.

    > Many requests appear legitimate, but there is no way to differentiate one from the other. A lot of skriddies make requests just like yours in an attempt to SE step-by-step instructions. Just because you say it's for your company, no one here has any way to verify that.

    Very true, but there are 0 ways for me to convince anyone 100% I am who I say I am and I do what I say I do, because hey, this is the internet. Trust no one.

    Frustrations for me being, I came here (actually I was reminded of this forum from a member of the Aircrack-ng team I met 2 weeks ago in the UK) in hopes of learning, but it seems there is a hidden virtue of asking questions correctly which I do not possess!

    I completely understand your viewpoint, and I agree with it. But then if you adhered to that 100% of the time, no one would get any answers :P

    sigh....

    > You have already discussed the gaping hole involved here. As well as other avenues of vulnerability.
    > I would imagine that if the network is intended for any serious/business related use, then that would be more than sufficient evidence for your boss(es) to act upon.

    Well, for the security aware, yes you are right! But unfortunately these people don't like to see things that cost money, until proven to them in their face, so to speak. We see this everywhere, and the powers that be in my company are no different :/ And the locations these hot spots are, are used for VERY sensitive information. Laughable situation.

    > What equipment are they using to implement this token based captive portal?
    > The results of your testing the discussed methods on your spare equipment should convince them

    The deployment in each site consists of Cisco Aironet 1100's on a flat network, and the Captive Portal software (First Spot) runs on a server. The front desk at each site has a login to a web front end that allows them to issue tokens. No Cisco WLAN Controller btw.

    Before I commence testing (this isn't my sole workload, so I have to deviate between other things, not enough time in the days) I wanted to have a range of attacks I could reproduce in the lab. Right now I'm on ground 0, I have no idea where to start if you like. Don't forget, these people I will be presenting to are even less technical than me, so the format will have to be understandable.

    Example (prolly with pics, powerpoint slide jobby):

    Wireless Client session established as per usual
    Client transfers sensitive document
    Hacker can sniff the packets and do whatever

    blah blah blah
    Hacker hijacks SSL Session

    etc etc

    But it seems I have hit a brick wall here, for the reasons Thorn stated.

    If anyone does trust me (lol) and wishes to help privately via PM or email, please do so, will be greatly appreciated. But then that goes against the forum policy of sharing info for others to learn. Stuck between a rock and a hard place, so they say.

  10. #10
    Member
    Join Date
    Jan 2006
    Posts
    90

    Quote Originally Posted by anubis2k7:
    > the system u guys run sounds like a captive portal:
    >
    > http://forums.remote-exploit.org/showthread.php?t=11729
    >
    > such configurations are vulnerable to any number of attacks, including wifizoo, which would enable them to hijack SSL sessions...
    >
    > not the best configuration from the security standpoint

    Wow, reading this post and I somehow missed that link >.>

    I'm going to start some testing asap with Wifizoo, and see if I can get enough from that to make a decent presentation.

    By the by, there is definitely no way to secure this is there (captive portal I mean)...?
