So my name is Dean Pierce. This is Brandon Edwards. We're undergraduates at Portland State University and we're going to be talking about... Yeah, you got that? I can hear myself. Everyone can hear me all right? Okay, how about now? Hear me all right? All right. We're here to talk on basically MAC-authenticated wireless networks of all sorts. As he introduced ourselves, we're students at Portland State. Okay, basically what we're calling an authenticated network is a network that you need to log in to with a username and password, such as at a lot of universities now and stuff like that. Some people call it a captive portal, and yeah, there are many different implementations of it. There are open source ones like NoCat and whatever, and there are also a lot of other companies coming out now that are implementing these captive portal systems. And they all essentially work in the same manner. Okay, so the one we're going to focus on, for partially legal and partially just reference use, is NoCat. I don't know if any of you are familiar with it. Basically, NoCat is an open source, or at least free, captive-portal-style authenticated network commonly used for wireless networks in cafes and universities. It's used in schools, restaurants, community networks, all over the place. And that's what we are going to focus our talk on for the tool. All right, let's go ahead and go into how this actually works. So we need to analyze how authentication works to realize how we're going to bypass it. If you look at the login process, what a user will have to do on one of these authenticated wireless networks: they'll obviously DHCP for an IP because they won't have predestined information about the network. They'll submit HTTP requests, often over SSL, to a login page to log in. And during authentication, once a username and password is accepted, their MAC and IP address are then added to an allow list on the firewall to forward traffic out to the internet.
This is all pretty common stuff. It basically just forwards it through the gateway. So to look at how that has to be bypassed, you just have to analyze what the authentication is looking at. And basically, for the methods of bypassing to work, it will have to be on a non-switched or wireless network, which is what you guys are here for. And there has to be a currently authenticated or an about-to-authenticate user. So someone who is either sending user information or has already sent user information, has been authenticated, and is routing through the gateway to get access to the internet. Basically, there are three basic steps to bypassing authentication. You identify the MAC address of a target user, the IP address, and you set your route once you've spoofed those MAC and IP. And to the gateway, or to the authentication system, it looks as if you've already authenticated. It's not new, but it can become a little trickier than it seems to gather this information, which we'll go into. So essentially, the program that we wrote, what it does is it creates a database and it gathers information on the current network and it just watches the data flowing by. And it's kind of interesting because it's all completely silent, if you want it to be, where you don't actually have to send out any data on your network card to be able to gather enough information to spoof yourself onto the network. And it essentially just gathers the IP address and the MAC address of anyone that's using the internet or whatever. And when the program starts out, it spawns three threads that search for TCP, UDP, and ARP packets, and then it dissects them as they come in and adds the information to the database as it comes by. So once you've gathered enough information to spoof yourself onto the network, you can use a spoof command that lets you spoof the identity of whatever user. And yeah, if the target was authenticated, then you'll also be authenticated, so you can just bypass it just like you're an authenticated user.
So there are some very basic commands for the Pickup Line program, which is what we named it. And it's a command line program, so when you start it out it gives you a user prompt, and then you type start and it spawns off the three threads that are sniffing. And then you'll start seeing information coming in and it'll just print it off as it goes. And then once you've started to gather some information, you can type list to see all the targets that are available. And then once you think you have a target that you want to use, you use the spoof command to pick a target, and then you just copy all of their information, like the IP address and the MAC address, and you go through the gateway and then you're on the network. And then the exit command will exit the program. Okay, so basically there aren't really many alternatives to the authenticated wireless networks that are in place. And I say that because, as Dean believes, if you're in any sort of wireless network you're shouting across a room, and any way you try to cover that, it's just not going to work. So if you say "I'm someone" and someone else says "I'm that same someone," it's going to work; they're going to be recognized. Wireless is just inherently insecure for that reason. Hot spots are considered to be a gamble for that. I'm quoting that from a security professional who works with wireless networks in the corporate field. And he's gone on to implement similar methods and he's examined other things. I mean, professionals will say it, hackers will say it. There's really not much that can be done to secure these. So some might say, well, what if you add encryption? But that takes out the stupid end user who wants to go to Starbucks, plug in his laptop and just start using it. There are variations of these authenticated networks. This tool will work on all of them, or most of them. There's agreement-of-use-policy authentication. Basically those are free networks you can go to.
Say "yes, I agree, I will not haxer the network with this access," and they'll let you get on. And so, I mean, this tool will bypass you having to agree to that if you really want. There are ones that use user/pass authentication, which is the main method we've been describing. And the tool will observe the traffic, steal the information, figure out the route and set it. And there are variations on those. Certain networks will use just MAC, certain ones will use MAC and IP. And it becomes interesting because if you go to, say, a college network that has this, you can see they did not design it with security in mind. And this is demonstrated because if they only authenticate based off of the MAC address, that means several computers could spoof as one MAC and each computer have a separate IP address, and they all use the network. It's as if nobody seems to even notice that their access point is being completely abused. So there are multiple ways of doing it, and there are alternatives, but wireless is just inherently broken. This is a basic demonstration of a couple of screenshots of the program in action. Essentially you execute the Pickup Line binary and you get the prompt and it says the version number. The current version number is 0.4.5, and it just assumes that you want eth1. You can use the interface command to change which interface you want to use. And you can type help if you want a list of commands or whatever. And then you say start and it gives the thing that's guarding the sniffer, and then it just starts gathering data on the network. Right here, the first thing it got was the gateway MAC address. It probably got that from seeing multiple TCP sessions from different people. And if there's a common MAC address in users' source MAC addresses, then you can pretty much verify that's going to be the gateway. And then it starts adding some targets. And these are people that are just logged on to the network checking email or whatever.
And then after a while it gathers the gateway IP, which can be used to route through. And then once you've gathered some information you use the list command, and when you do a list it looks like this. It says 1, 2, 3 and it has the IP addresses that you can select from. And then what you just do is you use the spoof command and then it asks you what target you want. And then you say target number 3, and then 1 through 1, 2, 5, 2, 2, 5, 5, 0.7, 8, which is an IP address on the wireless network at Portland State University. And it's not actually a window, it's like a picture. It's just a screenshot, unfortunately. We couldn't get a demo, I'm sorry. Yeah, sorry about that. And yeah, so then once you say spoof, it brings down the interface and spoofs the MAC address. Then it brings up the interface with the certain IP address. And then we found out recently that there are a lot of different captive portals that'll use different netmasks. And so a lot of times it doesn't automatically detect it, but in this case it does. And it'll also grab netmasks out of DNS requests; it'll notice those. But you haven't gathered the netmask at this point, so it'll just guess it anyway. And it'll set the route through 131.252.200.10, which is the local router on the wireless network there. And that's essentially it. And then you're online, you can browse Google or do whatever. So yeah, the attack can seem trivial if you're doing it. And it can easily be done by hand, but there are things that do make it a little trickier, like determining the route. Particularly if you want to make it a silent attack without actually DHCPing to that server, therefore not giving out any of your personal information like your MAC address. And peas with that is that this tool will watch traffic go by and determine not just a target for you, but a route as well, which is beneficial. That entire demonstration that was shown didn't send out a single packet the whole time it was there.
It doesn't even need an IP address. So yeah, all you need to do is bring up the interface and it'll sniff and get all the information it needs. And right now, okay, the required library is libpcap so that it can sniff, and then pthreads for the threading. And then, yeah, if anybody wants to, like, port it to OS X or to Windows or anything like that, we'd be glad to help out. And we would love for you to help out. And right now it's written for Linux. It'll work in most Linux environments. It'll probably work in a lot of BSD environments or whatever. And there are our contact email addresses: pierce.de at pdx.edu. Okay. And then Brandon at datatactic.com. And if you want to download the latest version of the program, it's at that URL there that some of you might be able to see. It's at web.pdx.edu. Yeah, there. Tilde, pierce.de slash cs.peko. Okay. Are there any questions or anything interesting? Yeah. Do you know what the authentication methods are for that or how deep it gets? If it's a user, if it does authentication by adding a MAC to the iptables allow list to route traffic, then yes, this will work on it. I mean, basically any implementation that doesn't do, I mean, any public implementation of such authentication will be broken simply because wireless, I mean, wireless, unless you use encryption, it's going to be. They broadcast; the information happens when they stream, when they go to any website, the information is shot out in the air because it's wireless. So if you can intercept it, you can figure out that they've been authenticated and what their route is for, you know, using, what was that? Right. Right. It's the user that you target, really. Yeah, we have also a question. Yeah, a question? You would think that, and in our testing that hasn't happened. In actual switched networks with Windows, Windows will pop up and say, yeah, there's another person using this IP address.
But due to TCP using, you know, individual sequence numbers for each connection, we never get any collisions with that. And for some reason over wireless networks, Windows never seems to notice, or Linux or BSD; they never notice, they don't even get kicked off. They just share the connection with you. They pay for it, you use it. It figures out the route by watching the packets. I mean, he can tell you more of the logic behind that, but it watches the packet go through. And at the head of every packet, there's the MAC address of the gateway. We snag that gateway and then we ARP-resolve the gateway to the IP to set our route. There's a lot of information in the ARP packets that travel around, too, so it's pretty useful.
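As an added defender-side illustration (not code from the talk or from the Pickup Line tool), the Python below applies two observations from the talk to a constructed frame sample: the gateway MAC is the one that the most distinct client source IPs send to, and on a MAC-only portal several hosts can share one MAC with separate IPs, or one IP can suddenly be sourced by a second MAC. A captive-portal operator watching the wireless side can flag both pairings. The frame tuples, addresses and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of frames as (src MAC, src IP, dst MAC), the fields a
# passive sniffer on the wireless side sees; not real captured data.
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"  # assumed gateway, used only to build the sample
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "131.252.200.41", GATEWAY_MAC),
    ("66:77:88:99:aa:bb", "131.252.200.77", GATEWAY_MAC),
    ("00:11:22:33:44:55", "131.252.200.41", GATEWAY_MAC),
    # return traffic: the gateway legitimately sources many different IPs
    (GATEWAY_MAC, "198.51.100.7", "00:11:22:33:44:55"),
    (GATEWAY_MAC, "198.51.100.9", "66:77:88:99:aa:bb"),
    # a second host reusing the first client's MAC with its own IP
    ("00:11:22:33:44:55", "131.252.200.90", GATEWAY_MAC),
    # a host using the second client's IP from a different MAC
    ("cc:dd:ee:ff:00:11", "131.252.200.77", GATEWAY_MAC),
]


def guess_gateway(frames):
    """Gateway heuristic from the talk: the destination MAC that the largest
    number of distinct client source IPs send to."""
    client_ips_by_dst = defaultdict(set)
    for _src_mac, src_ip, dst_mac in frames:
        client_ips_by_dst[dst_mac.lower()].add(src_ip)
    return max(client_ips_by_dst, key=lambda m: len(client_ips_by_dst[m]))


def find_conflicts(frames, gateway_mac=None):
    """Return two dicts: MAC -> sorted IPs for MACs that source more than one
    IP (gateway excluded, since it relays many IPs), and IP -> sorted MACs for
    IPs sourced by more than one MAC. A host that clones BOTH the MAC and the
    IP of a client is invisible to this check; that is the talk's point."""
    gateway_mac = (gateway_mac or guess_gateway(frames)).lower()
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for src_mac, src_ip, _dst_mac in frames:
        mac = src_mac.lower()
        ips_by_mac[mac].add(src_ip)
        macs_by_ip[src_ip].add(mac)
    mac_multi_ip = {m: sorted(v) for m, v in ips_by_mac.items()
                    if m != gateway_mac and len(v) > 1}
    ip_multi_mac = {i: sorted(v) for i, v in macs_by_ip.items() if len(v) > 1}
    return mac_multi_ip, ip_multi_mac


if __name__ == "__main__":
    multi_ip, multi_mac = find_conflicts(SAMPLE_FRAMES)
    for mac, ips in multi_ip.items():
        print(f"MAC {mac} seen with several IPs: {', '.join(ips)}")
    for ip, macs in multi_mac.items():
        print(f"IP {ip} seen from several MACs: {', '.join(macs)}")
```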