Free WiFi in Airports and Public Hotspots

April 14, 2007


By Brian Wilson, CCNA, CCSE, CCAI, MCP, Network+, Security+, JNCIA

Recently, while traveling, I noticed a hot spot and wanted to surf the internet. Once I connected to the AP I saw that they wanted to charge me $8 per day to surf the internet. I thought that was just too much money for a quick internet connection, and my layover between flights was about 3 hours. I decided to see what I could access while connected to their AP.

Disclaimer: This paper and the topics covered in it are for educational purposes only and should not be tried on a network without permission from the owner of the network you plan on testing. I hold no responsibility for any actions or damage that might accrue if you try anything explained in this paper. “Do not do this at home, kids”: hacking/cracking/pen testing might be harmful to your health.


 

Well, I got to their splash screen, and it would allow me to surf on that page and the local ISP's home page (the local ISP was their sponsor). Any other sites would not work and forced my browser back to the splash screen that was insistent that I pay them the eight dollars. With my experience in setting up content portals on APs, I noticed this portal acted a lot like Monowall (http://www.m0n0.ch/). Since I know how the security features in Monowall worked (using MAC addresses to block content), I wondered if I could get past the portal's firewall without paying the service fee. I wanted to do this just to see if it could be done and to gauge the security of this network. Well, the first thing I did was scan the subnet I was on to see what I could access. For the scanning software I used Cain & Abel (http://www.oxid.it/), and I also used SoftPerfect’s Network Scanner (http://www.softperfect.com/). The reason I used Cain & Abel was because it provided an easy-to-use interface. I also wanted to see if the hosts on the subnet with me were visible, and if they could be pinged.

 

Figure 1: Cain & Abel Sniffers menu.

 

 

Figure 2: SoftPerfect Network Scanner

 

Once I received the results of the scanned subnet, I could see all of the other computers alongside me. I noted that the content filter/firewall claimed all of the unused IPs, but I was able to see the difference between the firewall's MAC address and the other PCs' MAC addresses. I then tried a ping test, and I got responses to my pings. I was able to verify the hosts were active, and, with a little sniffing, I could see who was pulling traffic outside of the firewall's restrictions. So thus far I have found that the firewall was not letting me out of the network freely, but I was able to play inside of the LAN subnet without interaction. I am able to scan and sniff the local subnet, and the firewall is not blocking me from the other hosts on the subnet. Now it is time to see if spoofing my MAC address with another paid PC would let me out to surf. I used EtherChange (www.ntsecurity.nu/toolbox) to clone my MAC address to match one of the other PCs I noticed pulling lots of traffic.

 

Figure 3: EtherChange by www.NTSecurity.NU

 

Lo and behold, this was the key to getting past the content filter firewall, and I am able to surf the internet without the firewall's blocks. I now checked with my sniffer to make sure I did not stop the internet connection from the nice PC that loaned me its MAC address. Good news was that the firewall let us both surf the internet with different IPs and the same MAC address. I conclude that this content filter was only blocking users by MAC address, and once you paid the fee and had your MAC address added to its white list, any PC with that MAC was also free to surf the internet. This kind of MAC security is the same that many home APs use to mislead customers into thinking that they are secure.

I see this as a real flaw, and it is not a real security feature, as anyone that has basic skills can get around it. With this being the security on that network, I only hope the airport uses better security on their internal network. I am now ready to test the next AP that blocks my internet to see how it implements security. Please note I did pay for service after testing the AP, and I was not cracking anything. Some day soon people will understand the need for real network security, and the internet will be a safer place. Remember that tricking a paid service for free service is stealing, and there are consequences. So be ready to pay the price if you get caught. I do not recommend trying anything that I have explained here without the specific permission of the owner of that network.
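The condition the article ends on, one allowlisted MAC online from two IPs at the same time, is something a portal operator can look for. The following is an added example, not code from the original article: it flags a MAC that alternates between IPs within a short window, and the log format, the `find_shared_macs` name and the 120-second window are all assumptions.

```python
"""Flag a MAC address that is active behind several IPs at once."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gateway observations: "ISO-time client-ip client-mac".
SAMPLE_LOG = """\
2007-04-14T10:00:05 10.0.0.21 00:11:22:33:44:55
2007-04-14T10:00:40 10.0.0.21 00:11:22:33:44:55
2007-04-14T10:01:10 10.0.0.37 00:11:22:33:44:55
2007-04-14T10:01:30 10.0.0.21 00:11:22:33:44:55
2007-04-14T10:02:10 10.0.0.37 00-11-22-33-44-55
2007-04-14T10:02:00 10.0.0.50 aa:bb:cc:dd:ee:01
2007-04-14T10:30:00 10.0.0.51 AA:BB:CC:DD:EE:01
2007-04-14T10:05:00 10.0.0.60 aa:bb:cc:dd:ee:02
2007-04-14T10:05:30 10.0.0.61 aa:bb:cc:dd:ee:02
"""

def parse(log_text):
    """Yield (time, ip, mac) with the MAC normalised to lower-case colon form."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield datetime.fromisoformat(ts), ip, mac.lower().replace("-", ":")

def find_shared_macs(log_text, window=timedelta(seconds=120)):
    """Return {mac: [ips]} for MACs seen alternating between IPs inside `window`.

    A single hand-over (old IP, then new IP, old one never seen again) looks
    like a DHCP address change and is not flagged; traffic that goes A, B and
    back to A means two hosts are presenting the same MAC concurrently.
    """
    last_seen = defaultdict(dict)   # mac -> {ip: time last seen}
    overlaps = defaultdict(set)     # mac -> {(recently_seen_ip, current_ip)}
    for ts, ip, mac in sorted(parse(log_text)):
        for other_ip, seen in last_seen[mac].items():
            if other_ip != ip and ts - seen <= window:
                overlaps[mac].add((other_ip, ip))
        last_seen[mac][ip] = ts
    flagged = {}
    for mac, pairs in overlaps.items():
        ips = {a for a, b in pairs if (b, a) in pairs}  # seen in both orders
        if ips:
            flagged[mac] = sorted(ips)
    return flagged

if __name__ == "__main__":
    for mac, ips in find_shared_macs(SAMPLE_LOG).items():
        print(f"MAC {mac} active from multiple IPs: {', '.join(ips)}")
```

Detection only reports the symptom; a portal that keys its allowlist on the MAC address alone still accepts the second host.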


Brian Wilson (bwilson@ethicalhacker.net) has over 12 years of experience in IT, starting with a tour in the United States Army. He has worked in and out of the US Government in many different organizations and technical roles, including a stint as a Cisco Certified Instructor. Currently he works for one of the largest US broadband providers (ISP) as a Senior Data/Voice Engineer supporting over 3 million High Speed Internet/VoIP subscribers. He has attained a number of industry credentials covering many aspects of IT including CCNA, CCSE, CCAI, MCP, JNCIA, Network+, Security+, and many DoD Certifications. He also uses his knowledge of IT to benefit a number of charitable organizations. Clearly Brian's knowledge and interests are wide, and his affinity for philanthropy will be the overriding theme of his vast set of articles and videos.
