Have you ever found an open wireless access point and, when opening your browser, been greeted by a nice login screen asking you for a credit card number (a captive portal)? What’s next? Make your choice: fill in the form with the magic numbers or try to bypass this security mechanism!
Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warnings to the client, and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (e.g. suspiciously big packets). On the other hand, there are often fewer restrictions on DNS traffic.
In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.
Required components
- An official registered domain name. Example: mydomain.net
- A server with a public IP address not running any DNS service. The server must run UNIX[1]. Example: my.public.server.isp.com
[1] I successfully tested dns2tcp on Linux, and the client also on iPhone.
Domain name zone configuration
Choose a subdomain name for your domain. In this example, we will use a subdomain dnstunnel.mydomain.net. Add the following line in your zone file:
dnstunnel IN NS your.public.server.isp.com.
Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask your ISP or hoster to do this for you.
Server configuration
(these operations are performed on your public server)
Download the tarball and compile the binaries:
# cd /tmp
# tar xzvf dns2tcp-0.3.tar.gz
# cd dns2tcp-0.3
# ./configure
# make install
This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:
# cat >/etc/dns2tcpd.conf <<EOF
listen = w.x.y.z
port = 53
user=nobody
chroot = /var/empty/dns2tcp/
domain = dnstunnel.mydomain.net
ressources = ssh:127.0.0.1:22
EOF
Be sure to replace the domain and the IP address with your own values! The port must be 53!
Now, start the daemon:
# ./dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
“-F” means to run in the foreground, “-d 1” enables debugging and “-f” gives the configuration file.
Client configuration
Perform the same operations as on the server side (./configure && make install). Then create the client configuration file /etc/dns2tcpc.conf:
# cat >/etc/dns2tcpc.conf <<EOF
domain = dnstunnel.mydomain.net
ressource = ssh
local_port = 2222
debug_level=1
EOF
Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be bound by a non-root user!
Now, check if we can communicate with the server:
# ./dns2tcpc -z dnstunnel.mydomain.net <dns_server>
Available connection(s) : ssh
The dns_server can be your public server or, if you are forced, the local DNS.
Start an SSH session
Now, we are ready to start a tunnel with encapsulated SSH packets:
# ./dns2tcpc -c -f /etc/dns2tcpc.conf
listening on port 2222
...
Now, start your SSH session:
# ssh -p 2222 user@127.0.0.1
...
Here we go! You have a session on your public server!
You can also start SSH as a SOCKS proxy with the “-D” option and configure your browser to surf through this tunnel.
You can create as many resources as you want on the server, but packets sent through the DNS tunnel are not encrypted, so SSH is recommended as the best solution.
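Seen from the hot spot operator's side, the tunnel above appears as a stream of queries whose leftmost labels are long, unique and encoded, all under one delegated zone. The following is an added example, not part of the original post or of dns2tcp, that scores a DNS query log for that pattern; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import base64, hashlib, math
from collections import Counter, defaultdict

MIN_UNIQUE = 5      # distinct leftmost labels under one zone (assumed threshold)
MIN_MEAN_LEN = 20   # mean label length in characters (assumed threshold)
MIN_ENTROPY = 3.5   # mean Shannon entropy, bits per character (assumed threshold)

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def constructed_log():
    """Constructed sample: '<client> <qtype> <qname>' lines (format is an assumption)."""
    lines = ["10.0.0.5 A www.example.org", "10.0.0.5 AAAA www.example.org",
             "10.0.0.5 A mail.example.org"]
    for i in range(8):
        # Benign look-alike: many unique but short names under one zone.
        lines.append(f"10.0.0.5 A img{i}.cdn.example.org")
        # Tunnel-like: an encoded payload chunk as the leftmost label.
        chunk = hashlib.sha256(str(i).encode()).digest()[:20]
        label = base64.b32encode(chunk).decode().lower()
        lines.append(f"10.0.0.7 TXT {label}.dnstunnel.mydomain.net")
    return lines

def find_tunnel_candidates(lines):
    """Return {(client, zone): stats} where leftmost labels look like encoded data."""
    labels = defaultdict(set)
    for line in lines:
        client, _qtype, qname = line.split()   # qtype is parsed but not scored
        # Simplification: the zone is everything after the leftmost label.
        label, _, zone = qname.rstrip(".").lower().partition(".")
        labels[(client, zone)].add(label)
    hits = {}
    for key, seen in labels.items():
        mean_len = sum(map(len, seen)) / len(seen)
        mean_ent = sum(map(entropy, seen)) / len(seen)
        if (len(seen) >= MIN_UNIQUE and mean_len >= MIN_MEAN_LEN
                and mean_ent >= MIN_ENTROPY):
            hits[key] = {"unique": len(seen), "mean_len": mean_len,
                         "mean_entropy": round(mean_ent, 2)}
    return hits

if __name__ == "__main__":
    for (client, zone), stats in find_tunnel_candidates(constructed_log()).items():
        print(client, zone, stats)
```

The CDN-style names in the sample have as many unique labels as the tunnel but are short, which is why the length and entropy conditions are combined with the uniqueness count.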





Is there any way to bypass the password of the wireless connections? I don’t talk about firewalls or portals, just the pass required to gain access?
Can I use a free unix shell to do this???
Does this one work in dns proxy?
Uhmm, nice tutorial. Same question as machunt: does this one work in dns proxy?
Great post. Good thing I came across this page. This is exactly what I’ve been looking for. Thanks for sharing.
Great technique that continues to work on a large scale. It is surprising providers have not caught on to this.
thanks for your shell code! Very helpful, can’t wait to check it out.
Nice!! This was exactly what I’ve been looking for, big thanks.
What an epic post – really helpful! An entire good deal appreciated!
Thanks man. It helped me a lot!
How can I start dns2tcpc locally on the iPod touch? I can start it via SSH from a laptop and Safari can use it. But it does not work if I start it via TouchTerm and SSH to 127.0.0.1 or in MobileTerminal. There is a dns2tcpc process running, but Safari can’t open web pages.
I use an iPod touch 2G, a jailbroken iOS 4.2.1 with multitasking enabled.
This is awesome stuff – but I’m thinking the CC companies & maybe a few merchants aren’t going to be thrilled.
Thanks!
very nice post! I will try it :D
Thanks it worked very well!
Great post, this helped to figure this stuff out, thanks!
Nice Tutorial, thank you !
Thank you so much. It was so useful. Keep updating with more such useful info.
Thank you for sharing this stuff with line of commands for every configuration.
It is really helpful.
Very nice!! This was what I’ve been looking for. Thanks.