I was looking forward to trying out some in-flight wifi on my flight to E3 today. Sadly, I have personal reservations about paying $10 for an hour's worth of internet.
Why pay for internet when you can poke at their infrastructure for free?
See. I knew you would see it my way.
I wasn’t really interested in doing anything more than a passive wireless assessment here, so I didn’t uncover the hidden SSIDs.
It appears that DNS, like many captive portal sites, passes through without authentication. If you’re one of those people who has their DNS <-> IP gateways, you can likely send your elite twitter updates for free.

Speaking of that gateway, let’s see what’s up with it in a somewhat less passive way:
bash-3.2# nmap -A 172.19.131.0/24
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 06:33 PDT
Stats: 0:00:22 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:01:15 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Interesting ports on 172.19.131.2:
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
|_ HTML title: Site doesn’t have a title.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|WAP
Running (JUST GUESSING) : Linux 2.6.X (98%), Infoblox NIOS 4.X (91%), Siemens embedded (89%)
Aggressive OS guesses: Linux 2.6.18 – 2.6.24 (98%), Linux 2.6.13 – 2.6.24 (94%), Linux 2.6.17 – 2.6.25 (94%), Linux 2.6.9 – 2.6.15 (93%), Linux 2.6.22 (93%), Linux 2.6.22 – 2.6.23 (93%), Linux 2.6.24 (Ubuntu 8.04) (93%), Linux 2.6.15 – 2.6.25 (92%), Linux 2.6.15 – 2.6.20 (92%), Linux 2.6.18 – 2.6.22 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Okay. Cool enough. It’s some neat German embedded stuff. Possibly Siemens related. Sounds about right for an airplane.
Just for good measure, let’s take a quick look at the authorizing server that users get redirected to.
bash-3.2# nmap -A airborne.gogoinflight.com
Interesting ports on 10.241.41.4:
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn’t have a title.
443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn’t have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 – 2.6.24
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.37 10.241.41.4
Looks like some pretty good stuff, but to capture that last 0.01% of the market that runs OpenVPN on port 53 (assuming they don’t perform protocol inspection) or has an NSTX gateway, they’ll need to be a little trickier.
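From the portal operator's side, the unauthenticated DNS path described above can be watched for tunnel-like query patterns. The following is an added example, not code from this post or from the provider: the log tuples, the domain tunnel.example, the client addresses and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample: (client_ip, qname) pairs logged for clients that have
# not yet authenticated to the portal. Addresses and names are made up.
SAMPLE = [
    ("172.19.131.50", "www.example.com"),
    ("172.19.131.50", "mail.example.com"),
    ("172.19.131.50", "airborne.gogoinflight.com"),
] + [
    ("172.19.131.77", f"{i:04x}a9f3c1e7b25d8064f1c3a97e5b2d4068.t.tunnel.example")
    for i in range(40)
]

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def base_domain(qname):
    # Assumption: the last two labels approximate the registered domain.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspected_tunnels(queries, min_unique=20, min_avg_len=30, min_entropy=3.0):
    """Return {(client, base_domain): stats} for pairs that look like tunnelling.

    A tunnel encodes data in the leftmost label, so one client sends many
    unique, long, high-entropy names under a single base domain.
    """
    groups = defaultdict(set)
    for client, qname in queries:
        groups[(client, base_domain(qname))].add(qname.lower())
    flagged = {}
    for key, names in groups.items():
        labels = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(entropy, labels)) / len(labels)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[key] = {"unique": len(names), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, domain), stats in suspected_tunnels(SAMPLE).items():
        print(client, domain, stats)
```

Raw VPN traffic on port 53 is a separate case: it does not parse as DNS at all, so a well-formedness check on the payload (the protocol inspection mentioned above) is what catches it.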

Nice one bro! Did the same thing on my recent travel to Florida (from SFO). I was aboard American Airlines, sniffed the WiFi traffic on-flight, made an NMAP scan like what you did, and made an awesome Wireshark Capture for almost 45 minutes.
I’ll post my adventure on my blog in a few days.
Ron
Nice work on hacking this. Wish I followed your tech talk better and had seen this before I dove in for $13. And also wish their outgoing ports were not blocked, as I am not able to send out emails from my client on port 80.
Good work.
But #Lame gogo’s part!
If it was a longer flight or I was on expenses, I’d likely pay for it. I like wifi being offered in the air. It should be encouraged if they deliver a good service at a fair price.
Usually it’s only the challenge to get around these things that’s the most entertaining. Picking on the work of someone else is only a pastime.