Alright, let me start off by saying that I'm not a malicious hacker - like the hacker ethics state, I do this solely for exploration and advancement of knowledge.
Let me also say that this may be a long post, but I hope all of you respond so we can have an exciting discussion!
Now that the legalese and foreword is out of the way, I've got a discussion to start with you wireless experts. I've done my share of hacking before, but I've not done any WiFi hacking, so I thought I'd post this here to sort of get a consensus on a crazy idea I had tonight.
I'm staying at this hotel in NYC over the next 3 days (the Doubletree by Times Square). They don't offer wired internet because it's an old building and they don't want to rewire it all. So they offer wireless internet in the suites for $9.95/day. Bummer, right? So the person I'm staying with in the hotel signs up wirelessly with his laptop and gets on just fine. The system makes him register an account, and he's got his high-speed internet. So I try the account on my computer - no such luck. Perhaps only one laptop at a time is allowed to connect? He logs off and shuts down his wireless, and I try again. Strike two. Alright, so perhaps they're filtering based on something else - what's the most permanent thing most people have associated with their network cards? A MAC address! Looking more closely at the history log of my friend's laptop (we're both computer people and keep logs of these sorts of things), I notice that when he first signed up with the system, it passed his MAC address around via some GET variables in the URL. So I go ahead and change my MAC address to his and re-connect, again making sure he's off. Bingo! Wireless internet. Main problem: solved.
Now here's where I started getting excited. They obviously have wireless coverage in all of the rooms built in, and the gateway filters who's allowed to connect by A) an account with user/pass combo; B) the MAC address; or C) a combination of both. Now, I had typed in the account information with my old MAC address enabled - not with his, which leads me to believe that they're using option B. This really doesn't matter anyway, as you'll see later on. So, wireless in all the rooms. Based on my findings, theoretically, couldn't I just find someone else who's signed up for the internet, get their MAC address, spoof theirs as mine, and get internet, in their name? Wouldn't that then allow me to get free wireless internet? Remember, whatever you tell me can't steal from the hotel - I've already paid to get the internet in our room. So, how to get the MAC addresses? I've got a tool which can recover the MAC address of a remote machine by giving it the IP address - anyone know of a tool which can give me a list of all the live hosts' IP addresses in my subnet? I've got SuperScan, but it's slow & bloated - I'm thinking maybe nmap? Granted, not every wireless MAC address I get will have signed up for the free internet - most laptop users who aren't computer literate will just leave their wireless adapter on and it'll connect to the default network. But a strong percentage (or at least a few) will have done so, and that could then be used as a list to rotate among for my MAC address, to continually get free wireless internet.
But wait, Logan, you're all now thinking - two machines with the same MAC address on the same network? Surely the router or gateway would go mad! Or something like that. Well, I anticipated that, too - I had once read an article about WEP hacking and in it was mentioned a way to send a broadcast packet to tell certain clients to disconnect/disassociate/deauthenticate from a certain SSID, again by spoofing the MAC address to appear as if the packet were coming from the router/gateway. Anyone know of a way to achieve this? If so, then one would be able to construct a tool which rotated one's MAC address among a list and sent out the appropriately spoofed packets to ensure that the MAC address currently in use was not connected to the network. Sure, one user at a time will have some wireless troubles, but that's their problem to deal with.
And now for the granddaddy of them all - I got the MAC address of the main gateway assigned to my laptop when I first connected wirelessly. This device, I'm assuming, allows access only to its manufacturer's special website for some legalese agreements & logins, etc. Now, couldn't I change my MAC address to that of the main gateway, do the same for the IP address, and flood the network with spoofed ARP packets to, in essence, redirect all the traffic normally going to the gateway to my laptop? I could then easily create a fake website which looked like the real gateway, grab their user details, and send them along to the real gateway. Don't know how much or what I could harvest with an attack like that, but any comments would be appreciated to further discuss! Another note: I believe an attack like this was described in one of the "Stealing the Network" books (I'm not at home right now otherwise I'd look it up since I've got the whole series): where a student did something similar to grab the personal details of all the registering students at a college who were creating accounts at the school's "personal" website (you know, sites like my.mit.edu). He used a tool, I think, called webmitmd to man-in-the-middle the secure server on campus.
That's all I've been brooding about over the past hour or so. I was thinking more and more about it but really wanted a bunch of knowledgeable experts I could share my thoughts with to further discuss the feasibility, both technically and otherwise, of the possibility of things like these actually happening. Because I'm sure with your stimulating responses, I can learn much more than I could have trying to research all of this!
That's it! Looking forward to some discussions!
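From the network operator's side, the two things the post describes (a second host answering for the gateway's IP, and one MAC address showing up behind several IPs) both leave a trace in ARP traffic. The script below is an added example, not part of the post above: it walks a constructed ARP reply log and raises an alert for each. The gateway IP and MAC, and the log format, are assumptions for the sample.

```python
"""Flag gateway impersonation and MAC cloning in ARP reply records (added example)."""
import re
from collections import defaultdict

# Known-good binding for the captive-portal gateway (constructed values).
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample, one ARP reply per line: "<time> reply <ip> is-at <mac>".
# Line 3 is a second host claiming the gateway IP; line 5 is a MAC already
# seen for 10.0.0.23 now answering for a different IP.
SAMPLE_ARP_LOG = """\
12:00:01 reply 10.0.0.1 is-at 00:11:22:33:44:55
12:00:02 reply 10.0.0.23 is-at aa:bb:cc:dd:ee:01
12:00:03 reply 10.0.0.1 is-at de:ad:be:ef:00:01
12:00:04 reply 10.0.0.23 is-at aa:bb:cc:dd:ee:01
12:00:05 reply 10.0.0.57 is-at aa:bb:cc:dd:ee:01
"""

LINE_RE = re.compile(r"^(\S+) reply (\S+) is-at (\S+)$")


def parse_arp_log(text):
    """Yield (time, ip, mac) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_anomalies(records, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of (kind, time, ip, mac) alerts.

    'gateway_spoof': a reply binds the gateway IP to an unexpected MAC.
    'mac_shared'   : one MAC answering for more than one IP (cloning or rotation).
    A legitimate DHCP renewal can also trigger 'mac_shared', so treat it as a
    lead to correlate with DHCP leases rather than proof on its own.
    """
    alerts = []
    ips_by_mac = defaultdict(set)
    for t, ip, mac in records:
        if ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append(("gateway_spoof", t, ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac_shared", t, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_arp_log(SAMPLE_ARP_LOG)):
        print(alert)
```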