Bypassare captive portal

http://blog.wains.be/2009/04/24/howto-setting-up-dns2tcp/

Howto : setting up dns2tcp

Posted on April 24, 2009
The following article has been tested on Debian Etch (server) and Debian Lenny and Mac OS X (clients).Edit 03/2011 : dns2tcp client v0.5 won’t work with dns2tcp server v0.4.I’m not gonna explain what dns2tcp is, just how to get it running in less than 30 minutes.
You need :
– a public server, reachable from anywhere, its UDP/53 port must be free (no DNS service running) and reachable (not filtered)
– a domain name or subdomain dedicated for dns2tcp
– a dns2tcp client computer, your laptop usually
– a “restricted” network (captive portal, firewalled network, paying hotspot) allowing DNS requests (in our examples, we’ll be using Google DNS server 8.8.8.8, but you can try to use the LAN DNS)
Considerations :
dns2tcp public server IP : srv1.example.org (IP 1.2.3.4)
dns2tcp subdomain : tunnel.example.org (this doesn’t need an A record, just a NS record pointing to srv1.example.org)
dns2tcp resources (services which dns2tcp will make available to us) :
– SSH on TCP/22 at srv1.example.org (same machine as dns2tcp)
– SSH on TCP/22 at srv2.example.org (1.2.3.5)
DNS :
Create a NS record for the subdomain tunnel.example.org pointing to address srv1.example.orgIn ISC BIND :
tunnel.example.org. IN NS srv1.example.org.The NS you specify is NOT a DNS server, it’s the dns2tcp server !Hint : everydns.net allows creation of NS records for subdomains. Not all control panels do (Enom for example).
Server :
Install dns2tcp on srv1.example.org (apt-get install dns2tcp on Debian)
Edit the file /etc/dns2tcpd.conf like this :listen = 0.0.0.0
port = 53
user = nobody
chroot = /some/directory/
domain = example.org
ressources = ssh-home:127.0.0.1:22 , ssh-work:srv2.example.org:22
Start dns2tcp server with /etc/init.d/dns2tcp start
Make sure it’s running with ps and listening with netstat.
Client :
Don’t forget the client must already be installed on your computer when you are on the restricted network :-)
Install it right now : apt-get install dns2tcp on Debian or build it through macports on Mac OS X.Connect to the restricted network.Run the command :
dns2tcpc -z example.org 8.8.8.8
If the system is working you should see :
Available connection(s) :
ssh-home
ssh-workRun the full command now :
dns2tcpc -z example.org -l 12345 -r ssh-home 8.8.8.8
8.8.8.8 is the DNS server that will relay the encapsulated DNS requests to our dns2tcp server.
If the network restricts the use of external DNS servers, check your /etc/resolv.conf to get the DNS servers on the local network.Now dns2tcp will listen on port TCP/12345 (option “-l 12345″) and will give you access to the resource “ssh-home” through that port.Now connect to your SSH server through dns2tcp on port TCP/12345 :
ssh user@localhost -p 12345 -D 1080
You should connect to your home server !The “-D 1080″ option will create a SOCKS proxy on your local machine on port TCP/1080.Now set up your browser or any other program (like Pidgin if you want to chat) to use the SOCKS proxy at address 127.0.0.1 and port 1080.
You can also set the systemwide parameter for SOCKS proxy from the preferences panel of your OS.You should now be able to browse the internet.You can store a config file on the client computer if you don’t want to type the command everytime.. this is the config corresponding to the command :/home/USER/.dns2tcprc :domain = example.org
ressource = ssh-home
local_port = 12345
server = 8.8.8.8
This way, you just need to run dns2tcpc without argument.
If you store the config file somewhere else, run dns2tcpc -f /where/the/config/resides/dns2tcp.conf
Please note :
Your traffic is encapsulated inside small DNS packets (some firewalls can drop unusually large DNS packets), is encrypted because of SSH, etc.
This adds overhead, which makes browsing the web a bit slow but still convenient.
I’ve been able to reach 25 KB/s down and 20 KB/s BUT I haven’t been able to transfer large files though, it was taking forever to attach a 3 MB pictures to a mail in Gmail (wifi + UDP + small packets is a terrible mix)
A good idea is to use mobile versions of websites, they load faster.
To give you an idea, it can take up to a minute to display maps on Google Maps.
Since you are going through the SOCKS proxy created by the SSH connection, your traffic is encrypted and wifi users can’t snoop on you.
Obviously you can define anything as a resource in dns2tcp, for example you can point to a public web proxy but your traffic wouldn’t be encrypted !
The owner of the restricted network may notice unusually high DNS traffic while you are surfing (especially if you’re the only person using the wifi network in the hotel).

