Why pay for internet when you can poke at their infrastructure for free?

See. I knew you would see it my way.

I wasn’t really interested in doing anything [...]]]> I was looking forward to trying out some in-flight wifi on my flight to E3 today. Sadly, I have personal reservations about paying $10 for an hour worth of internet.

Why pay for internet when you can poke at their infrastructure for free?

See. I knew you would see it my way.

I wasn’t really interested in doing anything more than a passive wireless assessment here, so I didn’t uncover the hidden SSIDs.

It appears that DNS, like many captive portal sites, passes through without authentication. If you’re one of those people who has their DNS <-> IP gateways, you can likely send your elite twitter updates for free.

Speaking of that gateway, let’s see what’s up with it in a somewhat less passive way:

bash-3.2# nmap -A 172.19.131.0/24
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 06:33 PDT
Stats: 0:00:22 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 0.00% done Stats: 0:01:15 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 0.00% done Interesting ports on 172.19.131.2:
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
|_ HTML title: Site doesn’t have a title.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|WAP
Running (JUST GUESSING) : Linux 2.6.X (98%), Infoblox NIOS 4.X (91%), Siemens embedded (89%) Aggressive OS guesses: Linux 2.6.18 – 2.6.24 (98%), Linux 2.6.13 – 2.6.24 (94%), Linux 2.6.17 – 2.6.25 (94%), Linux 2.6.9 – 2.6.15 (93%), Linux 2.6.22 (93%), Linux 2.6.22 – 2.6.23 (93%), Linux 2.6.24 (Ubuntu 8.04) (93%), Linux 2.6.15 – 2.6.25 (92%), Linux 2.6.15 – 2.6.20 (92%), Linux 2.6.18 – 2.6.22 (92%)
No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop

Okay. Cool enough. It’s some neat german embedded stuff. Possibly Siemens related. Sound about right for an airplane.

Just for good measure, lets take a quick look at the authorizing server that users get redirected directed.

bash-3.2# nmap -A airborne.gogoinflight.com
Interesting ports on 10.241.41.4:
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn’t have a title.
443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn’t have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 – 2.6.24

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.37 10.241.41.4

Looks like some pretty good stuff, but to capture that last 0.01% of the market that runs OpenVPN on port 53 (assuming they don’t perform protocol inspection) or has a NSTX gateway, they’ll need to be a little trickier.

Related posts:

1. The DNS Drama
2. Wii firmware upgrade and Apple Airport Extreme – unhappy together

Interestingly enough, the normal “off” with the Wii, is actually more like “standby” and is live on the network, [...]]]> So I hadn’t given my Wii much love lately, so I turned it on last night to try out the recent Prince of Persia port for a bit. I played for a bit and I turned it off.

Interestingly enough, the normal “off” with the Wii, is actually more like “standby” and is live on the network, checking for messages, and doing whatever Wiis do. This will be interesting a little later on.

While dorking around with my laptop in the living room doing some of my typical nerd things, I notice that I keep disassociating with my wifi network. There’s a bunch of competing wifi networks here, so I’ve become accustomed to a fair amount of fail related to it. Wifi is a convenience, but it was happening so much I thought that someone was using a deauthentication attack on my client.

I pulled the logs on my AP and saw this:

Well that looked a little slow for a typical attack. What else was happening?

The key was getting rotated every couple minutes and all the active clients were resetting their connections. What gives? What’s going on here?

Ok. So I threw laptop in passive mode and snooped on network traffic. So who’s this guy that’s flapping it’s connection every 10 seconds?

A Nintendo manufacturer MAC prefix? My Wii in suspended mode is breaking my WPA2 network? What the hell?

So apparently the Wii uPnP requests two TCP and one UDP ports on the router repeatedly, while in suspend mode, and the Apple Airport Extreme (that’s an 802.11n AP in mixed g/n mode) freaks out. This is clearly a new feature as I only updated my Wii’s firmware last week and would have been too annoying for me to miss previously.

In case you were wondering why your Wii was freaking out on your Airport or Airport Extreme network, hopefully you’ll have been able to find this and can troubleshoot further.

It might be the uPnP support for NAT port mapping, but my fix is to turn off the Wii fully when not in use. Hold down the power button until the LED is red instead of orange. I’m sure more people will complain and one or the other will update their firmware to compensate soon enough.

Related posts:

1. A new wii game and accessories
2. Next generation gaming and continued Linksys failures
3. Apple not interested in corporate customers