Thursday, December 31, 2015

Bypassing GoGo In-flight for free internet

This entry is going to be short, as the techniques I am going to show you either require a VPS (or an at-home SSH server with a public IP) or an iPhone (the iPhone trick is not much of a hack, but it works).

Both of the methods were tested recently, December 2015, on a two-hour flight.

On my initial flight to visit the family, I connected to the GoGo In-Flight just to play around and see what was going on in the internal network. I knew that I could listen on the network and steal someone's MAC address, but I think that is a cheap trick, so I was looking for other ways to bypass.

I did an "ifconfig", found the gateway server, did a full port scan on it (WAY too long to complete), then reverted to the nmap default top 1000k ports.

Found 53, 443 and 3128 to be up. It looks like they were using Squid Proxy for their gateway with 3128 being used for the http/https traffic. I made some attempts to connect to my VPS on the flight down, but since I didn't have it configured for these ports, I had no luck.

Port 3128 results:
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 2.6.STABLE14
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: HEAD
|_http-server-header: squid/2.6.STABLE14
|_http-title: Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=XXX.XX.131.145&PORT=54273&RPORT=54272

The captain came on and told everyone to put away all electronic devices, so close!

Fast forward to the trip back. I set SSH to listen on 53, 443, and 3128 on my VPS. I had also done some research and found people were able to connect via 53 and 443 over SSH, as they are not using DPI. I had no such luck.

On 53 I was able to make a full TCP connection, but was not able to pass the SSH cert to the VPS (used -vvv to see where SSH was hanging up).

On 443 I was not able to leave the network at all (SYN SENT - on netstat).

On 3128 I was able to ssh into my VPS port 3128! Jackpot! The proxy was not inspecting traffic on this port, so I ran the following SSH command to create a SOCKS5 proxy on my machine:

ssh -D 3128 root@VPS.IP -p 3128

Now I went into my browser network settings, checked "use proxy server" and under "socks" (may be an option for socks 4 and 5, if so use 5) I entered my localhost and port (127.0.0.1:3128) and saved.

VOILA! I was able to browse the entire flight for free!
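
Seen from the gateway operator's side, the gap described above is a port that was allowed out for one protocol but carried another. The following is an added example, not code from the original post or from GoGo: a first-bytes check that compares what a client actually sends against what each open port is expected to carry. The port-to-protocol map, function names and sample flows are assumptions constructed for illustration.

```python
import re
import struct

# Ports the post found open, mapped to the protocol each should carry
# (assumption of this example, based on the nmap output in the post).
EXPECTED = {53: "dns", 443: "tls", 3128: "http"}
HTTP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")

def identify(data: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    if data.startswith(b"SSH-"):            # RFC 4253 identification string
        return "ssh"
    if HTTP_REQ.match(data):                # request line, CONNECT included
        return "http"
    # TLS record type 0x16 (handshake), major version 3, ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # DNS over TCP: 2-byte length prefix, 12-byte header, QR bit clear (query)
    if len(data) >= 14:
        (n,) = struct.unpack("!H", data[:2])
        if n == len(data) - 2 and not data[4] & 0x80:
            return "dns"
    return "unknown"

def flagged(flows):
    """Return (client, port, seen) for flows whose payload does not match the port."""
    out = []
    for client, port, data in flows:
        seen = identify(data)
        if port in EXPECTED and seen != EXPECTED[port]:
            out.append((client, port, seen))
    return out

# Constructed sample data: client address, destination port, first payload bytes.
_query = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_FLOWS = [
    ("10.0.0.17", 3128, b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"),
    ("10.0.0.23", 3128, b"SSH-2.0-OpenSSH_7.1\r\n"),
    ("10.0.0.23", 53, b"SSH-2.0-OpenSSH_7.1\r\n"),
    ("10.0.0.31", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.31", 53, struct.pack("!H", len(_query)) + _query),
]

if __name__ == "__main__":
    for hit in flagged(SAMPLE_FLOWS):
        print("protocol mismatch:", hit)
```

A check like this only classifies the opening bytes; restricting unauthenticated clients so that port 3128 reaches the proxy address alone removes the path regardless of payload.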

Now, I know I mentioned needing an iPhone. While I don't own one, I was able to convince my more ethical friend to try some steps I read in a blog, which also ended up working:

1 - Connect to the GoGo Wifi
2 - Browse to the GoGo Movie library (free or paid, it doesn't matter, you won't be paying)
3 - Click on a movie and it will bring you to a page to download the GoGo app
4 - Enter the Captcha Code to access the app.
5 - Submit it
6 - Do not close the browser now! Open a new tab and start browsing the web. If you leave the auth window active, you will retain your authentication cookie! You can browse as much as you'd like now. Once you close out the browser window, you will lose your session.

Enjoy your free wifi!

26 comments:

  1. Going on a flight next week. I'm not too knowledgeable on doing this operation using my Mac, but if I use my iPhone to bypass it as the post says, can I tether it to the Mac using personal hotspot?

    Replies
    1. You'll have to let me know if the iPhone trick still works. I made this in Dec 2015 and never got around to posting it until this month. The SSH trick will require you to have a public-facing SSH server, which can be done via a VPS or port forwarding on your home router to an internal SSH server.

  2. Does this still work? Has anyone done a port scan to see if TCP/3128 is still used? I am flying in a few days and want to test this.

  3. Not sure, haven't traveled since I wrote this blog... If you're up to it, do some exploring and report back!

  4. Yes, it does still work. I've just come from an American Airlines flight that also uses GoGo Inflight Wifi and the movie/entertainment hack still works flawlessly......however, the ONLY thing that is NOT true in this blog is you DO have a time limit. 15 minutes and then it automatically logs you back in to the GoGo Inflight Wifi home portal so you just have to go through it again. Free Internet.....I'm fine with it.

    Replies
    1. Hey thanks for reporting back! Also good to know about the 15 min session, I may not have been browsing long enough to realize that.

  6. This comment has been removed by the author.

  7. This isn't very ethical, but I guess neither is the information I posted in here, but I have noticed that even if there isn't wifi on the flight, the crew has wifi (I see them on their phones). So one flight I sat down and fired up aircrack-ng to find that they do have wifi and do not broadcast the SSID. Sometimes it's easily crackable and others it requires login. I captured some of the packets with the networks that required login and upon googling the network SSID I found default logins to that network!

    BE VERY CAREFUL AND DO NOT DO ANYTHING CRAZY! I don't know if this is there for the sole purpose of crews to be able to use wifi or if it's for plane equipment. I've never attempted to get on the said networks.

  8. This comment has been removed by the author.

  9. No, I meant be careful on the hidden SSID networks, not the proxy server trick. I do not know what the purpose of the hidden SSID network is.
    With the proxy server you could probably argue (don't quote me haha) that you are using it as it was intended to be used, as it allows that type of connection out.

  10. This comment has been removed by the author.

  11. This comment has been removed by the author.

  12. I travel a lot and the 15 min iPhone trick is very true but in addition I found you get about (3 - 4) 15 min sessions and after this it will say you've exceeded the limit and to contact gogo support. It should be plenty for most given the 20min takeoff and landing where they haven't turned it on.

  13. I bet you can get around the session limit by spoofing your MAC address or by simply clearing cookies. I'll have to try on an upcoming flight.

  14. The iPhone trick still works; however, now they are awake to it. Only let me do the trick 4 times and then I was locked out.

  15. T-Mobile phone numbers get 1 hour free. I put in my friend's number, no problem, no confirmation.

  16. This comment has been removed by the author.

  17. If you wish to explore lots of various useful articles on using tracking software on your phone, view here http://spying.ninja/highster-mobile-review/.

  18. So do you have to use stunnel or something?

  19. Download social Business app and connect with your co-travelers and wish to speak with your fellow colleagues or business associates with Flightnetworksin real-time during a flight. A Way to Avoid Being Bored while traveling

  20. Hi, I'm sharing my site where I share working free wifi codes for everyone: free wifi code

  21. I can confirm that the port 3128 trick works on American as of March 10, 2017.

  22. Still works, thanks for the great tip! On the plane now.

    I prefer the command as so: `ssh -D 3128 -f -C -q -N root@VPS.IP -p 3128`

    from https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel
