Thursday, December 31, 2015

Bypassing GoGo In-flight for free internet

This entry is going to be short, as the techniques I am going to show you either require a VPS (or an at home ssh server with a public IP) or an iPhone (iPhone trick not much of a hack, but it works).

Both of the methods were tested recently, December.2015, on a two hour flight.

On my initial flight to visit the family, I connected to the GoGo In-Flight just to play around and see what was going on in the internal network. I knew that I could listen on the network and steal someones MAC address, but I think that is a cheap trick, so I was looking for other ways to bypass.

I did an "ifconfig" found the gateway server, did a full port scan on it (WAY too long to complete) then then reverted to the nmap default top 1000k ports.

Found 53, 443 and 3128 to be up. It looks like they were using Squid Proxy for their gateway with 3128 being used for the http/https traffic. I made some attempts to connect to my VPS on the flight down, but since I didn't have it configured for these ports, I had no luck.

Port 3128 results:
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 2.6.STABLE14
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: HEAD
|_http-server-header: squid/2.6.STABLE14
|_http-title: Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=XXX.XX.131.145&PORT=54273&RPORT=54272

The captain came on and told everyone to put away all electronic devices, so close!

Fast forward to the trip back. I set SSH to listen on 53, 443, and 3128 on my VPS. I had also done some research and found people were able to connect via 53 and 443 over ssh, as they are not using DPI. I had no such luck

On 53 I was able to make a full TCP connection, but was not able to pass the SSH cert to the VPS (used -vvv to see where SSH was hanging up).

On 443 I was not able to leave the network at all (SYN SENT - on netstat)

On 3128 I was able to ssh into my VPS port 3128! Jackpot! The proxy was not inspecting traffic on this port. so I ran the following SSH command to create a SOCKS5 Proxy on my machine:

ssh -D 3128 root@VPS.IP -p 3128

Now I went into my browser network settings, checked "use proxy server" and under "socks" (may be an option for socks 4 and 5, if so use 5) I entered my localhost and port (127.0.0.1:3128) and saved.

VIOLA! I was able to browse the entire flight for free!




Now I know I mentioned needing an iPhone, while I dont own one, I was able to convince my more ethical friend to try some steps I read in a blog that ended up working also:

1 - Connect to the GoGo Wifi
2 - Browse to the GoGo Movie library (free or paid, it doesnt matter, you wont be paying)
3 - Click on a movie and it will bring you to a page to download the GoGo app
4 - Enter the Captcha Code to access the app.
5 - Submit it
6 - Do not close the browser now! Open a new tab and start browsing the web. If you leave the auth window active, you will retain your authentication cookie! You can browse as much as you'd like now. Once you close out the browser window, you will lose your session.

Enjoy your free wifi!

36 comments:

  1. Going on a flight next week. I'm not too knowledgeable on doing this operation using my Mac, but if I use my iPhone to bypass it as the post says, can I tether it to the Mac using personal hotspot?

    ReplyDelete
    Replies
    1. You'll have to let me know if the iPhone trick still works. I made this in dec 2015 and never got around to posting it until this month. The SSH trick will require you to have a public facing SSH server, which can be done via a VPS or port forwarding on your home router to an internal SSH server.

      Delete
    2. I'll be boarding a flight in a few hours. I've used the iPhone trick before (I figured it out on my own), and I seem to remember that it doesn't work any more, but I might be remembering incorrectly.

      I've also set up my Raspberry Pi at home to accept ssh connections on port 3128, so I'll test that once I'm in the air.

      Delete
  2. Does this still work? Has anyone done a port scan to see if TCP/3128 is still used? I ma flying in a few days and want to test this

    ReplyDelete
  3. Not sure, haven't traveled since I wrote this blog... If you're up to it, do some exploring and report back!

    ReplyDelete
  4. Yes, it does still work. I've just come from an American Airlines flight that also uses GoGo Inflight Wifi and the movie/entertainment hack still works flawlessly......however, the ONLY thing that is NOT true in this blog is you DO have a time limit. 15 minutes and then it automatically logs you back in to the GoGo Inflight Wifi home portal so you just have to go through it again. Free Internet.....I'm fine with it.

    ReplyDelete
  5. Yes, it does still work. I've just come from an American Airlines flight that also uses GoGo Inflight Wifi and the movie/entertainment hack still works flawlessly......however, the ONLY thing that is NOT true in this blog is you DO have a time limit. 15 minutes and then it automatically logs you back in to the GoGo Inflight Wifi home portal so you just have to go through it again. Free Internet.....I'm fine with it.

    ReplyDelete
    Replies
    1. Hey thanks for reporting back! Also good to know about the 15 min session, I may not have been browsing long enough to realize that.

