In this tutorial we will guide you through the process of bypassing captive portals. By following these steps, you can navigate around WiFi paywalls and terms of service agreements. Our primary focus will be on airlines using GoGo Air. We'll showcase the cost-free methods to gain internet access. However, do this at your own risk as it might lead you into trouble. Our intent is to shed light on the workings of captive portals and to teach MAC spoofing.
What Is a Captive Portal?
A captive portal is a virtual gatekeeper for internet access. It's a webpage that users encounter when they try to connect to a public WiFi network. Instead of being granted immediate access to the internet, users are prompted by the captive portal to take a specific action or even pay a fee before gaining full access to the WiFi.
Here are some examples of when captive portals are commonly used:
Public Wi-Fi Hotspots:
- Coffee Shops: Places like Starbucks often have captive portals that may require users to accept terms and conditions before getting online.
- Airports: Free Wi-Fi at airports usually comes with a captive portal for user authentication.
Hotels and Accommodations:
- Many hotels use captive portals to provide internet access to guests, often requiring a password or some form of user authentication.
Business Networks:
- Corporate offices or businesses may implement captive portals to control and monitor guest access to their Wi-Fi networks.
Educational Institutions:
- Universities and schools might use captive portals to ensure that only authorized users can access their networks.
Public Events:
- Events like conferences or concerts might set up captive portals to manage and control the large number of users seeking internet access.
How Does It Work?
When your device attempts to connect to a WiFi network with a captive portal, the wireless access point logs the MAC address of your device. Before granting you internet access, the network redirects your device to the captive portal's landing page. Captive portal backends typically use the MAC address as a temporary identifier for the device during the authentication process. This allows the backend to associate the device with a particular session.
After successful authentication, which could be agreeing to the terms of service or paying to access the internet, the captive portal backend 'whitelists' your MAC address to allow seamless access for the duration of your session.
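The allow-list described above keys a session on the MAC address alone, so the backend cannot tell two devices apart when they present the same address. As an added example (not code from Gogo or any portal product), the sketch below compares a MAC-only check with one that also binds the session to the DHCP option 55 parameter list and option 12 hostname recorded at authorization. The class, method names and sample requests are hypothetical and constructed.

```python
from dataclasses import dataclass

@dataclass
class Session:
    dhcp_fp: str    # DHCP option 55 (parameter request list) seen at authorization
    hostname: str   # DHCP option 12 hostname seen at authorization
    expires: int    # time (seconds) at which the authorized session ends

class PortalAllowList:
    """Hypothetical portal backend state: one session per allow-listed MAC."""

    def __init__(self):
        self.sessions = {}

    def authorize(self, mac, dhcp_fp, hostname, now, ttl=3600):
        # Called after the user accepts the terms or pays.
        self.sessions[mac.lower()] = Session(dhcp_fp, hostname, now + ttl)

    def mac_only_check(self, mac, now):
        # The behaviour described above: the MAC address is the only key.
        s = self.sessions.get(mac.lower())
        return "allow" if s is not None and now < s.expires else "portal"

    def bound_check(self, mac, dhcp_fp, hostname, now):
        # Hardened variant: the MAC must also match the recorded device traits.
        s = self.sessions.get(mac.lower())
        if s is None or now >= s.expires:
            return "portal"   # unknown or expired: show the landing page
        if (dhcp_fp, hostname) != (s.dhcp_fp, s.hostname):
            return "reauth"   # same MAC, different device: re-authenticate
        return "allow"

# Constructed sample DHCP requests: (time, MAC, option 55 list, hostname)
EVENTS = [
    (100, "02:00:00:00:11:22", "1,121,3,6,15,119,252", "pax-phone"),
    (900, "02:00:00:00:11:22", "1,3,6,12,15,28,42", "other-laptop"),
    (950, "02:00:00:00:33:44", "1,3,6,15,31,33", "new-device"),
]

def run_demo():
    portal = PortalAllowList()
    portal.authorize("02:00:00:00:11:22", "1,121,3,6,15,119,252", "pax-phone", now=0)
    return [(portal.mac_only_check(mac, t), portal.bound_check(mac, fp, host, t))
            for t, mac, fp, host in EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run_demo()):
        print(event[1], event[3], verdict)
```

A fingerprint mismatch is a signal rather than proof, since these DHCP fields are client-controlled, which is why the sketch sends the client back to the portal instead of blocking it.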
Bypassing The Captive Portal
In this example we will be showing you how to bypass Gogo Inflight Air's captive portal to get free internet. We will be doing this using Kali Linux with the aircrack-ng suite. You will also need a wireless adapter that is capable of being put into monitor mode; most onboard wireless cards do not have this ability.
1. Find Wireless Adapter In Kali
Type the following:
$ iwconfig
You should see output something like this:
My wireless adapter is wlan0, though yours may be different if you have an onboard WiFi card as well.
2. Put Wireless Adapter In Monitor Mode
You will need to put your wireless adapter into monitor mode, which takes 2 different commands. I'd suggest doing this as root; if not, make sure you use sudo. Make sure to change wlan0 to the name of your device:
# airmon-ng check kill
# airmon-ng start wlan0
Here is an example of what Kali can output:
Make sure you take a look at the interface name. Sometimes the name of it will change. The name of mine stayed as wlan0, however yours might change to something different; a common one would be something like wlan0mon or similar.
3. Scan For Connected MAC Addresses
You'll need to find out the name of the wireless network that you are trying to connect to. For Gogo Inflight Air, the name is usually "gogoinflight". This is a multi-step process.
First we need to find the channel that the WiFi is running on. You will need to change wlan0 and gogoinflight to whatever is appropriate. We can find the channel by typing the following:
# airodump-ng wlan0 --essid gogoinflight
It should give us something that looks like this:
If you look under "CH" you will see that gogoinflight is being broadcast on channel 2.
Next we need to set our wireless adapter to channel 2 by typing the following:
# airodump-ng wlan0 --essid gogoinflight -c 2
You will see all of the devices connected to the WiFi in the second half of the screen. The STATION is the MAC address of the connected device. You will want to write down several of these MAC addresses.
4. Change Your MAC Address
My suggestion, and the most ethical approach to this, is to wait until one of the devices drops off. Then you can change the MAC address of your WiFi adapter to what theirs is. When you attempt to connect to the inflight WiFi, the backend server will see a whitelisted MAC address, think that you have already paid for the service, and allow you to connect. If the MAC address you are using doesn't allow you to connect and you're still getting the captive portal message, then that person has not paid for the service and you will have to wait for another MAC address that has paid to disconnect. If you're impatient, the less ethical way to do this would be to deauth the client using either aireplay-ng or MDK4. Keep in mind that you will be restricting internet access to someone that has paid for it, so do this at your own will. We won't cover that in this tutorial but an easy search can show you how to do it.
Replace XX:XX:XX:XX:XX:XX with the STATION ID from the previous step and make sure to change wlan0 to your wireless device.
# macchanger -m XX:XX:XX:XX:XX:XX wlan0
Once you've done that, you'll need to put your wireless device back into managed mode by typing:
# airmon-ng stop wlan0
Now you should be able to connect to the WiFi and bypass the captive portal using the wireless adapter whose MAC address we changed!