He doesn't have a passport.

This post is kind of a cheat-sheet on bypassing common used WiFi hotspot authentication method, I encountered so far.
The idea started a couple of weeks ago, in my trip to Saigon, Vietnam. I spent around 50 hours in airports or flying, and each time I needed to go online through some airport or airplane hotspot.
There are a milions of diffent kind of hotspots out there, and I'll focus on the most common ways to bypass authentication.
If you have any other methods, or any questions you can follow me on Twitter and ask me directly there.

What is an hotspot network?

An hotspot network is an Open WiFi network in which you will find a captive portal for authentication, usually, with your own user/password.

alt

You can find capitive portals everywhere around you, at McDonald's, at your Hospital, airports, in your park, etc.
The first thing to notice is that, since they are Open network you can connect without problem, and therefore you can scan connected hosts and sniff traffic.
The authentication instead is used to allow an user to go online. Often it is required to prevent abuse, of any kind: from people downloading porn, to people committing illegal stuff with your network.

Bypassing hotspot authentication

1. MAC Forgering

The open network authentication works linking your MAC address to your credentials. But since MAC address can be easily changed on any devices: laptop, smartphones, etc this is not a strong nor safe authentication method. The first thing to do is to scan the whole network looking for any others clients connected. The fastest way to do it is using ARP scanning technique which will give us a nice ARP table with IP and MAC address for each connected devices:

192.168.1.1      f8:1a:67:xx:xx:xx      TP-LINK TECHNOLOGIES CO., LTD.
192.168.1.111 00:08:9b:xx:xx:xx ICP Electronics Inc.
192.168.1.103 bc:f5:ac:xx:xx:xx Apple Inc.
192.168.1.105 bc:77:37:xx:xx:xx Intel Corporate

We can now try one by one those MACs and see if the client is already authenticated.
To speed-up the process we can try a couple of things:

  • Check if any of those clients is generating traffic.

  • If so, intercept it and see if this is Internet traffic.

If both those conditions are satisfied we can be 99% sure that that client is authenticated to the portal.

It also may happen that the hotspot gives out a certain amount, of time or data, of free traffic, in this particular case we can just randomize our MAC address once it is expired.

2. Set up a fake captive portal

An other way to obtain access to internet ( and not only to that ), is to set up a fake captive portal, force the users to use it in order to authenticate and steal their credentials.
As I wrote before, all the traffic in an Open network is in clear, therefore we can intercept it, modify it and do, almost, whatever we want. Sometime the captive portal has an HTTPS connection, but they use a custom certificate almost all the times.
In order to set up a fake captive portal we have to download the original one, using your favorite tool, and edit it to store somewhere the credentials entered by the user. Once we saved them, we should forward the user to the original captive portal for the real authentication.
But how can we force the user to use our captive portal instead of the proper one?
The easiest option is to do an ARP Poisoning attack against all the clients telling them that the captive portal MAC is now our own MAC address.

The following image should explain it a little better:

alt

After that, we set up a web server on our machine with the fake captive portal on it. And game over.

3. The "I forgot my password" features

I was almost forgetting this bypass method, but thankfully a friend of mine remembered me a few days ago on Twitter.
The idea is simple, several hotspots with authentication give you the option of reset your password if you have forgot it. Often it is done by your phone number, to which they send you a new one, but often too it is done sending you a new password by email, if this is the case then 99% they will allow you to connect with your email client to your IMAP/POP mail server, which means you will be able to check your email free of charge. Moreover very often they do not check if the traffic you are generating is real IMAP or POP traffic ( because of encryption mainly ), so you can set up a ssh server at your own VPS on port 995 or 993, which are default ports for respectively POP3 and IMAP encrypted traffic, and create an SSH tunnel to proxy your internet browsing.

4. Tell me, what's your IP?

The last method I'm gonna discuss in this post is the use of DNS tunneling to bypass the authentication. Most of the time, hotspot allows you to do DNS query and often they use a private DNS server, but just as often they also allow you to query an external DNS. A very interesting project, born several years ago, is Iodine, a software for DNS tunnelling, that means you can create a tunnel using the DNS protocol to your own server, and then use it to go on the internet; more or less is like what you do when you have a VPN connection to your work place. Once you have the tunnel established you can set up again a proxy over an SSH tunnel to your server to have a secure and encrypted channel to surf on the net.
There is just one more requirement to be able to use DNS tunnelling, you have to own a domain or be able to use some dynamic DNS provider and get a subdomain.