So my company hosts a public hotspot type service, but company specific.
They have buildings dotted around the globe used as meeting centres, and offer free wireless access for their clients via a token (basically the same as a public hotspot, but the end users don't pay; the charging is done further up the chain).
These buildings run open, unsecured access. Once connected, as soon as they try to make an outbound HTTP/S connection they are redirected to a Captive Portal to input credentials (token), once validated they have X time before kick out.
Now my question is - the Clients, even though authenticated with our HotSpot server, are sending traffic (could be documents, whatever) completely unencrypted between Client and AP, right? As in someone could easily capture the session traffic and replay it later?
Yes, very easily.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
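To make the "yes" above concrete, here is an added example (not code from the thread or from any poster): a small 802.11 header inspector showing that a captive portal never touches the radio link. Encryption on the air is signalled per frame by the Protected Frame bit; on an open AP it is clear on every data frame, so the body, HTTP request and all, is readable. The frames, MAC addresses and payload are constructed for the demo.

```python
# Added example, not from the thread. A captive portal only gates IP access; it
# never encrypts the radio link. 802.11 marks encryption per frame with the
# "Protected Frame" bit (bit 6 of the Frame Control flags). Frames are constructed.

FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP header ahead of the Ethertype

def parse_80211(frame: bytes) -> dict:
    """Decode one 802.11 MAC header and return its flags plus the frame body."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a basic 802.11 MAC header")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr_len = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hdr_len += 6                     # Address 4 present in WDS frames
    if ftype == FC_TYPE_DATA and subtype & 0x8:
        hdr_len += 2                     # QoS Control field on QoS data subtypes
    return {"type": ftype, "subtype": subtype,
            "protected": bool(flags & FLAG_PROTECTED),
            "transmitter": frame[10:16].hex(":"),   # Address 2
            "body": frame[hdr_len:]}

def audit_capture(frames) -> dict:
    """Count data frames sent in the clear and keep a readable payload preview."""
    report = {"data_frames": 0, "cleartext": 0, "previews": []}
    for f in frames:
        info = parse_80211(f)
        if info["type"] != FC_TYPE_DATA:
            continue
        report["data_frames"] += 1
        if not info["protected"] and info["body"].startswith(LLC_SNAP):
            report["cleartext"] += 1
            payload = info["body"][len(LLC_SNAP) + 2:]   # skip the Ethertype too
            report["previews"].append(payload[:40].decode("ascii", "replace"))
    return report

def _frame(flags: int, body: bytes, subtype: int = 0) -> bytes:
    """Build a constructed data frame: FC, Duration, Addr1..3, Sequence Control."""
    fc = (FC_TYPE_DATA << 2) | (subtype << 4)
    hdr = bytes([fc, flags]) + b"\x00\x00"
    hdr += bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    hdr += bytes.fromhex("001122334455") + b"\x10\x00"
    return hdr + body

# Open-AP client upload: the HTTP request is readable by anyone in radio range.
OPEN_FRAME = _frame(FLAG_TO_DS, LLC_SNAP + b"\x08\x00" + b"GET /docs/board-minutes.pdf HTTP/1.1")
# Same frame on a WPA2 network: Protected bit set, body is CCMP header + ciphertext.
WPA_FRAME = _frame(FLAG_TO_DS | FLAG_PROTECTED, bytes(range(64)))
```

Run `audit_capture` over frames from a monitor-mode capture of your own lab AP and the cleartext count tells the audience what the portal does not protect; moving the same AP to WPA2 drives it to zero.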
the system you guys run sounds like a captive portal:
http://forums.remote-exploit.org/showthread.php?t=11729
such configurations are vulnerable to any number of attacks, including wifizoo, which would enable them to hijack SSL sessions...
not the best configuration from the security standpoint
"Sure is for people with nothing on the line.....you and me? We just get on with it."
-Garabaldi
That is exactly it, a captive portal.
Can we discuss further what kind of attacks this is vulnerable to, and how (if possible) to secure it?
Would appreciate pointers on how I can reproduce these attacks on backtrack too, will go some way in helping me present a solid case. I can easily set up an exact hardware + software lab condition with our hot standby kit.
TIA
Can you say "Social Engineering"?
Sure you can.
Thorn
Stop the TSA now! Boycott the airlines.
I don't get it ._.
Well, I know what social engineering is, but I don't see how it applies
Will check back in the morn.
You're asking people for a guide on how to hack a captive portal.
- It may be a legitimate request
- It may be a skript kiddie asking "please tell me how to hack a hotspot"
Many requests appear legitimate, but there is no way to differentiate one from the other. A lot of skriddies make requests just like yours in an attempt to SE step-by-step instructions. Just because you say it's for your company, no one here has any way to verify that.
Thorn
You have already discussed the gaping hole involved here. As well as other avenues of vulnerability.
I would imagine that if the network is intended for any serious/business related use, then that would be more than sufficient evidence for your boss(es) to act upon.
What equipment are they using to implement this token based captive portal?
The results of your testing the discussed methods on your spare equipment should convince them!
Yes, I guess I am, in a blunt way. Need to know how to do it, to understand how to stop it, correct? I admit this knowledge tickles me on a certain level because of the taboo associated with it, but I'm certain that applies to most people.
> Many requests appear legitimate, but there is no way to differentiate one from the other. A lot of skriddies make requests just like yours in an attempt to SE step-by-step instructions. Just because you say it's for your company, no one here has any way to verify that.
Very true, but there is 0 ways for me to convince anyone 100% I am who I say I am and I do what I say I do, because hey, this is the internet. Trust no one.
Frustrations for me being, I came here (actually I was reminded of this forum by a member of the Aircrack-ng team I met 2 weeks ago in the UK) in hopes of learning, but it seems there is a hidden virtue of asking questions correctly which I do not possess!
I completely understand your viewpoint, and I agree with it. But then if you adhered to that 100% of the time, no one would get any answers :P
sigh....
> You have already discussed the gaping hole involved here. As well as other avenues of vulnerability.
> I would imagine that if the network is intended for any serious/business related use, then that would be more than sufficient evidence for your boss(es) to act upon.
Well, for the security aware, yes you are right! But unfortunately these people don't like to see things that cost money, until proven to them in their face, so to speak. We see this everywhere, and the powers that be in my company are no different :/ And the locations these hot spots are in are used for VERY sensitive information. Laughable situation.
> What equipment are they using to implement this token based captive portal?
> The results of your testing the discussed methods on your spare equipment should convince them!
The deployment in each site consists of Cisco Aironet 1100s on a flat network, and the Captive Portal software (FirstSpot) runs on a server. The front desk at each site has a login to a web front end that allows them to issue tokens. No Cisco WLAN Controller btw.
Before I commence testing (this isn't my sole workload, so I have to deviate between other things, not enough time in the days) I wanted to have a range of attacks I could reproduce in the lab. Right now I'm on ground 0, I have no idea where to start if you like. Don't forget, these people I will be presenting to are even less technical than me, so the format will have to be understandable.
Example (probably with pics, powerpoint slide jobby):
Wireless Client session established as per usual
Client transfers sensitive document
Hacker can sniff the packets and do whatever
blah blah blah
Hacker hijacks SSL Session
etc etc
But it seems I have hit a brick wall here, for the reasons Thorn stated.
If anyone does trust me (lol) and wishes to help privately via PM or email, please do so, will be greatly appreciated. But then that goes against the forum policy of sharing info for others to learn. Stuck between a rock and a hard place, so they say.