Well, I just document something in here; I urge everyone not to abuse the know-how by stealing bandwidth from hotspot providers.
Most providers validate access using a website to which everyone is redirected automatically when opening a web browser. Then they use a user/pass or similar.
When the login is verified, the router/firewall etc. stores the "validity" in combination with the IP/MAC address.
So this brings up the following procedure:
Take two wireless cards, run your desired sniffer/scanner and collect the information of a client. Let's assume the client that is authorized has the MAC 00:11:22:33:44:55. In the best case you see the IP also.
To get the IP, default GW and DNS the quick way: use deauthentication packets to drop the validated client and sniff out the DHCP packets it requests/sends. Voila, everything is inside.
Now just stop your sniffers etc. and configure your wireless card to have the same credentials as the authenticated client (IP, MAC, subnet, routing and DNS).
So you know what you have then :)
Well, there are two issues: when the authenticated user logs out, you lose the authorization. But you can prevent him from doing that by just deauthenticating him until he's bored, or there are other possibilities. I don't want to guide here too much.
Well, the connection will slow down a bit because there are some duplicates on the network, but it usually works. (At least for me when I did testing.)
Well, there is another possibility with DNS tunneling, but that's another story.
So don't be a thief.
I assume you could do the deauthentication like this:
#file2air -i wlan0 -n 5000 -d YY:YY:YY:YY:YY:YY -s XX:XX:XX:XX:XX:XX -b XX:XX:XX:XX:XX:XX -f ./file2air/deauth.bin
where XX:XX:XX:XX:XX:XX is replaced by the MAC address of the AP and YY:YY:YY:YY:YY:YY is replaced by the MAC address of a client associated with the AP.
How do you then sniff for the DHCP IP address as the client attempts to reassociate with the AP? Do you use Kismet? If so, do you take the Kismet packets into Ethereal to get the IP? If using Ethereal, is some filter applied so that you only have to deal with packets containing the DHCP data you want? Please explain that sniffing part a little more if you can.
There are several possibilities to sniff DHCP packets. Dump the traffic with Kismet. Load the pcap file into Ethereal and search for DHCP traffic (find the client IP sending packets to the broadcast address (255.255.255.255) and destination port 67; this is the DHCP request, so just follow the stream in Ethereal).
Or you can filter directly on your wireless LAN interface with tcpdump or tethereal to show you only DHCP traffic.
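As an added defender-side example (not part of this thread or any tool it mentions), here is a small Python detector for the two symptoms the procedure above leaves on the air: a burst of deauthentication frames aimed at one client, and a second transmitter using that client's MAC, which shows up as 802.11 sequence numbers that leap or run backwards instead of incrementing. The frame summaries, thresholds and MAC addresses are constructed for the example.

```python
"""Flag deauth floods and MAC-spoofing symptoms in parsed 802.11 frame summaries.
Each frame is a dict: ts (seconds), type ("data"/"deauth"), src, dst, seq (12-bit or None).
Thresholds below are assumed starting points, not values from the original thread."""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # deauths against one client inside the window before alerting
WINDOW_SECONDS = 5.0
SEQ_JUMP = 64           # a single station rarely jumps further than this between frames

def detect(frames):
    """Return a list of alert strings for the given frame summaries."""
    alerts = []
    deauth_times = defaultdict(deque)   # client MAC -> recent deauth timestamps
    last_seq = {}                       # source MAC -> last sequence number seen
    for f in frames:
        if f["type"] == "deauth":
            q = deauth_times[f["dst"]]
            q.append(f["ts"])
            while q and f["ts"] - q[0] > WINDOW_SECONDS:   # slide the window
                q.popleft()
            if len(q) == DEAUTH_THRESHOLD:                 # alert once per burst
                alerts.append(f"deauth flood against {f['dst']}")
        elif f["type"] == "data" and f.get("seq") is not None:
            prev = last_seq.get(f["src"])
            if prev is not None:
                gap = (f["seq"] - prev) % 4096             # counter wraps at 12 bits
                # Two radios sharing one MAC interleave their own counters, so the
                # observed sequence repeats or leaps instead of increasing by a few.
                if gap == 0 or gap > SEQ_JUMP:
                    alerts.append(f"sequence anomaly for {f['src']} ({prev}->{f['seq']})")
            last_seq[f["src"]] = f["seq"]
    return alerts

# Constructed capture: a client talking normally, then 12 deauths spoofed from
# the AP, then the real client and a clone transmitting with the same MAC.
AP, CLIENT = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"
SAMPLE_FRAMES = (
    [{"ts": i * 0.1, "type": "data", "src": CLIENT, "dst": AP, "seq": 100 + i} for i in range(3)]
    + [{"ts": 1.0 + i * 0.05, "type": "deauth", "src": AP, "dst": CLIENT, "seq": None} for i in range(12)]
    + [{"ts": 2.0, "type": "data", "src": CLIENT, "dst": AP, "seq": 103},    # real client
       {"ts": 2.1, "type": "data", "src": CLIENT, "dst": AP, "seq": 2000},   # clone
       {"ts": 2.2, "type": "data", "src": CLIENT, "dst": AP, "seq": 104}]    # real client again
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```

On a real network the same logic would be fed from a monitor-mode capture; the sequence check also needs per-BSSID state if the client roams between APs.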
Source: http:/
wireless, access, public, hotspots
Last updated 29 October 2009 by darklevel