Bored on a plane: Gogo wireless on Virgin America

I was looking forward to trying out some in-flight wifi on my flight to E3 today. Sadly, I have personal reservations about paying $10 for an hour's worth of internet.


Why pay for internet when you can poke at their infrastructure for free?

See. I knew you would see it my way.


I wasn’t really interested in doing anything more than a passive wireless assessment here, so I didn’t uncover the hidden SSIDs.

It appears that DNS, as on many captive portal sites, passes through without authentication. If you’re one of those people who has their own DNS <-> IP gateway, you can likely send your elite Twitter updates for free.


Speaking of that gateway, let’s see what’s up with it in a somewhat less passive way:

bash-3.2# nmap -A 172.19.131.0/24
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 06:33 PDT
Stats: 0:00:22 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:01:15 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Interesting ports on 172.19.131.2:
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http?
|_ HTML title: Site doesn't have a title.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|WAP
Running (JUST GUESSING) : Linux 2.6.X (98%), Infoblox NIOS 4.X (91%), Siemens embedded (89%)
Aggressive OS guesses: Linux 2.6.18 - 2.6.24 (98%), Linux 2.6.13 - 2.6.24 (94%), Linux 2.6.17 - 2.6.25 (94%), Linux 2.6.9 - 2.6.15 (93%), Linux 2.6.22 (93%), Linux 2.6.22 - 2.6.23 (93%), Linux 2.6.24 (Ubuntu 8.04) (93%), Linux 2.6.15 - 2.6.25 (92%), Linux 2.6.15 - 2.6.20 (92%), Linux 2.6.18 - 2.6.22 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Okay. Cool enough. It’s some neat German embedded stuff. Possibly Siemens-related. Sounds about right for an airplane.

Just for good measure, let’s take a quick look at the authorizing server that users get redirected to.

bash-3.2# nmap -A airborne.gogoinflight.com
Interesting ports on 10.241.41.4:
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn't have a title.
443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.24

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.37 10.241.41.4

Looks like some pretty good stuff, but to capture that last 0.01% of the market that runs OpenVPN on port 53 (assuming they don’t perform protocol inspection) or has an NSTX gateway, they’ll need to be a little trickier.
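
From the operator's side, the DNS pass-through noted above does not have to be a blind spot. The following is an added example, not code from the original post or from Gogo: a small detector over constructed resolver log entries that flags clients without a paid session sending many distinct encoded-looking or TXT/NULL queries under one zone. The log format, client addresses, zone names and thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log entries: (client, has_paid_session, qtype, qname).
# Addresses and names are made up for illustration.
SAMPLE = [
    ("172.19.131.50", False, "A",   "airborne.gogoinflight.com"),
    ("172.19.131.50", False, "A",   "www.example.com"),
    ("172.19.131.50", False, "TXT", "example.com"),
    ("172.19.131.77", False, "TXT", "mzxw6ytboi4tqmjsgm2dknrxha4tambrgezdgnbv.t.example.net"),
    ("172.19.131.77", False, "TXT", "nbswy3dpeb3w64tmmqqho2lunbqxgzlsoqqgc3tf.t.example.net"),
    ("172.19.131.77", False, "TXT", "orugs4zanfzsa5dimuqhgzldn5xgiidqmf4wy33b.t.example.net"),
    ("172.19.131.90", True,  "TXT", "kr2w43tfnruw4zzanfzsa2lonfzsa5dpeb2gqzjamu.t.example.net"),
]
PAYLOAD_QTYPES = {"TXT", "NULL"}  # assumption: record types tunnels favour for bulk data
LONG_LABEL = 30                   # assumed threshold, characters in the leftmost label
HIGH_ENTROPY = 3.5                # assumed threshold, bits per character


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def is_suspicious(qtype, qname):
    """True when a query looks like encoded payload rather than a hostname lookup."""
    first = qname.split(".")[0]
    encoded = len(first) >= LONG_LABEL and entropy(first) >= HIGH_ENTROPY
    return encoded or qtype in PAYLOAD_QTYPES


def flag_unpaid_tunnels(entries, min_names=3):
    """Return sorted (client, parent_zone, distinct_names) for clients with no paid
    session that send many distinct suspicious names under one parent zone."""
    seen = defaultdict(set)
    for client, paid, qtype, qname in entries:
        if paid or not is_suspicious(qtype, qname):
            continue
        parent = ".".join(qname.lower().rstrip(".").split(".")[-2:])  # naive: last two labels
        seen[(client, parent)].add(qname.lower())
    return sorted((c, p, len(names)) for (c, p), names in seen.items()
                  if len(names) >= min_names)
```

A single TXT lookup from an unpaid client stays below the threshold; only the client with repeated distinct names under one zone is reported.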

5 comments to Bored on a plane: Gogo wireless on Virgin America

  • Ron

    Nice one bro! Did the same thing on my recent travel to Florida (from SFO). I was aboard American Airlines, sniffed the WiFi traffic on-flight, made an NMAP scan like what you did, and made an awesome Wireshark Capture for almost 45 minutes :-).

    I’ll post my adventure on my blog in a few days.

    Ron

  • Nice work on hacking this. Wish I followed your tech talk better and had seen this before I dove in for $13. And also wish their outgoing ports were not blocked, as I am not able to send out emails from my client on port 80.

    Good work.

    But #Lame gogo’s part!

    • If it was a longer flight or I was on expenses, I’d likely pay for it. I like wifi being offered in the air. It should be encouraged if they deliver a good service at a fair price.

      Usually it’s only the challenge to get around these things that’s the most entertaining. Picking on the work of someone else is only a pastime ;)

  • Al

    What about changing your MAC address to the same as someone who bought an access?
    Would it do the trick?

    • It’s something to try, but it doesn’t tend to work well when both are active on the network (wireless or otherwise) at the same time. Odds favor that a captive portal will have other methods to prevent unauthorized traffic as well.

      It’s been a pretty long time since authentication has been by MAC alone so most implementations have other tricks in their bag as well. If you want to look at how PacketFence (an open-source freeware NAC system) recommends doing things, this may shed light on what other more proprietary vendors are doing. MAC spoofing is mentioned in their installation guide.

      I only made this posting when I was bored and felt like poking around. I haven’t performed a more exhaustive assessment as I was not getting paid to do so :D
