Denying Someone's Device from a Public WiFi
#1
Public WiFi networks are quite common nowadays because of the demand for internet connectivity on devices like laptops, mobile phones, and a lot more. While this is convenient for the people using the service, a lot of bad things can happen, because a public WiFi basically means anyone with a device capable of connecting to a WiFi network can fool around. In this article, I would like to point out how other devices can be denied service on a public WiFi network while connected to it and, at the same time, how to defend yourself against it.

In technical terms, denying another device from using the public WiFi service can happen through ARP spoofing. ARP spoofing is not a new technique. It has been around for quite some time already and here's a good reference about it. Basically, ARP spoofing happens when we continuously tell a device something like "Hey! I'm the router! Send me the details that you wanna exchange in the network". This is done by continuously sending that specific device ARP packets containing spoofed details, so it believes that it is talking to the device that it should be talking with.

Since the goal of this article is denying a specific connected device access to the services of a public WiFi network, once ARP packets are sent out to the target device and its user starts using the WiFi service, the packets it sends as network requests can easily be dropped. This is better explained using a scenario:

Suppose the scenario is in a coffee shop. This coffee shop offers "free WiFi" so customers can connect to the internet. The "free WiFi" is offered as a service by an access point having an IP address of 192.168.1.1 in the local network while having a MAC address of 3E:4E:B5:47:39:62.

The following events then happen sequentially:

1. A legitimate user connects to the public WiFi network and gets assigned an IP address of 192.168.1.100. Let's say this user is using a mobile phone that has a MAC address of 7E:B0:45:8E:28:12.

[Image: publicwifidos_num1.png]

2. The user opens his mobile phone's browser and uses the public WiFi service to connect to the internet. In this case, his mobile phone knows that the access point's IP address is 192.168.1.1 and its MAC address is 3E:4E:B5:47:39:62 through an ARP table.

[Image: publicwifidos_num2.png]

3. An attacker connects to the same public WiFi network and gets assigned an IP address of 192.168.1.101. Let's say this user is using a laptop that has a MAC address of 1E:6E:F2:25:95:C8.

[Image: publicwifidos_num3.png]

4. The attacker crafts a fake ARP packet containing his MAC address 1E:6E:F2:25:95:C8 while using the IP address of the access point 192.168.1.1 instead of his assigned IP address 192.168.1.101. The attacker then uses this crafted packet to flood the legitimate user's mobile phone (IP 192.168.1.100), making it update its ARP table entry:

[Image: publicwifidos_num4.png]

Once the packets are sent, the mobile phone's ARP table gets updated with this information:

192.168.1.1 (Access Point's IP) <-> 1E:6E:F2:25:95:C8 (Attacker's MAC)

instead of having:

192.168.1.1 (Access Point's IP) <-> 3E:4E:B5:47:39:62 (Access Point's MAC)

When this happens, every time the user tries to connect to the internet, the traffic is sent to the attacker's device instead of the access point, simply because the IP 192.168.1.1 is now associated with the attacker's MAC address. This opens an opportunity for the attacker to either inspect the packet before forwarding it to the access point (Man-In-The-Middle Attack) or just ignore the packet, resulting in the user not being able to connect to the internet.

A simple tool in C# has been created to provide convenience for this demonstration. It can be downloaded here.

To use the tool, simply run the executable file and enter the target IP address. Example: 

My mobile device's local IP address was 192.168.254.9:

[Image: publicwifidos_phoneaddr.png]

I ran the program on my computer having a local IP address of 192.168.254.10:

[Image: publicwifidos_runprogram.png]

Once the program is running, browsing through mobile doesn't work anymore:

[Image: publicwifidos_fbloading.png]

This kind of attack is very easy to do, so how should someone defend against it? Apart from buying some expensive hardware that "could probably" defend against this kind of attack, a very simple solution is to add a static ARP entry on your machine so you won't get kicked off by this kind of denial of service. For example, in Windows, the command to add a static ARP entry is:

Code:
netsh -c interface ipv4 add neighbors "Network Interface" "IP" "MAC"

The network interface from the command above is the name of the network interface for the WiFi adapter. The IP and MAC on the other hand are the information that you want to associate together. This can be the IP and MAC of the access point or router.
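
A check for the poisoned mapping from the scenario, as an added example that is not part of the original post: it parses Windows `arp -a` output, compares the access point's entry with its known MAC, and reports whether the entry is pinned as static. The sample output is constructed from the scenario's addresses, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` on a Windows client after the poisoning in the
# scenario (addresses taken from the article's coffee-shop example).
SAMPLE_ARP_A = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           1e-6e-f2-25-95-c8     dynamic
  192.168.1.101         1e-6e-f2-25-95-c8     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I,
)

def normalize_mac(mac):
    """Lower-case, dash-separated form, as Windows prints it."""
    return mac.strip().lower().replace(":", "-")

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} parsed from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3).lower())
    return table

def check_gateway(table, gateway_ip, known_mac):
    """Return a list of findings about the gateway's ARP entry."""
    known = normalize_mac(known_mac)
    mac, kind = table.get(gateway_ip, (None, None))
    if mac is None:
        return ["no ARP entry for %s" % gateway_ip]
    findings = []
    if mac != known:
        findings.append("gateway %s maps to %s, expected %s" % (gateway_ip, mac, known))
    if kind != "static":
        findings.append("gateway entry is %s, not static" % kind)
    # A MAC that answers for the gateway and for another IP points at the spoofer.
    owners = defaultdict(list)
    for ip, (m, _) in table.items():
        owners[m].append(ip)
    others = [ip for ip in owners[mac] if ip != gateway_ip]
    if others:
        findings.append("%s also claimed by %s" % (mac, ", ".join(others)))
    return findings
```

The known-good MAC has to be recorded while the network is trusted, for example read from the access point itself, since a table that is already poisoned cannot vouch for its own gateway entry.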

When it comes to penetration testing, this method could assist in preventing the target from accessing the internet, making it some kind of a decoy for other purposes required during the engagement.