This article will help you gain free access to pay-for-use wireless hotspots such as in the airport or the local coffee shops. Many articles I have read on how to gain free Internet access deal with creating ssh tunnels and concatenating characters onto the URL to bypass the router. However, I will be detailing a well known technique of MAC spoofing to gain access.
In this article, I will be using OS X. However, these commands can easily be ported to any *nix machine. On Windows, simply follow the same steps by issuing the equivalent commands in a command window and using the program SMAC to spoof your MAC address.
The first step is to connect to the wireless hotspot as you would if you were going to pay for access. When you have successfully connected to the hotspot, you should be issued an IP address. Check this by entering the ifconfig
command:
luser$ ifconfig
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:26:08:e8:fc:e9
inet6 fe80::226:8ff:fee8:fce9%en1 prefixlen 64 scopeid 0x5
inet 10.15.32.137 netmask Oxffff0000 broadcast 10.15.35.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
Here we can see that the IP address that was issued was 10.15.32.137. The next step is to gather other MAC addresses connected to the hotspot. To do this, issue a ping
to the broadcast address:
luser$ ping 10.15.35.255
When this command runs, you should see different IP addresses responding to your broadcast. When you start to see the IP addresses repeating, you can give it the ol’ command-c. The next step is to issue the arp command to see what MAC addresses you have just gathered in your arp cache.
luser$ arp -a
(10.15.32.95) at (5c:ac:4c:84:d0:65) on en1
Above, you can see that we have the MAC address 5c:ac:4c:84:d0:65 in our arp cache, which is associated with IP address 10.15.32.95. Now, to spoof this MAC address, we must simply tell our en1 wireless card to use the MAC address already connected (and paid) to the access point.
luser$ sudo ifconfig en1 lladdr 5c:ac:4c:84:d0:65
After you have changed your MAC address, disconnect and reconnect to the wireless access point. Doing this will grab a new IP address and, since the router’s data table already has 5c:ac:4c:84:d0:65 associated with the .95 IP address, this is the IP address you should now have. Because the router keeps track of who has paid by MAC address, you should now be able to access the Internet, bypassing the login and payment pages.
Some notes when choosing to do this. First, connecting to the Internet without paying can be a gray area in regard to morality. The gray area is enhanced by the fact that the MAC address you choose to spoof will be kicked offline. By spoofing another user’s MAC address, both your connection and the other user’s connection will go up and down. This technique works best in longer stay areas such as an Iraq deployment or a hotel, since a user may not always be online the same time as you, therefore giving you a more stable connection. Another consideration is the list of MAC addresses after issuing the arp command. Not all addresses that show in your arp cache will have paid to access the Internet. Many times, a user’s wireless card will connect to a network automatically without the user’s knowledge. Because of this, you may have to try more than one MAC address.
— by Ashes