Free Access on Boingo Wireless

by ZoDiaC13

Preface

This article is about how to hack Boingo Wireless hotspots to gain free Internet access.

For those that don't know about Boingo Wireless, it is a wireless hotspot service provider for many major hotels, airports and coffee shops.  This story will explain my experience encountering it and what I did to unintentionally circumvent it.

Introduction

I work as a network technician at a company on the east coast of Canada.

My job requires me to maintain connectivity from our site to many remote sites, via VPN, to offer up a Citrix web interface that hosts people's daily applications.  I am also required to set up and maintain our and our users' hardware to adhere to a strict PC standard.  This requires users to be set up on a company PC with limited user rights, restricting their PCs to be almost thin clients.

My first encounter with Boingo Wireless trouble was when a user who was traveling across the U.S. sent me and others an email, upset about the fact that he paid to use Boingo Wireless at an airport and then was unable to install the required software on his laptop.

Upon investigation, I found out that there seemed to be an installation required in order to use the hotspot.  I think that this procedure is stupid because I'm strictly a Linux user, on my PCs anyway, and, from what I saw, they didn't offer an option to Linux users.

My Encounter

Fast-forward to two weeks later.

I was sitting in the Toronto Airport, passing the time by trying to get my girlfriend's iPod Touch onto the Boingo Wireless network.  I recalled, from an article in 2600, that disabling something in Safari on an iPod Touch let you somehow circumvent the pay-for option on certain wireless hotspots.

I couldn't exactly remember what the hack was and, after some time, I gave up and decided to play games on it instead.  My girlfriend soon piped up and said "Don't drain the battery; I want it for the plane ride."  I told her to plug it into my father's netbook to recharge.  I asked my father for his Windows XP netbook and plugged it in to recharge.

The Hack

While I was watching the iPod charge, my curiosity was piqued and I decided to play around again.

I always love scanning networks just for the hell of it to see what I can find.  Since I had been using my father's netbook in my hotel room all week, I had installed Advanced Port Scanner (available at www.radmin.com/products/utilities/portscanner.php).  This is a free, small, and robust port scanner for Windows.

I decided to do a simple ipconfig in the command prompt window to see my assigned IP address and the gateway IP address.  I then plugged the network range into Advanced Port Scanner to scan the /24 subnet mask (essentially 255 hosts).  This included the gateway (which was the wireless access point).

To my surprise, it showed me all the associated wireless devices connected to the access point and the software started to probe them for open ports.

I figured there would have been some security measure in place on the access point, to circumvent such a scan.  It also started resolving the computer hostnames on some computers, which was also helpful.  I found one that looked interesting.

The host was named WINDOWSMOBILE96 and, based on the name, I could assume it was someone with a Windows laptop.  The name seemed somewhat professional and logical, so the owner could be a business traveler.  I assumed that if this person was on business, chances were they had probably legitimately paid for the wireless.  So I decided that WINDOWSMOBILE96 would be my target.

I opened up the command prompt and issued the command:

C:\> nbtstat -a WINDOWSMOBILE96

For those that don't know, nbtstat is a Windows utility to help troubleshoot NetBIOS name resolution problems.

The -a switch returns the NetBIOS name table and the MAC address of the network card on the named computer (i.e. WINDOWSMOBILE96).  So now, after issuing the command, I knew the MAC address of the remote computer.

Now all I had to do was simply change the MAC address of my wireless card to the one that the nbtstat command spit out.

I did this by going to "Network Connections" in the Control Panel, right-clicking on my network card, and going to "Properties."

Under the "General" tab, I clicked the "Configure" button to configure my wireless card.  I then chose the "Advanced" tab and went down to the "Network Address" property.

Not all network cards have this ability, but the one in my father's netbook did and I think it's a pretty standard setting.  There are two values you can have with this property: "Not Present," which uses the burnt-in MAC address on the network card, and "Value," which allows you to set a different MAC address for your network card.

I input the MAC address that I had obtained from the nbtstat command and saved the changes.  My wireless card then disconnected from the access point and re-associated itself.

Now, for the moment of truth.  I opened up Firefox, typed in google.com, and voilà!  I was online.  Like an idiot, I shot my fists up in the air and screamed, "Yes!"

This raised my father's suspicions, so I turned the computer around and showed him Google's homepage, declaring, "I got on!"  My father just shook his head.

Conclusion

I know this is a long-winded article to explain such a simple procedure but, like Hunter S. Thompson, I am writing more about the experience than the hack.

The hack is about the experience.  Like I said earlier in the article, I did this unintentionally, as I never really intended to "hack" wireless access but, based on previous experience, knowledge from reading many past issues of 2600, and a basic curiosity, I stumbled upon a procedure that worked.

I used the same troubleshooting and reasoning I would have used at a day in the office if I were faced with a similar issue.  In my mind, I simply "fixed the problem."

But that is what hacking is all about: a never-ending thirst for knowledge and the curiosity to take you to the next level.  It's all about the mindset and how you look at things.

Also, as I mentioned previously in the article, I am mainly a Linux user and will install Linux on anything and everything I can get my hands on, provided the opportunity.  I know there is a similar method that could be used in Linux to achieve the same results, but that is for another article.

There are other articles online about how to hack Boingo Wireless, but none that I could find used this procedure, which is mostly using the operating system and software as it was intended to be used, and thus exposing a vulnerability or loophole in the Boingo Wireless system.
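
From the operator's side, the loophole is that a paid session is tied to nothing but a MAC address. The sketch below is an added example, not part of the original article and not Boingo's code: it flags a paid MAC whose DHCP identity (hostname and option 55 request list) changes mid-session. The event format, field names, MAC addresses and hostnames are all constructed for illustration.

```python
# Added example: flag likely MAC cloning on a MAC-keyed captive portal.
from dataclasses import dataclass

@dataclass(frozen=True)
class DhcpEvent:
    ts: int            # seconds since start of capture
    mac: str           # client hardware address from the DHCP request
    hostname: str      # DHCP option 12
    fingerprint: str   # DHCP option 55 parameter request list

# Constructed sample data (not from the article or any real network).
PAID_SESSIONS = {"00:11:22:33:44:55": 0}   # mac -> time the session was paid for
EVENTS = [
    DhcpEvent(5, "00:11:22:33:44:55", "TRAVELER-LAPTOP",
              "1,15,3,6,44,46,47,31,33,121,249,43"),
    DhcpEvent(40, "66:77:88:99:aa:bb", "guest-phone", "1,121,3,6,15,119,252"),
    DhcpEvent(900, "00:11:22:33:44:55", "TRAVELER-LAPTOP",
              "1,15,3,6,44,46,47,31,33,121,249,43"),
    # Same MAC, different machine: hostname and request list both change.
    DhcpEvent(960, "00:11:22:33:44:55", "NETBOOK-XP",
              "1,15,3,6,44,46,47,31,33,249,43"),
]

def find_cloned_macs(events, paid_sessions):
    """Return alerts for paid MACs whose DHCP identity changes mid-session."""
    baseline = {}   # mac -> (hostname, fingerprint) first seen after payment
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        mac = ev.mac.lower()
        if mac not in paid_sessions or ev.ts < paid_sessions[mac]:
            continue                      # only paid sessions are worth cloning
        identity = (ev.hostname.lower(), ev.fingerprint)
        known = baseline.setdefault(mac, identity)
        if identity != known:
            changed = [name for name, old, new
                       in zip(("hostname", "fingerprint"), known, identity)
                       if old != new]
            alerts.append({"mac": mac, "ts": ev.ts, "changed": changed,
                           "seen_hostname": ev.hostname})
    return alerts

if __name__ == "__main__":
    for alert in find_cloned_macs(EVENTS, PAID_SESSIONS):
        print(alert)
```

Detection like this only narrows the window; enabling client isolation on the access point stops the peer scan and NetBIOS lookup that supplied the MAC address in the first place.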

I hope you enjoyed reading my article and may you all carry on the hacker mindset.

Thank you, and happy hacking!
