Bypassing ShawOpen Wifi’s Captive Portal

Shaw, a local cable monopoly, has started offering businesses a free wifi with free internet connection if they allow the installation of a public wifi access point. If you are a Canadian in the western provinces you might have seen these networks under the name “ShawOpen”. The term open in this case is misleading since only customers with shaw accounts can access the internet. The entire thing is a clever branding of the 2.4GHz frequency and businesses love being able to “offer” wifi with no cash out of their pocket.

 

Meanwhile I’m sitting here in the doctor’s waiting room and I am bit less enthusiastic over the ordeal. If Shaw wasn’t offering this service there is a good chance my doctor would be providing usable internet. Instead all I can do is poke around inspecting things.

 

There is more to inspect than initial impressions give. ShawOpen allows unauthenticated users to browse Shaw’s webportal and other Shaw owned web properties.

 

The easy bypass is through DNS which is unrestricted. While most protocols are blocked for unauthenticated users DNS requests are often not. In general restricted wifi access points do not restrict DNS because it requires setting up a special DNS server and isn’t the easiest solution. Since it is a common work around you can use iodine to proxy your traffic. To my discredit I don’t have a dns2ip proxy setup on my server so this is no use to me.

 

Instead with an unknown period of waiting ahead I set about inspecting those Shaw owned web properties. The best list for our needs is found at the bottom of Shaw Connect Lite. The full version of connect can be found here over the full internet. http://www.shawconnect.ca/ which also contains the list.

 

What you want to use for this task is either Firefox Development Tools or Chrome Development Tools. The panel of interest is the network connections tab. This will show what resources have been requested by the page.

 

What we want to find is a request which contains another url in the get parameters. These requests may be going to a proxy which is allowed to access the real interenet. You will find some false starts and will want to ignore anything going to Twitter or Facebook as these requests are for the social media buttons.

 

What you want is something like this: http://www.globaltv.com/images/blank.gif?size=100×70&src=http://media.globaltv.com/uploadedimages/content/shows/remedy/remedy_castdillon_400x500.jpg

Notice how it includes a full url to another domain. This is what you want to look for and there are a few of them on different accessible websites. This exact image proxy requires us to specify a size value in the get request but will accept 0x0 to skip resizing.

 

Thus allowing us to request: http://www.globaltv.com/images/blank.gif?size=0x0&src=http://www2.warnerbros.com/spacejam/movie/img/p-jamlogo.gif

In theory you could tunnel IP through these image proxies to your own proxy similar to how iodine functions. Of course it is more fun to find these loop-holes than use them so you may just want to do that.

Leave a Reply

Your email address will not be published.