
Thread: Hotspot theory

  1. #1
    Just burned his ISO
    Join Date: Aug 2009 | Posts: 16

    Hotspot theory

    Does anyone know how to set up one of those hotspot security things you see in some places where they charge you a few dollars to use it? I have an idea that I would like to test, but I don't want to use it against anyone's hotspot around town. I'd rather do it to my own.

    Or if anyone reading this has a hotspot, can you test this out for me? Forgive me if this has been discovered (I didn't bother looking it up to see if it has been yet).

    My idea:

    OK, I'm assuming that the hotspot would verify a paid user based on their MAC address. So if we were to use airodump to scan the hotspot for active users and spoof our MAC to that of one of the paid users, we would have access, correct?

    Again, if anyone can guide me on setting this test up or test it themselves that would be great.

  2. #2
    Super Moderator Archangel-Amael
    Join Date: Jan 2010 | Location: Somewhere | Posts: 8,012

    Quote Originally Posted by Crash_Override:
    "OK, I'm assuming that the hotspot would verify a paid user based on their MAC address. So if we were to use airodump to scan the hotspot for active users and spoof our MAC to that of one of the paid users, we would have access, correct?
    Again, if anyone can guide me on setting this test up or test it themselves that would be great."
    Yes and no depending on the type.
    See also "Captive portal" on Wikipedia, especially the section labeled "Limitations".
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Just burned his ISO
    Join Date: Aug 2009 | Posts: 16

    Very interesting and helpful information. Thanks!

    I'm assuming I was half-way right about spoofing your MAC then? Under "Limitations" it said you'd have to spoof your IP too. So if both are spoofed then you'd be connected as an authorized user, or could someone get away with just spoofing one or the other?

  4. #4
    Senior Member Thorn
    Join Date: Jan 2010 | Location: The Green Dome | Posts: 1,509

    Quote Originally Posted by Crash_Override:
    "Very interesting and helpful information. Thanks!

    I'm assuming I was half-way right about spoofing your MAC then? Under "Limitations" it said you'd have to spoof your IP too. So if both are spoofed then you'd be connected as an authorized user, or could someone get away with just spoofing one or the other?"
    The problem that you run into with that kind of spoofing is that both machines, the legitimate user and the bad guy, receive the same packets, since they have the "same" destination from a TCP/IP standpoint. For example, the first machine gets an HTTP response to an HTTP request sent by the second machine. Since the second machine never got the response, it sends another request. Then you start getting packet errors and retransmissions, and very soon all sorts of errors and retransmissions are flooding the airwaves. In severe cases, it can effectively DoS the WLAN.

    This type of spoof is really only worthwhile if the bad guy waits for the legitimate user to get off the network.
    Thorn
    Stop the TSA now! Boycott the airlines.

  5. #5
    Junior Member
    Join Date: Jan 2010 | Location: Canada | Posts: 84

    Um... no. It's called a Deauth & Spoof Combo:

    Step One: Find the BSSID of the AP, and the MAC of a connected user.
    Step Two: Launch a deauth attack using aireplay-ng to keep the connected user at bay.
    Step Three: Spoof and connect to the AP.

    Not exactly silent, but quick.
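From the network owner's side, the "not exactly silent" part of the combo above is the detectable piece: a burst of deauthentication frames aimed at one station from one BSSID. The following added example (not code from the thread or from the aircrack-ng project) runs a sliding-window deauth-flood check over a constructed frame log; the threshold, window and MAC addresses are assumed values.

```python
"""Flag 802.11 deauthentication floods in a constructed frame log.

Added example, not from the thread. A monitor-mode capture would supply
real (timestamp, subtype, bssid, destination) records; the ones below
are constructed, and the threshold/window are assumed tuning values.
"""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # frames per window before alerting (assumed)
WINDOW_SECONDS = 5.0    # sliding window length (assumed)

# Constructed addresses (not real devices).
AP = "AA:BB:CC:00:00:01"
STA_A = "11:22:33:44:55:66"   # station targeted by the burst
STA_B = "11:22:33:44:55:77"   # station that sees one normal deauth

# Constructed sample capture: (timestamp, subtype, bssid, destination).
SAMPLE_FRAMES = (
    [(0.0, "data", AP, STA_B)]
    + [(1.0 + 0.1 * i, "deauth", AP, STA_A) for i in range(12)]  # burst
    + [(30.0, "deauth", AP, STA_B)]   # a single deauth: normal roaming
    + [(31.0, "data", AP, STA_A)]
)


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (bssid, station, count, first_ts, last_ts).

    Keeps a sliding window of deauth/disassoc timestamps per (bssid, station)
    and raises one alert per pair the first time the window holds `threshold`
    frames. Broadcast deauths show up as station FF:FF:FF:FF:FF:FF.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (bssid, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((bssid, dst, len(q), q[0], ts))
    return alerts


if __name__ == "__main__":
    for bssid, sta, n, t0, t1 in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: {bssid} -> {sta}: {n} frames in {t1 - t0:.1f}s")
```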

  6. #6
    Senior Member Thorn
    Join Date: Jan 2010 | Location: The Green Dome | Posts: 1,509

    Quote Originally Posted by HitThemLow:
    "Um... no. It's called a Deauth & Spoof Combo:

    Step One: Find the BSSID of the AP, and the MAC of a connected user.
    Step Two: Launch a deauth attack using aireplay-ng to keep the connected user at bay.
    Step Three: Spoof and connect to the AP.

    Not exactly silent, but quick."
    The OP was asking about the limitations, and based on what was asked, I stand by the information presented. What you mentioned would be one way to get around the limitations, but as you said, it is very noticeable.
    Thorn
    Stop the TSA now! Boycott the airlines.
