[ 1998 - 2010 - Hacking, Phreaking & Anarchy in the UK ]

14 April 2010 . Author -=The Firestarter=-

----------------------------------------------------------
[ iBahn Internet 0wnage ]
----------------------------------------------------------

After spending over two weeks in a Marriott hotel at the start of last month, it took me around 24 hours to realise I wasn't going to spend £15 a day for wireless internet access.

The basic rundown: there is wifi all over the 300+ room hotel, and each room has these little router-like box thingies in them - least that's what I assume they are. They all have ethernet ports in them and there's a free cable hanging up in the wardrobe in its own bag, least mine was, for those that lack wifi cards. You log in to one of these unencrypted channel boxes that are usually called ibahn or some shit like that.

Anyhow, upon connecting to these technological marvels and attempting to browse the internet, we are instantly directed to a web page. Its URL is something like this:

    https://secure35.ibahn.com/purchase/purchase?MA=00-15-af-93-bd-c2&SC=GLADT&DI=174631419&PN=1&BD=eba395b6&PX=false

Then it asks me to pay some shit like fifteen quid for 24 hours internet access. I mean WTF? Who in their right mind is going to pay that much for accessing the internet for a mere 24 hours? Sure as hell isn't going to be me.

So let's look at it. I notice my MAC address (actually it isn't mine in there, it's someone else's) is in the URL. So a quick assumption might be that their whole internet security goes on the MAC address? (Not unlike a certain type of Kodak picture frame I know of.) So what uber means can one utilize to bypass this k-rad security? Well, macchanger seems to be a good start.

But how do we find out what MAC addresses are active on their database of fools that pay for the internet? This one's simple: we use our favorite wifi scanners, or in this case airodump-ng, after putting your wireless card into monitor mode as one would do before going on any wardriving exercise, with a command like:

    airmon-ng stop wlan0
    airmon-ng start wlan0

then

    airodump-ng -w ./wifi/ibahnh4xx0r wlan0

Now this will scan the channels for active wifi access points as well as people using them. I have noticed that a lot of the time they use channels 1 and 11, but I have seen them on channel 6 as well, so best guess is they could be on any channel; it will probably all depend on your hotel's setup.

Once you see which channels the ibahn APs are on and you see a fair load of clients connected to them, close airodump and reopen it with a command like

    airodump-ng --channel 11 -w ./wifi/ibahnh4xx0r

(that is assuming that the AP(s) you have found are on channel 11).

Now you wait. You'll see people connect to the APs and receive a few hundred packets of data; this is from them logging in and seeing they have to pay a fortune for the service. Most will disconnect. But then you will notice (given time) that one of the machines is receiving thousands and thousands of packets, usually very very quickly. Bingo, some fool has paid for it. Write down his/her MAC address (or several of them, I used to find 3-4 a night within half an hour of monitoring the airwaves). Also make a note of which AP the machine is connected to.

Now reboot back into HackMode and carry out the following commands:

    airmon-ng stop wlan0
    macchanger --mac wlan0
    airmon-ng start wlan0

Now we type:

    start-network

and finally

    startx

Now once KDE has loaded up, fire into the network manager proggy and connect to the specific ibahn router. Now go try to surf the internet at your favorite sites.... It worked? Bingo, you now have unlimited free wifi for the duration of your victim's purchase.

Downloads are pretty fastish (well, I say fastish: about 4mb/s if it's quiet - 512kbs at peak times). Running fasttrack on the entire IP subnet (which is something like 10.xx.x.xxx) yielded some interesting results like SQL servers and other such fun things, tho I suspect these might not have belonged to the hotel, but I might be wrong.

One annoying factor about iBahn is that it is a German company - not that it is a problem in itself, but visiting google.com always sends you to www.google.de - pretty good for our German speakers, but having to always go to www.google.co.uk for the rest of us will probably be a must.

All in all I can't knock ibahn and their extortionate money making system for wifi, but if u can get around it, then I personally think you've earned the right to surf for free.

Enjoy this little trick on your next hotel stay!

OS used : backtrack 4.0 on eeePC 701
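
From the operator's side, the weakness described above (paid access tied to nothing but the MAC address) leaves a visible trace: one paid MAC turns up with two DHCP identities, or hops between APs faster than a guest can walk. The script below is an added example, not part of the original article or any iBahn product; the record layout, AP names, MAC addresses and the 60-second window are constructed assumptions.

```python
from collections import defaultdict

FLAP_WINDOW = 60  # seconds; assumed value, tune to how fast guests really roam

# Constructed records, not real logs: (time_s, client MAC, AP name,
# DHCP hostname option 12, DHCP vendor class option 60).
SAMPLE = [
    (100,  "02:00:00:00:00:01", "ap-3f", "ANNA-LAPTOP", "MSFT 5.0"),
    (200,  "02:00:00:00:00:02", "ap-2f", "toms-phone", "android-dhcp"),
    (900,  "02:00:00:00:00:02", "ap-lobby", "toms-phone", "android-dhcp"),
    (4000, "02:00:00:00:00:01", "ap-3f", "ANNA-LAPTOP", "MSFT 5.0"),
    (7200, "02-00-00-00-00-01", "ap-1f", "netbook", ""),
    (7210, "02:00:00:00:00:01", "ap-3f", "ANNA-LAPTOP", "MSFT 5.0"),
    (7220, "02:00:00:00:00:01", "ap-1f", "netbook", ""),
    (7300, "02:00:00:00:00:03", "ap-1f", "guest", ""),
    (7400, "02:00:00:00:00:03", "ap-1f", "other", "x"),
]
PAID = {"02:00:00:00:00:01", "02:00:00:00:00:02"}  # MACs with a purchased session


def find_cloned_macs(records, paid_macs, window=FLAP_WINDOW):
    """Return {mac: sorted reasons} for paid MACs that look shared by two devices."""
    first_fp, last_ap = {}, {}
    switches = defaultdict(list)   # mac -> recent times the MAC changed AP
    reasons = defaultdict(set)
    for ts, mac, ap, hostname, vendor in sorted(records):
        mac = mac.lower().replace("-", ":")   # portal URL style uses dashes
        if mac not in paid_macs:
            continue               # only sessions someone paid for matter here
        # Signal 1: same MAC, different DHCP identity than the one first seen.
        if first_fp.setdefault(mac, (hostname, vendor)) != (hostname, vendor):
            reasons[mac].add("dhcp-fingerprint")
        # Signal 2: two or more AP changes inside the window (a single roam is fine).
        if mac in last_ap and last_ap[mac] != ap:
            switches[mac] = [t for t in switches[mac] if ts - t <= window] + [ts]
            if len(switches[mac]) >= 2:
                reasons[mac].add("ap-flap")
        last_ap[mac] = ap
    return {mac: sorted(r) for mac, r in reasons.items()}


if __name__ == "__main__":
    for mac, why in find_cloned_macs(SAMPLE, PAID).items():
        print(mac, "possible shared/cloned MAC:", ", ".join(why))
```

Either signal is a prompt to re-authenticate the session; the durable fix is binding paid access to a per-user credential (for example a portal login over an encrypted WLAN) instead of the MAC.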