
Hacking Hotel Internet


ghost wrote:

Hi, I just came back from a hotel in Michigan; it was fun.

I could not get internet there even though they had WiFi. It cost too much.

I was wondering, does anyone know how to bypass paying and be able to use WiFi that charges?

Thanx


ghost wrote:

How would you have gotten access? Do they tell you the WEP key? Or do they tell you the password for a login page?


ghost wrote:

I imagine they ask you for your name, address and bank details so they can charge you.

The best way I can think of is to use a sniffer and find the WiFi router's IP, then see if you could access the router config page. If you can, you will need to try and log in to access the config, and unless they are very stupid they would have changed the login details from the default. This means you would need to find a way past the login.

If anyone knows of a better way (I'm sure they do) please post; I would also be very interested! Thanks all, and I hope that helped a little lol.

Relentless.


ghost wrote:

R3l3ntl3ss wrote: The best way I can think of is to use a sniffer and find the WiFi router's IP, then see if you could access the router config page. If you can, you will need to try and log in to access the config, and unless they are very stupid they would have changed the login details from the default.

Sniffer? Yes. Router config page? Maybe. Defaults? No way. You have to assume that, when they're charging for wireless, they have taken at least the most basic precautions. Why not just crack the key and sniff the traffic? That will probably give you a good idea of what is required to access their wireless.


Mr_Cheese wrote:

We had a similar problem at HBH cons due to "Cloud" internet. It's quite popular in the UK. It's a pay-per-use wifi network; most pubs have it.

However, we found even PING was redirecting to Cloud, and any HTTP packet was going over to Cloud too. So we came to the conclusion that Cloud is software within the router, set up as a proxy, so you HAVE to log in as a paying customer before you can have Cloud start diverting its packets to the right place.

Tried using TOR park to see if that would get around it. Didn't work. Another idea was coding a brute forcer, hosting it on a server on your own laptop and running it from the laptop. However, the brute forcer would have to be HTTP; this was the only method we discussed that would work, because at least this way you're allowed to send HTTP packets to the Cloud login page.

Because Cloud is set up as a proxy, any other attempt to contact the "outside world" via Cloud won't work.


spyware (Banned) wrote:

Can't you imitate "Cloud"? Be "Cloud"? (pretend to be, anyway).


ghost wrote:

But what I was asking: do they give you a WEP key, or a key for a login page? I've seen it where it's an unencrypted network, but as soon as you open your browser it asks for a password at a login screen.


ghost wrote:

I've heard one way of doing this is to spoof your DNS address to one that is already paying for the internet. For example, let's say we have Bob and Tim. Bob hacks and Tim pays. Tim's address is X, Bob's is Y. If Bob spoofs his to be X, the server will think Bob is Tim and grant him access. That's about as much as I know on the topic; maybe someone can elaborate.


ghost wrote:

I've actually done this before; mind you, I have Linux and I imagine it would be harder on Windows.

They used a basic login sort of thing, but it was just a frontend for an ACL (access control list).

Knowing that it was managed by MAC addresses, I started Kismet running and found the hotel's network. I was able to view the clients using that network and changed my MAC address to one of theirs.

Done. :D
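The portal only_samurai describes keys access on the client's MAC address, which is also exactly what the operator can watch for: a paying guest's MAC suddenly presenting a second hostname and IP. The following is an added example of that detection logic (my code, not any poster's), run over a constructed DHCP lease log; the log format, field names, hostnames and the 10.200.84.x addresses are all assumptions.

```python
"""Spot one MAC address being used by more than one client at the same time.

Added example for this thread, not code from any poster.  It assumes the
captive portal's DHCP server logs one constructed line per lease in the form
below; real DHCP/portal logs differ, so parse_line() is the part to adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  The 10.200.84.x range echoes the portal address
# quoted later in the thread, but every line here is made up.
SAMPLE_LOG = """\
2024-01-10T20:01:05 DHCPACK mac=aa:bb:cc:dd:ee:01 ip=10.200.84.50 host=tims-laptop
2024-01-10T20:03:17 DHCPACK mac=aa:bb:cc:dd:ee:02 ip=10.200.84.51 host=guest-phone
2024-01-10T20:14:42 DHCPACK mac=aa:bb:cc:dd:ee:01 ip=10.200.84.77 host=bobs-linux
2024-01-10T20:15:03 DHCPACK mac=aa:bb:cc:dd:ee:01 ip=10.200.84.50 host=tims-laptop
2024-01-10T22:40:00 DHCPACK mac=aa:bb:cc:dd:ee:02 ip=10.200.84.51 host=guest-phone
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK mac=(?P<mac>[0-9a-fA-F:]{17}) "
    r"ip=(?P<ip>\S+) host=(?P<host>\S+)$"
)


def parse_line(line):
    """Return a dict for one lease line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "mac": m["mac"].lower(),
        "ip": m["ip"],
        "host": m["host"],
    }


def find_mac_collisions(log_text, window=timedelta(minutes=30)):
    """Map each suspicious MAC to the distinct (hostname, ip) identities it
    presented within `window` of each other.

    A plain lease renewal keeps the same hostname and IP, so it is ignored;
    the same MAC turning up with a different identity shortly after a
    paying guest's lease is the pattern a MAC-keyed allow list cannot see.
    """
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_mac[rec["mac"]].append((rec["ts"], rec["host"], rec["ip"]))

    collisions = {}
    for mac, events in by_mac.items():
        events.sort()
        for (prev_ts, prev_host, prev_ip), (ts, host, ip) in zip(events, events[1:]):
            if (host, ip) != (prev_host, prev_ip) and ts - prev_ts <= window:
                ids = collisions.setdefault(mac, set())
                ids.add((prev_host, prev_ip))
                ids.add((host, ip))
    return {mac: sorted(ids) for mac, ids in collisions.items()}


if __name__ == "__main__":
    for mac, ids in find_mac_collisions(SAMPLE_LOG).items():
        print(mac, "->", ids)
```

This is a triage heuristic rather than a verdict: a guest whose lease lapses and who comes back with a new IP will also show up, so the output is a queue for a human (or for a rule that then binds the session to more than the MAC) rather than an automatic block.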


ghost wrote:

only_samurai wrote: Knowing that it was managed by MAC addresses, I started Kismet running and found the hotel's network. I was able to view the clients using that network and changed my MAC address to one of theirs.

Speaking of MAC spoofing, what did you use to do it? I used a program a while back called MACSpoof (or something like that) that worked very well, maybe you should try that next time you're in a hotel ;)


ghost wrote:

I run Linux, don't need a program. :D


ghost wrote:

@samurai, I believe that is article worthy :happy:


ghost wrote:

what part is?


ghost wrote:

Sniffing the net to find other people's MACs, then spoofing it to match your own so as to get free internet at a hotel.

Maybe show how to do it on both Windows and Linux? Kismet is for Windows as well; I'm not sure what other software you used.


ghost wrote:

well for me there's no way u can get their wep key setting unless they gave u an access

well i think u can get free access in hotels u dont have to pay for it c0z thats a part of ur rent…


ghost wrote:

Tk-m0nz wrote: well for me there's no way u can get their wep key setting unless they gave u an access

For you, maybe. For the rest of us, getting the WEP key would be cake. WPA2 would be more difficult, though. Regardless, you just have to analyze how they do their access there, then exploit the weakness. Whether it's forged MAC addresses, captured wireless keys, or compromised form logins, it's always possible.


richohealey (Python Ninja) wrote:

wpa2 ain't too hard either, have a look at the wpa supplicant source..


ghost wrote:

richohealey wrote: wpa2 ain't too hard either, have a look at the wpa supplicant source..

Thanks for the tip… looks like good reading after a few beers. :happy:


korg (Admin from hell) wrote:

You can use Cain and the AirPcap USB adapter to crack WPA/WPA2 also; Kismet and AirSnort also work. @only_samurai "I run linux so I don't need a program"? You can easily change your MAC address on Windows! Oh by the way, Fuck linux!


richohealey (Python Ninja) wrote:

korg wrote: Oh by the way, Fuck linux!

Hehe, I know that you run a "modded beyond recognition" version of Windows, I do too, but I still prefer nix any day.

E17 is just so shiny!!

That, and when you show me a version of Windows that'll run on my Pentium MMX laptop I'll convert..


ghost wrote:

richohealey wrote: I'll convert..

No0o00o0!

lol


ghost wrote:

richohealey wrote: That, and when you show me a version of Windows that'll run on my Pentium MMX laptop I'll convert..

Windows 98 SE… Now, convert. ;)


Mb0742 (Ultimate Headshot) wrote:

First you'll want BackTrack Linux and a decent wireless card. Then look around; BackTrack WAS MADE for this sorta stuff, and there will be so many tuts on cracking WEP.


ghost wrote:

Couldn't something along the lines of Slax work, as it's just a goober Linux OS?


ghost wrote:

1st, I run BackTrack 2… so yes, it works. No, running it will not automatically make you a hacker or even good at it. I'm going to uninstall it soon enough for another distro (Slackware 12 :D ) because it's shit.

2ndly, I thought all Windows needed some app to change the MAC address… whoever said it didn't, I would like to know how you managed without. I don't mean that as a "challenge" or "assault", I would just like to know how ya did it.


Mouzi (Member) wrote:

Is it really that easy to crack WPA/WPA2 too? I read about these in some writing a while ago (although it was written in 2005) and it said there that it would be practically impossible to crack even WPA-PSK with current computers, and WPA2 even more difficult o.o /me is confused


ghost wrote:

WPA/WPA2 are cracked based on handshakes, not on packets, so it takes more time, methinks, to gather these.

I have never managed to crack one, but I have done tons of WEPs. I would say it's harder, but not impossible.


korg (Admin from hell) wrote:

Ok; as for cracking WPA/WPA2, check out this video, like I posted before, using Cain and AirPcap. http://www.irongeek.com/i.php?page=videos/airpcap-cain-wpa-cracking

Had some success with this.

only_samurai wrote: I thought all Windows needed some app to change the MAC address… whoever said it didn't, I would like to know how you managed without. I don't mean that as a "challenge" or "assault", I would just like to know how ya did it.

Programs are for Pussies; there's 2 ways to achieve this. Let me fill you in:

1: Easy way> Open up your network connections, right-click the NIC you want to change, then click Properties. You will see your NIC in the box; click on Configure, go to Advanced, scroll down to Network Address, check the Value box and enter your new MAC address. Click OK to close, then disable and re-enable your connection. You can check it was changed by typing ipconfig /all in the command line.

2: Hard way> Or easy if you like the registry: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\. Navigate to the sub keys labeled 0000, 0001, 0002 and so forth. You can change your MAC address by finding the key that controls the NIC we want to change, by putting in a string value called "NetworkAddress" and setting it to the MAC address you want to use, using a twelve digit hex number (example: 000000000001). To find out which key is the one we want, search through them looking at the value of "DriverDesc" until you find your NIC. Create your new "NetworkAddress" key. Then follow the same as above for restarting the NIC.

NOTE: Remember to back up your registry in case you Fuck up or want to change it back real quick and easy!

KORG "Xp Pro Guru"


ghost wrote:

I know exactly what chris1022 is talking about; I've been trying to figure this one out for a very long time, and after lots of research I see that only_samurai is pretty much the only one that got it, probably cause he's done it, and cheese too.

It has nothing to do with WEP/WPA/WPA2 or any type of encryption; the place uses some stupid redirect thing, and whatever you type into the URL it just redirects you back to their login page. So if you type in www.google.com it'll redirect you back to http://10.200.84.12 (or whatever it may be). I just got off of a cruise and found that on all the servers and main computers they all had open telnet, FTP, and remote desktop connections; I have no idea if there is a way to "hack" a remote desktop connection but I'm sure that would help.

But yes, the entire thing is based off of MAC addresses, unless they allow you to log in under multiple computers, i.e. on my cruise they had a computer room that you could use to check the internet. If that's the case then maybe somehow your login details are sent to the server, checked, then it removes the redirect off your IP?? Not sure, I've never actually been able to get past the login…..


ghost wrote:

@korg

wow, didn't know you could do that. Excellent. Thanks.

BTW, wasn't trying to say I use apps for everything, just didn't know it's possible. I learned something today. :D


ghost wrote:

Back on track with the free internet.

If you connect to the AP and get routed to a DNS URL to pay for some time, e.g. BTOpenzone for us in the UK, you can pretty much guess the setup allows DNS requests.

You can confirm this by opening nslookup and typing www.google.com; see if it resolves that to an IP.

You then need 3 things:

1: a remote box running Linux with UDP port 52 forwarded and a service called iodine running (http://code.kryo.se/iodine/)

2: a hosted website which you have control of the DNS records on. A site from 123reg should do this.

3: If you have a static IP then you don't need this; if not, use a NO-IP service to keep track of your IP if it changes.

You need to edit the DNS records so that your remotebox is the first nameserver.

All this needs to be set up PRE going on the BTOpenzone; I leave my box running 24/7 on the off chance I need this.

So once you get onto the BTOpenzone, cat /etc/resolv.conf and that will give you the nameserver the wifi network is set to use.

You then use the iodine client to tunnel the DNS requests to your hosted address, which bounces off to the remote server.

There's a better article here: http://www.daemon.be/maarten/dnstunnel.html

It's as slow as hell too, so don't be expecting to torrent anything lol
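The tunnel described in the post works only because the portal resolves DNS for unauthenticated clients, and the resolver is where an operator sees it: a burst of long, random-looking leftmost labels, all under one domain, often of record types ordinary browsing never asks for. The following is an added example of that detection logic (my code, not the poster's and not part of the iodine project), run over a constructed resolver log; the log format, the client addresses and the placeholder domain example-tunnel.net are all assumptions.

```python
"""Score DNS query logs for signs of tunnelling, the trick iodine relies on.

Added example for this thread, not code from the post or the iodine project.
It assumes a resolver log with one constructed line per query: client IP,
query type, query name.  Adapt LINE_RE for a real resolver's format.
"""
import math
import re
from collections import defaultdict

# Constructed sample.  example-tunnel.net is a placeholder, not a real domain;
# iodine moves data in the leftmost label and prefers NULL records by default.
SAMPLE_QUERIES = """\
10.200.84.50 A www.google.com
10.200.84.50 A mail.example.org
10.200.84.77 NULL 0jx9qk2fhv4p8m1zt7c3wdl5bsn6gya.t.example-tunnel.net
10.200.84.77 NULL 1b7kq0zxm3hv9p2ft8cj4ndw6slg5ryu.t.example-tunnel.net
10.200.84.77 NULL 2pm4vd8kqz1x7hn3rf9jc0btw5gs6lye.t.example-tunnel.net
10.200.84.77 NULL 3xk2rq7vnm9c4dh1zp8fjb0wt6sgl5yu.t.example-tunnel.net
10.200.84.77 NULL 4nq8zk1vm3xh7pd2cf9rjb0tw5sg6lye.t.example-tunnel.net
10.200.84.51 A cdn.example.com
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
# Record types iodine can carry its payload in; browsers almost never ask for them.
RARE_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def shannon_entropy(s):
    """Bits per character; base32/base64-style encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname, levels=2):
    """Crude 'last two labels' grouping; a public-suffix list would be better."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def score_dns_log(log_text, min_queries=3, min_entropy=3.5, min_label_len=20):
    """Return {(client, domain): stats} for client/domain pairs whose queries
    look like a tunnel: many queries with long, high-entropy leftmost labels."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        groups[(m["client"], registrable_domain(qname))].append(
            (m["qtype"], qname.split(".")[0])
        )

    suspects = {}
    for key, recs in groups.items():
        if len(recs) < min_queries:
            continue
        avg_len = sum(len(label) for _, label in recs) / len(recs)
        avg_ent = sum(shannon_entropy(label) for _, label in recs) / len(recs)
        rare = sum(1 for qtype, _ in recs if qtype in RARE_TYPES) / len(recs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects[key] = {
                "queries": len(recs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "rare_type_fraction": round(rare, 2),
            }
    return suspects


if __name__ == "__main__":
    for (client, domain), stats in score_dns_log(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {stats}")
```

The thresholds are starting points, not constants: CDNs, anti-spam lookups and some telemetry also produce long hashed labels, so a portal operator should baseline normal traffic before alerting on this, and the simplest mitigation the post itself points at is to answer only the portal's own names for unauthenticated clients instead of recursing on their behalf.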