L33ching the L33chers: Using a Portable Wireless Network
by DieselDragon (firstname.lastname@example.org)
0x00 - Introduction
If there is one truth in today's ever connected world, it's the fact that the general public loves free wireless Internet access. Public Wi-Fi networks now exist in almost every restaurant, every major railway station and airport, and even on board long-distance trains. However, with many of these public networks, such as "The Cloud" in London, charging users for their access, you can often see people scanning the airwaves in the hope of finding a free and open route to the Internet before they are forced to part with their hard-earned cash.
In this article, I will explore some of the basic principles of portable networks and the possibilities that they open up for many interesting and useful activities. Obviously, the standard disclaimers apply to this educational article, and you are the only one responsible for anything that you use the following information for. To try and keep this article to more readable proportions, I'm going to concentrate mainly on the theory behind portable networks and their uses... If you need more information on a specific aspect of this article, Google is your friend!
0x01 - Portable Networks, or "PortaNets"
As one may imagine from the name, a PortaNet is a complete network that exists in a portable and easily transportable form. Although potential variants of a PortaNet may run into the thousands, depending on what use they are intended for, a general purpose PortaNet might be composed of the following:
Uplink: A device that forms the upstream (Internet-side) connection to the PortaNet, such as a Wi-Fi card/dongle, GSM/GPRS data modem, or Ethernet link.
Downlink: As above, but forms the downstream (network-side) connection to the PortaNet. For having phun in public places, this should ideally be a Wi-Fi card/dongle that's capable of functioning in Access Point (AP) mode. For more overt applications, any old AP or wired switch/hub will do.
Server: A device used to connect the Uplink and Downlink together, and to host any applications (Such as Wireshark) or services (DNS, Apache etc.) that may be needed. In practice, this would be a laptop; preferably one with a decent amount of RAM and CPU power if anything more complex than general eavesdropping is planned.
Power Source: Even with the most modern batteries and power-saving techniques, a PortaNet will drink a lot of juice in general operation... so having a convenient power outlet at hand is most advisable.
The main principle of a PortaNet is that all traffic from the inside of the network passes across the server (laptop) as it goes to and from the Internet. This offers up a wide range of possibilities for what can be done with that traffic given that, in such a case, we have full control over the victim's Internet connection. Aside from the typical eavesdropping exercises, it is also theoretically possible to change and/or redirect content en-route, something that I outline in clearer detail in Section 0x03.
0x02 - Brief Scenario and Setup
The departures lounge at Stansted is typical of most U.K. airports. Thousands of travelers pass through it every day en-route to various destinations, and the captive audience of passengers awaiting their flights is a veritable goldmine for the operators of pay Wi-Fi hotspots. Many people will often reach for their laptops whilst awaiting departure, and it probably comes as no surprise to find that, no matter how much you scan the air, you won't find a cost-free route to the Internet in any departures lounge where pay Wi-Fi is available!
It is in these situations where our PortaNet comes in. By purchasing an access code for the pay Wi-Fi network (or firing up Wireshark and grabbing someone else's) and setting our uplink card to use that network, we give ourselves a route to the Internet. We then set up the downlink card to form a separate, open, and unsecured network that, to a casual observer, might look like an old AP that's simply been plugged in and long forgotten about. Of course, all communications between the two cards run across the laptop and it is here where our eavesdropping (or whatever) applications are being run.
As I said at the beginning of this article, Joe Public loves to have free Wi-Fi access... and he loves nothing better than to find a connection that appears to be running on default out-of-box settings. Therefore, setting the downlink card with a generic name like "linksys" or "belkin" will probably encourage more connections from unsuspecting users than the dangerously obvious "Free_WiFi". If you wanted to go the whole hog and fool those who may decide to double-check the network first, you could even spoof the MAC address of your downlink card and set up a web server with faked router config pages on the laptop!
As being discreet is vital, one of the two Wi-Fi cards should ideally be an internal one, as even the most uneducated of users might sense something odd about a laptop with two Wi-Fi dongles poking out of it. A separate AP cunningly hidden under a jacket or baseball cap might also be fine though, depending on the situation at hand.
0x03 - Uses of a PortaNet
So... just what exactly can a PortaNet be used for? The following are a number of interesting possible applications and, given the nature of computing, this list is probably just the tip of the proverbial iceberg.
Traffic and service re-routing.
99.9% of the time whenever a client connects to a network, they'll have their system set to obtain network info (IP address, DNS server address, etc.) via DHCP, and this allows us to specify which DNS server the client will use for hostname resolution... which could easily be a DNS run on our laptop, and configured to our own ends. If you dislike PayPal for example, you could set up the DNS to return the IP for paypalsucks.com in response to any requests for paypal.com.
Likewise, redirection to a spoofed login page for any website, on the laptop itself or elsewhere, could be done with the same approach, with the additional benefit that the address bar in the victim's browser would still display the original, legit-looking URL.
Eavesdropping on "secure" communications.
The problem with conventional "passive" eavesdropping is that encrypted communications like HTTPS are exactly what they say on the tin. On the other hand, a PortaNet, as it is the user's connection, has the potential to record such transmissions in their original plain-text form. Although probably a complicated and rather tricky thing to set up, the laptop could trap and encrypt/decrypt secure communications on-the-fly through the following process:
- The victim requests a secure web page using their browser.
- The laptop establishes a secure connection to the victim in response to their original request, then establishes a separate secure connection to the requested website.
- Transmissions between the victim's browser and the site are decrypted by the laptop upon arrival, the plain-text is logged/recorded, then the data is re-encrypted for transmission to its intended destination via the second secure connection.
Obviously, for seamless operation and less chance of detection by the victim, you would also need to change (if necessary) and pass on any security certificates or other authentication tokens that the victim's browser would normally use to check that the connection is indeed "secure."
Content shaping and hi-jacking.
As whatever goes to the victim's browser has to pass through our laptop first, it is possible for us to change and generally mess about with whatever it is they are looking at. Simple changes for small profits could be the changing of all passing Google AdSense provider IDs to one of your own... meaning that you'd get credited with hits every time the victim clicks any AdSense ad. Other phun could be had in the swapping of Google's logo with Yahoo!'s and other little content injection/tampering jokes.
On a more serious note, of course, the same technique could also be used to substitute a requested application with a keylogger or similar nasty program, or to completely reverse the meaning of an e-mail from the victim's loved one.
Sharing the cost of Internet access.
A group of 50 people (those at a 2600 meeting, perhaps) enter a bar and settle down with their laptops and PDAs, only to find that the one available AP has some ridiculous charge of £10 per connection, or something like that. By connecting the PortaNet's upstream card as a single paid-for connection and routing it through the downstream card to everyone's devices, each user pays only 20p towards the cost of the connection... and the gr33dy so-and-so's running the AP only take £10 in total, instead of the £500 that they'd normally expect to make from such a large group.
Secure group communications over public Wi-Fi.
Following on from the previous example ("Sharing the cost of Internet access"), another headache with using public WLANs is that they generally have to be open and unsecured to allow users to connect to them in the first place... meaning that anything sent from the user's device has to be encrypted before transmission, to remain secure from anyone else on the network who may be running an eavesdropping tool. Using a PortaNet, it would be possible for the laptop to route all Internet traffic passing across it via an SSH tunnel, or similar encrypted medium, to a server running elsewhere for onward transmission, which would bypass the risk normally posed by the public WLAN being used.
Of course, one could normally do this from their own device anyway. But the added benefit of using a PortaNet to serve group communications in this way is that only one device (the PortaNet laptop) needs to be configured to use the SSH tunnel, and it affords protection for less skilled members of the group who may not know how to use such secured connections.
0x04 - Other Potential Uses of a PortaNet
Back in November 2008, I stayed in an Oslo youth hostel that ran a free and open Wi-Fi network for guest use, and a lot of people were using it for just about every possible activity. It naturally occurred to me that, assuming I was staying in a dorm within range of the AP, if I were to set up a laptop running Wireshark and simply leave it running in my locker or hidden under the bunk, then I could capture all manner of interesting traffic throughout the day without even having to be in the hostel.
On top of this, a PortaNet could be configured to capture traffic passing across the network in the conventional way for storage and transmission to another device across a separate, secure connection. Aside from providing you with a secure, encrypted connection, as suggested under "Secure group communications over public Wi-Fi" above, it would also allow you to perform eavesdropping/traffic monitoring from anywhere within range of the PortaNet's AP card, meaning that you wouldn't be confined to the power outlet in the dorm all the time.
0x05 - Avoiding Dodgy Connections and Networks
Obviously, this article clarifies just how insecure and potentially dangerous public Wi-Fi networks can be for the unwary, so I will also give a few hints-n-tips for checking and avoiding malicious PortaNets and similar setups:
Check the MAC address for the connection that you are using.
If a network called "belkin" connects to an AP with a MAC address starting 00:07:0D, then you are actually connecting to a Cisco/Linksys device of some description. If the manufacturer's ID code (generally the first three bytes of the MAC, the OUI) doesn't match up with the brand of router that you seem to be connecting to, chances are that the network is a "fake."
Bear in mind, though, that MAC addresses can be spoofed and reconfigured by whoever has set up the device, so this isn't a comprehensive safety measure. It should protect you from any PortaNets set up by average Skr1pt K1dd1ez though. A list of vendor MAC codes can be found via tinyurl.com/vendor-MACs.
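The OUI sanity check above, written out as an added example (not code from the article): it extracts the OUI from the BSSID, compares it with the vendor a default-looking SSID implies, and also flags the locally-administered bit, which a software-assigned (spoofed or randomised) MAC usually has set. The only real OUI in the table is the 00:07:0D value the article gives; the other entries and SSID brand hints are constructed placeholders.

```python
import re

# Constructed OUI table for illustration. 00:07:0D is the value the article
# gives for Cisco/Linksys; the other two entries are placeholders, not real OUIs.
OUI_VENDORS = {
    "00:07:0D": "Cisco/Linksys",
    "AA:BB:CC": "PLACEHOLDER-BELKIN",   # constructed, not a real Belkin OUI
    "DD:EE:FF": "PLACEHOLDER-NETGEAR",  # constructed, not a real Netgear OUI
}

# Default-looking SSIDs and the vendor string each one implies (constructed).
SSID_BRANDS = {
    "linksys": "Cisco/Linksys",
    "belkin": "PLACEHOLDER-BELKIN",
    "netgear": "PLACEHOLDER-NETGEAR",
}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
                     r"[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$")


def parse_bssid(bssid):
    """Return (oui, locally_administered) for a MAC string, or raise ValueError."""
    m = _MAC_RE.match(bssid.strip())
    if not m:
        raise ValueError("not a MAC address: %r" % bssid)
    octets = [o.upper() for o in m.groups()]
    # Bit 1 (0x02) of the first octet is the IEEE "locally administered" bit: when
    # it is set the address was assigned by software rather than burned in by the
    # vendor, so an OUI lookup on it tells you nothing about the hardware.
    local = bool(int(octets[0], 16) & 0x02)
    return ":".join(octets[:3]), local


def check_ssid_vs_oui(ssid, bssid, oui_table=OUI_VENDORS):
    """Classify an SSID/BSSID pair as 'ok', 'mismatch', 'unknown-oui',
    'locally-administered' or 'no-brand-hint'."""
    oui, local = parse_bssid(bssid)
    if local:
        return "locally-administered"
    expected = None
    for key, vendor in SSID_BRANDS.items():
        if key in ssid.strip().lower():
            expected = vendor
    if expected is None:
        return "no-brand-hint"      # e.g. "Free_WiFi": nothing to compare against
    actual = oui_table.get(oui)
    if actual is None:
        return "unknown-oui"        # extend the table from the IEEE OUI list
    return "ok" if actual == expected else "mismatch"
```

A "mismatch" or "locally-administered" result is a reason to look closer, not proof of a rogue AP: rebranded hardware and privacy-randomised MACs produce the same verdicts.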
Encrypt as much of your traffic as possible, and use complicated/obscure/multi-layer methods of encryption.
Although a PortaNet could potentially decrypt/re-encrypt data en-route as outlined above, a rare encryption protocol (or one that uses pre-defined keys and sends encrypted data right from the get-go) stands less chance of being known and decryptable by anyone running a PortaNet.
Don't do anything risky in public!
The very nature of public WLANs means that they shouldn't be used for accessing private and confidential services such as PayPal and online banking sites, unless you are using a strongly encrypted tunnel connection for such things. Remember that a lot of online services such as Hotmail, eBay and Facebook only use HTTPS encryption for user authentication purposes, and then drop back to normal HTTP for sending general data, including the content of private pages and e-mails. In these situations, even if your username and password are protected with HTTPS, the unencrypted data in the pages that you load afterwards could still provide a lot of ammunition for an identity thief or similar individual.
Consider using your own network services whenever possible.
Setting up your own DNS and/or encrypted web-proxy on a machine at home, and only using those services, should afford a lot of protection from malicious DNS and similar attacks, with the added benefit that you have a greater level of control over the services that you may use whilst out and about. With a normal public Wi-Fi connection, you often have to put your trust in the DNS and other services provided by that network or the ISP serving the connection, and, while most commercial ISPs can generally be trusted to deliver legitimate responses to DNS and similar calls, it would be a very simple matter for the manager of a cafe to set up a maliciously configured DNS to route calls from customers' laptops to only the gods know where.
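One way to act on the last point without giving up the hotspot's resolver entirely, as an added example (not from the article): compare the A records the network's DHCP-supplied DNS returns with those from a resolver you control, and flag answers that point a public site at private, loopback or link-local space. The sample answers are constructed (TEST-NET addresses, not real records), and the function names are my own.

```python
import ipaddress

# Ranges an honest resolver should never return for a public web site:
# RFC 1918 private space, loopback and link-local.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_non_public(addr):
    return any(addr in net for net in NON_PUBLIC_NETS)


def dns_answer_findings(domain, network_answer, trusted_answer):
    """Return a list of findings about the A records the current network's DNS
    gave for `domain`, compared with the answer from a resolver you control."""
    findings = []
    net = {ipaddress.ip_address(a) for a in network_answer}
    trusted = {ipaddress.ip_address(a) for a in trusted_answer}
    for addr in sorted(net):
        # A public site resolving to a private address is the classic sign of a
        # resolver steering clients at a box on the local network.
        if is_non_public(addr):
            findings.append("%s -> %s is not a public address" % (domain, addr))
    # Disjoint answers are a weaker signal: CDNs legitimately hand different
    # addresses to different resolvers, so treat this as a prompt to look closer.
    if net and trusted and net.isdisjoint(trusted):
        findings.append("%s: network answer %s shares no address with trusted answer %s"
                        % (domain, sorted(map(str, net)), sorted(map(str, trusted))))
    return findings


# Constructed sample: (answer from the hotspot's DNS, answer from a home resolver).
SAMPLE = {
    "paypal.com":  (["192.168.1.1"],   ["192.0.2.10", "192.0.2.11"]),
    "example.net": (["198.51.100.7"],  ["198.51.100.7"]),
    "example.org": (["203.0.113.5"],   ["198.51.100.9"]),
}


def audit(sample=SAMPLE):
    """Run the comparison over every domain in the sample."""
    return {d: dns_answer_findings(d, n, t) for d, (n, t) in sample.items()}
```

In practice the two answer sets come from querying the DHCP-supplied resolver and your own server for the same names; the comparison logic is what stays the same.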
0xFF - The Final Word
Here's hoping that you all enjoyed this article on the theory and benefits of portable networks, the insecurity of public WLANs, and how to go about protecting yourself from the dangers posed by the above! I see that despite my original intentions, this article, like my previous ones, has run to somewhat epic proportions... but fingers crossed, this hasn't proved too long or tiresome for people to read and enjoy.
On a more personal note: I have unfortunately become rather badly hit by the recent "credit crunch," and I've actually had to lose my home Internet connection as a result. Consequently, I'm now having to do all of my Internet access and e-mail from public libraries, which often doesn't give me nearly enough time to do everything online that I need to. So, although comments and/or constructive critique on this article are more than welcome via e-mail, I'd like to ask people not to e-mail me with any in-depth questions about "How to do this..., How can I make that..." or similar, as I probably won't have nearly enough time available to answer them.
Farewell for now, have a lot of phun, and surf safe!