Monday, January 23, 2012

Guide: Bypass Captive Portals

Ever connected to an open WiFi network somewhere, such as a hotel or an airport, only to realize that it isn't open after all? Your browser is redirected to a site which requires payment or some kind of authentication (a captive portal). In this guide, I'll show you how to bypass these portals and freely surf the web.

The hack is to send traffic through the DNS protocol, disguising your surfing as harmless DNS requests. This guide does not endorse illegal activity.

[Image: A client bypassing the captive portal using DNS tunneling]

For this to work, you'll need the following:
  1. A Linux machine which will act as a server (a Windows machine is also possible, but not recommended). This server must have internet access and should be a computer which is always on, or better, a dedicated server. NOTE! If your server is already running a DNS service, this will not work.
  2. A client computer for testing.
  3. UDP port 53 forwarded to the server. Check Portforward.com for how to do this.
Let's begin.


1. Setting up domain

Our tunnel is going to request that your domain name be resolved many times (it is inside this traffic that we send our web traffic). Therefore we need to register a domain. For this to work, the domain must be registered as an NS-type record. For a free subdomain, visit freedns.afraid.org/subdomain, register an account and create your subdomain.
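
Seen from the network operator's side, the pattern described above (one client resolving a large number of distinct names under a single domain, with the payload packed into the labels) is what makes this kind of tunnel stand out in resolver logs. The following is an added example, not part of the original guide; the log format, thresholds and sample lines are constructed assumptions:

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    # Naive: last two labels. A production detector would use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_suspects(log_lines, min_unique=20, min_avg_len=30, min_avg_entropy=3.0):
    """Return sorted (client, domain) pairs whose lookups look like data carried in DNS names.

    Each line is "<client_ip> <qtype> <qname>" (assumed log format).
    """
    seen = defaultdict(set)  # (client, base domain) -> unique subdomain strings
    for line in log_lines:
        client, _qtype, qname = line.split()
        base = base_domain(qname)
        sub = qname.rstrip(".")[: -len(base)].rstrip(".")
        if sub:
            seen[(client, base)].add(sub)
    suspects = []
    for key, subs in seen.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        # Ordinary browsing: few, short, low-entropy names per domain.
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            suspects.append(key)
    return sorted(suspects)

def constructed_log():
    """Constructed sample: ordinary browsing plus one client sending encoded labels."""
    hosts = ("www.example.com", "cdn.example.com", "mail.example.org")
    lines = [f"10.0.0.23 A {h}" for h in hosts]
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:48]  # stand-in for encoded payload
        lines.append(f"10.0.0.57 NULL {label}.t.tunnel.example")
    return lines

if __name__ == "__main__":
    print(find_tunnel_suspects(constructed_log()))
```
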



2. Setting up server

First you need to install iodine. You can install it from this .deb package (dpkg -i [package path]), or use either of these commands:

$ sudo aptitude install iodine
$ sudo apt-get install iodine


Once installed, edit the configuration file /etc/default/iodine:

# Default settings for iodine. This file is sourced from
# /etc/init.d/iodined
START_IODINED="true"
IODINED_ARGS="192.168.10.101 mydomain.it.cx"
IODINED_PASSWORD="secret"



START_IODINED: This must be "true" to allow the iodine daemon to start.
IODINED_ARGS: Arguments to pass to iodine. The first is a local IP address for your server, NOT THE ONE YOU USE! This address must be in a completely different range; this is iodine's network. The second is the domain you registered.
IODINED_PASSWORD: It's exactly what you think. Leave blank for no password.

Save your configuration file. We can now start iodine:

$ sudo /etc/init.d/iodined start


Check if your iodine server is available and correctly set up here:


3. Setting up client

NOTE! The client must be set up before you arrive at the captive portal WiFi!

3a. For iodine to work on Windows, you'll need to install the TAP32 driver. Download OpenVPN at www.openvpn.net/index.php/open-source/downloads.html. You only need the TAP32 driver, so there is no need to install the rest.
[Image: TAP Virtual Ethernet Adapter]


3b. After that, download iodine for Windows. It can be found here: code.kryo.se/iodine/. Extract the zip file (with 7zip etc.) and open an elevated command prompt window in the iodine-0.6.0-rc1-win32\bin folder. Run the command:

C:\iodine\bin> iodine.exe -P secret mydomain.it.cx


Replace "secret" with the password you wrote on the server and "mydomain.it.cx" with the domain you registered.

Test your connection. Open another command window and ping your iodine server IP:

C:\iodine\bin> ping 192.168.10.101


3c. If you were successful, the server will reply. Next we need to make this tunnel available to our system. Download Kitty (based on Putty), extract it and run it. Under Connection -> SSH -> Tunnels, set the destination to Dynamic and Auto. Set Source Port to 9999 and click Add.

Now click Session at the top of the list, type the iodine server IP (in this example: 192.168.10.101) and click Connect. Log on with your normal server credentials and leave the window open.

3d. The last thing we need is to set our browser to use this tunnel. On Google Chrome, you may use Proxy Switchy! On Mozilla Firefox, open Options -> Advanced -> Network -> Connection -> Configure. Set the configuration as shown in the picture below:


Kitty opens a SOCKS proxy, 127.0.0.1 is a loopback address (meaning yourself), and port 9999 is the port we chose in Kitty. As long as Kitty stays connected to your server, this tunnel should be open for business, your business!


The image below shows the speed achieved using the iodine tunnel between work and home:

So there you go! If you have any questions, just comment!


Regards
Tomas

6 comments:

  1. Does it work with internet speed of this server where I have iodine or with the speed of this captive portal internet connection?

  2. Since it goes through both, whichever has the lowest connection speed sets the overall speed.

  3. Can you tell about the speed in detail? By this method can we get normal speed, 60 kbps and above, or slow like 10 to 15?

    Replies
    1. Well, that depends on several things, but mainly:
      1. Bandwidth where your server is
      2. Bandwidth (and/or bandwidth limitations) on the site where the captive portal is
      3. And how large a package size the firewall allows, the larger the better

      I've tested the tunnel at work against my iodine at home, and got 32 Mbps down and 44 Mbps up. I've tried it in several other places too where there are live captive portals, and achieved everything between 10 Kbps and 4 Mbps.

      Link to image from speedtest.net testing my tunnel between work and home.
      http://www.speedtest.net/result/3074834026.png

    2. Please, I am a little confused about the need for the forwarded port and the local IP address to actually use; I will appreciate your help.

    3. Forward (NAT) UDP port 53 to the local IP of your iodine server. Check out Portforward.com for how to do this on your router/firewall.
