Never Pay for Wi-Fi Again!

by Ray Dios Haque  (rayhaque@gmail.com)

So how is it that a coffee shop that charges you $5 for a cup of "bean juice" can have the gall to charge you another $2.95 an hour to check your email?  How does a hotel that gets $200+ per night justify another $10 per night for Wi-Fi?

Stealing Wi-Fi may make you a criminal.  But I think we all know who the real criminals are here.  Show corporate greed a thing or two and never pay for Wi-Fi again.

Here's what you need:

  • A Wi-Fi card and an OS that allows you to change the MAC address (typically Linux/UNIX).
  • A hotel that charges upwards of $200 a night and still wants 10 bucks more for Wi-Fi.
  • A customer who is using the Wi-Fi service now and has already paid for it (this can be difficult in hotels where guests aren't required to wear shirts).

The idea here is to assume the identity of a paying customer.  This is tougher than it sounds.

The access point will welcome you to the network by giving you an address through DHCP.  Now you can talk to the access point - and nobody else.

For that matter, even talking to anyone other than the access point may be difficult.  If you try to ping one of the other users of the network, the access point will keep you from learning the MAC address of that other party.

It seems they are able to stop you from getting the MAC address of anyone but the access point itself.  If you were to fire up sniffing software (such as Ethereal) you could see this in action.

It's just clever reprogramming of ARP.  You are asking who certain parties are on the network and the access point is feeding you bullshit answers.  The problem at hand is that you need the MAC address of a potential victim, and you will not get that from the Wi-Fi access point.

Here is a quick lesson on Address Resolution Protocol (ARP) if you need it: Every network device in the world has a MAC address and it should be unique.

This hexadecimal address is burned into your hardware and cannot be "physically changed" without some fancy electronic equipment and a fair bit of electronics knowledge.  We rely on the MAC address to identify hosts on a network.

You are also most likely using TCP/IP, in which case you have an IP address as well.  IP addresses only have to be unique within your network.  We use the MAC address as a way of determining that you are a unique user on a network, and we can also send packets across the network knowing only your MAC address.  One key thing to point out here is that you cannot easily change your MAC address, just as you can't easily change your Social Security number.  But you can "fake" it and send lies to a network.

Now, on with the fun.

First, you must become the access point momentarily.

In doing so, we will pick up details that the client thinks it's sending to the access point.  That information still goes to the real access point, but it will also come to you.  Before any of this, you must connect to the access point with your wireless card and obtain an IP address.

To learn the address that the access point is using, go into a terminal and run: netstat -rn

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
168.254.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1

You will now be looking at your routing table.

In the second column, bottom line, you will find the address of the access point.  In our case, it's 192.168.1.1.  Also note the Ethernet interface name over there on the right, eth1.  This is how we will refer to our wireless card to configure it.

But not so fast...

We also need the MAC address of the access point.  You should have that because you have been "talking to" the access point and the MAC address has already been placed into your "ARP table."

The ARP table is a dynamic list (sometimes static) that contains a one-to-one mapping of MAC addresses to IP addresses.

Let's have a look at your ARP table using: arp -a

You should see something like this:

$ arp -a
accesspoint (192.168.1.1) at 00:01:02:A3:B4:C5 [ether] on eth1

Now to become the access point and steal its identity, we will:

  1. Shut down the wireless card (make sure you do this to avoid "IP conflicts").
  2. Configure our MAC address to match the access point (if you get an error on this step, read toward the end of this article).
  3. Configure our IP address to match the access point.
  4. Restart the wireless card.

Here is what that all looks like in a terminal window:

# ifconfig eth1 down
# ifconfig eth1 hw ether 00:01:02:A3:B4:C5
# ifconfig eth1 192.168.1.1
# ifconfig eth1 up

Congratulations!  You are the access point.

If there are other paying customers on this network, you ought to be able to pick up a bit of traffic from them by watching the packets passing overhead.

At this point, observation is important.

Try running tcpdump -i eth1 (as root).  Let a bit of traffic stroll by.

You should be watching for HTTP traffic (web), SMTP (email), VPN connections, etc.  Basically we are looking for an active paying customer.  Once you have found one, you can hit Ctrl+C to stop tcpdump and move on.

Now we have an idea of who we want to be.  Joe Schmoe the paying Wi-Fi customer.  He has paid that $2.95 to $10 so you don't have to.  Remember that when you are depleting the bandwidth to download your favorite music and pornography (be nice).  To become this person, we will use the same trick we did earlier to become the access point.

We should be able to find the MAC address of this person in our ARP table since we have had communication with them.  You can find that by doing an arp -a again.  If you don't have their MAC address just yet, try pinging them and do the arp -a once more.

$ arp -a
accesspoint (192.168.1.1) at 00:01:02:A3:B4:C5 [ether] on eth1
cust1 (192.168.1.105) at 00:01:02:A3:B4:D5 [ether] on eth1
cust5 (192.168.1.110) at 00:01:02:A3:B4:E5 [ether] on eth1

Let's say that cust1 or 192.168.1.105 is our pick, based on our tcpdump survey from earlier.

Here is how we will become cust1:

# ifconfig eth1 down
# ifconfig eth1 hw ether 00:01:02:A3:B4:D5
# ifconfig eth1 192.168.1.105
# ifconfig eth1 up

Now what?  Surf the web.  You have "become the customer."  You may have some issues, so read on if things don't work as planned.

It's not working; I have "no Internet access."  Do you have a default route (gateway) configured?  You should have received one from the access point when it assigned you an address.  But since we started configuring things by hand, we might have screwed that up.

To check for the existence of a gateway, do a netstat -rn and watch that second column, last line.  If you need to add a default gateway, do either route add default 192.168.1.1 or route add default gw 192.168.1.1 (one of those might give you an error).

I still don't have Internet access!  Do you have name servers configured?  Do a cat /etc/resolv.conf and check it out.  If you have nothing there, type echo "nameserver 192.168.1.1" > /etc/resolv.conf and try again.

I can't change my MAC address!  I'm getting errors!  Et tu, Brute?  I was initially trying to do all this using my iBook running OS X.  It seems that Apple removed the ability to change the MAC address of AirPort cards sometime back in Mac OS X Jaguar.  I figured this was a limitation of the hardware.  But I was able to get it working.  How?  I went out and got Ubuntu Linux (from www.ubuntu.com).  They have a Mac PowerPC version.  And if you don't want to install it to your Mac, you can boot up their PowerPC Live distribution.  Problem solved.  If you can't change your MAC address, you might have been screwed over by your OS.  Of course, your syntax could be off as well.  Perhaps try ifconfig eth1 hwaddr 00:01:02:A3:B4:D5.  Still doesn't work?  Try ifconfig eth1 lladdr 00:01:02:A3:B4:D5.  Still doesn't work?  For God's sake, read the man page then (man ifconfig).

What are the repercussions?  There are a few.

For one, your paying friend is probably still trying to use the Wi-Fi access that they paid for (they were just a moment ago, which is how you found them).  You are using it too... assuming their identity.

So imagine what the access point must be thinking.  To the access point, one person is requesting all of the traffic that is actually coming from two different people.  It happily answers each request.

Once the traffic comes back the other way, the access point sends the traffic to that "single person" which is actually the two of you.

That is to say, if you bring up Yahoo.com, the web page comes back to both of you.  Your victim's workstation is probably confused by this, as he didn't request that site.

If your victim is especially savvy, you may become his victim as he can see all of this traffic that only you should be seeing.  If you would like to avoid all this nonsense, just wait an hour or more until this person is done and then use his identity.

I consider this "recycling bandwidth."  We recycle cardboard, aluminum, automobiles, etc.  Why not Wi-Fi connections?

Realize that we are only able to accomplish this because of the lack of physical connections.

If we were all plugged into a switching device, it would scream bloody murder as it would see two physical connections with a single MAC address being used.

For that matter, an intelligent Intrusion Detection System (IDS) would likely also catch on to the crap we are pulling here.  But since you are hiding in the corner of this public establishment, drinking your coffee, reading your copy of 2600, and otherwise seeming completely inconspicuous... you should be safe from authority figures.
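To show what the switch that "screams bloody murder" and the IDS mentioned above would actually key on, here is an added Python example that is not part of the original article.  Two radios sharing one MAC each keep their own 802.11 sequence counter, so a monitor-mode sensor sees the counter jump backwards; a switch sees one MAC learned behind two ports.  The frame records and switch log lines are constructed, and the log line format is assumed rather than any vendor's exact text.

```python
from collections import defaultdict

SEQ_MOD = 4096       # 802.11 sequence numbers are 12 bits
RETRY_SLACK = 4      # small backward steps are retransmissions, not a second radio

# Constructed capture from a monitor-mode sensor: (time_s, transmitter_mac, seq).
# The ...d5 MAC is used by two stations at once; their frames interleave
# with backward jumps a single card could never produce.
FRAMES = [
    (0.00, "00:01:02:a3:b4:d5", 1001),
    (0.05, "00:01:02:a3:b4:d5", 1002),
    (0.10, "00:01:02:a3:b4:d5", 1003),
    (0.12, "00:01:02:a3:b4:d5", 2350),  # second station, its own counter
    (0.15, "00:01:02:a3:b4:d5", 1004),
    (0.20, "00:01:02:a3:b4:d5", 2351),
    (0.22, "00:01:02:a3:b4:d5", 1005),
    (0.30, "00:01:02:a3:b4:e5", 77),
    (0.35, "00:01:02:a3:b4:e5", 78),
    (0.40, "00:01:02:a3:b4:e5", 79),
]

def backward_step(prev, cur):
    """How far cur sits behind prev on the 12-bit ring (0 if it moved forward)."""
    forward = (cur - prev) % SEQ_MOD
    return SEQ_MOD - forward if forward >= SEQ_MOD // 2 else 0

def count_seq_anomalies(frames):
    """Per MAC, count backward sequence jumps larger than the retry slack."""
    last_seq, anomalies = {}, defaultdict(int)
    for _, mac, seq in frames:
        if mac in last_seq and backward_step(last_seq[mac], seq) > RETRY_SLACK:
            anomalies[mac] += 1
        last_seq[mac] = seq
    return dict(anomalies)

def suspected_cloned_macs(frames, min_hits=2):
    """MACs whose counter went backwards at least min_hits times: two stations."""
    return sorted(m for m, n in count_seq_anomalies(frames).items() if n >= min_hits)

# Wired analogue of the same clone: one MAC learned behind two switch ports.
# Constructed syslog-style lines; the format is assumed, not a real vendor's.
SWITCH_LOG = [
    "mac-table: 00:01:02:a3:b4:d5 learned on Gi1/0/7",
    "mac-table: 00:01:02:a3:b4:e5 learned on Gi1/0/9",
    "mac-table: 00:01:02:a3:b4:d5 learned on Gi1/0/12",
]

def macs_on_multiple_ports(lines):
    """Return {mac: [ports]} for every MAC the switch has seen on more than one port."""
    ports = defaultdict(set)
    for line in lines:
        fields = line.split()
        ports[fields[1]].add(fields[-1])
    return {m: sorted(p) for m, p in ports.items() if len(p) > 1}
```

A real sensor would also correlate signal strength and the DHCP lease that issued each address, but the sequence-counter check alone is enough to flag the second station in this capture.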

I'd like to give shouts to r0t4ry_g1rl (you're hawt), morbie, herf, the Phrightener, and the rest of the defunct UPS crew (I'm including you Lucky225).  I miss you nerds - why'd you all grow up?
