Posted by: tfabris
Airport Wireless Connections, a fun hack. - 24/10/2006 19:46
With all the traveling I've been doing over the past year, I've started to get annoyed at airports that don't have free wireless.
You know the drill: You open up the laptop, and it shows an unencrypted access point with five bars of signal strength. You cheer, only to find that the first web page that comes up is asking you for your credit card.
It's rarely worth it to me to pay $7.95 just to log in and check my email. That's just highway robbery.
Sometimes, you can connect to the airport wireless system, and usernames and passwords like "foobar" will work, but I've actually only done that trick successfully once.
So here's something fun to try. I read about this somewhere, and thought it would be a lot harder to do than it was. Turns out it worked like a charm, was easy to do, and I haven't got the slightest moral compunctions about doing it, for reasons which I shall explain below.
Okay, when you get that page that charges you $7.95, how does it authenticate you? Usually, by your wireless card's MAC address. And what do you do with that connection? You check your email, you answer it maybe, perhaps you surf the empeg BBS for 5 minutes, then your plane starts boarding and you have to shut down your laptop. You've still got an hour and a half of time left on that $7.95, and it's sitting there unused, like a parking meter with time left after you've pulled out of the parking spot.
I have no compunctions about grabbing that parking spot with time left on the meter. Do you? Here's how to do the 802.11 ethernet equivalent of snagging the parking spot (windows XP directions given):
- Before you leave on your trip, copy the ethereal installer to your laptop's hard disk. (And the installer for the Winpcap driver if ethereal still needs it to function... I have an older version of ethereal, I dunno if they've streamlined the product lately or not.)
- Connect to the wireless router.
- Surf to any web page so that the "enter your credit card number" screen appears.
- Install Winpcap and Ethereal. Packet sniff the wireless card for a moment. Promiscuous mode, with name-resolution turned off.
- Sort the data by Source Address.
- Some of those addresses will be MAC addresses instead of IP addresses. Copy them down.
- Supposedly, you're supposed to keep sniffing until you stop seeing one of those addresses, thus indicating that they've finished using their connection and the parking spot is now empty. I was in a hurry, and actually just went straight on to the next step, and I'm hoping to discuss the potential repercussions of doing this later in the thread.
- Go to your 802.11 card's advanced properties, and where the property of "Network address" says "Not Present", change it to one of the MAC addresses you just copied down. On my network card, I had to remove the colons and put it in uppercase, yours may be different. (Note: Some network cards don't have this option in their driver. There are supposedly third party tools that will help you spoof your mac address in that case. I never needed to try them.)
- The icon on the task bar will disappear and reappear, indicating that XP has reset the network card and is obtaining a new DHCP address. When it indicates it's connected, try surfing and see if you still get the payment options screen. If not, try another MAC address in the wireless card's properties.
- Lather, rinse, repeat until you get a working connection.
I did this in the Detroit airport yesterday, and it literally took me about three minutes to do, and that's counting the time it took me to install Winpcap and Ethereal.
Now, the first MAC address I tried didn't work. I'm assuming that was someone who tried to surf but didn't pay for the service. The second MAC address worked spotty, with timeouts and broken connections. Lots of red X's where graphics were supposed to be. I'm assuming this was someone who was still using the connection, and our browsers were fighting over who gets to keep the returned packets. I disconnected this and tried a third MAC address, which worked perfectly and with no lost data. I'm assuming this was someone who had just shut down, or at least had stopped surfing at that moment.
So does anyone have any better idea of what would happen if I used the MAC address of an existing, active user? Would it behave like the second address I tried in my example above?
You know the drill: You open up the laptop, and it shows an unencrypted access point with five bars of signal strength. You cheer, only to find that the first web page that comes up is asking you for your credit card.
It's rarely worth it to me to pay $7.95 just to log in and check my email. That's just highway robbery.
Sometimes, you can connect to the airport wireless system, and usernames and passwords like "foobar" will work, but I've actually only done that trick successfully once.
So here's something fun to try. I read about this somewhere, and thought it would be a lot harder to do than it was. Turns out it worked like a charm, was easy to do, and I haven't got the slightest moral compunctions about doing it, for reasons which I shall explain below.
Okay, when you get that page that charges you $7.95, how does it authenticate you? Usually, by your wireless card's MAC address. And what do you do with that connection? You check your email, you answer it maybe, perhaps you surf the empeg BBS for 5 minutes, then your plane starts boarding and you have to shut down your laptop. You've still got an hour and a half of time left on that $7.95, and it's sitting there unused, like a parking meter with time left after you've pulled out of the parking spot.
I have no compunctions about grabbing that parking spot with time left on the meter. Do you? Here's how to do the 802.11 ethernet equivalent of snagging the parking spot (windows XP directions given):
- Before you leave on your trip, copy the ethereal installer to your laptop's hard disk. (And the installer for the Winpcap driver if ethereal still needs it to function... I have an older version of ethereal, I dunno if they've streamlined the product lately or not.)
- Connect to the wireless router.
- Surf to any web page so that the "enter your credit card number" screen appears.
- Install Winpcap and Ethereal. Packet sniff the wireless card for a moment. Promiscuous mode, with name-resolution turned off.
- Sort the data by Source Address.
- Some of those addresses will be MAC addresses instead of IP addresses. Copy them down.
- Supposedly, you're supposed to keep sniffing until you stop seeing one of those addresses, thus indicating that they've finished using their connection and the parking spot is now empty. I was in a hurry, and actually just went straight on to the next step, and I'm hoping to discuss the potential repercussions of doing this later in the thread.
- Go to your 802.11 card's advanced properties, and where the property of "Network address" says "Not Present", change it to one of the MAC addresses you just copied down. On my network card, I had to remove the colons and put it in uppercase, yours may be different. (Note: Some network cards don't have this option in their driver. There are supposedly third party tools that will help you spoof your mac address in that case. I never needed to try them.)
- The icon on the task bar will disappear and reappear, indicating that XP has reset the network card and is obtaining a new DHCP address. When it indicates it's connected, try surfing and see if you still get the payment options screen. If not, try another MAC address in the wireless card's properties.
- Lather, rinse, repeat until you get a working connection.
I did this in the Detroit airport yesterday, and it literally took me about three minutes to do, and that's counting the time it took me to install Winpcap and Ethereal.
Now, the first MAC address I tried didn't work. I'm assuming that was someone who tried to surf but didn't pay for the service. The second MAC address worked spotty, with timeouts and broken connections. Lots of red X's where graphics were supposed to be. I'm assuming this was someone who was still using the connection, and our browsers were fighting over who gets to keep the returned packets. I disconnected this and tried a third MAC address, which worked perfectly and with no lost data. I'm assuming this was someone who had just shut down, or at least had stopped surfing at that moment.
So does anyone have any better idea of what would happen if I used the MAC address of an existing, active user? Would it behave like the second address I tried in my example above?
