How to Hack Wi-Fi: Evading an Authentication Proxy Using ICMPTX

Evading an Authentication Proxy Using ICMPTX

Welcome back, my greenhorn hackers!

In previous Wi-Fi hacking tutorials, I have shown you ways to create an Evil Twin, to DoS a wireless AP, and to crack WEP and WPA2 passwords, but in this tutorial, I will show you something a little bit different.

In many restaurants, hotels, airports, airplanes, and cafes, they have open authentication on the wireless AP, but once you connect to the AP, you are sent to a proxy that asks you for your credentials. This is very common in many commercial establishments around the world. To obtain the necessary credentials, there is usually charge associated with it.

What if you didn't have a credit card, or forgot your credit card, and needed to access the internet? You still may be able to, if the server accepts ICMP (ping) and you are patient.

In addition, imagine a scenario where you need to stealthily retrieve a file, send a message, or retrieve a message, in say, a cyber espionage or cyber warfare situation, while barely leaving a trace of your activity. This may be your method of choice.

Note: This is a more advanced technique, so if you are new to hacking, work on some of the more basic techniques before trying this.

ICMP: The Internet Control Message Protocol

As you know, ICMP is a protocol that is used detect the presence of a active host. We can determine if a host is active (pay attention, newbies) by simply typing:

  • kali > ping <IPaddress>

There are multiple types of ICMP messages, but this one is echo request (Type 0) and echo reply (Type 8). Although nearly all of us use ping one time or another, keep in mind that there are other types of ICMP that can come in handy when scanning or hacking systems that may block or drop ICMP Type 0.

If a server accepts ICMP (many won't as a security precaution), you can use ICMP to bypass the need for authentication via the proxy (that webpage that asks you for credentials). Because it is very slow, I don't recommend this for daily use, but in a pinch, this can be a very innovative way to get your email when you don't want to buy access to the service, or—you want to access the web without leaving a trace.

Step 1: Fire Up Kali & Download Icmptx

To begin, let's fire up Kali Linux and download icmptx. Since icmptx is in the Kali repository, all we need to do is:

  • kali > apt-get install icmptx

This will install icmptx to your Kali operating system.

Step 2: Getting Help

Next, let's take a look at the help file for icmptx. Simply type:

  • kali > icmptx

This help screen will appear. As you can see, the syntax is very straightforward and simple. Unfortunately, the implementation is not.

When we downloaded icmptx, it installed a manual page, so let's take a look at it by typing:

  • kali > man icmptx

The manual page doesn't offer much more information than the help page.

Step 3: Server Side Proxy

The way icmptx works is that you need to set up a proxy/server between you, the client, and the intended target on the web. First, let's set up the proxy/server.

To set up the up the proxy/server, the syntax is simple:

  • kali > icmptx -s 10.0.0.1

This points the server/proxy at the IP address 10.0.0.1. This is only an example; you will need to replace this IP with whatever the target IP address you are trying to connect to.

Step 4: Tunneling

Next, we need to set up a tunnel. A tunnel provides a packet transmission and reception place for user-based applications. Since icmptx is a user-based application, we need to set up a tunnel to send and receive packets, in this case, ICMP packets.

We can check to see whether our kernel supports tunneling by typing:

  • kali > ifconfig tun0

This response indicates that our Debian operating system (that Kali is built on) supports tunneling. Let's set up a tunnel on the server now.

Step 5: IP Forwarding

Next, we need to set up this server to first, ignore ICMP requests and second, forward IP traffic. If we didn't tell the kernel to ignore ICMP requests, it would respond with a echo reply (Type 8), which is the normal response. We don't want that. We want the ICMP traffic to enter the server and pass right through it.

We can tell the kernel to ignore ICMP traffic by typing:

  • kali > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Then we need to forward IP traffic, by typing:

  • kali > echo 1 > /proc/sys/net/ipv4/ip_forward

Step 6: Set Up the Client

Now, let's set up our client. This is the system we will be using to access the Internet from. We need to install icmptx on this system as well, but here we will be using the client and not the server setup.

To do so, type:

  • kali > icmptx -c <IP address of the proxy/server>

Then we need to establish a tunnel on this system as well.

Next, we need to set up a route to the proxy.

Lastly, we need to set a route through the tunnel we created (tun0) to the server on the web we want to access.

Now, when you want to access that site on the web, you can do so without authenticating and be almost totally invisible!

Although using icmptx is probably not a practical means of accessing the web on a daily basis, in a pinch or under severely clandestine circumstances, it will get you past web-based authentication and leave almost no trail. Few, if any, security administrators will be looking for ICMP traffic to trace your activities and, since you did not have to authenticate, your trail is almost invisible. In addition, if you set up the server on a zombie system, the only trail will lead back to the server/zombie without a highly skilled forensic investigation.

For more ways to hack wireless networks, make sure to check out my Wi-Fi Hacking series of guides and, as always, stayed tuned to Null Byte for more hacking fun.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover image via TSA

49 Comments

can we pypass CYBEROM proxy????