http://www.fosk.it/how-to-bypass-firewalls-or-captive-portals-with-dns2tcp.html

Have you ever found an open wireless access and when opening your browser you get a nice login screen asking you a credit card number (a captive portal)? What’s next? Make your choice: fill the form with the magic numbers or try to bypass this security mechanism!

Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warning to the client and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (ex: suspicious big packets). On the other side, there are often less restriction regarding DNS traffic.

In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.

Required components

  • An official registered domain name. Example: mydomain.net
  • A server with a public IP address not running any DNS service. The server must run UNIX[1]. Example: my.public.server.isp.com

[1] I successfully tested dns2tcp on Linux and client also on iPhone.

Domain name zone configuration

Choose a subdomain name for your domain. In this example, we will use a subdomain dnstunnel.mydomain.net. Add the following line in your zone file:

dnstunnel    IN     NS your.public.server.isp.com.

Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask you ISP or hoster to do this for you.

Server configuration

(these operations are performed on your public server)

Download the tarball and compile the binaries:

# cd /tmp
# tar xzvf dns2tcp-0.3.tar.gz
# cd dns2tcp-0.3
# configure
# make install

This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:

# cat >/etc/dns2tcpd.conf <<EOF
listen = w.x.y.z
port = 53
user=nobody
chroot = /var/empty/dns2tcp/
domain = dnstunnel.mydomain.net
ressources = ssh:127.0.0.1:22
EOF
#

Be sure to replace the domain and the IP address with your own values! The port must be 53!

Now, start the daemon:

# ./dns2tcpcd -F -d 1 -c dns2tcpd.conf

“-F” means to run in foreground and “-d 1? enables debugging.

Client configuration

Perform the same operations as on the server side. (configure && make install). Then create the client configuration file/etc/dns2tcpc.conf:

# cat >/etc/dns2tcpc.conf <<EOF
domain = dnstunnel.mydomain.net
ressource = ssh
local_port = 2222
debug_level=1
EOF
#

Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be binded by a non-root user!

Now, check if we can communicate with the server:

# ./dns2tcpc -z dnstunnel.mydomain.net <dns_server>
Available connection(s) :
	        ssh

The dns_server can be your public server or, if you are forced, the local DNS.

Start a SSH session

Now, we are ready to start a tunnel with encapsulated SSH packet:

# ./dns2tcpd -c -f dns2tcpc.conf
listening on port 2222
...

Now, start your SSH session:

# ssh -p 2222 user@127.0.0.1
...

Here we go! You’ve a session on your public server!

If you start your SSH as a socks proxy with the “-D” and configure your browser to surf thru this tunnel.

You can create as mush resources as you want on the server but packets send thru the DNS tunnel are not encrypted so SSH is recommanded as the best solution.

http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/

dns2tcp: How to bypass firewalls or captive portals?

Imagine, you are in your hotel room in a foreign country, your laptop detects a wireless access. You open your browser and get a nice login screen asking you a credit card number (a captive portal). What’s next? Make your choice: fill the form with the magic numbers or try to bypass this security mechanism.

This tutorial is provided “as is” for who are interested in encapsulating TCP into DNS traffic. I could not be held responsible for any misusage of this tutorial!

Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warning to the client and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (ex: suspicious big packets). On the other side, there are often less restriction regarding DNS traffic.

In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.

Required components

  • An official registered domain name. Example: mydomain.net
  • A server with a public IP address not running any DNS service. The server must run UNIX[1]. Example: my.public.server.isp.com

[1] I successfully tested dns2tcp on Linux and OpenBSD.

Domain name zone configuration

Choose a subdomain name for your domain. In this example, we will use a subdomain dnstunnel.mydomain.net. Add the following line in your zone file:

dnstunnel    IN     NS your.public.server.isp.com.

Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask you ISP or hoster to do this for you.

Server configuration

(these operations are performed on your public server)
Download the tarball and compile the binaries:

# cd /tmp
# tar xzvf dns2tcp-0.3.tar.gz
# cd dns2tcp-0.3
# configure
# make install

This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:

# cat >/etc/dns2tcpd.conf <<EOF
listen = w.x.y.z
port = 53
user=nobody
chroot = /var/empty/dns2tcp/
domain = dnstunnel.mydomain.net
ressources = ssh:127.0.0.1:22
EOF
#

Be sure to replace the domain and the IP address with your own values! The port must be 53!
Now, start the daemon:

# ./dns2tcpd -F -d 1 -c dns2tcpd.conf

“-F” means to run in foreground and “-d 1″ enables debugging.

Client configuration

Perform the same operations as on the server side. (configure && make install). Then create the client configuration file/etc/dns2tcpc.conf:

# cat >/etc/dns2tcpc.conf <<EOF
domain = dnstunnel.mydomain.net
ressource = ssh
local_port = 2222
debug_level=1
EOF
#

Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be binded by a non-root user!
Now, check if we can communicate with the server:

# ./dns2tcpc -z dnstunnel.mydomain.net <dns_server>
Available connection(s) :
	        ssh

The dns_server can be your public server or, if you are forced, the local DNS.

Start a SSH session

Now, we are ready to start a tunnel with encapsulated SSH packet:

# ./dns2tcpd -c -f dns2tcpc.conf
listening on port 2222
...

Now, start your SSH session:

# ssh -p 2222 user@127.0.0.1
...

Here we go! You’ve a session on your public server!
If you start your SSH as a socks proxy with the “-D” and configure your browser to surf thru this tunnel.
You can create as mush resources as you want on the server but packets send thru the DNS tunnel are not encrypted so SSH is recommanded as the best solution.
Enjoy!

http://karn-bttools.blogspot.com/2011/09/bypass-captive-portal-authentication.html

Bypass Captive Portal Authentication

1. Captive portal-
open authentication
mac filtering
no encryption

2. Four ways to do bypass the restriction of captive portal-
1. Session stealing
2. DNS tunneling
3. Ping tunneling
4. Evil-Twin method

Session Stealing method


1. Install Backtrack
2. Turn wifi card up – ifconfig wlan0 up
3. Turn wifi card into monitor mode- airmon-ng start wlan0
4. airodump-ng mon0
5. airodump-ng –bssid macaddress mon0
6. copy the mac address of active client associateed with that
7. mon0 interface down
8. wlan0 interface down
9. macchanger -m clientmacaddress wlan0
10. wlan0 interface up
11. wicd
12. wireless manager- connect the network

Un pensiero su “Bypassare captive portal”

Lascia un commento

Inserisci i tuoi dati qui sotto o clicca su un'icona per effettuare l'accesso:

Logo WordPress.com

Stai commentando usando il tuo account WordPress.com. Chiudi sessione / Modifica )

Foto Twitter

Stai commentando usando il tuo account Twitter. Chiudi sessione / Modifica )

Foto di Facebook

Stai commentando usando il tuo account Facebook. Chiudi sessione / Modifica )

Google+ photo

Stai commentando usando il tuo account Google+. Chiudi sessione / Modifica )

Connessione a %s...