Tailored Cyber Security.

Social Engineering Saga – Part 3

We’re going to divert a little bit from the first two parts of this series. I’m writing this on my way to California… on a plane… with wifi… that’s “open”… but not free. If you’re unfamiliar with how that works I’ll give a quick rundown then get into the nitty gritty.

First, how can wifi be open but not let you out to the internet? Redirection. It’s kind of like a magic trick but not. The gateway to the internet has every port blocked except a few critical ones. Unsecured web traffic travels over TCP port 80 while secured traffic travels over TCP port 443. DNS does its resolution over UDP port 53. Likely those will be the only ports open. When you try to access the internet (port 80 or 443), the gateway redirects you to the provider’s landing page. Sounds a lot like the Captive Portal we’ve been working on, right? Right!

There are a few articles across the internet talking about how to do this on your different devices. They’re solid but I wanted to put together all of the good information from them into one article. We’ll go over smaller devices like phones and tablets first. After that we’ll talk about laptops or non “app store” based devices. These are a little trickier and take some planning ahead. The best article I’ve found on the topic can be found here: https://infosecdc.blogspot.com/2015/12/bypassing-gogo-in-flight-for-free.html.

Scenario: You’re traveling and all you care about is getting on the GoGo wifi from your phone or tablet. Nobody wants to pay bucks for what could (should) be offered for free. You’re in luck! From one of these devices GoGo depends on you having the GoGo app. How are apps downloaded? Over the internet! Most importantly they’re downloaded from somewhere OTHER than the splash page you’re being redirected to. Things should be starting to click now.

Step by step (from infosecdc.blogspot.com):
1 – Connect to the GoGo Wifi
2 – Browse to the GoGo Movie library (free or paid, it doesn’t matter, you won’t be paying)
3 – Click on a movie and it will bring you to a page to download the GoGo app
4 – Enter the Captcha Code to access the app.
5 – Submit it
6 – Do not close the browser now! Open a new tab and start browsing the web. If you leave the auth window active, you will retain your authentication cookie! You can browse as much as you’d like now. Once you close out the browser window, you will lose your session.

If you haven’t put together how this works then here it is in human talk:

You: “Hey I want to browse the internet!”
GoGo: “Okay download my app”
You: “Okay great. Thanks but I’ll need to access the normal internet for that.”
GoGo: “Of course. Have this temporary pass to go download the app.”
You: “Oh thank you.”
GoGo: “I’m assuming you downloaded the app. Make sure you pay me money.”
You: “What? I can’t hear you over the sound of the internet.”

Win! Now you can browse from your phone/tablet/phablet etc. What about your laptop? That doesn’t play in the app store realm in the same way. That actually takes a little foresight and technical skill. Only a little though.

TL;DR:
Prerequisites:
1. Cloud-based server with SSH listening on port 3128
2. Cygwin on the computer you’ll use on the plane
3. Know the IP address of your cloud server
On Plane:
1. Connect to wifi
2. Cygwin: ssh -NfD 3128 USERNAME@IPADDRESS -p 3128
3. Set proxy to 127.0.0.1:3128
4. Browse

The biggest thing you’ll need set up beforehand is a Linux-based server in the cloud. You could set up something at home if you’d prefer. Basically, you need something to act as a proxy for your connection. Now for the magic trick in all of this. GoGo Wifi utilizes a Squid proxy which uses TCP port 3128. You can jump out of the network through that port! On your Linux-based internet-connected server you need to run SSH on port 3128. If you don’t know what that is, consult the oracle (Google). SSH normally runs on TCP port 22. Modify /etc/ssh/sshd_config to listen on port 3128 instead of 22 and you win. Lastly, ensure that you have a Cygwin terminal (or similar) installed on your computer. I like Babun. Also, write down the IP address for your server.
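Seen from the operator's side, both tricks in this post come down to a pre-payment rule that reaches further than it needs to. The audit below is an added example, not code from this post or from GoGo; the session states, address ranges, rule fields and the TTL ceiling are all assumptions made up for illustration.

```python
import ipaddress

# Assumed address plan (constructed values, documentation ranges).
OPERATOR = [ipaddress.ip_network("10.10.0.0/24")]      # portal, resolver, proxy
APP_STORES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder app-store range
ALLOWED = {"unauth": OPERATOR, "app_grace": OPERATOR + APP_STORES}
MAX_GRACE_TTL = 600  # seconds; hypothetical ceiling for the temporary pass

# Constructed rule set: what each session state may reach before paying.
RULES = [
    {"id": 1, "state": "unauth", "proto": "udp", "dst": "10.10.0.53/32", "port": 53, "ttl": None},
    {"id": 2, "state": "unauth", "proto": "tcp", "dst": "10.10.0.80/32", "port": 443, "ttl": None},
    # Proxy port open to any destination: the laptop case described above.
    {"id": 3, "state": "unauth", "proto": "tcp", "dst": "0.0.0.0/0", "port": 3128, "ttl": None},
    # Temporary pass that opens the whole internet and never expires: the phone case.
    {"id": 4, "state": "app_grace", "proto": "tcp", "dst": "0.0.0.0/0", "port": 443, "ttl": None},
    {"id": 5, "state": "app_grace", "proto": "tcp", "dst": "203.0.113.0/25", "port": 443, "ttl": 300},
]

def audit(rules):
    """Return (rule id, problem) pairs for rules that leak out of the walled garden."""
    findings = []
    for r in rules:
        nets = ALLOWED.get(r["state"])
        if nets is None:
            continue  # paid sessions are outside the scope of this audit
        dst = ipaddress.ip_network(r["dst"])
        if not any(dst.subnet_of(n) for n in nets):
            findings.append((r["id"], "destination wider than walled garden"))
        if r["state"] == "app_grace" and (r["ttl"] is None or r["ttl"] > MAX_GRACE_TTL):
            findings.append((r["id"], "grace pass has no bounded lifetime"))
    return findings

if __name__ == "__main__":
    for rule_id, problem in audit(RULES):
        print(f"rule {rule_id}: {problem}")
```
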

Now you’re on the plane, you’ve reached 10,000 feet and the copilot says, “The inflight wifi system should now be enabled.” It’s time for you to burst into action! First you extract your laptop from your properly stowed bag and turn it on. Next, you connect to the wifi. You’ll see the little yellow triangle with an exclamation point in it saying you aren’t connected to the internet but you have network access. Forget the rabbit in the hat, we’ve got our own magic trick. Pop open Babun (or whatever you have) and type:

ssh -NfD 3128 USERNAME@IPADDRESS -p 3128

I hope it’s obvious that you need to replace “USERNAME” with your server’s username and “IPADDRESS” with its IP address. What this will do is set up an SSH tunnel over TCP port 3128 to your server without having an interactive SSH session to the machine. If you’d like an interactive session feel free to drop the “N” and “f” options from that command. The first “3128” in the command opens a port on your local machine to connect to the tunnel. Now to finish off this magic trick, set your browser to use a proxy of 127.0.0.1:3128.

Bam! YOU WIN!
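For whoever runs the network, the tunnel above is easy to spot: SSH announces itself with an "SSH-2.0-..." identification line (RFC 4253), which is not what a Squid port should be carrying. The check below is an added example, not part of the original post; the flow records, field names and expected-protocol table are constructed, standing in for whatever a sensor captures as the first bytes in each direction.

```python
import re

# Protocol the operator expects on each allowed port (assumed policy).
EXPECTED = {80: "http", 443: "tls", 3128: "http"}
SSH_ID = re.compile(rb"^SSH-(2\.0|1\.99)-[\x21-\x7e]+")
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]$")

def classify(payload: bytes) -> str:
    """Guess the protocol from the first bytes one peer sent on a TCP stream."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS handshake record header
    # A server may send other lines before its SSH-... line, so scan a few.
    lines = [l.rstrip(b"\r") for l in payload.split(b"\n")[:5]]
    if any(SSH_ID.match(l) for l in lines):
        return "ssh"
    if HTTP_REQ.match(lines[0]):
        return "http"
    return "unknown"

# Constructed flow records: first payload bytes per direction.
FLOWS = [
    {"client": "172.19.0.23", "dst": "198.51.100.7", "dport": 3128,
     "c2s": b"SSH-2.0-OpenSSH_9.6\r\n",
     "s2c": b"Authorized use only\r\nSSH-2.0-OpenSSH_9.6\r\n"},
    {"client": "172.19.0.24", "dst": "10.10.0.3", "dport": 3128,
     "c2s": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
     "s2c": b"HTTP/1.1 200 Connection established\r\n\r\n"},
    {"client": "172.19.0.25", "dst": "203.0.113.10", "dport": 443,
     "c2s": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
     "s2c": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
]

def find_mismatches(flows):
    """Return (client, dst, dport, seen) where the payload is not the expected protocol."""
    hits = []
    for f in flows:
        seen = {classify(f["c2s"]), classify(f["s2c"])} - {"unknown"}
        for proto in sorted(seen):
            if proto != EXPECTED.get(f["dport"]):
                hits.append((f["client"], f["dst"], f["dport"], proto))
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(FLOWS):
        print("protocol/port mismatch:", hit)
```
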

A waning thought:
On my way home I’m going to test out having my own Squid proxy running on a cloud server over port 3128. Then I’d set my proxy settings the same way and see if it works. If it does work (which I think it will), it’ll minimize the work to do ahead of time. Perhaps I’ll even write a PowerShell script to change your system’s proxy settings. That’d be easy, right?

Let me know what you think. I’ll update this post next week after I try it!
