Often times when staying at a hotel or anywhere for that matter, you'll whip out your laptop and check the local area for Wi-Fi. I know you've all been in my shoes when you find an unsecured network that appears to be public Wi-Fi belonging to the hotel or airport, and you connect to it. You connect fast and perfectly, only to find that when you open your browser, it says you don't have an account, and are filtered from accessing the web. This is because the owners of the network want to keep things simple by having no password, but only want paying customers to be able to use their network.
As always, Null Byte has a way around it. The "security" on these access points work by filtering out MAC (Meda Access Control) addresses, which are your wired and wireless interfaces' unique addresses. They are burned in to your interfaces. However, you can temporarily change them from within your OS. Simply change yours to match a client that does get the paid service.
I'm going to go over how to do this in Arch Linux. This is possible in Windows, but requires a wireless interface capable of monitor mode. I can go over how to do it on Windows in IRC if you have the proper interface.
Step 1 Install Necessary Programs
You're going to need a few programs before we do this. We need to be able to sniff traffic and have our drivers set up to monitor traffic.
Download Wireshark, or use your package manager to install it. Linux users, download the source code and extract with (in a terminal):
tar zxvf <archive name>
Change to the new directory and install with this command:
./configure && make && sudo make install
Follow my guide on compat-wireless to make sure your card can go into monitor mode, and you will be ready to move forward.
Step 2 Enable Monitor Mode & Sniff Traffic
These are the commands to change your MAC address and enable monitor mode so you can sniff the traffic we are looking for:
sudo ifconfig wlan0 down && sudo ifconfig wlan0 mode monitor && sudo ifconfig wlan0 up
Now, start up wireshark and look for a client IP that is using the AP. Type "http" into the filter field to make sure you're only getting HTTP traffic.
Step 3 Spoof Your MAC
Wait for someone to make a request to the router. Any IP that doesn't end in ".1" should work. Click on that packet, and search for a MAC address in the hexadecimal field below. Then, make that your address with this command:
sudo ifconfig wlan0 down && sudo ifconfig hw ether <ST:OL:EN:MA:C!:!!> && sudo ifconfig wlan0 up
Now, just connect to the access point and you will see that you can get past the filter!
Here's a quick video showing you how to look through the packets, in case you don't understand.
I hope this was an informative Null Byte, come join the Forums!