Did you read the article, Secret?

I don't think most people would have the tunX interface up by default. Perhaps it would be pertinent to explain how to set up the interface?

man ssh

should help :) Or you might have another way.

Random:

Welcome to Null Byte!

Good point, but tun0 is enabled by default in Kali.

OTW

Actually I get an error message when I type: "ifconfig tun0": error fetching interface information - device not found.

I've searched a bit but I can't find how to set up this interface... some help, please?

EDIT: ok, I actually founf icmptx (with wget, apt-install failed), and after initializing icmptx tun0 was created!).

Well, God-fukcing-baby-Jesus! You're a clever cundt.

Thanks OTW,Waiting for such an article ...

hello otw,i didnt understand the step where is says "kali > icmptx -s 10.0.0.1" which is this ip..?is 76.x.x.x is the ip of proxy server..?and at step 6 when u say "system we will be using to access the Internet from" is probably our system in which we have installed icmptx right???

please clarify

Asif:

To answer you first question, the IP is the proxy/server system. For your second question, you access the Internet from the client.

OTW

actually i am not getting things right please help me,consider this scenario,we have wifi @ our university which has cyberroam firewall installed,when we connect to the university AP,it requests our credentials,by reading this tutorial i understand it is possible to bypass this login page(iam i right??)actually i got confused between various IP's you shown here.lets suppose that the login page looks like 192.168.2.1/login.php.as per my understanding is this 192.168.2.1 is the IP which you are refering as proxy/server..???/or do you mean the gateway of the wifi AP??please clarify

Step #1 can you ping the target?

This is key. If you can't, nothing else will work.

How would I go about port forwarding this through my router? What port does icmp run on? Also, when setting up the server side, is the "10.0.0.1" the IP of the server on the LAN?

thanks, appreciate it

yes i can ping it,lets use 192.168.2.1 as a server where you have used 10.0.0.1(right??)and what is this 76.x.x.x u used in the article??both those IP are mentioned as proxies in the artcle..

from my understanding of the article. (i havent tested it yet) The 10.0.0.1 and 76.x.x.x is meant to be the same address.

The 76.x.x.x is the website or address you would like to access

I might be wrong but maybe OTW could correct me.

The first IP is the target, the second is the proxy/server setup in the earlier step.

In my understanding, the server should be outside of the Local Wireless Network, right? how about a diagram

the client (me) --- wifi AP --- the server (Internet IP) -- Internet Access

Is that a correct diagram?
So, how does the wifi AP forward the ICMP Package to the server?

Thanks

No, the server/proxy is on the same side of the AP.

OK, so the diagram will be

the client --- proxy --- wifi AP --- Internet

the proxy will pass the ICMP message to the wifi AP, then will the wifi AP continuing the web request to the Internet?

and about this command line
kali > echo 1 > /proc/sys/net/ipv4/icmpechoignoreall

if the purpose of the command is for ignoring icmp echo, I think the proxy will also block the ICMP reply from the wifi AP, which maybe contains web response from the wifi AP. If the proxy has different interface between the client and the wifi AP, it will be better using that command to client interface.

I'm sorry if maybe i misunderstood.

Thanks.

OTW, love your tuts! (Can't say that to a random girl!)

I'm reading Metasploit: The Penetration Tester's Guide and just finished chapter 12, Karmetasploit. What do you think about the framework (or tool?)?

I think Metasploit is a wonderful and powerful exploitation framework.

If I remember correctly, Karmasploit only works with Windows XP and earlier systems. Why don't you try and report back to us?

In the past I thought about writing something about it, so I documented just a little:

According to Metasploit Unleashed, Karmetasploit, which is born as a proof of concept, is also able to "allow you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients."

Although the browser exploits are the ones from Metasploit (which are slowly becoming less and less reliable, is it?), there's also a lot of scripts that are launched once the client connects to the fake AP, including MITM and services sniffing (SMB, DNS, FTP and many others).

But, the fact that this is only a proof of concept, makes it, IMHO, hardly ever reliable. Just to give an example, in the Infosec Institute (I hope it's not Spam) topic about Karmetasploit, it (obviously) fails against latest versions of Windows 7 and Mac (and it's 3 years old), so it actually works only against Win XP and some Vistas.

I know this is Out Topic, should I post more informations about it in Forum (because, although it's not that useful, it's still being a good proof of concept)?

KEWNGEN: The penetration tester's guide is a very good book, though things have been happening since it has been published. As your next reading, I suggest "The Browser Hacker's Handbook".

Good reply!

I know it's a bit dated, same goes for the chapter about Fast-Track which if I understood correctly is now a part of SEToolkit?

I'll definitely check out "The Browser Hacker's Handbook", thanks!

Yes, it's part of SET.

This is awesome !

Could you connect to he IP of a VPS server with that technique?
That would be quite a decent setup to access the web without leaving traces.

