How to Hack Wi-Fi: Evading an Authentication Proxy Using ICMPTX

Did you read the article, Secret?

I don't think most people would have the tunX interface up by default. Perhaps it would be pertinent to explain how to set up the interface?

man ssh

should help :) Or you might have another way.

Random:

Welcome to Null Byte!

Good point, but tun0 is enabled by default in Kali.

OTW

Thanks OTW,Waiting for such an article ...

Asif:

To answer you first question, the IP is the proxy/server system. For your second question, you access the Internet from the client.

OTW

actually i am not getting things right please help me,consider this scenario,we have wifi @ our university which has cyberroam firewall installed,when we connect to the university AP,it requests our credentials,by reading this tutorial i understand it is possible to bypass this login page(iam i right??)actually i got confused between various IP's you shown here.lets suppose that the login page looks like 192.168.2.1/login.php.as per my understanding is this 192.168.2.1 is the IP which you are refering as proxy/server..???/or do you mean the gateway of the wifi AP??please clarify

Step #1 can you ping the target?

This is key. If you can't, nothing else will work.

How would I go about port forwarding this through my router? What port does icmp run on? Also, when setting up the server side, is the "10.0.0.1" the IP of the server on the LAN?

thanks, appreciate it

yes i can ping it,lets use 192.168.2.1 as a server where you have used 10.0.0.1(right??)and what is this 76.x.x.x u used in the article??both those IP are mentioned as proxies in the artcle..

from my understanding of the article. (i havent tested it yet) The 10.0.0.1 and 76.x.x.x is meant to be the same address.

The 76.x.x.x is the website or address you would like to access

I might be wrong but maybe OTW could correct me.

The first IP is the target, the second is the proxy/server setup in the earlier step.

In my understanding, the server should be outside of the Local Wireless Network, right? how about a diagram

the client (me) --- wifi AP --- the server (Internet IP) -- Internet Access

Is that a correct diagram?
So, how does the wifi AP forward the ICMP Package to the server?

Thanks

No, the server/proxy is on the same side of the AP.

OK, so the diagram will be

the client --- proxy --- wifi AP --- Internet

the proxy will pass the ICMP message to the wifi AP, then will the wifi AP continuing the web request to the Internet?

and about this command line
kali > echo 1 > /proc/sys/net/ipv4/icmpechoignoreall

if the purpose of the command is for ignoring icmp echo, I think the proxy will also block the ICMP reply from the wifi AP, which maybe contains web response from the wifi AP. If the proxy has different interface between the client and the wifi AP, it will be better using that command to client interface.

I'm sorry if maybe i misunderstood.

Thanks.

OTW, love your tuts! (Can't say that to a random girl!)

I'm reading Metasploit: The Penetration Tester's Guide and just finished chapter 12, Karmetasploit. What do you think about the framework (or tool?)?

I think Metasploit is a wonderful and powerful exploitation framework.

How about Karmetasploit?

If I remember correctly, Karmasploit only works with Windows XP and earlier systems. Why don't you try and report back to us?

In the past I thought about writing something about it, so I documented just a little:

According to Metasploit Unleashed, Karmetasploit, which is born as a proof of concept, is also able to "allow you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients."

Although the browser exploits are the ones from Metasploit (which are slowly becoming less and less reliable, is it?), there's also a lot of scripts that are launched once the client connects to the fake AP, including MITM and services sniffing (SMB, DNS, FTP and many others).

But, the fact that this is only a proof of concept, makes it, IMHO, hardly ever reliable. Just to give an example, in the Infosec Institute (I hope it's not Spam) topic about Karmetasploit, it (obviously) fails against latest versions of Windows 7 and Mac (and it's 3 years old), so it actually works only against Win XP and some Vistas.

I know this is Out Topic, should I post more informations about it in Forum (because, although it's not that useful, it's still being a good proof of concept)?

KEWNGEN: The penetration tester's guide is a very good book, though things have been happening since it has been published. As your next reading, I suggest "The Browser Hacker's Handbook".

Good reply!

I know it's a bit dated, same goes for the chapter about Fast-Track which if I understood correctly is now a part of SEToolkit?

I'll definitely check out "The Browser Hacker's Handbook", thanks!

Yes, it's part of SET.

This is awesome !

Could you connect to he IP of a VPS server with that technique?
That would be quite a decent setup to access the web without leaving traces.

I have kali linux, up to date etc. and typing 'ifconfig tun0' returns:

tun0: error fetching interface information: Device not found

I'm going to look into this, but if anyone knows what is wrong here, I'd appreciate the help.

