Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Bypassing wifi pay-walls with
Android
Pau Oliva Fora
<pof@eslack.org>
@pof
Agenda
Typical wifi pay-wall solutions
Networking 101: understanding the weaknesses
Abusing the weaknesses with a shell script
Android port (for fun and no-profit)
Attack mitigation recommendations
TYPICAL WIFI PAY-WALL
SOLUTIONS
Typical wifi pay-wall solutions
Unauthenticated users redirected to a captive
portal website, asking for credentials or payment
Gateway replies to all ARP requests with its own
MAC address (used for client isolation):
Who has 192.168.30.15?
192.168.30.15 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.32?
192.168.30.32 is at 1e:a7:de:ad:be:ef
Who has 192.168.30.77?
192.168.30.77 is at 1e:a7:de:ad:be:ef
iptables -
HTTP traffic
Sends a 301 to an HTTPs webserver
Authenticate the user via RADIUS
Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
IP Address
MAC Address
HTTPS Cookie
[Diagram labels: Authenticated sessions, Unauthenticated sessions]
NETWORKING 101:
UNDERSTANDING THE
WEAKNESSES
Networking 101: understanding
the weaknesses
MAC addresses can be spoofed
ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
ip link set dev wlan0 address 00:00:8b:ad:f0:0d
IP addresses can be spoofed
ifconfig wlan0 192.168.30.49
ip addr add 192.168.30.49 dev wlan0
We only need to find an authenticated host
Bonus: Sometimes APs or switches can reach the
internet! :)
ABUSING THE WEAKNESSES
WITH A SHELL SCRIPT
Abusing the weaknesses with a
shell script
Loop through all IP addresses
Get the MAC address for each IP
If MAC == Gateway MAC: use arping and discard the
host IP/MAC
Test for internet access (eg: ping 8.8.8.8)
ANDROID PORT (FOR FUN
AND NO-PROFIT)
ATTACK MITIGATION
RECOMMENDATIONS
Attack mitigation recommendations
1. Use proper layer 2 user isolation (e.g. PSPF on Cisco gear)
2. Use switchport
on Cisco gear)
Extra protection (sniff wlan traffic):
Do not allow traffic from the same MAC address on different
switchport port- causes
All major WISPs in Spain are vulnerable to this attack (*except one)
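
The "extra protection" idea above, sketched as an added example (not code from the slides or from the author): a monitor that flags a MAC address whose frames keep alternating between attachment points, which is how a cloned client looks from the network side, while a client that roams once is left alone. Reading "different" on the cut-off slide line as different access points or switch ports is an assumption, as are the Frame record, the AP labels, the 10-second window and the three-move threshold; the sample frames are constructed.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Frame(NamedTuple):
    ts: float      # seconds since the start of the capture
    mac: str       # source MAC address of the frame
    attach: str    # AP or switch port that received it (hypothetical label)


def normalise_mac(mac):
    """Lower-case, colon-separated form so log variants compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_flapping_macs(frames, window=10.0, min_moves=3):
    """Return {mac: [attachment points]} for every MAC that changed
    attachment point at least `min_moves` times within `window` seconds.

    A roaming client moves once and stays; two stations sharing one MAC
    make the address bounce back and forth for as long as both transmit.
    """
    current = {}                  # mac -> attachment point of its latest frame
    moves = defaultdict(deque)    # mac -> recent (ts, from, to) moves
    flagged = defaultdict(set)

    for frame in sorted(frames, key=lambda f: f.ts):
        mac = normalise_mac(frame.mac)
        previous = current.get(mac)
        current[mac] = frame.attach
        if previous is None or previous == frame.attach:
            continue              # first sighting, or no change of location

        recent = moves[mac]
        recent.append((frame.ts, previous, frame.attach))
        # Drop moves that fell out of the sliding window.
        while frame.ts - recent[0][0] > window:
            recent.popleft()

        if len(recent) >= min_moves:
            for _, src, dst in recent:
                flagged[mac].update((src, dst))

    return {mac: sorted(points) for mac, points in flagged.items()}


# Constructed sample: one MAC active on two APs at once (written in two
# notations, as different log sources would), one client that roams once,
# and one stationary client.
SAMPLE_FRAMES = (
    [Frame(t, "00:00:8b:ad:f0:0d", "ap-lobby") for t in (0, 2, 4, 6, 8)]
    + [Frame(t, "00-00-8B-AD-F0-0D", "ap-bar") for t in (1, 3, 5, 7)]
    + [Frame(t, "aa:bb:cc:00:00:01", "ap-lobby") for t in (0, 2, 4)]
    + [Frame(t, "aa:bb:cc:00:00:01", "ap-bar") for t in (6, 8)]
    + [Frame(t, "aa:bb:cc:00:00:02", "ap-bar") for t in (0, 3, 6, 9)]
)

if __name__ == "__main__":
    for mac, points in find_flapping_macs(SAMPLE_FRAMES).items():
        print(f"possible cloned client {mac} on {', '.join(points)}")
```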
Contact: @pof | <pof@eslack.org> | github.com/poliva

More Related Content

Viewers also liked

Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
RootedCON
 
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
RootedCON
 
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
RootedCON
 
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
RootedCON
 
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
RootedCON
 
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
RootedCON
 
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
RootedCON
 
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedCON
 
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
RootedCON
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
RootedCON
 
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
RootedCON
 
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
RootedCON
 
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
RootedCON
 
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
RootedCON
 
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
RootedCON
 
Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]
RootedCON
 

Viewers also liked (20)

Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
 
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la...
 
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h...
 
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V...
 
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C...
 
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q...
 
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote...
 
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
 
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V...
 
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2]
 
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia]
 
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
RootedSatellite Valencia - Charla inaugural [RootedSatellite Valencia]
 
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
 
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
 
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
 
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
 
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
Joaquín Moreno Garijo – Forense a bajo nivel en Mac OS X [Rooted CON 2014]
 
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
Vicente Díaz - Birds, bots and machines - Fraud in Twitter and how to detect ...
 
Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]Conferencia de apertura [Rooted CON 2014]
Conferencia de apertura [Rooted CON 2014]
 

Similar to Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on
Videoguy
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
technext1
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
Rishu Mehra
 

Similar to Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014] (20)

RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!
 
June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on June 2004 IPv6 – Hands on
June 2004 IPv6 – Hands on
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
Designing of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route AllocationDesigning of SDN-Assisted Bandwidth and Latency Aware Route Allocation
Designing of SDN-Assisted Bandwidth and Latency Aware Route Allocation
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6
 
Chapter 6 : Network layer
Chapter 6 : Network layerChapter 6 : Network layer
Chapter 6 : Network layer
 
Chapter 06 - Network Layer
Chapter 06 - Network LayerChapter 06 - Network Layer
Chapter 06 - Network Layer
 
CCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network LayerCCNAv5 - S1: Chapter 6 - Network Layer
CCNAv5 - S1: Chapter 6 - Network Layer
 
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
 
3hows
3hows3hows
3hows
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
Icnd210 s07l02
Icnd210 s07l02Icnd210 s07l02
Icnd210 s07l02
 
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
Kendel Avaya-Fabric connect - Demo Lab Guide – Spoof Detect & SLPP-6
 

More from RootedCON

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014]

  • 1. Rooted CON 2014 6-7-8 Marzo // 6-7-8 March: Bypassing wifi pay-walls with Android. Pau Oliva Fora <pof@eslack.org> @pof
  • 2. Agenda
      • Typical wifi pay-wall solutions
      • Networking 101: understanding the weaknesses
      • Abusing the weaknesses with a shell script
      • Android port (for fun and no-profit)
      • Attack mitigation recommendations
  • 3. TYPICAL WIFI PAY-WALL SOLUTIONS
  • 4. Typical wifi pay-wall solutions
      • Unauthenticated users redirected to a captive portal website, asking for credentials or payment
  • 5. Typical wifi pay-wall solutions
  • 6. Typical wifi pay-wall solutions
  • 7. Typical wifi pay-wall solutions
      • Gateway replies to all ARP requests with its own MAC address (used for client isolation):
          Who has 192.168.30.15? 192.168.30.15 is at 1e:a7:de:ad:be:ef
          Who has 192.168.30.32? 192.168.30.32 is at 1e:a7:de:ad:be:ef
          Who has 192.168.30.77? 192.168.30.77 is at 1e:a7:de:ad:be:ef
  • 8. Typical wifi pay-wall solutions
      • iptables - HTTP traffic
  • 9. Typical wifi pay-wall solutions
      • iptables - HTTP traffic
      • Sends a 301 to an HTTPS webserver
  • 10. Typical wifi pay-wall solutions
      • iptables - HTTP traffic
      • Sends a 301 to an HTTPS webserver
  • 11. Typical wifi pay-wall solutions
  • 12. Typical wifi pay-wall solutions
  • 13. Typical wifi pay-wall solutions
      • Authenticate the user via RADIUS
  • 14. Typical wifi pay-wall solutions
  • 15. Typical wifi pay-wall solutions
      • Authenticate the user via RADIUS
      • Once the user is authenticated, the gateway (NAS) knows about it by a combination of:
          • IP Address
          • MAC Address
          • HTTPS Cookie
      • Authenticated sessions
      • Unauthenticated sessions
  • 16. Typical wifi pay-wall solutions
  • 17. NETWORKING 101: UNDERSTANDING THE WEAKNESSES
  • 18. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
          ifconfig wlan0 hw ether 00:00:8b:ad:f0:0d
          ip link set dev wlan0 address 00:00:8b:ad:f0:0d
      • IP addresses can be spoofed
          ifconfig wlan0 192.168.30.49
          ip addr add 192.168.30.49 dev wlan0
  • 19. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
      • IP addresses can be spoofed
      • We only need to find an authenticated host
  • 20. Networking 101: understanding the weaknesses
      • MAC addresses can be spoofed
      • IP addresses can be spoofed
      • We only need to find an authenticated host
      • Bonus: Sometimes APs or switches can reach the internet! :)
  • 21. ABUSING THE WEAKNESSES WITH A SHELL SCRIPT
  • 22. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
  • 23. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the
  • 24. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the host IP/MAC
  • 25. Abusing the weaknesses with a shell script
      • Loop through all IP addresses
      • Get the MAC address for each IP
      • If MAC == Gateway MAC: use arping and discard the host IP/MAC
      • Test for internet access (eg: ping 8.8.8.8)
  • 26. Abusing the weaknesses with a shell script
  • 27. ANDROID PORT (FOR FUN AND NO-PROFIT)
  • 28. Android port (for fun and no-profit)
  • 29. Android port (for fun and no-profit)
  • 30. Android port (for fun and no-profit)
  • 31. ATTACK MITIGATION RECOMMENDATIONS
  • 32. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
  • 33. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      • Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
  • 34. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      • Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
      • All major WISP in Spain are vulnerable to this attack (*except one)
  • 35. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      • Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
      • All major WISP in Spain are vulnerable to this attack (*except one)
  • 36. Attack mitigation recommendations
      1. Use a proper layer 2 user isolation (eg: PSPF on Cisco gear)
      2. Use switchport on Cisco gear)
      • Extra protection (sniff wlan traffic): Do not allow traffic from the same MAC address on different switchport port- causes
      • All major WISP in Spain are vulnerable to this attack (*except one)
  • 37. Contact: @pof | <pof@eslack.org> | github.com/poliva
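
The "extra protection" item on slides 33-36 (no traffic from the same MAC address on different switchports) can also be run as a monitoring check. The following is an added example, not code from the talk: it flags a MAC that flips between ports while both stay active, and leaves a one-way move (roaming) alone. The observation tuples, port names, `window` and `min_flaps` are assumptions; 00:00:8b:ad:f0:0d is the sample MAC from slide 18.

```python
from collections import defaultdict

# Constructed sample: (epoch seconds, source MAC, switch port) per frame seen.
OBSERVATIONS = [
    (1000, "00:00:8b:ad:f0:0d", "ap1/3"),
    (1005, "aa:bb:cc:00:00:01", "ap1/4"),
    (1010, "00:00:8B:AD:F0:0D", "ap2/7"),  # same MAC appears on a second port
    (1012, "00:00:8b:ad:f0:0d", "ap1/3"),  # ...while the first is still active
    (2000, "aa:bb:cc:00:00:02", "ap1/1"),
    (2010, "aa:bb:cc:00:00:02", "ap2/2"),  # one-way move: ordinary roaming
    (5000, "aa:bb:cc:00:00:01", "ap2/2"),  # moved after a long silence
]


def find_cloned_macs(observations, window=60, min_flaps=2):
    """Return {mac: {"ports": [...], "flaps": n}} for MACs that change port
    at least `min_flaps` times, each change within `window` seconds of the
    previous frame from that MAC."""
    last = {}                    # mac -> (timestamp, port) of the latest frame
    flaps = defaultdict(int)     # mac -> number of rapid port changes
    ports = defaultdict(set)     # mac -> ports involved in those changes
    # Normalise MAC case so 8B:AD and 8b:ad count as the same station.
    for ts, mac, port in sorted((t, m.lower(), p) for t, m, p in observations):
        if mac in last:
            prev_ts, prev_port = last[mac]
            if port != prev_port and ts - prev_ts <= window:
                flaps[mac] += 1
                ports[mac].update((prev_port, port))
        last[mac] = (ts, port)
    return {m: {"ports": sorted(ports[m]), "flaps": n}
            for m, n in flaps.items() if n >= min_flaps}


if __name__ == "__main__":
    for mac, info in find_cloned_macs(OBSERVATIONS).items():
        print(f"ALERT {mac}: {info['flaps']} port changes across {info['ports']}")
```

A single move between ports inside the window is treated as roaming, so a cloned MAC is only reported once the address has been seen returning to a port it left.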