Wifi tricks (public and limited networks)

Last Updated or created 2024-03-18

(use your own discretion/risk)

When connecting to public Wi-Fi, watch what you are doing, it can be dangerous.
(Use a VPN whenever you can, like OpenVPN or Zerotier.)

But it also can be fun to have a look on those networks.

Sometimes there are IP camera’s you can find.
Use an App like Android TinyCam to scan for camera’s

I found at least 5 this way. Getting access, is something else.
One had access to RTSP without password. 🙂
But I found IP camera’s in the wild using a default password also.
(Just google for default passwords. Don’t know the brand of the device? Sometimes you can use the OUI (Organizationally Unique Identifier) part of the Mac Address to find the brand)

Other fun things to scan for are devices you can cast to!

At one time I was in Woerden, getting my Car fixed.
I started working on my Laptop using their guest Wi-Fi.
And checking out the network, I saw some TVs with Casting enabled.
Let’s Cast a Youtube video with a fireplace to it.
Next moment, the display behind the desks started playing the video.
The guys behind the desk were not facing the display.

I tried to revert my test, but I could not found/start the original cast stream.
I told them to get this fixed, and the network security.

Another idea is to scan for hidden camera’s in Hotels or B&Bs.
(There are more tricks to find these, like Flir/IR)

Some Hotels or B&B have a paid Wifi or a one device only policy.

Some tricks for that are:

Using a device which acts as an Access Point/Router.

I started using this trick with a Ravpower (RP-WD01)

I used this device to copy my Nikon photos to an external storage device.

I patched the OS on this Linux device.
Now it autocopied files from sdcard to usb-drive when inserted.

But it also could act as an AccessPoint.
Laptops/tablets and phones can connect using this hotspot.

After that I used a WD device in the same way.

After that I made a mini AP using a Raspberry PI.

When connecting with the first device which was a phone, I wanted to switch to an accesspoint.
So I spoofed the MAC address of the my AP, because it was mac-address locked in the B&B’s main access point.

Now it’s even easier, current mobile phone’s have dual Wi-Fi interfaces.
Connecting to an AP and at the same time setting up a hotspot is a breeze.
(Not that this is needed any more, Wi-Fi is not limited to one device any more. And mobile internet is almost everywhere)

Some access points still require payment, or you don’t know the password.

Some tricks below (use wisely):

Access point with a captive portal:
These are not protected initially.
But you have to enter a username/password to gain access to the internet.

  1. Try to start a VPN client (without logging into the captive portal)
    Sometimes those ports are not blocked.
    (Even more change to use UDP instead of TCP, try zerotier)
  2. Sometimes only DNS works though those AP’s.
    Then you could use a DNS tunnel. This is a method to embed your network traffic in DNS packages. (Note: you have to make your own DNS tunnel server!) https://github.com/yarrick/iodine
  3. Copy the Captive Portal website, write some logging code. And start AP using the same SSID you want the credentials for.
    Get close to someone using the real AP, so they try to log into your fake AP, using their credentials.
    (This is also illegal, and I won’t post code to do this.)

Leave a Reply

Your email address will not be published. Required fields are marked *