Monday 3 November 2014

Spoofing MAC filters and Captive Portals on Public Wifi Networks

MAC filters are implemented on networks to white-list particular devices and restrict access to the access point. At many public internet access points, a Captive Portal service is used to authenticate users, but what this service does to maintain the session is track the MAC addresses of the authorised devices. As MAC filtering is not inherently part of the WiFi 802.11 standards, getting past the captive portal with a masked or spoofed MAC address is fairly easy. Here is how:

1. Starting the Wireless Card in Monitor Mode

To make the wireless card listen passively to the wireless transmissions happening around it, we first need to start the wireless card in monitor mode. The command is:

airmon-ng start wlan0

Here, wlan0 is the name of the wireless card.

2. Obtaining the MAC Address of a Target Client

For spoofing the MAC filter, we need the MAC address of a client that our device will impersonate. So we start looking at the wireless transmissions with:

airodump-ng wlan0

This presents us with the BSSIDs of the access points in range and also the Station IDs of the clients that are connected to these access points. Try to recognise the access point from its ESSID; it is generally the string name of the access point. Make your card switch to the same channel as the access point with:

iwconfig mon0 channel 6

where mon0 is the monitoring interface that was created and channel 6 is the channel the access point transmits on.

3. Spoofing

So now we try a fake authentication using the MAC address of an already logged-in client:

aireplay-ng --fakeauth 10 -e MyWiFi -h 01:F6:45:E8:D6:09 mon0

where 10 is the number of seconds after which to resend the fake authentication request,
MyWiFi is the ESSID of the access point, and
01:F6:45:E8:D6:09 is the MAC address of the client we are impersonating.

This results in a successful authentication and association message, which indicates a successful connection to the access point using the spoofed MAC address.
So now that you are finally in, enjoy the free access!
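Because the portal session described above is keyed only on the client's MAC address, the defensive side of this is detection (and, in the long run, per-user authentication such as 802.1X/WPA2-Enterprise instead of MAC-keyed sessions). The script below is an added example, not code from the original post or from the aircrack-ng project. It applies the well-known sequence-number heuristic: every 802.11 frame carries a 12-bit sequence number that a single radio increments by one per frame, so when two radios transmit with the same source MAC (the legitimate client and an impersonator) the per-MAC sequence stream repeatedly jumps backwards. The frame records, MAC addresses and function names are constructed for this example; in practice the (timestamp, source MAC, sequence number) tuples would come from a monitor-mode capture, for instance the tshark fields frame.time_epoch, wlan.sa and wlan.seq.

```python
"""Flag client MAC addresses that appear to be used by more than one radio.

Added example (not from the original post). Input is a time-ordered list of
(timestamp, source_mac, seq_num) tuples taken from a monitor-mode capture on
the access point's channel.
"""
from collections import defaultdict

SEQ_MOD = 4096  # the 802.11 sequence-control field holds a 12-bit sequence number


def backward_gap(prev_seq, cur_seq):
    """How far cur_seq lies *behind* prev_seq (0 if it moved forward).

    The shorter modular distance decides the direction, so the 4095 -> 0
    wrap-around of a single radio counts as a forward step of one.
    """
    gap = (prev_seq - cur_seq) % SEQ_MOD
    return gap if gap < SEQ_MOD // 2 else 0


def find_spoofed_macs(frames, max_backward=3, min_events=2):
    """Return {mac: [(timestamp, prev_seq, cur_seq), ...]} for suspicious MACs.

    A single radio only steps its counter backwards on a retransmission
    (same number again) or after frames the sniffer missed, so a backward
    jump larger than max_backward is a "collision" event. A MAC is reported
    once it has at least min_events such events, which is what two
    interleaved counters sharing one address look like.
    """
    last_seq = {}
    events = defaultdict(list)
    for ts, mac, seq in frames:
        prev = last_seq.get(mac)
        if prev is not None:
            gap = backward_gap(prev, seq)
            if gap > max_backward:
                events[mac].append((ts, prev, seq))
        last_seq[mac] = seq
    return {mac: ev for mac, ev in events.items() if len(ev) >= min_events}


def build_sample_frames():
    """Constructed capture: one honest client, one wrap-around client, and
    one MAC that is being transmitted by two radios at once."""
    shared = "aa:bb:cc:dd:ee:01"          # constructed: legitimate client + impersonator
    frames = []
    # legitimate client, counter around 100, one frame every 2 s
    frames += [(float(2 * i), shared, 100 + i) for i in range(6)]
    # impersonator using the same MAC, counter around 3000, offset by 1 s
    frames += [(float(2 * i + 1), shared, 3000 + i) for i in range(5)]
    # honest client with one retransmitted frame (502 repeated)
    honest = "11:22:33:44:55:66"           # constructed
    frames += [(20.0 + i, honest, s) for i, s in enumerate([500, 501, 502, 502, 503, 504])]
    # honest client whose counter wraps from 4095 to 0
    wrap = "de:ad:be:ef:00:01"             # constructed
    frames += [(30.0 + i, wrap, s) for i, s in enumerate([4094, 4095, 0, 1])]
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    suspicious = find_spoofed_macs(build_sample_frames())
    for mac, ev in suspicious.items():
        print(f"{mac}: {len(ev)} backward sequence jumps, e.g. {ev[0]}")
```

Tune max_backward to the capture quality: a noisy channel with many missed frames produces larger apparent gaps, and a high min_events keeps a single stray retransmission from raising an alert. The heuristic cannot tell which radio is the impersonator; it only shows that a MAC-keyed session is being shared.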

Got any queries?
How far could you follow?
Leave your comments below.
