Tunnel IP traffic through DNS, to bypass captive portals (or firewalls)

Stratos Psomadakis psomas@ece.ntua.gr

Free Open Source Software Community, National Technical University of Athens

April 13, 2011

Stratos Psomadakis (foss@ntua)

Bypassing captive portals with tunneling – Part 1

April 13, 2011

1 / 21

Outline

1. DNS Tunneling
   - Basics
   - Limitations
   - Implementations! – iodine
2. Captive Portals
   - Captive Portals Basics
   - Bypassing Captive Portals
   - Countermeasures for DNS tunneling
3. Summary
   - Conclusion
   - Questions

DNS Tunneling Basics

The idea: Can we encapsulate IP traffic in DNS traffic? Of course! :)

- We use DNS records (NULL/TXT/SRV/MX/CNAME) to encapsulate (downstream) IP traffic.
- Upstream traffic is encapsulated in the DNS requests issued on the client side.
- The trick is to make DNS lookup requests to a zone controlled by us, which runs a 'fake' DNS server.
- The server will read our specially crafted requests and answer with a DNS record which contains the data we requested.


DNS Tunneling Limitations

- Upstream traffic must be base32 encoded.
- 255 char max length to DNS hostnames
  –> Upstream traffic can only use up to 255 - [strlen(ourdomain)] bytes
  –> Requests from the client must be fragmented and then sent as separate DNS queries (gzipping the data before encoding can improve upstream bandwidth).
- DNS only allows packets of 512 bytes
  –> Downstream traffic must be fragmented too.
- Depending on the record used to send the reply, downstream traffic may have to be encoded (i.e. base64 for TXT records). NULL records (deprecated) can provide better performance since there's no need for the data to be encoded.
- DNS uses UDP instead of TCP, and thus fragmentation and correct reassembling of the packets must be implemented in the fake server.
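To make the 255-char limit concrete, here is an added example (not from the slides and not iodine's code) that computes how many raw bytes one base32-encoded query can carry in front of the tunnel zone, and how many queries an MTU-sized packet costs with and without compression; it assumes the RFC 1035 63-char label limit, which the slides do not mention, and ignores the header chars a real tunnel reserves. The numbers also explain why tunnel traffic stands out on the wire: one packet becomes a burst of near-maximum-length queries.

```python
import math
import zlib

MAX_NAME = 255    # hostname length limit cited on the slide
MAX_LABEL = 63    # RFC 1035 limit per label (assumption added here, not on the slide)


def max_data_chars(domain):
    """Most data characters that fit in front of `domain` in one hostname.

    Every label of at most 63 chars costs one extra char for its trailing dot,
    so we grow the data length until data + dots + domain would exceed 255.
    """
    budget = MAX_NAME - len(domain)
    chars = 0
    while (chars + 1) + math.ceil((chars + 1) / MAX_LABEL) <= budget:
        chars += 1
    return chars


def upstream_bytes_per_query(domain):
    """Raw bytes one query carries once the data is base32 encoded.

    8 base32 chars carry 5 bytes; a trailing partial group of n chars carries
    floor(n * 5 / 8) bytes. Real tunnels (iodine included) also spend a few
    chars on sequence/fragment headers, which this estimate ignores.
    """
    full, rest = divmod(max_data_chars(domain), 8)
    return full * 5 + (rest * 5) // 8


def queries_for_packet(packet, domain, compress=False):
    """Number of DNS queries needed to carry `packet` upstream."""
    if compress:
        # zlib (deflate) stands in for the slide's 'gzip before encoding' trick
        packet = zlib.compress(packet)
    return math.ceil(len(packet) / upstream_bytes_per_query(domain))


# Constructed sample: an MTU-sized (1500 byte) packet of repetitive HTTP text
SAMPLE_PACKET = (b"GET / HTTP/1.1\r\nHost: example.test\r\n" * 50)[:1500]

if __name__ == "__main__":
    zone = "io.foss.ntua.gr"   # the zone used on the slides
    print(f"{zone}: {max_data_chars(zone)} data chars -> "
          f"{upstream_bytes_per_query(zone)} raw bytes per query")
    print("queries for a 1500-byte packet:",
          queries_for_packet(SAMPLE_PACKET, zone),
          "/ compressed:", queries_for_packet(SAMPLE_PACKET, zone, compress=True))
```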


DNS Tunneling Implementations

- NSTX (Nameserver Transfer Protocol): the first implementation of DNS tunneling, deprecated
- OzymanDNS by Dan Kaminsky: Perl scripts, easy to set up and run, not very stable.
- iodine (IP over DNS): the most recent implementation of DNS tunneling, with lots of optimizations and improvements, including autodetecting optimal values for various parameters. (the chemical element iodine has atomic number 53, the same as the DNS default port :P)

And one note about security: OzymanDNS scripts provided no auth mechanisms, and thus if someone found out the fake subdomain, he could send arbitrary commands/data to the fake DNS server (that doesn't sound good :P). iodine has a very simple password auth mechanism which at least prevents such scenarios.


Setting Up iodine

The plan: we'll run iodine on animal.foss.ntua.gr. We'll set up a new zone for iodine, io.foss.ntua.gr, and delegate all requests to that zone to the server running iodine (animal). We use a small subdomain name, in order to give upstream traffic more 'space'.

To set up the new zone, we must add this to the foss.ntua.gr zone conf file (at the foss.ntua.gr server, running the primary authoritative BIND for the zone):

    io IN NS animal.foss.ntua.gr.

Now, we reload BIND (rndc reload on foss.ntua.gr), and we're ready to go! :)

Running iodine

On the server side, we'll run iodined, specifying a password, the subdomain we'll use, and an IP iodine will use inside the tunnel:

    ./iodined -P secretpassword 10.10.0.1 io.foss.ntua.gr

On the client side:

    ./iodine -P secretpassword io.foss.ntua.gr

Now we have set up a working (tun) tunnel. The client will get an IP close to the server's IP, and they should be able to ping each other.

Network configuration

Of course traffic is unencrypted, and we can't trust all the DNS relays our traffic possibly goes through. Thus it's a good idea to set up another 'secure' tunnel (either with OpenVPN or with OpenSSH).

For a VPN channel, the routing table would be like this:

    ip route add animal.foss.ntua.gr via default.gateway
    ip route add my.vpn.server via animal.foss.ntua.gr
    ip route add default via my.vpn.gateway

We could have also used an SSH tunnel instead.

Whatever we choose, we are now ready to bypass NTUA Wifi Captive Portal (hopefully :P)! (and maybe use netperf for bandwidth benchmarks...)


Captive Portals Basics

- Usually deployed with Wifi hotspots, to restrict access to the Internet
- Captive Portals redirect an HTTP client to a special web page, before it can access the Internet (usually for authentication purposes)
- There are many different implementations, which redirect the client with various techniques:
  –> HTTP Redirection: a firewall intercepts the HTTP request by the client, and forwards it to the redirect server, which responds with a HTTP 302 status code.
  –> IP Redirection: the request is redirected on the layer 3 level (IP) by a firewall.
  –> DNS Redirection: all DNS queries are answered by the DNS server within the local (wireless) network, and the answer is always the IP of the captive portal.


Bypassing Captive Portals

There are several ways to bypass a captive portal, for instance it's not very difficult to find unpatched Windoze hosts within the network. :P Besides that, many captive portals authenticate users based on their IP/MAC, making thus IP/MAC spoofing work too. And of course DNS tunneling! :)

Not all captive portals/configurations can be bypassed with DNS tunneling, i.e. if the captive portal uses DNS redirection, we won't be able to use DNS tunneling. However, if a captive portal uses HTTP/IP redirection, it's almost certain that we'll be able to issue DNS queries to the 'local' DNS server, which then will relay the replies back to us.

If DNS tunneling doesn't work, we can also use ICMP (ping) tunneling, which is very similar as a concept to DNS tunneling.


Countermeasures for DNS tunneling

If a captive portal allows DNS lookups by the clients, there's not much admins can do to prevent tunneling.

Setting up firewall filters to check for 'suspicious' hostname lookups or TXT/NULL records may help, but it can be risky (i.e. blocking 'valid' DNS traffic by mistake).

Or you can have an admin sniffing all day DNS traffic, and searching for suspicious packets. :P
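The 'suspicious hostname lookups or TXT/NULL records' idea above, worked through as an added example (not from the slides): it scores DNS query logs per (client, zone) on average name length, share of NULL/TXT queries and entropy of the data labels, over constructed sample lines. The log format, the thresholds and the two-label zone rule are assumptions; a real deployment would baseline them against its own traffic and use a public-suffix list.

```python
import base64
import math
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to the network's baseline.
MIN_QUERIES = 3               # ignore (client, zone) pairs with little traffic
LONG_NAME = 100               # tunnel queries sit close to the 255-char hostname limit
RARE_TYPES = {"NULL", "TXT"}  # record types the slides name as downstream carriers
HIGH_ENTROPY = 3.5            # bits/char: base32 data looks random, hostnames do not

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def split_qname(qname):
    """(joined data labels, zone); zone = last two labels, a public-suffix list would be better."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def analyse(log_lines):
    """Aggregate '<time> <client> <qtype> <qname>' lines per (client, zone)."""
    acc = defaultdict(lambda: {"n": 0, "rare": 0, "len": 0, "ent": 0.0})
    for line in log_lines:
        _time, client, qtype, qname = line.split()
        data, zone = split_qname(qname)
        s = acc[(client, zone)]
        s["n"] += 1
        s["rare"] += int(qtype in RARE_TYPES)
        s["len"] += len(qname)
        s["ent"] += shannon_entropy(data)
    report = {}
    for key, s in acc.items():
        avg_len, ratio, ent = s["len"] / s["n"], s["rare"] / s["n"], s["ent"] / s["n"]
        # flag only pairs with enough queries whose names are long, mostly NULL/TXT, or random-looking
        flagged = s["n"] >= MIN_QUERIES and (avg_len >= LONG_NAME or ratio >= 0.5 or ent >= HIGH_ENTROPY)
        report[key] = {"count": s["n"], "avg_len": avg_len, "rare_ratio": ratio,
                       "avg_entropy": ent, "suspicious": flagged}
    return report

def suspicious_pairs(log_lines):
    """Sorted (client, zone) pairs whose traffic matches the tunnel profile."""
    return sorted(k for k, v in analyse(log_lines).items() if v["suspicious"])

def _tunnel_qname(i):
    """Constructed tunnel-like name: base32 data labels in front of the slides' zone."""
    data = (b"constructed upstream fragment %02d " % i) * 4
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return f"{b32[:63]}.{b32[63:126]}.io.foss.ntua.gr"

# Constructed sample log: ordinary lookups from two clients plus one tunnelling client.
SAMPLE_LOG = [
    "12:00:01 10.0.0.7 A www.google.com",
    "12:00:02 10.0.0.7 AAAA www.google.com",
    "12:00:03 10.0.0.7 A mail.google.com",
    "12:00:04 10.0.0.9 A www.ntua.gr",
    "12:00:05 10.0.0.9 MX ntua.gr",
    "12:00:06 10.0.0.9 TXT ntua.gr",
] + [f"12:00:1{i} 10.0.0.5 NULL {_tunnel_qname(i)}" for i in range(6)]
```

Running `suspicious_pairs(SAMPLE_LOG)` flags only the NULL-query client; the single benign TXT lookup to ntua.gr stays below the ratio and length thresholds, which is the false-positive case the slide warns about.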


Conclusion

DNS tunneling can be a very effective way to bypass captive portals (or firewalls). However, it comes with a cost in bandwidth/performance, and the connection is not always very stable. Nevertheless, we usually have enough bandwidth to browse the Web, or check our mail, for free!


Questions?

Thank You!

Now let's try to hack NTUA Wifi!