I’ve been through such scenario that I had to run some MITM attacks on the hotspot to sniff some passwords and all (It doesn’t work when using QNet hotspots since it blocks ARP packets)…
Poking around abit, I found these interesting tutorials:
TCP over ICMP
Another TCP over ICMP
IP over DNS
Take these three tutorials for a spin… Who knows, might work