Evading Captive Portal Story (Part 1)

//DivByZero//
Jan 5, 2024

When I traveled for vacation, my hotel asked for 20 bucks for internet access. I wondered why I should pay for a service that should be included in the hotel amenities. So, I started searching for possible ways to evade the Captive Portal.

There were some methods, such as running an Evil Twin (part 2) or MAC spoofing (part 3), but I decided to explore better options, like gaining access from the router/AP or bypassing the HTTP proxy server mechanism.

While scanning the router for information gathering, I discovered that the DNS server was forwarding DNS records to the internet! This means we can obtain DNS data without authentication — perfect!

Now, all I need is a way to proxy data over DNS. Let’s get our hands dirty. There’s a project called Iodine. With Iodine, you can send and receive data over DNS to your server.

To use iodine you need a domain, and two DNS records on your domain.

TYPE  HOSTNAME  VALUE
A     tunip     YOUR_SERVER_ADDR
NS    tun       tunip.domain.tld

Now all we need to do is install Iodine on the server and connect to it using our client. I’ve used Ubuntu as the server.

sudo apt update && sudo apt install iodine
# -f: stay in the foreground, -c: skip the client IP check, -P: tunnel password
sudo iodined -f -c -P YourSecurePassword 10.0.0.1 tun.domain.tld

To check your iodine server setup, you can use https://code.kryo.se/iodine/check-it/.
Once the server setup is finished, it’s time to set up the client side (Windows in my case).

iodine.exe -f -P YourSecurePassword tun.domain.tld

Once the connection is established, you can reach your server at 10.0.0.1, either to use a proxy server running there or to open an SSH tunnel.

I then connected to the internet through my SSH tunnel using the following command:

ssh -D 9090 root@10.0.0.1

Notes for Windows users:
If you are using Windows, you might need the TUN/TAP driver (which you can download from the OpenVPN website).
On Windows, the TAP adapter may sometimes get a different address, so you should check its IP address manually.
If you already have WSL, it’s much better to run iodine under WSL and expose the service to the host.
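
Seen from the network operator's side, the traffic this setup produces stands out in resolver logs: one client sending many unique, long, high-entropy names under a single delegated zone. The following is an added example (not from the original post or the iodine project) that flags such client/zone pairs; the log format, addresses, names and thresholds are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

ALPHA = "abcdefghijklmnopqrstuvwxyz012345"

# Constructed sample log, one query per line: "client_ip qtype qname".
# Format, addresses and names are assumptions made for this example.
SAMPLE_LOG = "\n".join(
    # Tunnel-like: 30 unique long encoded labels under one delegated zone.
    [f"192.0.2.10 NULL {ALPHA[i:] + ALPHA[:i]}.tun.domain.tld" for i in range(30)]
    # Benign: many unique but short names (internal hosts).
    + [f"192.0.2.20 A host{i}.corp.test" for i in range(30)]
    # Benign: a handful of ordinary lookups, repeated.
    + ["192.0.2.30 A www.example.org", "192.0.2.30 AAAA www.example.org",
       "192.0.2.30 A mail.example.org"] * 5
)

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_tunnel_suspects(log, min_unique=20, min_len=25, min_entropy=3.0):
    """Return [(client, parent, unique_names, qtypes)] for tunnel-like traffic."""
    names = defaultdict(set)    # (client, parent) -> unique name prefixes
    qtypes = defaultdict(set)   # (client, parent) -> record types queried
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # nothing left of the parent domain to inspect
        # Naive parent: last two labels (a real deployment would use a public suffix list).
        key = (client, ".".join(labels[-2:]))
        names[key].add(".".join(labels[:-2]))
        qtypes[key].add(qtype)
    suspects = []
    for key, prefixes in names.items():
        mean_len = sum(map(len, prefixes)) / len(prefixes)
        mean_ent = sum(map(entropy, prefixes)) / len(prefixes)
        if len(prefixes) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            suspects.append((key[0], key[1], len(prefixes), sorted(qtypes[key])))
    return suspects

if __name__ == "__main__":
    for client, parent, n, types in find_tunnel_suspects(SAMPLE_LOG):
        print(f"{client} -> {parent}: {n} unique names, qtypes {types}")
```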

In the next part, I will tell my story about the Hotel Evil Twin.