I have kali linux, up to date etc. and typing 'ifconfig tun0' returns:

tun0: error fetching interface information: Device not found

I'm going to look into this, but if anyone knows what is wrong here, I'd appreciate the help.

You have tu run "icmptx" first. That creates tun0

Let's say someone connected to a wired connection and got no Internet connection. Then changed their mac address to get Internet. The Internet says it is live at that point yet no progress towards using it. This connection has a work place user name and password domain to log into their workplace computers of which a user name and password is accessible. Is there a chance that the domain could block Internet access due to a user not using their log in information at the windows log in menu? Do you think this work around you listed would work in the situation I've listed?

Thanks in advance.
K-

Hi, I'm kind of new here, the way I understood this, I need access to a server in the same network which has access to the Internet for this to work and I need to configure icmptx on the server first. So I dont understand how I'd be able to use this to connect to the Internet when a free wifi is available as long as I dont have a server on the same network with internet access and kali installed on it. Please correct me where I'm wrong

First, the server and the client could be on the same physical machine with VMs.

Second, this is a technique to get past the proxy that requires authentication or payment. With that type of system, when you access the Internet your HTTP requests are intercepted by the proxy. By using ICMP, the proxy let's it go past without interception.

Thank You!. Great Fan of your work!

OTW, I did ifconfig tun0 but it said "tun0: error fetching interface information: Device not found

Does this mean I need a wireless adapter for tun0 to work?

I have a better way of doing this I figured out a technique to get credentials from the network clients....all that requires is kali and a usb adapter ....connected to the ap using setoolkit credential harvester cloned the login page into apache server and with ettercap spoofed all the traffic to my apache server.....so the users will get the login page ....as they type in their credentials its all mine..hehe

Ok ... Am not quite getting some things here. Sorry newbie here, hope I dont piss u off but its really important. You stated, We needed to set up a server between us the client and the Internet. I didn't get that part clear so like, Do i need to have the server on my computer and the client too on my computer. ?

Yes, they can both be on the same computer.

Thanks for replying ... And a last question, whose ip address will be the icmptx -s 10.0.0.1 on the server side. And another one plz? So after all the steps are done, Will it configure my whole system so that like Whenever i use a browser I don't get faced with a login page. Thanks in advance :)

Hello ... Help needed here. I was able to figure out the above. But now whose ip or host is the 76.23.54.12

When I type apt-get install icmptx ,it shows unable to locate package icmptx.How to fix it?

I have a question. Why our proxy and our client in the same network with the AP? What's the difference between those two? Because in my thinking it's make sense if the proxy is outside the AP's network and we wrap our HTTP packet with the ICMP packet so that packet can pass through the AP's proxy and our proxy gonna forward it to the internet. And the second question is, that port forwarding didnt require additional setting for the port that gonna be forwarded to the ip? Sorry if my question is too newbie, still new in this null-byte and love your work OTW.

I am having wifi connection to my laptop at my college

They have provided me with Login Id and password with respect to my laptops IP only I know the Wifi Password but cant acces the same connection on mobile.

Is there any way to get same coonection on my andriod fone

I have a wifi, but it have been blocked, my father didnt want to pay it anymore, i need it since im entering IT school, we live seprately, although he don't really care about me, i still don't want to burden him. Is there a way to make my wifi works again? Hacking into the server? Plus i don't have any money

hi i my college uses smart guard firewall
we have to enter login id and password in http://172.16.1.10/indexmain.php#parentHorizontalTab1
the ip address from "ip addr show" command is 192.168.21.75/22
the gateway from "/sbin/route -n" command is 192.168.20.1

now please tell what should i write in
1.server ipaddress(where you used 10.0.0.1)
2.client ipaddress(when i used just you 76.23.54.12,it showed error)
3.in second last step where you used 192.168.1.1

Did you set up a client and follow the directions in the article?

yes i have followed all the instructions.in this article its written
{
kali > icmptx -s 10.0.0.1

This points the server/proxy at the IP address 10.0.0.1. This is only an example; you will need to replace this IP with whatever the target IP address you are trying to connect to.

}
i don't know basics about networking
{
my college uses smart guard firewall
we have to enter login id and password in http://172.16.1.10/indexmain.php#parentHorizontalTab1
the ip address from "ip addr show" command is 192.168.21.75/22
the gateway from "/sbin/route -n" command is 192.168.20.1
}
plz tell
1.what is my target ip adress
and similarly
{ kali > icmptx -c <IP address of the proxy/server>}
2.my proxy/server address

Hello
I just want to know do we need two Kali machines to do this attack?

Why do I get "Could not create tunnel device. Fatal." when I run "icmptx -s XXX.XXX.XXX.XXX"?

Could it be because I don't have a tun0 interface on my Ubuntu laptop? I've tried to set it up with "tunctl" by typing "sudo tunctl -u root -t tun0", after which running "ifconfig tun0" does return an interface, but I'm still getting the original error... Please help me out someone!

Share Your Thoughts

  • Hot
  • Latest