I was looking forward to trying out some in-flight wifi on my flight to E3 today. Sadly, I have personal reservations about paying $10 for an hour worth of internet.
Why pay for internet when you can poke at their infrastructure for free?
See. I knew you would see it my way.
I wasn’t really interested in doing anything more than a passive wireless assessment here, so I didn’t uncover the hidden SSIDs.
It appears that DNS, as on many captive portal sites, passes through without authentication. If you’re one of those people who runs their own IP-over-DNS tunnel gateway, you can likely send your elite twitter updates for free.
Speaking of that gateway, let’s see what’s up with it in a somewhat less passive way:
bash-3.2# nmap -A 172.19.131.0/24

Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 06:33 PDT
Stats: 0:00:22 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:01:15 elapsed; 171 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Interesting ports on 172.19.131.2:
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http?
|_ HTML title: Site doesn't have a title.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|WAP
Running (JUST GUESSING) : Linux 2.6.X (98%), Infoblox NIOS 4.X (91%), Siemens embedded (89%)
Aggressive OS guesses: Linux 2.6.18 - 2.6.24 (98%), Linux 2.6.13 - 2.6.24 (94%), Linux 2.6.17 - 2.6.25 (94%), Linux 2.6.9 - 2.6.15 (93%), Linux 2.6.22 (93%), Linux 2.6.22 - 2.6.23 (93%), Linux 2.6.24 (Ubuntu 8.04) (93%), Linux 2.6.15 - 2.6.25 (92%), Linux 2.6.15 - 2.6.20 (92%), Linux 2.6.18 - 2.6.22 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Okay. Cool enough. It’s some neat German embedded stuff, possibly Siemens related. Sounds about right for an airplane.
Just for good measure, let’s take a quick look at the authorizing server that users get redirected to.
bash-3.2# nmap -A airborne.gogoinflight.com

Interesting ports on 10.241.41.4:
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn't have a title.
443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_ HTML title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.24

TRACEROUTE (using port 80/tcp)
HOP RTT  ADDRESS
1   1.37 10.241.41.4
Looks like some pretty good stuff, but to capture that last 0.01% of the market that runs OpenVPN on port 53 (assuming they don’t perform protocol inspection) or has an NSTX gateway, they’ll need to be a little trickier.
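As a defender-side counterpart to the DNS pass-through noted above, here is an added example (not from the original post) that flags tunnel-shaped queries in resolver log lines: long or high-entropy leftmost labels and TXT/NULL record types, grouped per client. The dnsmasq-style log format, the thresholds, the domain names and the sample lines are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver query logs (dnsmasq-style); not a real capture.
SAMPLE_LOG = """\
06:33:01 query[A] www.example.com from 172.19.131.40
06:33:02 query[A] cdn.example.net from 172.19.131.40
06:33:02 query[TXT] 3f9a1c7e2b4d8a0f6c1e9b2d4a7f3c5e8b1d0a2f6c4e.t.tunnel-example.net from 172.19.131.77
06:33:02 query[TXT] 9c2e4b7a1d3f5e8c0a6b2d4f7e1c3a5b9d8f0e2c4a6b.t.tunnel-example.net from 172.19.131.77
06:33:03 query[TXT] a1b2c3d4e5f60718293a4b5c6d7e8f9001a2b3c4d5e6.t.tunnel-example.net from 172.19.131.77
06:33:03 query[A] mail.example.org from 172.19.131.52
"""

# Assumed log line shape: "<time> query[<type>] <name> from <client>"
LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label, where a tunnel packs its payload."""
    label = name.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_query(qtype, name):
    """Return the reasons one query looks tunnel-like; an empty list means it looks benign."""
    reasons = []
    if len(name.split(".")[0]) >= 30:          # assumed threshold: hostnames are rarely this long
        reasons.append("long-label")
    if label_entropy(name) >= 3.5:             # assumed threshold: encoded payload, not a word
        reasons.append("high-entropy-label")
    if qtype in ("TXT", "NULL"):               # record types that carry bulk data back to the client
        reasons.append(f"qtype-{qtype}")
    return reasons

def find_suspects(log_text, min_hits=2):
    """Group flagged queries by client; return clients with at least min_hits flagged queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = score_query(m["qtype"], m["name"])
        if reasons:
            hits[m["client"]].append((m["name"], reasons))
    return {client: queries for client, queries in hits.items() if len(queries) >= min_hits}
```

On the sample above, `find_suspects(SAMPLE_LOG)` reports only 172.19.131.77, with all three of its queries flagged on every rule; the other clients' ordinary A lookups produce no hits.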
Nice one bro! Did the same thing on my recent travel to Florida (from SFO). I was aboard American Airlines, sniffed the WiFi traffic on-flight, made an NMAP scan like what you did, and made an awesome Wireshark Capture for almost 45 minutes :-).
I’ll post my adventure on my blog in a few days.
Nice work on hacking this. Wish I followed your tech talk better and had seen this before I dove in for $13. And also wish their outgoing ports were not blocked, as I am not able to send out emails from my client on port 80.
But #Lame gogo’s part!
If it was a longer flight or I was on expenses, I’d likely pay for it. I like wifi being offered in the air. It should be encouraged if they deliver a good service at a fair price.
Usually it’s only the challenge to get around these things that’s the most entertaining. Picking on the work of someone else is only a pastime 😉
What about changing your MAC address to the same as someone who bought an access?
Would it do the trick?
It’s something to try, but it doesn’t tend to work well when both are active on the network (wireless or otherwise) at the same time. Odds favor that a captive portal will have other methods to prevent unauthorized traffic as well.
It’s been a pretty long time since authentication has been by MAC alone, so most implementations have other tricks in their bag as well. If you want to look at how PacketFence (an open-source freeware NAC system) recommends doing things, this may shed light on what other more proprietary vendors are doing. MAC spoofing is mentioned in their installation guide.
I only made this posting when I was bored and felt like poking around. I haven’t performed a more exhaustive assessment as I was not getting paid to do so 😀