Theoretical Discussion: Hotel WiFi Hack

Alright, let me start off by saying that I'm not a malicious hacker -
like hacker ethics state, I do this solely for exploration and
advancement of knowledge.
Let me also say that this may be a long post, but I hope all of you
respond so we can have an exciting discussion!
Now that the legalese and foreword are out of the way, I've got a
discussion to start with you wireless experts. I've done my share of
hacking before, but I've not done any WiFi hacking, so I thought I'd
post this here to sort of get a consensus on a crazy idea I had
tonight.
I'm staying at this hotel in NYC over the next 3 days (the Doubletree
by Times Square). They don't offer wired internet because it's an old
building and they don't want to rewire it all. So they offer wireless
internet in the suites for $9.95/day. Bummer, right? So the person I'm
staying with in the hotel signs up wirelessly with his laptop and gets
on just fine. The system makes him register an account, and he's got
his high-speed internet. So I try the account on my computer - no such
luck. Perhaps only one laptop at a time is allowed to connect? He logs
off and shuts down his wireless, and I try again. Strike two. Alright,
so perhaps they're filtering based on something else - what's the most
permanent thing most people have associated with their network cards? A
MAC address! Looking more closely at the history log of my friend's
laptop (we're both computer people and keep logs of these sorts of
things), I notice that when he first signed up with the system, it
passed his MAC address around via some GET variables in the URL. So I
go ahead and change my MAC address to his and re-connect, again making
sure he's off. Bingo! Wireless internet. Main problem: solved.
Now here's where I started getting excited. They obviously have
wireless coverage in all of the rooms built in, and the gateway filters
who's allowed to connect by A) an account with user/pass combo; B) the
MAC address; or C) a combination of both. Now, I had typed in the
account information with my old MAC address enabled - not with his,
which leads me to believe that they're using option B. This really
doesn't matter anyway, as you'll see later on. So, wireless in all the
rooms. Based on my findings, theoretically, couldn't I just find
someone else who's signed up for the internet, get their MAC address,
spoof theirs as mine, and get internet, in their name? Wouldn't that
then allow me to get free wireless internet? Remember, whatever you
tell me can't steal from the hotel - I've already paid to get the
internet in our room. So, how to get the MAC addresses? I've got a tool
which can recover the MAC address of a remote machine by giving it the
IP address - anyone know of a tool which can give me a list of all the
live hosts' IP addresses in my subnet? I've got SuperScan, but it's
slow & bloated - I'm thinking maybe nmap? Granted, not every wireless
MAC address I get will have signed up for the free internet - most
laptop users who aren't computer literate will just leave their
wireless adapter on and it'll connect to the default network. But a
strong percentage (or at least a few) will have done so, and that could
then be used as a list to rotate among for my MAC address, to continually
get free wireless internet.
But wait, Logan, you're all now thinking - two machines with the same
MAC address on the same network? Surely the router or gateway would go
mad! Or something like that. Well, I anticipated that, too - I had once
read an article about WEP hacking and in it was mentioned a way to send
a broadcast packet to tell certain clients to
disconnect/disassociate/deauthenticate from a certain SSID, again by
spoofing the MAC address to appear as if the packet were coming from
the router/gateway. Anyone know of a way to achieve this? If so, then
one would be able to construct a tool which rotated one's MAC address
among a list and sent out the appropriately spoofed packets to
ensure that the MAC address currently in use was not connected to the
network. Sure, one user at a time will have some wireless troubles, but
that's their problem to deal with.
And now for the granddaddy of them all - I got the MAC address of the
main gateway assigned to my laptop when I first connected wirelessly.
This device, I'm assuming, allows access only to its manufacturer's
special website for some legalese agreements & logins, etc. Now,
couldn't I change my MAC address to that of the main gateway, do the
same for the IP address, and flood the network with spoofed ARP packets
to, in essence, redirect all the traffic normally going to the gateway
to my laptop? I could then easily create a fake website which looked
like the real gateway, grab their user details, and send them along to
the real gateway. Don't know how much or what I could harvest with an
attack like that, but any comments would be appreciated to further
discuss! Another note: I believe an attack like this was described in
one of the "Stealing the Network" books (I'm not at home right now
otherwise I'd look it up since I've got the whole series): where a
student did something similar to grab the personal details of all the
registering students at a college who were creating accounts at the
school's "personal" website (you know, sites like my.mit.edu). He used
a tool, I think, called webmitmd to man-in-the-middle the secure server
on campus.
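The two scenarios raised above (a guest's MAC address being cloned on a MAC-authorised network, and the gateway's IP being claimed by a different MAC via spoofed ARP replies) are exactly what an operator-side ARP monitor in the arpwatch style is built to surface. The following is an added example written for this discussion, not code from the original post or from any hotel gateway product: it consumes a constructed log of ARP replies (timestamp, IP, MAC) as a network operator would see them from a mirror port, and raises an alert when the assumed gateway address 10.0.0.1 suddenly answers from a new MAC, or when one MAC is claimed by more than one IP. All addresses are constructed sample values.

```python
"""Added example (not from the original post): an arpwatch-style ARP monitor.

It keeps the IP -> MAC binding last seen for every IP and the set of IPs
each MAC has claimed, and emits alerts for:

  * GATEWAY_MAC_CHANGE      - the gateway IP now answers from a new MAC
                              (the ARP-redirection scenario in the post)
  * IP_MAC_CHANGE           - any other IP changes MAC (lower severity)
  * MAC_CLAIMS_MULTIPLE_IPS - one MAC is claimed by several IPs (a cloned
                              adapter on a MAC-authorised network)
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed gateway address for the sample network (constructed value).
GATEWAY_IP = "10.0.0.1"


@dataclass(frozen=True)
class ArpReply:
    ts: int    # observation time (seconds, constructed)
    ip: str    # sender protocol address from the ARP reply
    mac: str   # sender hardware address from the ARP reply


def parse_lines(text):
    """Parse 'ts ip mac' lines; blank lines and '#' comments are skipped."""
    replies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = line.split()
        replies.append(ArpReply(int(ts), ip, mac.lower()))
    return replies


class ArpMonitor:
    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                 # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed

    def observe(self, reply):
        """Update state with one ARP reply; return a list of alert tuples."""
        alerts = []

        # 1. Has this IP changed hardware address since we last saw it?
        prev = self.ip_to_mac.get(reply.ip)
        if prev is not None and prev != reply.mac:
            kind = ("GATEWAY_MAC_CHANGE" if reply.ip == self.gateway_ip
                    else "IP_MAC_CHANGE")
            alerts.append((kind, reply.ts, f"{reply.ip}: {prev} -> {reply.mac}"))
        self.ip_to_mac[reply.ip] = reply.mac

        # 2. Is one MAC now claiming more than one IP? Alert only when the
        #    set grows, so a steady duplicate does not re-fire every packet.
        ips = self.mac_to_ips[reply.mac]
        newly_claimed = reply.ip not in ips
        ips.add(reply.ip)
        if newly_claimed and len(ips) > 1:
            alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", reply.ts,
                           f"{reply.mac}: {sorted(ips)}"))
        return alerts


def run_monitor(replies, gateway_ip=GATEWAY_IP):
    """Feed all replies through one monitor and collect the alerts."""
    monitor = ArpMonitor(gateway_ip)
    alerts = []
    for reply in replies:
        alerts.extend(monitor.observe(reply))
    return alerts


# Constructed sample log: a gateway, two guests, then a cloned guest MAC and
# a second device claiming the gateway IP.
SAMPLE_LOG = """
1 10.0.0.1  aa:bb:cc:00:00:01
2 10.0.0.23 aa:bb:cc:00:00:23
3 10.0.0.42 aa:bb:cc:00:00:42
4 10.0.0.23 aa:bb:cc:00:00:23
5 10.0.0.77 aa:bb:cc:00:00:23
6 10.0.0.1  de:ad:be:ef:00:99
"""

if __name__ == "__main__":
    for kind, ts, detail in run_monitor(parse_lines(SAMPLE_LOG)):
        print(f"t={ts} {kind}: {detail}")
```

On the sample log the monitor stays quiet for the first four replies, then reports the guest MAC claiming a second IP at t=5 and the gateway address answering from a new MAC at t=6. In a real deployment the gateway alert is the one to page on; the MAC-duplication alert is also the simplest evidence that MAC-only authorisation of the kind described above has been circumvented, which is why such portals are better bound to a per-session credential than to a hardware address.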
That's all I've been brooding about over the past hour or so. I was
thinking more and more about it but really wanted a bunch of
knowledgeable experts I could share my thoughts with to further discuss
the feasibility, both technically and otherwise, of the possibility of
things like these actually happening. Because I'm sure with your
stimulating responses, I can learn much more than I could have trying
to research all of this!
That's it! Looking forward to some discussions!