Full Report
The author of this post was on a twelve-hour flight from Canada to Hong Kong. The plane had WiFi, but using it required paying $30.75. For everyone else on the WiFi, it offered free texting. acwifi.com is the captive portal, and it asks for an Aeroplan payment. So some websites work, such as https://acwifi.com, but others, github.com for instance, do not. Can we circumvent this!?

Initially, they tried to disguise the domain: they set /etc/hosts so that acwifi.com pointed at a proxy server, effectively rebinding the DNS record. When they tried to ping the IP, this failed. Their best hypothesis was that ICMP and TLS were blocked.

Much of the time, DNS arbitrarily works, and this was the case here as well, for both UDP- and TCP-based DNS queries. This tells us one thing: the firewall allows all data through port 53. So they set up a proxy on port 53 and connected to it. Boom! WiFi without paying for it ;) They also think that DNS tunneling would have worked as well.

Another mechanism for bypassing the protections would be ARP spoofing. By taking on a different MAC address you simply become another user who has paid, as far as the network is concerned. This is slightly more criminal, so they decided not to do it.
Analysis Summary
# Tool/Technique: DNS Tunneling and Service Port Exploitation
## Overview
This technique involves bypassing captive portals and network access controls (NAC) by leveraging "holes" in firewall configurations—specifically, the common practice of allowing unrestricted traffic on Port 53 (DNS) or exploiting the lack of authentication in the ARP protocol to impersonate authorized users.
## Technical Details
- **Type:** Technique / Network Protocol Abuse
- **Platform:** Any platform with network access (Linux/macOS used in this instance)
- **Capabilities:** Bypassing paywalls, circumventing firewalls, unauthorized internet access.
- **First Seen:** DNS tunneling has been a known technique since the late 1990s; this specific implementation was documented in October 2024.
## MITRE ATT&CK Mapping
- **[TA0008 - Exfiltration]** or **[TA0011 - Command and Control]**
  - **[T1071.004 - Application Layer Protocol: DNS]**: Using DNS traffic to bypass network security measures.
  - **[T1132 - Data Encoding]**: Disguising traffic within standard protocols.
- **[TA0001 - Initial Access]**
  - **[T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning]**: Impersonating other devices on the local network.
## Functionality
### Core Capabilities
- **Port 53 Proxying:** Diverting non-DNS traffic (TCP/UDP) through Port 53 to bypass firewalls that only whitelist specific ports for "free" services (like messaging).
- **DNS Rebinding (Attempted):** Modifying `/etc/hosts` to point restricted domains to an attacker-controlled proxy IP in an attempt to trick the browser and network into allowing the connection.
### Advanced Features
- **ARP Spoofing (Theoretical):** Monitoring the local network to identify MAC addresses belonging to "paid" users and then cloning those MAC addresses to inherit their authenticated session status.
- **Bypassing Captive Portals:** Exploiting the fact that many captive portals allow DNS queries to resolve before the user has authenticated.
## Indicators of Compromise
- **Network Indicators:**
  - High volume of DNS traffic to a single external IP: `137.184.231[.]87`.
  - Non-DNS traffic (TLS/HTTP signatures) detected on Port 53.
  - Presence of `acwifi[.]com` mapped to non-Air Canada IPs in local configuration files.
- **Behavioral Indicators:**
  - Frequent ARP replies without corresponding ARP requests (indicative of spoofing).
  - Single MAC address associated with multiple IP addresses in short succession.
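The two behavioral indicators can be checked mechanically against an ARP log. The following Python is an added example written for this summary; it is not code from the original post or from any tool named on this page. It assumes ARP events have already been extracted into tuples of (timestamp, opcode, sender MAC, sender IP, target IP), and the window sizes and the sample events are constructed for illustration.

```python
"""Flag the two ARP behaviors listed as indicators:
  1. replies that no recent request solicited, and
  2. one MAC claiming several sender IPs in a short window.
Input events are (ts_seconds, opcode, sender_mac, sender_ip, target_ip)."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
REPLY_WINDOW_S = 2.0      # assumed: a reply is solicited if its IP was requested this recently
MULTI_IP_WINDOW_S = 60.0  # assumed: look-back for the "many IPs per MAC" check
MULTI_IP_THRESHOLD = 2    # assumed: distinct IPs per MAC that count as suspicious


def unsolicited_replies(events, window=REPLY_WINDOW_S):
    """Return (ts, sender_mac, sender_ip) for replies with no matching request.

    A request asks about target_ip; the answering reply carries that same
    address as its sender_ip, so requests are keyed by target_ip and replies
    look themselves up by sender_ip."""
    last_request_for = {}  # ip asked about -> timestamp of most recent request
    flagged = []
    for ts, op, smac, sip, tip in sorted(events):
        if op == ARP_REQUEST:
            last_request_for[tip] = ts
        elif op == ARP_REPLY:
            asked = last_request_for.get(sip)
            if asked is None or ts - asked > window:
                flagged.append((ts, smac, sip))
    return flagged


def macs_with_many_ips(events, window=MULTI_IP_WINDOW_S, threshold=MULTI_IP_THRESHOLD):
    """Return MACs that used >= threshold distinct sender IPs within `window` seconds."""
    claims = defaultdict(list)  # mac -> [(ts, sender_ip)] in time order
    for ts, _op, smac, sip, _tip in sorted(events):
        claims[smac].append((ts, sip))
    flagged = set()
    for mac, seq in claims.items():
        for i, (t0, _) in enumerate(seq):
            ips = {ip for t, ip in seq[i:] if t - t0 <= window}
            if len(ips) >= threshold:
                flagged.add(mac)
                break
    return sorted(flagged)


# Constructed sample log (not captured traffic): one station answers for two
# addresses it was never asked about, everything else is ordinary request/reply.
SAMPLE_EVENTS = [
    (0.0, ARP_REQUEST, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.20"),
    (0.1, ARP_REPLY, "aa:aa:aa:aa:aa:20", "10.0.0.20", "10.0.0.1"),   # solicited
    (5.0, ARP_REPLY, "aa:aa:aa:aa:aa:99", "10.0.0.20", "10.0.0.1"),   # unsolicited
    (7.0, ARP_REPLY, "aa:aa:aa:aa:aa:99", "10.0.0.21", "10.0.0.1"),   # same MAC, new IP
    (9.0, ARP_REQUEST, "aa:aa:aa:aa:aa:02", "10.0.0.2", "10.0.0.30"),
    (9.2, ARP_REPLY, "aa:aa:aa:aa:aa:30", "10.0.0.30", "10.0.0.2"),   # solicited
]

if __name__ == "__main__":
    for hit in unsolicited_replies(SAMPLE_EVENTS):
        print("unsolicited reply:", hit)
    print("MACs claiming several IPs:", macs_with_many_ips(SAMPLE_EVENTS))
```

Both checks produce benign hits on real networks: hosts send gratuitous ARP when they join or renew a DHCP lease, and a MAC legitimately moves between IPs when its lease changes, so treat a single hit as a tuning input and alert on repetition rather than on one event.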
## Associated Threat Actors
- While this specific instance was a security researcher/hobbyist, these techniques are widely used by:
  - **General threat actors** for C2 (Command and Control) communication.
  - **Red Teams** for initial network persistence and data exfiltration.
## Detection Methods
- **Signature-based detection:** Identifying non-DNS protocol headers (like TLS handshakes) occurring on Port 53.
- **Behavioral detection:** Monitoring for unusually large DNS packets or high-frequency TXT record queries, which are typical of DNS tunneling.
- **Network Inspection:** Deploying Deep Packet Inspection (DPI) to validate that traffic on Port 53 conforms to the DNS protocol.
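The three detection methods above reduce to checks that can be run over raw port-53 payloads. The Python below is an added example for this summary, not code from the original post or from any DPI product; it assumes payloads have already been captured per client, and the thresholds (512-byte query limit, 20 TXT queries per client) and the sample bytes are constructed for illustration rather than taken from the incident.

```python
"""Heuristic inspection of payloads observed on port 53.

Implements the three signals from the detection list:
  1. signature: TLS record headers or HTTP verbs where DNS should be,
  2. size: DNS queries larger than a classic UDP message,
  3. frequency: bursts of TXT queries from one client (DNS tunnelling)."""
import struct
from collections import Counter

QTYPE_TXT = 16
MAX_NORMAL_QUERY_LEN = 512   # assumed threshold: the traditional UDP DNS limit
TXT_BURST_THRESHOLD = 20     # assumed: TXT queries per client before we flag
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")
HTTP_VERBS = (b"GET ", b"POST", b"HEAD", b"PUT ", b"CONN")


def build_dns_query(name, qtype=1, txid=0x1234):
    """Construct a minimal DNS query; used only to make the sample payloads."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload):
    """Return (qname, qtype, is_response) if payload parses as DNS, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if qdcount != 1:                      # both queries and answers carry one question
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(payload):   # no pointers in the first name
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        return None
    return ".".join(labels), qtype, bool(flags & 0x8000)


def classify_port53_payload(payload):
    """Signature and size checks on one payload; returns a short verdict string."""
    if payload[:1] == b"\x16" and payload[1:3] in TLS_VERSIONS:
        return "tls-on-53"
    if payload[:4] in HTTP_VERBS:
        return "http-on-53"
    parsed = parse_dns_question(payload)
    if parsed is None:
        return "non-dns"
    _qname, _qtype, is_response = parsed
    if not is_response and len(payload) > MAX_NORMAL_QUERY_LEN:
        return "oversized-query"      # responses are exempt: EDNS0/DNSSEC answers are large
    return "dns"


def txt_burst_clients(events, threshold=TXT_BURST_THRESHOLD):
    """events: iterable of (client_ip, payload). Returns clients at or over the TXT threshold."""
    counts = Counter()
    for client, payload in events:
        parsed = parse_dns_question(payload)
        if parsed and parsed[1] == QTYPE_TXT and not parsed[2]:
            counts[client] += 1
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed samples (not captured traffic).
SAMPLES = {
    "normal": build_dns_query("example.com"),
    "tls": b"\x16\x03\x01\x00\xf8\x01\x00\x00\xf4\x03\x03" + b"\x00" * 32,
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "big_txt": build_dns_query(".".join(["a" * 60] * 9) + ".tunnel.example", QTYPE_TXT),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:8s} -> {classify_port53_payload(payload)}")
```

The size rule is applied to queries only: a resolver answering with DNSSEC signatures or EDNS0 padding routinely exceeds 512 bytes, so flagging responses by length would drown the signal. DNS over TLS runs on port 853 and DNS over HTTPS inside ordinary HTTPS, so neither shows up here; this check targets exactly the plain port-53 hole the write-up describes.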
## Mitigation Strategies
- **DNS Filtering:** Force all DNS traffic through an internal, inspected DNS resolver rather than allowing direct communication to external IPs on Port 53.
- **MAC Locking/Sticky MAC:** On managed switches, limit the number of MAC addresses allowed per port (though less effective in wireless environments).
- **Encrypted DNS:** Implement DNS over HTTPS (DoH) or DNS over TLS (DoT) to ensure integrity, though this can also be used by attackers to hide tunneling.
- **VLAN Isolation:** Isolate unauthenticated users into a restricted VLAN where Port 53 is only allowed to reach a trusted internal DNS server.
## Related Tools/Techniques
- **Xray-core / V2Ray:** Frameworks used for building proxies to bypass network censorship.
- **Iodine:** A popular tool specifically designed for tunneling IPv4 data through DNS servers.
- **Ettercap / Bettercap:** Tools used for performing ARP spoofing and Man-in-the-Middle attacks.