ROBIN - Open Source Mesh Network users community forum

Can this Captive Portal prevent MAC spoofing?

bingjiw
User

Joined: 03 Nov 2008
Posts: 40

Posted: Tue Jun 09, 2009 2:52 am    Post subject: Can this Captive Portal prevent MAC spoofing?

If a bad guy listens and spoofs the MAC of someone who's already logged in on the portal, the bad guy can bypass the CoovaOM captive portal and surf the Internet.

How can I prevent this from happening?

Thanks

foxtroop11
Service Provider

Joined: 22 Mar 2009
Posts: 1168
Location: Ansbach, Germany and sometimes the States

Posted: Tue Jun 09, 2009 5:20 pm

I'm pretty paranoid myself, but most people have no idea how to do this. I would talk about some stuff I've had to do in the past, but then that would give away info to the bad guys :)

The only way someone prevented this in a situation I know of was to go with WPA Enterprise or something like that, and it was a big pain on Windows to actually set up and get online, almost to the point it wasn't worth trying to connect.

ezyfi-sc
Moderator

Joined: 22 May 2009
Posts: 545

Posted: Tue Jun 09, 2009 5:24 pm

Pro-Mesh has optional MAC Address Authentication, so you can turn off MAC auth completely.

Last edited by ezyfi-sc on Sun Apr 25, 2010 6:23 pm; edited 1 time in total

foxtroop11
Service Provider

Joined: 22 Mar 2009
Posts: 1168
Location: Ansbach, Germany and sometimes the States

Posted: Tue Jun 09, 2009 6:45 pm

Once the person is logged in it doesn't matter what you do with MAC auth. If you have it set for like one simultaneous login then yes, maybe then you could stop it. Once the person is in coova/chilli and actually online and someone else spoofs the same MAC it will let them in. If you really want to get yourself worried, think of this. Take a router in client mode that does not pass the MACs behind it through to the connection. Then connect your laptop to it and tell the router to connect to the hotspot. Log in to that hotspot and then any computer plugged into that router will be online. Or heck, run it in repeater mode and connect then repeat out your own signal and charge for it, lol.

Trust me, messed with it all... It's always good to know what the enemy is capable of. That's why I mess with just about everything. Just limit logins and use a bandwidth limit so even if 5 people are logged in they only get like 128 or something, that will teach them to share out the connection. Great product by the way you mention, running strong for over 2 years and helped me block and lock down everything I need.

beone
Skilled User

Joined: 12 Apr 2009
Posts: 207

Posted: Tue Jun 09, 2009 9:21 pm

All true, but I bumped into a potentially nice feature lately, included in the zeroshell captive portal. It would be nice to have something like this implemented in coova / uam authentication in general.

From the zeroshell website:
Quote:

The clients are identified by their IP and MAC address. However, these two parameters can easily be spoofed. In order to solve the latter problem, the Captive Gateway requires that the user's web browser have an authenticator, that is an encrypted message generated by the Authentication Server and that periodically has to be renewed and sent to the gateway. The authenticator is encrypted using the AES256 encryption algorithm and cannot easily be counterfeited before it expires. The validity of the authenticator can be configured by the administrator. Notice that the management of the authenticator is transparent to the end user of the Captive Portal, who could ignore its presence.

After the authentication, a popup window appears to the user to guarantee the renewing of the authenticator and to allow him to force a disconnection request by clicking a button. ZeroShell uses special techniques in order to avoid that the anti-popup systems, that are present in most browsers, block this window causing a premature disconnection due to the expiration of the authenticator.

I know there are many people against the use of popups, but this way it would be possible to completely beat MAC spoofing. It's sure worth taking a look at, in my opinion.
(as I will do myself when I find the time...)


Kind regards

bingjiw
User

Joined: 03 Nov 2008
Posts: 40

Posted: Wed Jun 10, 2009 3:34 pm

I like the idea of how zeroshell prevents MAC spoofing. But I don't like keeping a popup browser window always open on the client's computer. If you could include this feature like zeroshell, but make it a Windows service that does the authentication request, not a popup window, that would be better.

RR
Moderator

Joined: 16 May 2009
Posts: 49
Location: Montréal, Québec, Canada

Posted: Wed Jun 10, 2009 6:33 pm

I don't see how zeroshell prevents anything ... If someone keeps authenticating, in the meantime between auths you can still spoof the MAC and IP or whatever.

The only real security will be to run a VPN to the wifi AP I think, and then only real encrypted/validated packets can get through.

beone
Skilled User

Joined: 12 Apr 2009
Posts: 207

Posted: Wed Jun 10, 2009 6:39 pm

bingjiw wrote:
I like the idea of how zeroshell prevents MAC spoofing. But I don't like keeping a popup browser window always open on the client's computer. If you could include this feature like zeroshell, but make it a Windows service that does the authentication request, not a popup window, that would be better.


1. I run Linux most of the time, so I wouldn't be able to use the hotspot; the same goes for Mac users.
2. I would definitely never trust a hotspot trying to or asking me to install a service/daemon on my notebook.

I agree popups aren't the perfect solution, but if we implement something else it definitely has to be platform independent and without the need to install extra software. Anyway this isn't really an open-mesh thing, but more a coova-chilli / hotspot-in-general thing.

Maybe I'll try to make a modified version of hotspotlogin one day.


Kind regards
B

beone
Skilled User

Joined: 12 Apr 2009
Posts: 207

Posted: Wed Jun 10, 2009 6:42 pm

RR wrote:
I don't see how zeroshell prevents anything ... If someone keeps authenticating, in the meantime between auths you can still spoof the MAC and IP or whatever.


No, no popup is no key, so logged out.
If I were a spoofer and got logged out every 2 minutes or so, I would definitely not continue with it. :)
Re-authentication could even be done in shorter intervals, 10 seconds for example ;)

RR
Moderator

Joined: 16 May 2009
Posts: 49
Location: Montréal, Québec, Canada

Posted: Wed Jun 10, 2009 6:45 pm

But the key just validates an IP and a MAC for X minutes...
That doesn't change anything, it just knows that you're active and can shut the connection faster afterward. The individual packets are not any more signed by that key because there is a popup, so it's just fake security.

In the meantime: while(true); spoof; done , you won't even get disconnected... :)

beone
Skilled User

Joined: 12 Apr 2009
Posts: 207

Posted: Wed Jun 10, 2009 9:01 pm

RR wrote:
But the key just validates an IP and a MAC for X minutes...
That doesn't change anything, it just knows that you're active and can shut the connection faster afterward. The individual packets are not any more signed by that key because there is a popup, so it's just fake security.

In the meantime: while(true); spoof; done , you won't even get disconnected... :)


Oh yes, I got your point, true.
Pity, it would have been nice.
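
A small model of the renewable authenticator quoted from the zeroshell site and of RR's objection to it, added here as an illustration; it is not part of any post and is not zeroshell or CoovaChilli code. HMAC-SHA256 stands in for the AES256-encrypted authenticator, and the key, addresses, validity period and all function names are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by auth server and gateway
VALIDITY = 120                 # seconds an authenticator stays valid (constructed value)

def issue(ip, mac, now):
    """Auth server: authenticator bound to (ip, mac) with an expiry time."""
    exp = now + VALIDITY
    tag = hmac.new(KEY, f"{ip}|{mac}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{ip}|{mac}|{exp}|{tag}"

class Gateway:
    def __init__(self):
        self.sessions = {}  # (ip, mac) -> expiry timestamp

    def renew(self, token, now):
        """Accept a renewal only if the tag verifies and the token is unexpired."""
        try:
            ip, mac, exp, tag = token.split("|")
            exp = int(exp)
        except ValueError:
            return False
        good = hmac.new(KEY, f"{ip}|{mac}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag) or exp <= now:
            return False
        self.sessions[(ip, mac)] = exp
        return True

    def forward(self, src_ip, src_mac, now):
        """Per-packet decision: frames carry only addresses, never the authenticator."""
        return self.sessions.get((src_ip, src_mac), 0) > now

def simulate():
    gw, ip, mac = Gateway(), "10.1.0.23", "00:11:22:33:44:55"  # constructed addresses
    results = {}
    results["renew_ok"] = gw.renew(issue(ip, mac, now=0), now=0)
    results["forged_rejected"] = not gw.renew(f"{ip}|{mac}|9999|{'0' * 64}", now=0)
    # forward() sees only the address pair, so it cannot tell which station on the
    # segment sent a frame while the browser keeps the session renewed.
    results["same_addresses_forwarded"] = gw.forward(ip, mac, now=60)
    # Renewals stop (popup closed): the session lapses for every sender of that pair.
    results["lapsed_after_expiry"] = not gw.forward(ip, mac, now=VALIDITY + 1)
    return results
```

The expiry only bounds how long a session stays open once renewals stop; binding each packet to the authenticated client needs link or tunnel protection such as the WPA Enterprise and VPN options mentioned in the thread.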
All times are GMT + 1 Hour