
Using UA2F on OpenWrt to bypass campus network UA detection: a full case analysis

Some group members do not know how to use the UA2F software on CatWrt to bypass the campus network's UA detection, hence this article. The details of the corresponding school's service provider have been sanitized in this article, so please do not abuse it.

This article applies to all OpenWrt versions with LuCI 18.06 or later. If you are not using CatWrt, feel free to follow along anyway.

The project used in this article is Zxilly/UA2F.

UA2F author's blog: https://learningman.top/archives/304

Determining the Network

First, let me introduce our school's campus network. There are several types, each representing a different service provider (web page verification only, web page + app verification, app verification only).

The device I'm using is a J4105 soft router. When its WAN port is connected it obtains an IP address automatically through DHCP, and when a computer accesses the Internet, a QR code pops up on the mobile app for verification. I use Xiaohuangniao (HttpCanary) for man-in-the-middle packet capture, on a Xiaomi 10 with an unlocked bootloader and root obtained through Magisk. The CA root certificate module is installed from the "love playing machine" toolbox app. It seems that the man-in-the-middle certificate can also be installed manually without root, but I have not tested this.

Simply resending the captured packets with HttpCanary on the phone achieves the corresponding function. Analyzing the captured packets, we can see that there are login verification, device list, and disconnect links. We only need login verification, plus the device list for disconnection detection.

Script

Fortunately, I have a J4105 with our CatWrt system installed. Because the CatWrt software source does not include the Python3 package, we also need to use the default Tencent software source. Install python3 and python3-requests, and then write a script.

Yes, in OpenWrt, we use Python3 Requests to resend the packets. After parsing the captured packets, we send the following content to the backend: Cookie, Token, phone number, IP, school, UA, and other content...

The actual script is closed source and its processing logic is different. The following is only an example!

#!/usr/bin/python3
import os
import time
from threading import Thread
import requests

......

cookie_self = {
    "token": "1145141919=",
    "catwrt": "catwrt.v23.8",
}

data_self_check_pc = {
    "uid": "114514",
    "school": "whu",
    "ip": "172.168.1.4",
    "token": "1145141919=",
    "phones": "11451419",
}

header_self_auth = {
    "Host": "api.miaoer.xyz",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36)",
    "Content-Type": "application/x-www-form-urlencoded",
    'Connection': 'keep-alive',
    'Content-Length': '114',
    "Accept-Encoding": "gzip",
}

header_self_check = {
    "Host": "api.miaoer.xyz",
    "user-agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36)",
    "Content-Type": "application/x-www-form-urlencoded",
    'Connection': 'keep-alive',
    'Content-Length': '514',
    "Accept-Encoding": "gzip",
}

def auth_router():
    url_self = "http://api.miaoer.xyz/api/v2/network_auth"
    global auth_code_pc
    # send the POST request
    log_print("OpenWrt 正在认证喵~~")
    requests.encoding = 'utf-8'
    requests.post(url=url_self, headers=header_self_auth, data=data_self_auth_router, cookies=cookie_self)

......

Once the script is ready, place the file in /root and then install python3 and python3-requests.

opkg update

opkg install python3 python3-requests

Add the script to the scheduled tasks (cron), because the script may be killed unexpectedly.

*/15 * * * 5,6 /usr/bin/python3 /root/auth.py
*/15 6-23 * * 1,2,3,4,7 /usr/bin/python3 /root/auth.py

Run it and enjoy easy internet access. In actual use, however, some websites served over plain HTTP (port 80) display "stop sharing network", so UA2F is needed.

UA2F Installation

Because testing is finished at this point and the soft router needs to stay in service at home, I bought a Xiaomi Redmi AC2100 for campus network sharing.

CatWrt has supported UA2F since then. The network is already authenticated, and the software sources we use are all served over HTTPS (port 443). Because that traffic is encrypted, it passes UA detection.

First, follow the blog post "CatWrt Extension Application Installation, Universal for the Entire Series" to fill in the software source.

Pull the software source index file and install UA2F. If you previously used the Tencent source to install Python3, you need to run rm -f /var/lock/opkg.lock (or reboot) to clean up the index file of the default Tencent source, then fill in the CatWrt source under the distribution software sources and refresh the list with opkg update.

opkg update

opkg install ua2f

Example

BusyBox v1.35.0 (2022-12-09 10:18:58 UTC) built-in shell (ash)

   _____     _             _
  |     |___| |_ _ _ _ ___| |_
  |   --| .'|  _| | | |  _|  _|
  |_____|__,|_| |_____|_| |_|
 W I R E L E S S   F R E E D O M

==================================
  Catwrt - miaoer.xyz - v22.12
Lean OpenWrt source r5525-7979de9ed
==================================
root@CatWrt:~# opkg update
Downloading https://catwrt.eu.org/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://catwrt.eu.org/targets/ramips/mt7621/packages/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://catwrt.eu.org/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://catwrt.eu.org/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://catwrt.eu.org/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://catwrt.eu.org/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://catwrt.eu.org/mipsel_24kc/telephony/Packages.sig
Signature check passed.
root@CatWrt:~# opkg install ua2f
Package ua2f (3.10-1) installed in root is up to date.
root@CatWrt:~#

UA2F Configuration

To configure UA2F, you can copy the uci commands from the README. Here, so that it starts automatically, I wrote a separate Bash script, which I named ua.sh.

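#!/bin/bash
# Enable UA2F
uci set ua2f.enabled.enabled=1
# Let UA2F add its firewall rules automatically
uci set ua2f.firewall.handle_fw=1
# Also handle traffic on port 443, WeChat mmtls traffic, and intranet traffic
uci set ua2f.firewall.handle_tls=1
uci set ua2f.firewall.handle_mmtls=1
uci set ua2f.firewall.handle_intranet=1
# Apply the configuration
uci commit ua2f
# Start on boot, then start now
service ua2f enable
service ua2f start
echo "Enjoy it!"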

Then add it to the local startup script (Startup - Local Startup) so that UA2F is started at boot.

/sbin/mtkwifi up

/usr/bin/python3 /root/auth.py

/bin/bash /root/ua.sh

exit 0

Before rebooting, let's test it by running ./ua.sh. We can use the website http://ua.233996.xyz to check the UA.

You can see that the UA in plain HTTP (port 80) traffic has been processed and changed to FFFFF.... If you are using the CatWrt v23.5+ version obtained from the software source, it is replaced with my Windows UA instead:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
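
Seen from the gateway side, the User-Agent header in plaintext HTTP is a sharing signal: several device families behind one authenticated IP stand out, and so does an all-'F' rewritten UA like the one shown above. The following is an added example, not code from the original post or from UA2F; the sample requests, the family markers and both thresholds are constructed assumptions, not a description of any real provider's detection.

```python
import re
from collections import defaultdict

def req(ua, name="User-Agent"):
    """Build a constructed plaintext HTTP request head carrying the given UA."""
    return f"GET / HTTP/1.1\r\nHost: site.example\r\n{name}: {ua}\r\n\r\n"

# Constructed sample: (client IP seen by the gateway, request head). Not real traffic.
SAMPLE = [
    ("10.0.0.5", req("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0.0.0")),
    ("10.0.0.5", req("Mozilla/5.0 (Linux; Android 10; K) Mobile Safari/537.36", "user-agent")),
    ("10.0.0.5", req("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)")),
    ("10.0.0.9", req("F" * 40)),
    ("10.0.0.7", req("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0.0.0")),
]

# Ordered markers: Android UAs contain "Linux" and iOS UAs contain "Mac OS X".
FAMILIES = [("android", "Android"), ("ios", "iPhone"), ("ios", "iPad"),
            ("windows", "Windows NT"), ("macos", "Mac OS X"), ("linux", "Linux")]

def user_agent(head):
    """Return the User-Agent value of a request head, or None if absent."""
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip()
    return None

def family(ua):
    """Map a UA string to a coarse device family."""
    if re.fullmatch(r"F{8,}", ua):  # assumed threshold for an all-'F' rewritten UA
        return "padded"
    return next((fam for fam, marker in FAMILIES if marker in ua), "other")

def analyse(records, max_families=2):
    """Label each client IP; max_families is an assumed threshold, not from the page."""
    seen = defaultdict(set)
    for ip, head in records:
        ua = user_agent(head)
        if ua is not None:
            seen[ip].add(family(ua))
    return {ip: ("rewritten-ua" if "padded" in f else
                 "multiple-devices" if len(f) > max_families else "ok")
            for ip, f in seen.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```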


Enjoy~

This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.miaoer.xyz/posts/network/openwrt-ua2f

