Getting through WiFi transparent proxies


blessani

Hi guys,

I used to be a member on here a while ago (before the forums went down). I am travelling in Germany at the moment (for the World Cup) and most of the hotels I have been staying in offer WiFi. BUT it is that stupid WiFi with the transparent proxies like T-Mobile-com or SwissCom, where you need to buy airtime to use it, otherwise all pages redirect back to their login page.

Does anyone know any ways of getting round this so I can enjoy some free internet? I tried using a simple proxy but that didn't work. I'm tempted to use an HTTP/SSH tunnel, but I have no other computer to connect to on the other end. All ideas are welcome (short of telling me to pay for it :p)

Link to comment
Share on other sites

First of all (since this is the usual response to a first time poster that asks "How do I get the admin password at my school!?"), fuck off! Now, you have asked a genuinely interesting question. I suspect that an SSL connection MAY work. It depends on how the proxies are set up. Perhaps what you should do is pay for it at one hotel, analyse the network (route tracing and that sort of thing) and figure out how your packets are making it out to the internet. Then see if you can bypass the system which redirects you.

Link to comment
Share on other sites

Yeh, I wondered how touchy a subject it might be - I assumed from past posts on here I 'should' be alright asking.

I've just found a free connection (well, unsecured) and I've d/l'ed Ethereal, TCPDump and Advanced Port Scanner. It should give me a bit more of an insight as to how these things work. I don't think it will be as simple as someone having an authorised IP address and just spoofing it, but anything is worth a try. Can you believe they charged 8 Euros for 1 HOUR in the Hilton!

And no, I'm not rich enough to stay in the Hilton AND pay for their WiFi :lol:

Link to comment
Share on other sites

Try setting your laptop up to look like the T-Mobile-com or SwissCom AP and when people with accounts enter their details you can log them and use them yourself to log in to the real AP.

Setting up the webpage is easy enough for me, but how do you spoof the server? I would need my computer to act as the gateway (of sorts) so that their web requests are directed through my webserver. I remember seeing an episode on this a while ago, but can't remember for the life of me how to do it.

Link to comment
Share on other sites

Try setting your laptop up to look like the T-Mobile-com or SwissCom AP and when people with accounts enter their details you can log them and use them yourself to log in to the real AP.

Setting up the webpage is easy enough for me, but how do you spoof the server? I would need my computer to act as the gateway (of sorts) so that their web requests are directed through my webserver. I remember seeing an episode on this a while ago, but can't remember for the life of me how to do it.

Since what I said could be considered to be fraud, I will not post it here, but Google is your friend and it's not difficult to find how to do it.

Link to comment
Share on other sites

Most likely they are using a Captive Portal with Radius Authentication, so probably your best bet is trying to sniff someone's user name and password.

You won't get access to the internet until you are authenticated, so I can't see how you would get round it any other way.

Link to comment
Share on other sites

The interesting thing about most of these access points is that, while you can't get web traffic through, and proxies don't help, you are able to get DNS queries. Go ahead and try to nslookup something while on one of these.

I've actually seen a hack that is to set up a special DNS tunnel server at home. It may not be quite fast, but it may just work.

Another thing to look at is nocatauth. Google and ye shall find. That might be of much help in phishing usernames and passwords from other tmobile users.

And of course there's always arp cache poisoning and packet sniffing.

/me bookmarks this thread and mods it +5 Interesting

Link to comment
Share on other sites

Hey don't shoot me for saying this...

I know in the US in MacD's Tmob provides the WiFi access and it's free through those access points for DS's to access (Opera is coming out soon for the DS as well)

Maybe you could set up a connection to your home PC that looks to Nintendo like you are playing a game with a friend - but that would probably take lots of coding and Nintendo probably have checks in place lol

Just wait and see how Opera connects on a DS is the easiest thing. Following that you may then be able to rig up Natrium's Serial port addon and connect the DS to whatever you wish.

Ah Nintendo Free VoIP and soon maybe free web access :) you have to love them (for now)

Link to comment
Share on other sites

  • 3 weeks later...

Hey,

Decided to sign up to the forums purely for this thread (tho the shows are great ;P)

First place I have stumbled across that also realised the wonders of port 53 in this situation.

To expand on what aardwolf said, port 53 is indeed open; I suppose it's kinda needed to allow the first few pages of the captive portal, where you can log in or pay for minutes, to be resolved to IP.

Now there is 'tunneling over DNS' software out there, that allows you to set up a fake DNS server at home, and actually use DNS queries to this server to transmit/receive data. However, the software I have found is quite old and seems to be coded around getting approx 64kbs... which is crap.

However (and here's the useful bit, boys and girls) all of these captive 'pay-for' wifi portals don't seem to do any level 7 checking on port 53 (if at all) (i.e. nothing checks that what is flowing through port 53 IS actually DNS requests).

So therefore, start ssh or a web proxy or a socks proxy (even through ssh for security + encryption)... on port 53 at home (guessing you're not going to be hosting your own DNS server, therefore 53 should be free!) and then simply connect by editing your proxy settings from wherever you are to use your new proxy (be it Starbucks, Hilton's etc etc)

No logins, no paying, no capturing passwords.. simple!

(And if you need anonymity, you could always ssh through the wifi.. to your home box on 53... and then from there tunnel through TOR.. (It's not as complicated a setup as it sounds!))

Anyway, just my 10p, for anyone that's bothered.

Cheers,

TX

Link to comment
Share on other sites

It's fine unless they have a more sophisticated setup with QoS and stateful packet filtering. Then this hole is probably closed, as it would be quite easy to tell the difference between DNS traffic and, say, SSH traffic.

Link to comment
Share on other sites

Yes, that's what I'm saying, level 7 filtering to block on an application level instead of port levels (stateful packet filtering wouldn't be any use unless used to block against an L7 packet match) (I'm sure you know the principles behind L7 filtering, just trying to make the thread readable to everyone!). But on ALL the public hotspots I've found there is NEVER anything of the sort; I'm guessing it's not financially viable to put that technology on the APs for a company that's buying and installing thousands of them!

So for now anyway (and has been for a considerable time) it works well.

And also, since it's usually one company with lots of IPs... (big ones are tmobile or btopenzone, or the cloud in the UK) you don't have to worry about different settings between places, as you know all the APs for one particular company's wifi implementation will be the same.

Have fun ppl :)

Link to comment
Share on other sites
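The layer-7 check the two posts above say hotspots lack, seen from the operator's side: a validator that decides whether a client payload on port 53 is a well-formed standard DNS query. This is an added example, not code from the thread; the function names and the sample payloads are constructed for illustration, and it assumes one DNS message per payload.

```python
import struct

def parse_dns_query(payload: bytes):
    """Return (qname, qtype) for a well-formed standard DNS query, else None."""
    if len(payload) < 17:                      # 12-byte header + root name + type + class
        return None
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:  # must be a query (QR=0) with opcode 0
        return None
    if qd != 1 or an or ns:                    # exactly one question, no answer/authority
        return None
    labels, pos, name_len = [], 12, 0
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:                             # root label ends the name
            break
        name_len += n + 1
        if n > 63 or name_len > 254 or pos + n > len(payload):
            return None                        # bad label length (also rejects pointers)
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass != 1 or (ar == 0 and pos + 4 != len(payload)):
        return None                            # IN class only; no trailing bytes without EDNS
    return ".".join(labels), qtype

def inspect_port53(payload: bytes, tcp: bool = False):
    """Layer-7 check for one client-to-server payload seen on port 53."""
    if tcp:                                    # DNS over TCP carries a 2-byte length prefix
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return None
        payload = payload[2:]
    return parse_dns_query(payload)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a standard recursive query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"      # constructed: first bytes of an SSH session
```

A gateway that drops anything for which `inspect_port53` returns `None` closes the "any protocol on port 53" gap. A protocol-conforming DNS tunnel still passes this check, so it needs separate detection.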

I'm guessing it's not financially viable to put that technology on the APs for a company that's buying and installing thousands of them!

That would be because they are idiots and not using wonderful open-source software.

I'll have a go and try this out sometime when my laptop has an operating system on it.

Link to comment
Share on other sites
