I was looking forward to trying out some in-flight wifi on my flight to E3 today. Sadly, I have personal reservations about paying $10 for an hour’s worth of internet.
Why pay for internet when you can poke at their infrastructure for free?
See. I knew you would see it my way.
I wasn’t really interested in doing anything more than a passive wireless assessment here, so I didn’t uncover the hidden SSIDs.
It appears that DNS, like many captive portal sites, passes through without authentication. If you’re one of those people who has their DNS IP gateways, you can likely send your elite Twitter updates for free.
Speaking of that gateway, let’s see what’s up with it in a somewhat less passive way:
    bash-3.2# nmap -A 172.19.131.0/24
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 06:33 PDT
    Stats: 0:00:22 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 0.00% done
    Stats: 0:01:15 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 0.00% done
    Interesting ports on 172.19.131.2:
    Not shown: 999 filtered ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http?
    |_ HTML title: Site doesn't have a title.
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose|specialized|WAP
    Running (JUST GUESSING) : Linux 2.6.X (98%), Infoblox NIOS 4.X (91%), Siemens embedded (89%)
    Aggressive OS guesses: Linux 2.6.18 - 2.6.24 (98%), Linux 2.6.13 - 2.6.24 (94%), Linux 2.6.17 - 2.6.25 (94%), Linux 2.6.9 - 2.6.15 (93%), Linux 2.6.22 (93%), Linux 2.6.22 - 2.6.23 (93%), Linux 2.6.24 (Ubuntu 8.04) (93%), Linux 2.6.15 - 2.6.25 (92%), Linux 2.6.15 - 2.6.20 (92%), Linux 2.6.18 - 2.6.22 (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
Okay. Cool enough. It’s some neat German embedded stuff. Possibly Siemens related. Sounds about right for an airplane.
Just for good measure, let’s take a quick look at the authorizing server that users get redirected to.
    bash-3.2# nmap -A airborne.gogoinflight.com
    Interesting ports on 10.241.41.4:
    Not shown: 998 filtered ports
    PORT    STATE SERVICE  VERSION
    80/tcp  open  http     Apache Tomcat/Coyote JSP engine 1.1
    |_ HTML title: Site doesn't have a title.
    443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
    |_ HTML title: Site doesn't have a title.
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.18 - 2.6.24
    TRACEROUTE (using port 80/tcp)
    HOP RTT  ADDRESS
    1   1.37 10.241.41.4
Looks like some pretty good stuff, but to capture that last 0.01% of the market that runs OpenVPN on port 53 (assuming they don’t perform protocol inspection) or has an NSTX gateway, they’ll need to be a little trickier.
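As an added example (not from the original post), here is the kind of port-53 protocol inspection mentioned above, seen from the gateway side: it checks that a UDP payload actually parses as a DNS query and flags unusually long or high-entropy labels. The thresholds, function names and sample packets are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter

MAX_LABEL = 40      # assumed threshold: longer labels are rare in ordinary lookups
MAX_ENTROPY = 3.8   # assumed threshold, bits per character, for labels >= 20 chars

def entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def query_labels(payload):
    """Return the QNAME labels if payload is a well-formed DNS query, else None."""
    if len(payload) < 17:                       # 12-byte header + root name + type/class
        return None
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    # Client query: QR=0, opcode 0, one question, no answer/authority records.
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:                              # root label ends the name
            return labels if pos + 4 <= len(payload) else None
        if n > 63 or pos + n > len(payload):    # no pointers or overruns in a question
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def classify(payload):
    labels = query_labels(payload)
    if labels is None:
        return "not-dns"                        # e.g. another protocol sent to port 53
    for label in labels:
        if len(label) > MAX_LABEL or (len(label) >= 20 and entropy(label) > MAX_ENTROPY):
            return "suspect-tunnel"
    return "dns"

def build_query(name, qtype=1):                 # helper that builds constructed sample queries
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

# Constructed samples; 0x38 is the first byte of an OpenVPN client hard-reset packet.
SAMPLES = {
    "normal": build_query("www.example.com"),
    "encoded": build_query("mzxw6ytboi4tqmzvgy3tsojqgezdgnbvgy3tqojqmfrggzdf.t.example.net"),
    "vpn-like": bytes([0x38]) + bytes(range(1, 26)),
}
```

Static thresholds like these produce false positives on some CDN and telemetry hostnames, so in practice they are combined with per-client query volume before blocking.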