You have tu run "icmptx" first. That creates tun0

Let's say someone connected to a wired connection and got no Internet connection. Then changed their mac address to get Internet. The Internet says it is live at that point yet no progress towards using it. This connection has a work place user name and password domain to log into their workplace computers of which a user name and password is accessible. Is there a chance that the domain could block Internet access due to a user not using their log in information at the windows log in menu? Do you think this work around you listed would work in the situation I've listed?

Thanks in advance.
K-

Hi, I'm kind of new here, the way I understood this, I need access to a server in the same network which has access to the Internet for this to work and I need to configure icmptx on the server first. So I dont understand how I'd be able to use this to connect to the Internet when a free wifi is available as long as I dont have a server on the same network with internet access and kali installed on it. Please correct me where I'm wrong

First, the server and the client could be on the same physical machine with VMs.

Second, this is a technique to get past the proxy that requires authentication or payment. With that type of system, when you access the Internet your HTTP requests are intercepted by the proxy. By using ICMP, the proxy let's it go past without interception.

Thank You!. Great Fan of your work!

OTW, I did ifconfig tun0 but it said "tun0: error fetching interface information: Device not found

Does this mean I need a wireless adapter for tun0 to work?

I have a better way of doing this I figured out a technique to get credentials from the network clients....all that requires is kali and a usb adapter ....connected to the ap using setoolkit credential harvester cloned the login page into apache server and with ettercap spoofed all the traffic to my apache server.....so the users will get the login page ....as they type in their credentials its all mine..hehe

Ok ... Am not quite getting some things here. Sorry newbie here, hope I dont piss u off but its really important. You stated, We needed to set up a server between us the client and the Internet. I didn't get that part clear so like, Do i need to have the server on my computer and the client too on my computer. ?

Yes, they can both be on the same computer.

Thanks for replying ... And a last question, whose ip address will be the icmptx -s 10.0.0.1 on the server side. And another one plz? So after all the steps are done, Will it configure my whole system so that like Whenever i use a browser I don't get faced with a login page. Thanks in advance :)

Hello ... Help needed here. I was able to figure out the above. But now whose ip or host is the 76.23.54.12

When I type apt-get install icmptx ,it shows unable to locate package icmptx.How to fix it?

open terminal and type:
su
leafpad /etc/apt/sources.list

select all and replace with :
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free

deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

I have a question. Why our proxy and our client in the same network with the AP? What's the difference between those two? Because in my thinking it's make sense if the proxy is outside the AP's network and we wrap our HTTP packet with the ICMP packet so that packet can pass through the AP's proxy and our proxy gonna forward it to the internet. And the second question is, that port forwarding didnt require additional setting for the port that gonna be forwarded to the ip? Sorry if my question is too newbie, still new in this null-byte and love your work OTW.

I am having wifi connection to my laptop at my college

They have provided me with Login Id and password with respect to my laptops IP only I know the Wifi Password but cant acces the same connection on mobile.

Is there any way to get same coonection on my andriod fone

I have a wifi, but it have been blocked, my father didnt want to pay it anymore, i need it since im entering IT school, we live seprately, although he don't really care about me, i still don't want to burden him. Is there a way to make my wifi works again? Hacking into the server? Plus i don't have any money

hi i my college uses smart guard firewall
we have to enter login id and password in http://172.16.1.10/indexmain.php#parentHorizontalTab1
the ip address from "ip addr show" command is 192.168.21.75/22
the gateway from "/sbin/route -n" command is 192.168.20.1

now please tell what should i write in
1.server ipaddress(where you used 10.0.0.1)
2.client ipaddress(when i used just you 76.23.54.12,it showed error)
3.in second last step where you used 192.168.1.1

Did you set up a client and follow the directions in the article?

yes i have followed all the instructions.in this article its written
{
kali > icmptx -s 10.0.0.1

This points the server/proxy at the IP address 10.0.0.1. This is only an example; you will need to replace this IP with whatever the target IP address you are trying to connect to.

}
i don't know basics about networking
{
my college uses smart guard firewall
we have to enter login id and password in http://172.16.1.10/indexmain.php#parentHorizontalTab1
the ip address from "ip addr show" command is 192.168.21.75/22
the gateway from "/sbin/route -n" command is 192.168.20.1
}
plz tell
1.what is my target ip adress
and similarly
{ kali > icmptx -c <IP address of the proxy/server>}
2.my proxy/server address

Hello
I just want to know do we need two Kali machines to do this attack?

Why do I get "Could not create tunnel device. Fatal." when I run "icmptx -s XXX.XXX.XXX.XXX"?

Could it be because I don't have a tun0 interface on my Ubuntu laptop? I've tried to set it up with "tunctl" by typing "sudo tunctl -u root -t tun0", after which running "ifconfig tun0" does return an interface, but I'm still getting the original error... Please help me out someone!