Today we’re gonna take a look at how to hack Wi-Fi hotspots. In the last few years, many commercial hotspots have been poppin’ up literally everywhere. Most of these work as a complement to a ISP’s (Internet Service Provider) subscription. Others work with a pay-to-use model… if you want to use for X amount of hours, you pay $ Y amount of money.
Once the client connects into one of these hotspots he will either have to login using credentials (email & passwd) or input his credit card to purchase time…

Understanding The Protocol

When the client logs in or pays for time on the hotspot, his MAC address is now whitelisted (a list of approved addresses which are free to go thru to the internet, if a MAC address isn’t on that list he will be restricted to the local area network) and therefore allowed to browse the web freely.

What can we do with this information?

Planning The Attack

An attack into this type of network seems fairly easy to accomplish… as always you’ll want to start by bringing up a monitor interface:
airmon-ng start <wireless interface>

Then, begin scanning for associated clients on a specific channel and pay attention to the incoming traffic. You can use the following command to do so:
airodump-ng -c <channel> -a <monitor interface>
Optionally, you could write the traffic into a file (-w <filename>). During the scan pay attention to the OPEN networks you find, see which ones are hotspots (hint: they usually end with the word “wifi”) and most importantly keep an eye out for associated clients.

Cloning The Target

If you’ve found an associated client, looks at the amount of “frames” (read traffic) shown in the scan. More frames = more traffic; continuous frames = continuous traffic = authenticated client. If we clone an unauthenticated client, the method won’t work. So it’s worth making sure we have the right network and right client under the scope.
Once your ready, clone the client using the following command:
ifconfig <wireless interface> hw ether <MAC address>
Alternatively, you can use macchanger as well.