Want to know how quickly travelers and hotel networks can be compromised? On a recent trip, Nabil Ouchn (@toolswatch) decided to do some security analysis with a piece of hardware called the PwnPad – a penetration testing tablet – and a few other tools to see what kind of mischief he could get into.

Ouchn is the founder of ToolsWatch.org and has organized the Arsenal tools exhibit at the Black Hat conferences in both the US and Europe since 2011. ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest resources.

Ouchn has over 15 years of experience in vulnerability management, compliance assessment and penetration testing, and is co-founder of a SaaS multi-engine threat-scanning solution. His adventure began one day at an undisclosed European airport, where he had a layover while waiting for a connecting flight to another country.

“I had an hour to kill before catching my flight, and I thought I’d do a little fooling around with one of my favorite weapons on the PwnPad: EvilAP,” Ouchn said.

EvilAP can be configured to force clients to connect based on their device’s probe requests: it answers any probe request frame a client sends, whatever network name the client is looking for, so the client associates with the rogue access point.

“No authentication is required, so the connection is completed without the target noticing anything unusual. All they think is they got access to an unlimited 3G internet connection,” Ouchn said.

“To make things seem even more legit, I chose a very catchy and suggestive name for my WiFi connection; it was something like “Free_wifi_[popular_store_name]”, when in fact I was just sitting near a chocolate store waiting for the first fly to hit my web.”

Along with EvilAP, Ouchn fired up two other tools: SSLstrip, which transparently hijacks HTTP traffic on a network, and Ettercap, which performs the Man-in-the-Middle (MitM) attack by relaying the target’s requests from the fake EvilAP connection to a legitimate 3G uplink and then handing them to SSLstrip for the HTTPS stripping attack Moxie Marlinspike described years ago.
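The probe-request behaviour described above is also what gives a rogue access point away: a real AP answers probe requests only for the SSIDs it serves, while an AP in this mode answers whatever name a nearby client asks for. The following detector, an added example that is not part of the article or of the PwnPad/EvilAP tooling, flags any BSSID whose probe responses cover most of the SSIDs that clients around it probed for. The frame records, MACs and SSIDs are constructed; a wireless IDS sensor or monitor-mode capture would supply the real ones.

```python
"""Spot a probe-response ("karma") rogue AP in Wi-Fi management-frame records.

Added example, not from the article. A legitimate AP answers probe requests only
for its own SSIDs; a rogue AP that accepts any probe request answers all of them.
"""
from collections import defaultdict

# Constructed sample: (frame type, transmitter MAC, SSID). All values are invented.
SAMPLE_FRAMES = [
    ("probe_req",  "c0:ff:ee:00:00:01", "HomeNet-5G"),
    ("probe_req",  "c0:ff:ee:00:00:02", "linksys"),
    ("probe_req",  "c0:ff:ee:00:00:03", "CorpWLAN"),
    ("probe_req",  "c0:ff:ee:00:00:01", "Free_wifi_Coffee"),
    # BSSID ...aa:01 answers every SSID it hears: the rogue-AP pattern.
    ("probe_resp", "02:00:00:00:aa:01", "HomeNet-5G"),
    ("probe_resp", "02:00:00:00:aa:01", "linksys"),
    ("probe_resp", "02:00:00:00:aa:01", "CorpWLAN"),
    ("probe_resp", "02:00:00:00:aa:01", "Free_wifi_Coffee"),
    # BSSID ...bb:02 is the venue's real AP: it only answers for its own SSID.
    ("probe_resp", "02:00:00:00:bb:02", "Free_wifi_Coffee"),
    ("probe_resp", "02:00:00:00:bb:02", "Free_wifi_Coffee"),
]


def karma_suspects(frames, min_ratio=0.75, min_ssids=2):
    """Return {bssid: coverage} for APs that answered >= min_ratio of probed SSIDs.

    coverage is the fraction of distinct client-probed SSIDs that the BSSID has
    answered with a probe response. min_ssids stops a single coincidental match
    (a client probing for the venue's own SSID) from flagging a legitimate AP.
    """
    probed = set()
    answered = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_req":
            probed.add(ssid)
        elif kind == "probe_resp":
            answered[mac].add(ssid)
    if not probed:
        return {}
    result = {}
    for bssid, ssids in answered.items():
        covered = ssids & probed
        ratio = len(covered) / len(probed)
        if len(covered) >= min_ssids and ratio >= min_ratio:
            result[bssid] = round(ratio, 2)
    return result


if __name__ == "__main__":
    for bssid, ratio in karma_suspects(SAMPLE_FRAMES).items():
        print(f"suspect rogue AP {bssid}: answers {ratio:.0%} of probed SSIDs")
```

The thresholds are tunable: lowering `min_ratio` and `min_ssids` makes the check more sensitive but will start flagging multi-SSID venue APs, so a sensor should compare against the list of SSIDs it is actually supposed to see.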

It was not very long before Ouchn got his first targets:

Got an auth request from 00:26:37:B5:0D:5D (open system)
Client 00:26:37:B5:0D:5D associated (unencrypted) to ESSID: “free_wifi_xxxx”

Got an auth request from 30:85:A9:65:F2:73 (open system)
Client 00:26:37:B5:0D:5D associated (unencrypted) to ESSID: “free_wifi_xxxx”

Shortly thereafter, SSLstrip started to hijack all the HTTP and HTTPS traffic:

09:12:25,862 SECURE POST Data (auth.mail.ru):
09:12:30,791 POST Data (events20staging.adtilt.com):
09:12:30,817 POST Data (events20staging.adtilt.com):
09:12:35,610 POST Data (data.flurry.com):

“For security reasons, I masked the password and login in the example above,” Ouchn said. “A quick look at the target’s email (for curiosity only, and not for doing bad things) revealed the identity of the target, who was a businessman from Russia. His email was full of credentials to many of his accounts like banking, other email accounts, Skype, Facebook, and more. So I stopped there.”

Ouchn said he was able to enumerate six other logins and passwords in just a half hour.

“This attack is one of the easiest because it targeted users and not the airport IT infrastructure. Why would an attacker spend a lot of time digging into the airport systems when users are such easy prey?” Ouchn said rhetorically. “I then closed my computer to catch my flight to the next hub.”

Several hours later, after having missed his next connection, Ouchn said the airline put him up in a wonderful hotel to rest; his flight departed the next morning.

“Of course curiosity would not let me sleep once I found out that the room was equipped with an Alcatel VoIP phone and I saw the system options were not protected,” Ouchn recalled. “When system administrators make such a big mistake, you can assume that the whole network is wide open.”

Armed with the WiFi code the hotel staff provided, Ouchn connected to the network with his Android smartphone and used an application called “Fing,” which performs network and service discovery in a matter of seconds and gave him a list of connected devices.

It being the middle of the night, no guests were connected, so targeting users was not an option. Unwilling to relent, Ouchn tried for a little serendipity.

“I wanted to figure out if any of those hotel IT administrators had ever attended a security convention before, or had even read a book on hacking,” he said. “I fired up Fing on my computer and started scanning – here’s what I found:”

$ sudo fing -s -r 1 -d 1
05:22:56 > Service scan on a local network
05:22:56 > Preemptive discovery on:
05:23:00 > Preemptive discovery completed.
05:23:00 > Service scan on:
05:23:00 > Service scan starting.
05:23:00 > Detected MAC address: 00:00:5E:00:01:1E
05:23:07 > Service scan completed in 6.664 seconds.
05:23:07 > Service scan on:
05:23:07 > Service scan starting.
05:23:07 > Detected MAC address: 00:E0:B1:E1:2E:03
05:23:07 > Detected service:    21 (ftp)
05:23:07 > Detected service:    23 (telnet)
05:23:07 > Detected service:    22 (ssh)
05:23:07 > Detected service:    80 (http)
05:23:07 > Detected service:   443 (https)
05:23:13 > Detected firewall
05:23:13 > Service scan completed in 6.233 seconds.
05:23:13 > Service scan on:
etc. …

“The device at that address seemed to be a good place to start,” Ouchn said. “When connecting to TCP/80, it revealed a WebView for Alcatel-Lucent. One of the first things any security pentester will do is try default credentials. So my own project DPE came in handy, and I pulled up all the default credentials for Alcatel.”

And guess what? The admin/switch combination worked:


He then captured a telnet session using the same credentials:


Connected to
Escape character is ‘^]’.

login : admin
password :

Welcome to the Alcatel-Lucent OmniSwitch 9000
Software Version GA, April 08, 2010
Copyright(c), 1994-2010 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.

XXXX # ?

“In fact, I was in front of the Alcatel-Lucent OmniSwitch 9000,” Ouchn said. “If this switch were hit by a malicious attacker or even just a joker, he could modify configurations, change administrator passwords, and go even further, since the OmniSwitch 9000 was the core network device of this five-star hotel:”


Ouchn found other administrator accounts, listed below (logins are obfuscated for security reasons); note that no password policy is being applied:


“I was on my way to closing my computer down, as the clock was ticking on the time-out, when I decided to try one last thing,” Ouchn said. “I tried getting a connection to the switch’s FTP service, and I was rewarded:”

Listing Directory /flash/working:
-rw   3303906 Jun  8  2018 Jdiag.img
-rw      9645 Sep 12  2012 boot.cfg
-rw       744 Jun  5  2018 software.lsm
-rw    581967 Jun  5  2018 Jsecu.img
-rw   3258135 Jun  8  2018 Jdni.img
-rw   2859888 Jun  5  2018 Jadvrout.img
-rw  21798508 Jun  5  2018 Jbase.img
-rw   6497127 Jun  5  2018 Jeni.img
-rw   2151785 Jun  5  2018 Jos.img

“I focused my attention on the boot.cfg file which revealed the whole internal network of IP addresses:”

ip interface “Users” address mask vlan 110 ifindex 1
ip interface “Guest” address Xxxxxxxxx mask vlan 150 ifindex 2
ip interface “Wifi-Guest” address Xxxxxxxxx mask vlan 160 ifindex 3
ip interface “CCTV” address Xxxxxxxxx mask vlan 170 ifindex 4
ip interface “Mgmt” address Xxxxxxxxx mask vlan 200 ifindex 5
ip interface “AP” address Xxxxxxxxx mask vlan 240 ifindex 6
ip interface “Voice” address Xxxxxxxxx mask vlan 120 ifindex 7
ip interface “Internet” address Xxxxxxxxx mask vlan 999 ifindex 8
ip interface “Test” address Xxxxxxxxx mask vlan 99 ifindex 9
ip interface “Guest1” address Xxxxxxxxx mask vlan 12 ifindex 10
ip interface “Guest2” address mask vlan 13 ifindex 11
ip interface “Guest3” address Xxxxxxxxx mask vlan 14 ifindex 12

“Fabulous, I thought. I wish I had one more hour, since now I knew exactly which networks belong to which categories of service, ranging from guests (folks like me) to users (hotel employees), CCTV, AP, Voice (VoIP phones), etc…” Ouchn said. “This line in the configuration file caught my attention:”

snmp station 162 “xxxxxx” v1 enable

“This reminded me of a login I found previously in the OmniSwitch local users – there was actually an administrator located in the ‘Users’ VLAN, so it all made sense,” Ouchn continued. “The next logical step was to scan this computer. Normally, if the switch were well configured, I could not do such an action. I looked at the boot.cfg configuration I’d downloaded and, luckily for me, the ‘policy rules’ for denying inter-VLAN communications were not enabled. The switch was configured with no security hardening in mind. The scan of the admin computer revealed the following:”

05:58:43 > Service scan on:
05:58:43 > Service scan starting.
05:58:43 > Detected service:   135 (msrpc)
05:58:43 > Detected service:   139 (netbios-ssn)
05:58:43 > Detected service:   389 (ldap)
05:58:43 > Detected service:   445 (microsoft-ds)
05:58:43 > Detected service:   636 (ldapssl)
05:58:43 > Detected service:  3389 (ms-term-serv)
05:58:43 > Detected service:  3999 (remoteanything)
05:58:46 > Detected firewall
05:58:46 > Service scan completed in 2.984 seconds
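Both Fing listings in this story (the switch with ftp/telnet/http exposed, and the administrator’s workstation reachable from a guest VLAN with RDP and SMB open) are the kind of output a network owner should be reading before a visitor does. The script below is an added example, not Fing’s own code: it parses that listing format into a per-host inventory and flags the two exposures the article illustrates. The port lines in the sample are copied from the listings above; the host addresses after “Service scan on:” are constructed placeholders, because the article elides them.

```python
"""Parse Fing-style service-scan output and flag risky exposures.

Added example; not part of Fing or of the article. Hosts in SAMPLE_SCAN are
placeholders from the documentation range, the port lines mirror the article.
"""
import re

SAMPLE_SCAN = """\
05:23:00 > Service scan on: 192.0.2.1
05:23:00 > Service scan starting.
05:23:00 > Detected MAC address: 00:00:5E:00:01:1E
05:23:07 > Service scan completed in 6.664 seconds.
05:23:07 > Service scan on: 192.0.2.2
05:23:07 > Service scan starting.
05:23:07 > Detected MAC address: 00:E0:B1:E1:2E:03
05:23:07 > Detected service:    21 (ftp)
05:23:07 > Detected service:    23 (telnet)
05:23:07 > Detected service:    22 (ssh)
05:23:07 > Detected service:    80 (http)
05:23:07 > Detected service:   443 (https)
05:23:13 > Detected firewall
05:23:13 > Service scan completed in 6.233 seconds.
05:58:43 > Service scan on: 192.0.2.50
05:58:43 > Service scan starting.
05:58:43 > Detected service:   135 (msrpc)
05:58:43 > Detected service:   139 (netbios-ssn)
05:58:43 > Detected service:   389 (ldap)
05:58:43 > Detected service:   445 (microsoft-ds)
05:58:43 > Detected service:   636 (ldapssl)
05:58:43 > Detected service:  3389 (ms-term-serv)
05:58:43 > Detected service:  3999 (remoteanything)
05:58:46 > Detected firewall
05:58:46 > Service scan completed in 2.984 seconds
"""

HOST_RE = re.compile(r"Service scan on:\s*(\S*)")
MAC_RE = re.compile(r"Detected MAC address:\s*([0-9A-Fa-f:]{17})")
SVC_RE = re.compile(r"Detected service:\s*(\d+)\s*\(([^)]+)\)")

# Management protocols that carry credentials in the clear.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet", 80: "http"}
# Remote-administration ports that must not be reachable from a guest network.
REMOTE_ADMIN = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds", 3389: "rdp"}


def parse_fing(text):
    """Return a list of {host, mac, services{port: name}, firewall} dicts, one per scanned host."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            # "Service scan on:" with nothing after it (as in the article) becomes "(unknown)".
            cur = {"host": m.group(1) or "(unknown)", "mac": None, "services": {}, "firewall": False}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first per-host section
        m = MAC_RE.search(line)
        if m:
            cur["mac"] = m.group(1).upper()
            continue
        m = SVC_RE.search(line)
        if m:
            cur["services"][int(m.group(1))] = m.group(2)
        elif "Detected firewall" in line:
            cur["firewall"] = True
    return hosts


def risk_findings(hosts):
    """Return (host, finding, sorted ports) for every host with a flagged exposure."""
    findings = []
    for h in hosts:
        ports = set(h["services"])
        clear = sorted(ports & set(CLEARTEXT_ADMIN))
        if clear:
            findings.append((h["host"], "cleartext-management", clear))
        remote = sorted(ports & set(REMOTE_ADMIN))
        if remote:
            findings.append((h["host"], "remote-admin-reachable", remote))
    return findings


if __name__ == "__main__":
    for host, finding, ports in risk_findings(parse_fing(SAMPLE_SCAN)):
        print(f"{host}: {finding} on ports {ports}")
```

Run from the segment a guest would actually sit in (the guest VLAN), the second finding is the one that matters: anything in the remote-admin category answering from there means inter-VLAN filtering is missing, regardless of how strong the passwords happen to be.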

Ouchn said he had the choice of doing it the complicated way, using Metasploit and searching for the appropriate exploits, or simply focusing on an exposed remote service.

“The remote desktop (RDP) was enabled, and I also remembered that password policy was not their strength. So, fingers crossed, I launched my RDP client and tried to get access with the password as the login,” Ouchn said. “To my very big surprise, it worked.”

“I immediately disconnected from the host without even taking a snapshot. I then quickly tried connections to more than five switches belonging to the other services (VoIP, CCTV…) and they all accepted default passwords,” Ouchn said.

“I was in for less than one hour and gained access to six of the most important switches for the network and also accessed the computer of the IT Security Administrator at a major five star hotel, but I had to leave to catch my cab to the airport,” he said.
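Everything Ouchn found inside the hotel network comes down to three configuration checks: SNMP v1 stations with cleartext community strings, no policy rules separating the guest VLANs from the Users, Mgmt, CCTV and Voice VLANs, and accounts with default or login-equal passwords. The audit script below is an added example, not the article’s tooling and not vendor code. Its sample boot.cfg is constructed: it mirrors the ip interface and snmp station lines quoted above with placeholder addresses and masks filled in, and the account list is invented apart from the admin/switch default the article reports. Treating ‘policy rule’ lines as the marker of inter-VLAN filtering is an assumption about the OmniSwitch configuration syntax and should be checked against the switch’s own manual.

```python
"""Audit an OmniSwitch-style boot.cfg and a local account list for the
weaknesses described in the article. Added example, not vendor code.
"""
import re

# Constructed config: mirrors the article's boot.cfg lines with placeholder addresses.
SAMPLE_BOOT_CFG = """\
ip interface "Users" address 10.110.0.1 mask 255.255.255.0 vlan 110 ifindex 1
ip interface "Guest" address 10.150.0.1 mask 255.255.255.0 vlan 150 ifindex 2
ip interface "Wifi-Guest" address 10.160.0.1 mask 255.255.255.0 vlan 160 ifindex 3
ip interface "CCTV" address 10.170.0.1 mask 255.255.255.0 vlan 170 ifindex 4
ip interface "Mgmt" address 10.200.0.1 mask 255.255.255.0 vlan 200 ifindex 5
ip interface "Voice" address 10.120.0.1 mask 255.255.255.0 vlan 120 ifindex 7
snmp station 10.110.0.20 162 "public" v1 enable
"""

# Constructed accounts (login, password); admin/switch is the default pair the article reports.
SAMPLE_USERS = [("admin", "switch"), ("netadmin", "NetAdmin"),
                ("ops", "short1"), ("noc", "correct horse battery staple")]
DEFAULT_CREDS = {("admin", "switch")}

IFACE_RE = re.compile(r'^ip interface "([^"]+)" address (\S+) mask (\S+) vlan (\d+)')
SNMP_RE = re.compile(r'^snmp station (\S+) \d+ "([^"]*)" (v[123]) enable')
GUEST_NETS = {"Guest", "Wifi-Guest", "Guest1", "Guest2", "Guest3"}
SENSITIVE_NETS = {"Users", "Mgmt", "CCTV", "Voice", "AP"}


def parse_boot_cfg(text):
    """Extract ip interfaces, snmp stations and a count of 'policy rule' lines (assumed syntax)."""
    cfg = {"interfaces": [], "snmp_stations": [], "policy_rules": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            cfg["interfaces"].append({"name": m.group(1), "address": m.group(2),
                                      "mask": m.group(3), "vlan": int(m.group(4))})
            continue
        m = SNMP_RE.match(line)
        if m:
            cfg["snmp_stations"].append({"host": m.group(1), "community": m.group(2),
                                         "version": m.group(3)})
            continue
        if line.startswith("policy rule "):
            cfg["policy_rules"] += 1
    return cfg


def audit_config(cfg):
    """Return finding strings for cleartext SNMP and missing inter-VLAN policy."""
    findings = []
    for st in cfg["snmp_stations"]:
        if st["version"] != "v3":  # v1/v2c send the community string in the clear
            findings.append(f"snmp-{st['version']}: station {st['host']} uses a "
                            f"cleartext community; migrate to SNMPv3")
    names = {i["name"] for i in cfg["interfaces"]}
    guest = sorted(names & GUEST_NETS)
    sensitive = sorted(names & SENSITIVE_NETS)
    if guest and sensitive and cfg["policy_rules"] == 0:
        findings.append(f"no-inter-vlan-policy: guest VLANs {guest} are routed to "
                        f"{sensitive} with no policy rules")
    return findings


def audit_local_users(users, default_creds=DEFAULT_CREDS, min_len=12):
    """Return finding strings for default, login-equal and short passwords."""
    findings = []
    for login, password in users:
        if (login, password) in default_creds:
            findings.append(f"default-credential: {login}")
        elif password.lower() == login.lower():
            findings.append(f"password-equals-login: {login}")
        elif len(password) < min_len:
            findings.append(f"short-password: {login}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_boot_cfg(SAMPLE_BOOT_CFG)) + audit_local_users(SAMPLE_USERS):
        print(finding)
```

The user-list check only catches the policy failures that can be seen from the outside (default pairs and password-equals-login); a real audit would pull the switch’s configured password policy and user database over an authenticated, encrypted session rather than from an FTP-readable boot.cfg.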


Ouchn emphasizes that the techniques he used are among the simplest available; he did not need SQL injection, cross-site scripting (XSS), CSRF or any of the more sophisticated attacks he might use during a challenging pentest.

“Putting together these basic techniques for a security breach may lead in turn to a major compromise,” Ouchn said of the experiment. “It took me less than one hour to access part of a hotel network, and I didn’t even have time to play with tools like Armitage to get at more.”

“And while major airports may have a decent IT infrastructure, they ignore travelers’ security. I mean, have you ever seen an awareness message in an airport about being cautious when using the WiFi? I haven’t,” he said, noting that, in his view, using a VPN to access accounts is the only legitimate way to protect yourself.

“Do the airports have a responsibility towards protecting their customers? The same applies to hotels, where the basic principles of security are not being applied,” Ouchn said.

“What does it cost to deploy a decent compliance and vulnerability management solution? There are plenty of choices ranging from open source and free software like SecureCheq and OVAL for compliance, CIS guides for hardening, etc… as well as commercial solutions,” Ouchn said.

“Anyone who reads this post should be advised that neither airports nor hotels are doing what should be done to improve IT security, so be smart.”


  • Davdi

    I'll happily use free wifi at airports on my laptop… using a Linux Live DVD for browsing. I won't visit any sites which require login credentials though.

    I visit Spain quite regularly, and use the free WiFi in a local bar. They have WPA2-PSK security and change their (random) password regularly.

    • Ron

WPA won't really help you; if somebody knows the PSK they can stand up a fake AP.

  • mav

    What is the point of this article? That the guy broke the law and then bragged about it? We all do this whenever we are bored in a public place although many of us can do it manually without having pre-built scripts, we just don't tell the world how we broke several laws. Sounds to me more like a kid who got a new bb gun and while he was told it wasn't a toy still couldn't help but shoot the neighborhood kids.

    • http://yourmortgageoryourlife.com Paisano1

On one hand you criticize Nabil for exposing how vulnerable systems are, then on the other you brag that you do this all the time manually – not a very consistent argument. He did not "shoot the neighborhood kids," did nothing malicious, damaged nothing, stole nothing. Though technically not legal, sometimes WhiteHats do things that push the bounds of lawfulness in order to bring vulnerabilities and weaknesses to light.

  • http://twitter.com/PedroStephano @PedroStephano

    The OmniSwitch had a default password combo. I'm relatively certain that the DFU for same includes the words "you are strongly advised to change the settings to a different password from the default" or similar.
For the IT security folks there to have not done so is surely the equivalent of leaving your front door, back door, windows and garage all wide open when you leave home. Yes, I know I've used the word "security", but I don't think it applies here.

    If you leave your doors and windows open and get burgled, both your insurance company and the police will look upon the lack of security unfavourably. Surely the same principle applies here? No damage and a strong message = a good article methinks.

    • http://yourmortgageoryourlife.com Paisano1

      Thanks Pedro – we have caught some flak for the less-than-legal nature of the activities, which I anticipated, but with no harm/no foul, the awareness factor overcame any hesitations.

  • Michael

Cool stuff, great post. I've always wanted to venture off and explore the weaknesses at an airport, but when you truly put it into perspective, most of your victims are going to be at the gates (already through airport security), so this brings up the point of how far an attacker will go to lure their victims. Will they buy an airfare ticket just to hack? Or when they do fly, will they arrive hours and hours early just to get their hands on whatever they can? Brings up interesting topics for discussion. I myself, who has been traveling more frequently of late, don't know how people have time to play around and hack at airports, as it always seems everyone's in a rush with a very limited time window of opportunity to explore what you can get.

  • http://hackersonlineclub.com Priyanshu

    Nothing is secure.. Thanks for the information.. :)

  • Casey

    Thanks because of this great post right here, you recognize which mobile phones are extremely essential for people.


    • http://yourmortgageoryourlife.com Paisano1

      He did not do anything malicious, so your comparison to shooting kids with a BB gun is completely off base. A better comparison would be that he said, "this door should be locked, but it's not, look I can open it." Those who should be scolded are the ones who leave travelers and guests – and their own organizations – wide open to those others who may indeed have nefarious objectives.

  • Chris Payne

    Very nice :)

  • Tofast

    yes, No damage and a strong message = a good article methinks.

  • Imran

    Good work..

  • Vishal

Very nice article. Great method to hack hotel networks. We can even hack the hotel's cameras. I have seen people doing it.

  • Nandan Raj

I have gained access to the administrator of a wifi named Netlit, which is an open wifi and requires a login to gain access to the internet. This wifi has open ports 21, 22, 23, 80, 8080. So can I use these open ports to access free internet using VPN hacking?

  • james

    I have gained access to administrator of a wifi named Netlit which is a open wifi and requires a login to gain.
