Hacking the "Captivate" Network
by Darlok
No doubt many of you have seen those fancy computer screens mounted in elevators in office buildings in major cities like New York, Chicago, and Boston. They provide news, sports, weather, advertising, and other information to the occupants as they enjoy the ride. Well, I was recently able to do some poking around with the Captivate Network in my building. Once I figured out that they were actually wireless devices residing on a 802.11b network I broke out my wireless hacking tools and went to work.
In my case, the wireless network did not have Wired Equivalent Privacy (WEP) enabled, so it was open. However, I couldn't obtain an IP address, so I figured either DHCP wasn't running or the network was configured to disallow new clients from associating with an access point and getting on the network. It turned out that the latter was true. How did I know? After using Kismet to capture IP and MAC addresses, I did some MAC spoofing. Once on, I typed the IP address of one of the APs into by browser and got the administration page for a Cisco Aironet 4800E. To my (mild) surprise, it was not password protected, so I was able to basically do whatever I wanted.
The main thing I wanted to do was configure it to allow my machine to associate. I accomplished this by navigating to the "Association" page and changing the "Allow automatic table additions" option from "off" to "on." I was now able to freely associate with this access point without having to spoof a MAC addy. I then performed some network discovery and OS fingerprinting to see what I could see.
I discovered that the screens mounted in the elevators are actually wireless PDA-type devices running Windows CE and that they have 'telnet' open. I also found a lone Windows 2000 server which, according to my packet sniffer, was broadcasting the images to the elevator screens every few seconds. As much as I wanted to, I suppressed the urge to attempt to inject my own images. And yes, I also set the "Allow automatic table additions" option back to "off."
Anyhow, I hope this proves interesting for some of you wireless hackers out there.