Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Wired captive portal pen-test
From: "Mike Hale" <eyeronic.design () gmail com>
Date: Mon, 14 Jul 2008 12:20:56 -0700

I've used a Nomadix system.  I don't know of any inherent
vulnerabilities, but the Nomadix is deployed as a Gateway with a
switch being necessary for overall connectivity.  The unit itself runs
on VxWorks.

If you are unable to ping any other IPs, it sounds like the actual
switch you're plugged is configured to deny that.

There's also a very good chance that you will be unable to access the
management features from the subscriber side of the network, as that's
a common thing to turn off.

I don't have any specs on the quadriga stuff, but you may have a tough
nut in front of you if it's anything similar to the Nomadix unit.

On Mon, Jul 14, 2008 at 8:41 AM, Roman Medina-Heigl Hernandez
<roman () rs-labs com> wrote:
Hello,

I'm looking for information about pen-testing a captive portal commonly used
in hotels. At least here in Spain I've seen that Quadriga (quadriga.com)
commercial solution is commonly used. If I attach a laptop to the RJ45 of
the room (with Quadriga), I receive an IP by DHCP. I can also ping the
gateway. But I cannot see other IPs. I suspect they're using some kind of L2
filtering (to disable ARP-requests except to the gateway), perhaps I'm
wrong, though. If I start a browser I'm redirected to a captive portal where
I can see my room number in one of the parameters, so (I think) they are
identifying my room by the switch port (I cannot figure other alternative
since my laptop/MAC is not pre-registered so it's unknown to them).

Any information about these systems and how to pen-test them? Do you know
which kind of security meassures does Quadriga apply in particular or more
technical specs about this kind of systems? Do they use some special network
hardware (hardened switch, etc)? Or are they deployed using common hardware
(Cisco, etc)? Any manuals, tech specs, etc?

Thanks in advance for your responses and have a nice day.
-r

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------





-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]