Monday, January 23, 2012

Guide: Bypass Captive Portals

Ever connected to an open WiFi network somewhere, like a hotel or an airport, only to realize that it isn't open after all? Your browser is redirected to a site that requires payment or some kind of authentication (a captive portal). In this guide, I'll show you how to bypass these portals and freely surf the web.

The hack is to send traffic through the DNS protocol, disguising your surfing as harmless DNS requests. This guide does not endorse illegal activity.

A client bypassing the Captive Portal using DNS Tunneling

For this to work, you'll need the following:
  1. A Linux machine that will act as the server (a Windows machine is also possible, but not recommended). This server must have internet access and should be a computer that is always on, or better: a server. NOTE! If your server is already running a DNS service, this will not work.
  2. A client computer for testing.
  3. UDP port 53 forwarded to the server. Check Portforward.com for how to do this.
Let's begin..


1. Setting up domain

Our tunnel is going to request that your domain name be resolved many times (it is inside this DNS traffic that we send our web traffic). Therefore we need to register a domain. For this to work, the domain must be registered as an NS record. For a free subdomain, visit freedns.afraid.org/subdomain, register an account and create your subdomain.
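
Seen from the network that runs the captive portal, the behaviour described above (one client resolving many different names under a single delegated domain) stands out in resolver logs. The following is an added example, not part of the original guide, that flags this pattern in a constructed query log; the log format, the thresholds, the fixed zone depth and all function names are assumptions.

```python
import base64, hashlib, math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_tunnel_candidates(lines, zone_labels=3, min_queries=10,
                           min_unique=0.9, min_len=30, min_entropy=3.5):
    """Group queries by (client, zone) and flag zones that look like a data channel.

    Assumption: the last `zone_labels` labels are the delegated zone (3 fits the
    guide's example, mydomain.it.cx); everything left of them is treated as payload.
    """
    seen = defaultdict(list)
    for line in lines:
        _ts, client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > zone_labels:
            zone = ".".join(labels[-zone_labels:])
            seen[client, zone].append(("".join(labels[:-zone_labels]), qtype))
    findings = []
    for (client, zone), rows in seen.items():
        payloads = [p for p, _ in rows]
        unique = len(set(payloads)) / len(payloads)
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        # All four signals must agree: volume, uniqueness, length and randomness.
        if (len(rows) >= min_queries and unique >= min_unique
                and avg_len >= min_len and avg_ent >= min_entropy):
            findings.append({"client": client, "zone": zone, "queries": len(rows),
                             "unique_ratio": round(unique, 2), "avg_len": round(avg_len, 1),
                             "qtypes": sorted({t for _, t in rows})})
    return findings

def _label(i):
    # Constructed stand-in for an encoded payload label (52 base32 characters).
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower().rstrip("=")

# Constructed log, format "<epoch> <client> <qtype> <qname>"; not captured traffic.
SAMPLE_LOG = (
    [f"{1700000000 + i} 10.0.0.23 NULL {_label(i)}.mydomain.it.cx." for i in range(40)]
    + [f"{1700000000 + i} 10.0.0.42 A www.cdn.example.com." for i in range(40)]
    + [f"{1700000100 + i} 10.0.0.42 A img{i}.static.example.org." for i in range(40)]
)

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Only the first client is reported: the third group also has all-unique names, but its short, low-entropy labels keep it under the length and entropy thresholds.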



2. Setting up server

First you need to install iodine. You can install it from this .deb package (dpkg -i [package path]), or use either of these commands:

$ sudo aptitude install iodine
$ sudo apt-get install iodine


Once installed, edit the configuration file: /etc/default/iodine:

# Default settings for iodine. This file is sourced from
# /etc/init.d/iodined
START_IODINED="true"
IODINED_ARGS="192.168.10.101 mydomain.it.cx"
IODINED_PASSWORD="secret"



START_IODINED: This must be "true" to allow the iodine daemon to start.
IODINED_ARGS: Arguments to pass to iodine. The first one is a local IP address for your server, NOT THE ONE YOU USE! This address must be in a completely different range; this is iodine's own network. The second one is the domain you registered.
IODINED_PASSWORD: It's exactly what you think. Leave blank for no password.

Save your configuration file. We can now start iodine:

$ sudo /etc/init.d/iodined start


Check whether your iodine server is available and correctly set up here:


3. Setting up client

NOTE! The client must be set up before you arrive at the Captive Portal WiFi!

3a. For iodine to work on Windows, you'll need to install the TAP32 driver. Download OpenVPN at www.openvpn.net/index.php/open-source/downloads.html. You only need the TAP32 driver, so there is no need to install the rest.
TAP Virtual Ethernet Adapter


3b. After that, download iodine for Windows. It can be found here: code.kryo.se/iodine/. Extract the zip file (7zip etc.) and open an elevated prompt window in the iodine-0.6.0-rc1-win32\bin folder. Run the command:

C:\iodine\bin> iodine.exe -P secret mydomain.it.cx


Replace "secret" with the password you wrote on the server and replace "mydomain.it.cx" with the domain you registered.

Test your connection. Open another command window and ping your iodine server ip:

C:\iodine\bin> ping 192.168.10.101


3c. If you were successful, the server will reply. Next we need to make this tunnel available to our system. Download Kitty (based on Putty), extract and run it. Under Connection -> SSH -> Tunnels, set destination to Dynamic and Auto. Set Source Port to 9999 and click Add.

Now click on top of the list, Session, and type the iodine server ip (in this example: 192.168.10.101) and click Connect. Log on with your normal server credentials and leave the window open.

3d. The last thing we need is to set our browser to use this tunnel. On Google Chrome, you may use Proxy Switchy! On Mozilla Firefox, open Options -> Advanced -> Network -> Connection -> Configure. Set the configuration as shown in the picture below:


Kitty opens a SOCKS proxy; 127.0.0.1 is a loopback address (meaning your own machine), and port 9999 is the port we chose in Kitty. As long as Kitty stays connected to your server, this tunnel should be open for business, your business!


The image below shows the speed achieved using the iodine tunnel between work and home:

So there you go! If there is any question, just comment!


Regards
Tomas

21 comments:

  1. Does it work with internet speed of this server where I have iodine or with the speed of this captive portal internet connection?

  2. Since it goes through both, whichever has the lowest connection speed sets the overall speed.

  3. Can you tell about the speed in detail? By this method can we get normal speed, 60 kbps and above, or slow, like 10 to 15?

    Replies
    1. Well, that depends on several things, but mainly:
      1. Bandwidth where your server is
      2. Bandwidth (and/or bandwidth limitations) on the site where the captive portal is
      3. And how large a packet size the firewall allows, the larger the better

      I've tested the tunnel at work against my iodine at home, and got 32 Mbps down and 44 Mbps up. I've tried it in several other places too where there are live captive portals, and achieved everything between 10 Kbps and 4 Mbps.

      Link to image from speedtest.net testing my tunnel between work and home.
      http://www.speedtest.net/result/3074834026.png

    2. Please, I am a little confused about the need for a forwarded port and the local IP address to actually use; I will appreciate your help.

    3. Forward (NAT) UDP port 53 to the local ip of your iodine-server. Check out Portforward.com for how to do this on your router/firewall.

  4. I've got iodine set up on a server. The tunnel is created properly, but once it is set up I cannot ping the server side of the tunnel.

    My friend using the same iodine server is able to connect with a jailbroken iPod.

    I've tried Wireshark, two different internet connections and changing some of the syntax. If you have any suggestions, I'd love to pick your brain. Cheers

    Replies
    1. Could be a firewall problem on your server (iptables).. What OS do you use, what is your config?

  5. Hi dude, I get an error like this:

    Analyzing DNS setup for tunnel domain 'lets.linuxx.org'... (might take some time)

    Looking for nameserver for linuxx.org.. got ns4.afraid.org (at 70.39.97.253).
    Resolving delegation of lets.linuxx.org at 70.39.97.253... to supriadi.ga (at 202.138.232.39).

    Expecting iodined to be accessible at 202.138.232.39... no reply.

    Error: Make sure iodined is running and the firewall accepts UDP port 53. Also check any port forwards in use.

    What is wrong, dude?

    Thanks in advance

    Replies
    1. Is the server running? Have you forwarded UDP port 53 correctly? What firewall are you using?

    2. Yes dude, the iodine server is running.
      I'm using Ubuntu 14 as the server and iptables as the firewall.

    3. Yeah, but you probably have a firewall (or modem) from your ISP? You need to set up NAT on this one.

    4. http://pasteboard.co/sqzGk4l.png

  6. No dude, I put my public address directly on the iodine server.

  7. Here is my public IP address on the iodine server, dude:
    Link encap:Ethernet HWaddr 08:00:27:2d:1e:08
    inet addr:202.138.232.39 Bcast:202.138.232.63 Mask:255.255.255.192
    inet6 addr: fe80::a00:27ff:fe2d:1e08/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:2435 errors:0 dropped:2 overruns:0 frame:0
    TX packets:141 errors:0 dropped:0 overruns:0 carrier:0

    Replies
    1. I haven't tried using iodine with a public-facing Ubuntu server and iptables, so I don't have any suggestions right now.

    2. Hmm, thank you dude.

      Any suggestion so this can work?

      What server do you use in this case (in your tutorial) ===> netcros?

  8. How did you reach that speed? It's theoretically impossible because of the length of a DNS packet.

    Replies
    1. In my test, I had fiber broadband at both ends. The packet size is determined by iodine.

      http://code.kryo.se/iodine/
      "Packet size is automatically probed for maximum downstream throughput."