      Delete
  6. This isn't very ethical, but I guess neither is the information I posted in here, but I have noticed that even if there isn't wifi on the flight, the crew has wifi (I see them on their phones). So one flight I sat down and fired up aircrack-ng to find that they do have wifi and do not broadcast the SSID. Sometimes its easily crackable and others it requires login. I captured some of the packets with the networks that required login and upon googleing the network SSID I found default logins to that network!

    BE VERY CAREFUL AND DO NOT DO ANYTHING CRAZY! I dont know if this is there for the sole purpose of crews to be able to use wifi or if its for plane equipment. I've never attempted to get on the said networks.

    ReplyDelete
  7. No I meant be careful on the hidden SSID networks, not the proxy server trick. I do not know what the purpose hidden SSID network is.
    With the proxy server you could probably argue (don't quote me haha) that you are using it as it it was intended to be used, as it allows that type of connection out.

    ReplyDelete
  8. I travel a lot and the 15 min iPhone trick is very true but in addition I found you get about (3 - 4) 15 min sessions and after this it will say you've exceeded the limit and to contact gogo support. It should be plenty for most given the 20min takeoff and landing where they haven't turned it on.

    ReplyDelete
  9. I bet you can get around the session limit by spoofing your mac address or by simply clearing cookies. I'll have to try on an upcoming flight.

    ReplyDelete
  10. The iPhone trick still works however now they are awake to it. Only let me do the trick 4 times and then I was locked out

    ReplyDelete
  11. Tmobile phone numbers get 1 hour free. I put in my friends number no problem no confirmation.

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. So do you have to use stunnel or something?

    ReplyDelete
  14. I can confirm that the port 3128 trick works on American as of March 10, 2017.

    ReplyDelete
  15. Still works, thanks for the great tip! On the plane now.

    I prefer the command as so: `ssh -D 3128 -f -C -q -N root@VPS.IP -p 3128`

    from https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel

    ReplyDelete
  16. Wow i can say that this is another great article as expected of this blog.Bookmarked this site..
    jiofi local html login

    ReplyDelete
  17. Does the ssh trick work on a Windows 10 laptop? If yes, how do I run "ssh -D 3128 root@VPS.IP -p 3128" on a Windows machine? I have putty.

    ReplyDelete
    Replies
    1. Praveen. You'll need putty to accomplish that. You choose SSH there port. and IP. And I believe there's option to route traffic through SSH function somewhere but I already forgot where. You can easily find it out.

      Delete
  18. Would it be possible for me to set up an OpenVPN server on 3128 and tunnel out of the network that way? On my flight out, I tried my UDP 1194 and TCP 443 OpenVPN servers but neither of them worked. On the way home I'd like to try getting out on 3128 by setting up my server to allow me to connect through there, but I do not know if I have to have this server set up on 3128 TCP or UDP.

    ReplyDelete
    Replies
    1. Okay, so for my return flight, I reconfigured my OpenVPN server for TCP 3128, and it did not work. This was on United Airlines by the way. Does anybody have any advice they could give me about this?

      Delete
    2. You could have done a simple Nmap port scan. I did a normal top 1000 port nmap scan and found that only ports 53, 80, and 443 were up. Port 3128 was no where to be seen. The iPhone method also doesn't work (I'm pretty sure, unless the links were just broken) as United apparently wants you to have the app predownloaded before the flight and doesn't let you download during the flight.

      Delete
  19. I'm on a Delta flight today (July 7) and can confirm that the iPhone method works, as does the SOCKS on port 3128 method.

    ReplyDelete
  20. I can confirm that neither the proxy on port 3128 nor the iPhone method works on United Airlines. United only has ports 53, 80, and 443 up and apparently does not allow you to download their app during the flight.

    ReplyDelete
  21. I am grateful for this blog to distribute knowledge about this significant topic. Here I found different segments and now I am going to use these new instructions with new enthusiasm.
    HPE SV3200

    ReplyDelete
  22. Hi, new to setting up a VPS... can you use free solutions like Google Cloud Platform or any other cloud services instead of hosting it on my own computer?

    ReplyDelete
  23. Yes you can, and it actually may be the better option. The reason being is that a lot of access points do not block google pre-auth. Meaning that once you're connected, you will not be able to browse sites outside of google. This is why sometimes you can view your email on a flight/airport but not do anything else.

    Using google as your cloud platform may allow you to avoid doing things like using a DNS tunnel or ICMP tunnel.

    Now I've toyed with googles cloud services but have done nothing extensive, however from what I've seen, it definitely doable, as they let you have root access to your server.

    ReplyDelete
  24. Just for any others stumbling onto this great post, I just used it on Air Canada and it worked perfectly. Thanks!

    ReplyDelete
  25. I read that Post and got it fine and informative.
    vps

    ReplyDelete
  26. I was on aircanada and westjet over the weekend, this method does not seem to work anymore. port 3128 is blocked, and did some scanning for other ports, didnt get much luck

    ReplyDelete
  27. Old post, but wanted to say that this does not work anymore :( port 3128 its filtered now

    ReplyDelete