Hotspot IP Masking

Public Channel / Mikrotik User Meeting


39. IP Hotspot Masking

41. Leave no trace!

43. More hiding

44. IP Masking Configuration

4. IP Hotspot Masking

5. IP Hotspot Masking

6. IP Hotspot Masking

16. Piggyback on Mikrotik Hotspot (using Standard Wizard Setup)

1. April 13, 2016, Marco Polo Hotel, Manila, Philippines

23. Simplified explanation of Mikrotik Hotspot Security
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.

24. Simplified explanation of Mikrotik Hotspot Security
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.

12. Type of Attacks
• Passive attack on a wireless network: sniffing the Mikrotik User Manager admin account while it is accessed from the hotspot interface.

60. Mikrotik User Meeting April 13 2016 Manila, Philippines -- END --

11. Type of Attacks
• Passive attack on a wireless network: sniffing the Mikrotik User Manager admin account while it is accessed from the hotspot interface (wireless listening + Wireshark).

8. Is Mikrotik Hotspot secure? Can anyone penetrate the hotspot service and steal clients' data or disrupt the hotspot service? If so... by what methods?

30. What the "IP masking" can and can't do
• Cannot protect you from all known passive and active attacks
• Cannot stop attackers from MAC cloning and piggybacking

45. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration

9. Type of Attacks
• Passive attack: the intent to steal information over wired or wireless communication by means of "eavesdropping" (wired Ethernet or wireless Ethernet).

56. Configuration (Hotspot Server Settings)
• Create a user profile
• Create a hotspot server profile
• Enable the hotspot server

35. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads when they see the IP addresses.

51. Configuration (DHCP and DNS Settings)
• Create a DHCP server bound to the hs-bridge interface
• Select the hs-unauthenticated IP pool; this pool will be handed out to all hotspot clients

2. Introduction
• Dan Santillan (owner of Cygnal Technologies)
• A dial-up ISP in the Middle East (1997-2000), providing internet access to military bases and personnel
• A WISP operator from 2000 to 2013
• Mikrotik ROS user from late 1998 to present

17. How to secure? Wired Ethernet
A wired network is a lot easier to protect from a direct attack.
• Isolate and contain the network from external access (i.e. a secured server room)
• Hide cables or use conduits
• Use 802.1X port authentication
(Diagram: copper wire)

46. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration
• Create a bridge interface (two bridge interfaces: one for the LAN, one for the hotspot)

18. How to secure? Wired Ethernet
A wired network is a lot easier to protect from a direct attack.
• Isolate and contain the network from external access (i.e. a secured server room)
• Hide cables or use conduits
• Use 802.1X port authentication
(Diagram: copper wire, sheathing)

25. Simplified explanation of Mikrotik Hotspot Security
• DHCP leases out an IP address from the IP pool (hs-unauth: 10.5.50.3)
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.

19. How to secure? Wired Ethernet
A wired network is a lot easier to protect from a direct attack.
• Isolate and contain the network from external access (i.e. a secured server room)
• Hide cables or use conduits
• Use 802.1X port authentication
(Diagram: copper wire, sheathing, conduit)

20. How to secure? Wired Ethernet
A wired network is a lot easier to protect from a direct attack.
• Isolate and contain the network from external access (i.e. a secured server room)
• Hide cables or use conduits
• Use 802.1X port authentication
(Diagram: copper wire, sheathing, conduit, X X X)

54. Configuration (Hotspot Server Settings)
• Create a user profile: in the user profile, use the hs-authenticated pool; this pool will be assigned to users who passed authentication. If you use User Manager, you can insert it in the IP-POOL field. Insert hs-authenticated-ip in the address list; it will be used for NAT purposes.

13. Type of Attacks
• Active attack on an open wireless network: similar to a passive attack but with the intention to disrupt the system, such as ARP poisoning, malformed packet injection, DNS spoofing/poisoning and broadcast storms.

31. What the "IP masking" can and can't do
• Cannot protect you from all known passive and active attacks
• Cannot stop attackers from MAC cloning and piggybacking
• Can make it harder for attackers to figure out your network layout; therefore piggybacking is "twice as hard" to perform
• Can give you an extra layer of defense aside from the built-in "security"
• Can make network professionals scratch their heads when they see how you assign IP addresses to your clients

3. What we do...
IT solutions provider for SME and corporate customers
• System integrator
• P-t-P and P-t-MP solution provider
• Software development and integration with Mikrotik products
• IP-VPN infrastructure provider (traditional and wireless)
• VPN provider / cloud hosting / managed services
• Hotspot solutions (public events, schools, hospitals, resorts, hotels, manufacturing, warehouses, etc.)

52. Configuration (DHCP and DNS Settings)
• Create a DHCP server bound to the hs-bridge interface
• Select the hs-unauthenticated IP pool; this pool will be handed out to all hotspot clients
• Set the network settings for DHCP: for the gateway you can put anything here; better to put something invalid. Note: set the netmask to 32.

33. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads when they see the IP addresses.
An open wireless AP cannot be protected at all; a series of firewall rules and redirections is the *only* way to "prevent" unauthorized users from using the hotspot service, and it can be easily circumvented. I call this solution "IP hotspot Masking". The idea is to hide as much information as we can by providing end users with false and invalid IP addresses and a false gateway address, hence the "masking"; this creates confusion and misdirection.

22. Things to remember!
• A public hotspot is inherently not secure, as it must be open for public use. WPA/WPA2 and other encryption cannot be used on a public hotspot; otherwise the public cannot connect to it without the key.
• Mikrotik hotspot "security" is based on simple firewall rule manipulation and some internal processes: rejecting unauthenticated users' IP addresses with TCP-RESET, ICMP 3:0, 3:1, etc. It can be circumvented by ignoring these flags.

29. Why the concern?
• The Philippines is fairly new to hotspot services, especially using Mikrotik products; most newcomers to the Mikrotik hotspot are unaware of its security issues.
• Many hotspot operators are not technically knowledgeable in networking.
• Even IT professionals who are new to the Mikrotik hotspot are not aware of its vulnerabilities.
• Any open wireless network is vulnerable to all kinds of attacks; it can compromise end users' sensitive information and can also lead to legal problems between users and hotspot operators.
• Anyone can freely use and abuse your hotspot without you knowing it (especially at night when you are not monitoring).

47. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration
• Create a bridge interface (two bridge interfaces: one for the LAN, one for the hotspot)
• Create a VLAN interface attached to the WLAN1 interface. The VLAN will only act as a dummy interface to hold the IP addresses for hs-unauthenticated and hs-authenticated.

36. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads when they see the IP addresses.
• Lease out an invalid subnet and gateway. Networking 101 taught us that:
  - the gateway and the IP address must be on the same subnet;
  - the last octet of the IP address and of the gateway cannot be set to all 1's (255).

7. Why a hotspot security topic?
There is an increasing demand for Mikrotik APs for hotspot purposes. The Philippines is new to hotspot services, and the majority of hotspot operators do not fully understand the security of a public hotspot, or the lack of it.
Who can benefit from this topic?
• Malls and store chains who offer limited free internet access
• Hotels, restaurants and resorts
• Small business owners
• WISPs and ISPs
• Government and private companies
• Home users
• OR anyone who has already deployed a Mikrotik hotspot but lacks security

57. Configuration (NAT Settings)
• Set the chain to srcnat
• Use the src address list to limit the NAT to the authenticated users' IPs
• Use the masquerade action
The Mikrotik Hotspot Wizard setup NATs the entire subnet (e.g. 10.5.0.0/24); this can pose a problem.

38. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads.
• Lease out an invalid subnet and gateway
• Remove any footprint of the router/gateway addresses
• Give out "hidden routable IP addresses" to authenticated hotspot users

26. Simplified explanation of Mikrotik Hotspot Security
• DHCP leases out an IP address from the IP pool (hs-unauth: 10.5.50.3)
• While the user is not logged in yet, a firewall rule sends the IP to the hs-unauth chain and rejects all packets with TCP-RST, ICMP 3:0-9. Pinging any site results in "Destination net unreachable".
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.

55. Configuration (Hotspot Server Settings)
• Create a user profile
• Create a hotspot server profile. The cookie is used to allow mobile/tablet users to be logged in automatically without entering the username and password; when the cookie option is checked, mobile users do not need to log in again until the cookie lifetime expires. I recommend unchecking it, as it can pose a problem; let mobile users be logged out automatically when idle for a certain amount of time.

34. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads when they see the IP addresses.
An open wireless AP cannot be protected at all; a series of firewall rules and redirections is the *only* way to "prevent" unauthorized users from using the hotspot service, and it can be easily circumvented. I call this solution "IP hotspot Masking". The idea is to hide as much information as we can by providing end users with false and invalid IP addresses and a false gateway address, hence the "masking"; this creates confusion and misdirection.
IP Address: 10.5.50.253
Subnet Mask: 255.255.255.255
Gateway: 1.255.255.255
Is this a correct format?

37. The solution
My solution is based on "misdirection". It is NOT 100% fool-proof, but it is sufficient to keep "wannabe hackers", "script kiddies" and anyone with little knowledge of networking at bay; it can also make IT professionals scratch their heads.
• Give out "hidden routable IP addresses" to authenticated hotspot users. We can edit the status.html file and remove the IP address: the IP address is a dead giveaway of the network layout and the possible gateway address.

21. How to secure?
Wired Ethernet: a wired network is a lot easier to protect from a direct attack.
• Isolate and contain the network from external access (i.e. a secured server room)
• Hide cables or use conduits
• Use 802.1X port authentication
(Diagram: copper wire, sheathing, conduit, X X X)
Wireless Ethernet: wireless cannot be contained or isolated, as radio waves pass through walls and obstructions. An open wireless network is 100% vulnerable to all kinds of direct attack. Radio signals do not have "physical protection" like the sheathing and conduit; instead, we encapsulate the data with encryption such as WEP/WPA/WPA2, etc.

53. Configuration (DHCP and DNS Settings)
• Create a DHCP server bound to the hs-bridge interface
• Select the hs-unauthenticated IP pool; this pool will be handed out to all hotspot clients
• Set the network settings for DHCP: for the gateway you can put anything here; better to put something invalid. Note: set the netmask to 32.
• Set the DNS to allow remote requests and create a static DNS entry. The static DNS entry hotspot.portal is what will appear in the URL bar.

27. Simplified explanation of Mikrotik Hotspot Security
• DHCP leases out an IP address from the IP pool (hs-unauth: 10.5.50.3)
• While the user is not logged in yet, a firewall rule sends the IP to the hs-unauth chain and rejects all packets with TCP-RST, ICMP 3:0-9
• The hotspot server redirects the user's request to the login servlet
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.

48. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration
• Create a bridge interface (two bridge interfaces: one for the LAN, one for the hotspot)
• Create a VLAN interface attached to the WLAN1 interface. The VLAN will only act as a dummy interface to hold the IP addresses for hs-unauthenticated and hs-authenticated.
• Assign IP addresses to the VLAN interface: assign your own IP for the LAN and the VLAN; DO NOT assign any IP to hs-bridge.

10. Type of Attacks
• Passive attack: the intent to steal information over wired or wireless communication by means of "eavesdropping". ARP poisoning is one of the oldest methods of redirecting packets.
ARP Poisoning (diagram):
Port | MAC | IP
1 | 0A:1B:CC:45:F5:FC | 192.168.1.1
2 | 0A:0B:ED:45:A5:8C | 192.168.1.2
Host 192.168.1.1 (MAC 0A:1B:CC:45:F5:FC) and host 192.168.1.2 (MAC 0A:0B:ED:45:A5:8C) exchange ARP broadcasts. A third station with MAC AE:32:45:1D:CE:EE answers "192.168.1.2 is at AE:32:45:1D:CE:EE" and "192.168.1.1 is at AE:32:45:1D:CE:EE".
Poisoned internal ARP tables afterwards: 192.168.1.2 -> AE:32:45:1D:CE:EE and 192.168.1.1 -> AE:32:45:1D:CE:EE.

49. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration
• Create a bridge interface (two bridge interfaces: one for the LAN, one for the hotspot)
• Create a VLAN interface attached to the WLAN1 interface. The VLAN will only act as a dummy interface to hold the IP addresses for hs-unauthenticated and hs-authenticated.
• Assign IP addresses to the VLAN interface: assign your own IP for the LAN and the VLAN; DO NOT assign any IP to hs-bridge.
• Add the WLAN1 and VLAN interfaces to hs-bridge

50. Configuration (Interface and IP Addresses)
• RESET the RouterBoard without default configuration
• Create a bridge interface (two bridge interfaces: one for the LAN, one for the hotspot)
• Create a VLAN interface attached to the WLAN1 interface. The VLAN will only act as a dummy interface to hold the IP addresses for hs-unauthenticated and hs-authenticated.
• Assign IP addresses to the VLAN interface: assign your own IP for the LAN and the VLAN; DO NOT assign any IP to hs-bridge.
• Add the WLAN1 and VLAN interfaces to hs-bridge
• Create IP pools for hs-unauth and hs-auth
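The configuration slides (44-57) show the steps as WinBox screenshots. The RouterOS CLI below is an added equivalent written for this page, not the presenter's own export. The pool 10.5.50.2-10.5.50.254, the hotspot address 10.5.50.1, the /32 netmask, the invalid gateway 1.255.255.255 and the hotspot.portal name come from the slides; the port roles (ether1 WAN, ether2 LAN, wlan1 radio), the VLAN id 50, the LAN subnet 192.168.88.0/24 and the authenticated pool 172.31.50.0/24 are assumptions chosen so that the example is complete.

```routeros
# Added example: CLI equivalent of the WinBox steps on slides 44-57.
# Assumed (not in the deck): ether1 = WAN, ether2 = LAN, wlan1 = hotspot radio,
# VLAN id 50, LAN 192.168.88.0/24, authenticated pool 172.31.50.0/24.

# Slides 45-46: start from a board reset without default configuration and
# create two bridges, one for the LAN and one for the hotspot.
/interface bridge
add name=lan-bridge
add name=hs-bridge
/interface bridge port
add bridge=lan-bridge interface=ether2
/ip dhcp-client
add interface=ether1 disabled=no

# Slide 47: a VLAN on wlan1 whose only job is to carry the two IP addresses.
/interface vlan
add name=vlan-hs vlan-id=50 interface=wlan1

# Slide 48: addresses go on the LAN bridge and the VLAN, never on hs-bridge.
/ip address
add address=192.168.88.1/24 interface=lan-bridge
add address=10.5.50.1/24 interface=vlan-hs
add address=172.31.50.1/24 interface=vlan-hs

# Slide 49: the radio and the VLAN are both ports of hs-bridge.
/interface bridge port
add bridge=hs-bridge interface=wlan1
add bridge=hs-bridge interface=vlan-hs
/interface wireless
set wlan1 mode=ap-bridge ssid="Free-WiFi" disabled=no

# Slide 50: one pool for everyone who associates, a second pool for logged-in
# users drawn from a different subnet (slide 32).
/ip pool
add name=hs-unauthenticated ranges=10.5.50.2-10.5.50.254
add name=hs-authenticated ranges=172.31.50.2-172.31.50.254

# Slides 51-53: DHCP on hs-bridge hands out the unauthenticated pool with a
# /32 mask and an invalid gateway; DNS answers remote requests and the static
# entry is what clients see in the URL bar.
/ip dhcp-server
add name=hs-dhcp interface=hs-bridge address-pool=hs-unauthenticated lease-time=10m disabled=no
/ip dhcp-server network
add address=10.5.50.0/24 netmask=32 gateway=1.255.255.255 dns-server=10.5.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=hotspot.portal address=10.5.50.1

# Slides 54-56: the user profile carries the authenticated pool and the address
# list the NAT rule keys on; the server profile leaves the cookie method out.
/ip hotspot user profile
add name=hs-users address-pool=hs-authenticated address-list=hs-authenticated-ip shared-users=1 idle-timeout=5m
/ip hotspot profile
add name=hs-masked hotspot-address=10.5.50.1 dns-name=hotspot.portal login-by=http-chap
/ip hotspot
add name=hotspot1 interface=hs-bridge profile=hs-masked disabled=no
/ip hotspot user
add name=demo password=demo profile=hs-users

# Slide 57: masquerade only the address list, not the whole subnet.
/ip firewall nat
add chain=srcnat src-address-list=hs-authenticated-ip out-interface=ether1 action=masquerade
```

Two things to verify after pasting: `/ip dhcp-server network print detail` must show `netmask=32` (the slides stress this), and `/ip firewall nat print` must contain only the address-list rule for the hotspot, since a wizard-generated rule for the whole subnet would undo the point of slide 57.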

59. Additional Hotspot Security
What to do... / What it does...
• Disable Default Forward: similar to AP isolation (prevents wireless users from seeing each other at Layer 2).
• Set the hotspot interface to ARP reply-only: prevents users from poisoning the router's ARP table.
• Set DHCP to "Add ARP Address": lets the router add the client's ARP entry to its table (must be used with ARP reply-only).
• Use a bigger IP pool, like /23 or /22, and do not always use the first and last host address for the router: typically a router ends in xxx.xxx.xxx.1 or xxx.xxx.xxx.254, which makes it easier for anyone to attack the router.
• Use netmask 32 in the DHCP server settings: assigns end users a 255.255.255.255 subnet mask.
• Use my "IP hotspot Masking": another layer of defense by confusing users about your network layout.
• Make use of HTTPS for the hotspot login page: provides your end users a secured login process.
• DO NOT ACCESS your Userman page on your hotspot interface: limit your administrative WebFig to your internal network; if you really need to access it from the hotspot interface, create a virtual AP with security and bind it to your local network interface.
• Use HTTPS on all RouterOS web services and disable the local web port 80, including the other services (SSH, Telnet, API): do not let these services run on all interfaces, especially the hotspot interface; limit them to your internal network.
• Use RADIUS AAA for your authentication: RADIUS can provide you Authorization, Accounting and Access; a complete RADIUS package allows you to manage all kinds of services like your hotspot, VPN, dial-up, 802.1X, etc. It also provides a billing system.
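Slide 59 lists the hardening items without showing where each one lives in RouterOS. The block below is an added example written for this page, not the presenter's configuration; it assumes the object names from the masking setup (wlan1, hs-bridge, hs-dhcp, hs-unauthenticated, hs-masked, hotspot.portal), a management LAN of 192.168.88.0/24, an already imported certificate named hotspot-cert and a RADIUS server at 192.168.88.10; all of these are assumptions.

```routeros
# Added example: CLI for the hardening items on slide 59.
# Assumed names (not in the deck): wlan1, hs-bridge, hs-dhcp, hs-unauthenticated,
# hs-masked, hotspot.portal, management LAN 192.168.88.0/24, certificate
# "hotspot-cert", RADIUS server 192.168.88.10.

# Disable Default Forward: wireless clients cannot reach each other at Layer 2.
/interface wireless
set wlan1 default-forwarding=no

# ARP reply-only on the hotspot interface: the router answers ARP requests but
# does not learn from replies, so a client cannot rewrite its ARP table.
/interface bridge
set hs-bridge arp=reply-only
# Add ARP Address: with reply-only the router only knows the MAC/IP pairs its
# own DHCP server handed out.
/ip dhcp-server
set hs-dhcp add-arp=yes

# Bigger pool (/23) and a router address that is neither .1 nor .254.
# The hotspot address, DHCP network, static DNS entry and pool all move together.
/ip address
set [find address="10.5.50.1/24"] address=10.5.50.77/23
/ip pool
set hs-unauthenticated ranges=10.5.50.2-10.5.50.76,10.5.50.78-10.5.51.254
/ip dhcp-server network
set [find address="10.5.50.0/24"] address=10.5.50.0/23 netmask=32 dns-server=10.5.50.77
/ip dns static
set [find name="hotspot.portal"] address=10.5.50.77

# HTTPS login page: the profile needs a certificate and the https login method.
/ip hotspot profile
set hs-masked hotspot-address=10.5.50.77 login-by=https ssl-certificate=hotspot-cert

# Management services: no plain HTTP, everything else bound to the internal LAN.
# User Manager is served by the www/www-ssl service, so this also keeps the
# Userman page off the hotspot interface.
/ip service
set www disabled=yes
set www-ssl disabled=no certificate=hotspot-cert address=192.168.88.0/24
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# RADIUS AAA: hotspot authentication and accounting go to an external server.
/radius
add service=hotspot address=192.168.88.10 secret=CHANGE-ME-shared-secret
/ip hotspot profile
set hs-masked use-radius=yes radius-accounting=yes
```

After applying it, `/ip arp print` on hs-bridge should show only entries with the D (dynamic) flag created by DHCP, and a client that tries to reach the router on port 80 from the hotspot side should get nothing but the login redirect, which is the behaviour the slide is asking for.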

32. What the "IP masking" can and can't do
• Cannot protect you from all known passive and active attacks
• Cannot stop attackers from MAC cloning and piggybacking
• Can make it harder for attackers to figure out your network layout; therefore piggybacking is "twice as hard" to perform
• Can give you an extra layer of defense aside from the built-in "security"
• Can make network professionals scratch their heads when they see how you assign IP addresses to your clients
Layers (diagram):
Level 1: Mikrotik built-in hotspot security
Level 2: IP Masking: assign the initial DHCP configuration with invalid addresses
Level 3: IP Masking: assign authenticated users different IP addresses, away from the subnet range of the DHCP-assigned settings

58. Further Security Measures
Service | Public Hotspot | Private Companies
Hotspot | Unsecured. Level of security: extremely poor | NOT recommended for accessing company data. Level of security: extremely poor
VPN over open wireless | NOT recommended. Level of security: practically useless if used with an open AP | Highly recommended with L2 security. Level of security: highly secure with L2 encryption; can result in slow access due to high VPN overhead and lower payload size (ranging from 1300-1450)
PPPoE over wireless | Recommended for permanent subscribers. Level of security: almost useless if used with an open AP; prone to rogue PPPoE servers and ARP poisoning | Can be used with L2 security. I do not know who would use PPPoE on an encrypted Layer 2 (except if you want control over user account usage)
802.1x with RADIUS AAA | Possible to use but not recommended. Level of security: high but requires an external server; not applicable for a public hotspot | Recommended. Level of security: high but requires an external server

28. Simplified explanation of Mikrotik Hotspot Security
• DHCP leases out an IP address from the IP pool (hs-unauth: 10.5.50.3)
• While the user is not logged in yet, a firewall rule sends the IP to the hs-unauth chain and rejects all packets with TCP-RST, ICMP 3:0-9
• The hotspot server redirects the user's request to the login servlet
• The user is authenticated: a new IP is assigned from the IP pool (hs-auth: 10.5.50.4) and a host-NAT translation is performed
Router: 10.5.50.1/24. IP pool: 10.5.50.2 - 10.5.50.254.
With the Mikrotik standard hotspot wizard setup, the hs-unauth and hs-auth IP addresses are drawn from the same IP pool of 10.5.50.0/24. By default, the entire subnet is masqueraded.

14. Type of Attacks
• Piggybacking (the most common form of attack used by freeloaders): an attack with the intent to use the internet for free, not to steal data or disrupt the system.
Steps (diagram): connect to the AP; listen to the router's ARP broadcasts; collect MAC and IP addresses of clients; clone a MAC and IP address; surf for FREE!
The attacker's main objective is to collect the following:
• MAC address
• IP address / subnet
• Gateway address
• DHCP and DNS addresses
The topic we will focus on: preventing "attackers / script kiddies" from cloning a client's MAC and IP address by confusing them with invalid information.
