The unwillingness of cafe owners to spend money on Captive portals has helped some providers to distribute their access points with paid sms authorization. We had a desire to check whether such sms authorization can be circumvented.
Disclaimer
This article is written for informational purposes only. All trademarks and names of Wi-Fi networks in this article are fictional, and all coincidences are random.
To the point...
To find a suitable victim, I took a laptop with Debian on Board and went to the nearest pizzeria. There were a couple of shopping centers nearby, and a few other eateries, which guaranteed me to find the right "victim". I connected to one of the networks available to me, then opened the browser to go to the cherished one habr.com and here's what I saw:
This access point was controlled by one of providers. I was offered to use this network as a guest at the lowest speed, get a premium for $ 2, or (if I am a client of this provider) log in through my personal account. And, of course, I took a path not included in this list (otherwise, why would I have started writing this article).
I knew from my own experience that if you pass identification on one access point of this provider, then when connecting the same device to another point, you didn't need to pass identification (later it turned out that this is the case for all providers that provide sms authorization). Identification was not required even when using a different browser. This means that the provider somehow remembers our hardware. The very first thing that occurred to me was that the provider remembers the mac address of our device. This means that if we set the mac address of someone who has already been identified, we can safely use the network. And, as we'll see later, my intuition was right.
To attack, I decided to use the utilities from the aircrack-ng package and the TL-WN722N WiFi adapter with an external antenna for greater coverage. First, I connected the adapter and used airodump-ng to switch it to monitor mode. I described this process briefly.
Getting the output:
wlx60e32719503f is our adapter
We kill the processes that use the adapter and switch it to monitor mode.
We can see that there is a new network interface - wlan0mon. Launching it
We wait a couple of minutes, and we get this sign
We are interested in the BSSID (Mac address of the access point), CH (channel), and ESSID (network name) fields. Using the ESSID field, I found the network of interest (it is the sixth in a row). We take the mac address of the access point (CC:B2) from the table:**:**:**:FC), the channel (channel 4) on which it works and transmit them to airodump-ng:
We wait for some time, and now we get the following output.
The first table has only one row. This is our attacked network. In the second table, we see a list of clients of this network. We are interested in the STATION field. These are the Mac addresses of clients, and we save them to a text file. We need to replace our mac address with one of them. I chose the mac of the penultimate client (1C: CD:**:**:**:43), since this client is the most active in the network, and therefore, it must have passed identification.
As everyone knows (and I hope you know), it will be difficult for two devices with the same mac addresses to get along on the same network. And now we have 2 options.
You can use the aireplay-ng utility to deauthenticate our client from the network
Fortunately, this customer quickly left. Now all we have to do is set its mac address for ourselves. There are many ways to change the mac address to linux. The easiest way is to specify the desired mac address directly in the network settings.
The Mac address is specified. now we can connect to the point and check Internet access with the ping command.
I tried to go to Google, and several other sites-successfully.
Conclusion
Thus, we found out that SMS authorization can be easily circumvented by replacing your mac address with the mac address of a client that has already been identified.
Disclaimer
This article is written for informational purposes only. All trademarks and names of Wi-Fi networks in this article are fictional, and all coincidences are random.
To the point...
To find a suitable victim, I took a laptop with Debian on Board and went to the nearest pizzeria. There were a couple of shopping centers nearby, and a few other eateries, which guaranteed me to find the right "victim". I connected to one of the networks available to me, then opened the browser to go to the cherished one habr.com and here's what I saw:
This access point was controlled by one of providers. I was offered to use this network as a guest at the lowest speed, get a premium for $ 2, or (if I am a client of this provider) log in through my personal account. And, of course, I took a path not included in this list (otherwise, why would I have started writing this article).
I knew from my own experience that if you pass identification on one access point of this provider, then when connecting the same device to another point, you didn't need to pass identification (later it turned out that this is the case for all providers that provide sms authorization). Identification was not required even when using a different browser. This means that the provider somehow remembers our hardware. The very first thing that occurred to me was that the provider remembers the mac address of our device. This means that if we set the mac address of someone who has already been identified, we can safely use the network. And, as we'll see later, my intuition was right.
To attack, I decided to use the utilities from the aircrack-ng package and the TL-WN722N WiFi adapter with an external antenna for greater coverage. First, I connected the adapter and used airodump-ng to switch it to monitor mode. I described this process briefly.
Code:
sudo-s # we will work with super user rights
ifconfig # we are looking at the name of the adapter that we want to useGetting the output:
Code:
...
wlx60e32719503f: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 2a:36:62:d5:ec:63 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...wlx60e32719503f is our adapter
We kill the processes that use the adapter and switch it to monitor mode.
Code:
airmon-ng check kill
airmon-ng start wlx60e32719503fWe can see that there is a new network interface - wlan0mon. Launching it
Code:
airodump-ng wlan0monWe wait a couple of minutes, and we get this sign
We are interested in the BSSID (Mac address of the access point), CH (channel), and ESSID (network name) fields. Using the ESSID field, I found the network of interest (it is the sixth in a row). We take the mac address of the access point (CC:B2) from the table:**:**:**:FC), the channel (channel 4) on which it works and transmit them to airodump-ng:
Code:
airodump-ng wlan0mon -c 4 --bssid CC:B2:**:**:**:FCWe wait for some time, and now we get the following output.
The first table has only one row. This is our attacked network. In the second table, we see a list of clients of this network. We are interested in the STATION field. These are the Mac addresses of clients, and we save them to a text file. We need to replace our mac address with one of them. I chose the mac of the penultimate client (1C: CD:**:**:**:43), since this client is the most active in the network, and therefore, it must have passed identification.
As everyone knows (and I hope you know), it will be difficult for two devices with the same mac addresses to get along on the same network. And now we have 2 options.
You can use the aireplay-ng utility to deauthenticate our client from the network
Code:
aireplay-ng -0 1000 -a CC:B2:**:**:**:FC -c 1C:CD:**:**:**:43 wlan0mon- "-a CC:B2:**:**:**:FC " is the attacked access point
- "-c 1C: CD:**:**:**:43" — this is the client that we will be disabling
- "-0 1000" - here we specify the type of attack (zero is deauthentication) and the number of deauthentication packets to disable the client if it connects again.
Fortunately, this customer quickly left. Now all we have to do is set its mac address for ourselves. There are many ways to change the mac address to linux. The easiest way is to specify the desired mac address directly in the network settings.
The Mac address is specified. now we can connect to the point and check Internet access with the ping command.
I tried to go to Google, and several other sites-successfully.
Conclusion
Thus, we found out that SMS authorization can be easily circumvented by replacing your mac address with the mac address of a client that has already been identified.
