Miaoer's Little Blog (喵二の小博客), xLog mirror of https://www.miaoer.net

Using UA2F on OpenWrt to bypass campus network UA detection: a complete worked case

Given that some group members are unable to use CatWrt's UA2F software to bypass the UA detection of the campus network, this article has processed the corresponding service providers of the respective schools. Please do not misuse it. This tutorial only demonstrates sharing the campus network and is not intended for cracking paid systems.

This article is applicable to all OpenWrt LuCI 18.06+, and if you are not using CatWrt, you can still proceed with confidence.

The project being discussed this time is Zxilly/UA2F

UA2F author's blog: https://learningman.top/archives/304

Determine the Network

First, let me introduce our school's campus network, which has several types representing different service providers (web verification only, web + APP verification, APP verification only).

The device I am using is a J4105 soft router whose WAN port obtains an IP automatically via DHCP. When a computer tries to access the internet, the network hijacks the request and pops up a QR code that has to be verified in the mobile app. I use the HttpCanary tool for man-in-the-middle packet capture. My phone is a Xiaomi 10 with an unlocked bootloader, rooted with Magisk, and I installed the CA root certificate module from the Love Play ToolBox. It seems you can also do the man-in-the-middle capture without root by installing the certificate manually, but I haven't tested that.

Simply resending the captured packets from the phone with HttpCanary reliably reproduces the corresponding functionality. Analyzing the captured packets reveals three requests: login verification, device list, and disconnect link.

Here, we only need to use login verification and device list for disconnection detection.

Script

Conveniently, I have a J4105 that has been flashed with our CatWrt system. Since the CatWrt software source does not include the Python3 package, we need to use the default Tencent software source to install both Python3 and Python3-requests. Next, we will write a script.

On OpenWrt, the packets are resent with Python3 Requests. The captured content is lightly parsed, and the following fields are sent to the backend: Cookie, Token, phone number, IP, school, UA, and so on.

The real content is closed source and the script's processing logic is not shared; what follows is only an example! You can hand the packets you captured to ChatGPT and have it write one; AI is quite smart now.

#!/usr/bin/python3
import os
import time
from threading import Thread
import requests

……

cookie_self = {
    "token": "1145141919=",
    "catwrt": "catwrt.v23.8",
}

data_self_check_pc = {
    "uid": "114514",
    "school": "whu",
    "ip": "172.168.1.4",
    "token": "1145141919=",
    "phones": "11451419",
}

header_self_auth = {
    "Host": "api.miaoer.xyz",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36)",
    "Content-Type": "application/x-www-form-urlencoded",
    'Connection': 'keep-alive',
    'Content-Length': '114',
    "Accept-Encoding": "gzip",
}

header_self_check = {
    "Host": "api.miaoer.xyz",
    "user-agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36)",
    "Content-Type": "application/x-www-form-urlencoded",
    'Connection': 'keep-alive',
    'Content-Length': '514',
    "Accept-Encoding": "gzip",
}

def auth_router():
    url_self = "http://api.miaoer.xyz/api/v2/network_auth"
    global auth_code_pc
    # Resend the captured login request as a POST.
    # log_print and data_self_auth_router are not shown in this excerpt.
    log_print("OpenWrt is authenticating~~")
    requests.post(url=url_self, headers=header_self_auth, data=data_self_auth_router, cookies=cookie_self)

……

After processing the script, place the file in /root, then install Python3 and requests.

opkg update

opkg install python3 python3-requests

We will add the script to the scheduled tasks, as the script may be unexpectedly killed.

*/15 * * * 5,6 /usr/bin/python3 /root/auth.py
*/15 6-23 * * 1,2,3,4,7 /usr/bin/python3 /root/auth.py

Run it, and surf the internet easily. However, upon closer inspection, some http:80 websites will display a message to stop sharing the network, so UA2F will be needed.

UA2F Installation

Since it has been tested and confirmed to work, the soft router will continue to stay on standby at home. I found a XiaoMi Redmi AC2100 for campus network sharing.

CatWrt now supports UA2F, and at this point the network is already authenticated. The software sources we use are all served over HTTPS (port 443), so they get past UA detection because the traffic, including the User-Agent header, is encrypted.

First, we follow the blog CatWrt Application Installation, Universal for All Ecosystems to fill in the latest software sources for the corresponding device.

Pull the software source index file and install UA2F. If you previously installed Python3 using the Tencent source, you need to either run rm -f /var/lock/opkg.lock to clean up the default Tencent source index file or restart. Then fill in the CatWrt distribution software sources and refresh the list with opkg update.

opkg update

opkg install ua2f

Example

BusyBox v1.35.0 (2022-12-09 10:18:58 UTC) built-in shell (ash)

   _____     _             _
  |     |___| |_ _ _ _ ___| |_
  |   --| .'|  _| | | |  _|  _|
  |_____|__,|_| |_____|_| |_|
 W I R E L E S S   F R E E D O M

==================================
  Catwrt - miaoer.xyz - v22.12
Lean OpenWrt source r5525-7979de9ed
==================================
root@CatWrt:~# opkg update
Downloading https://catwrt.eu.org/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://catwrt.eu.org/targets/ramips/mt7621/packages/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://catwrt.eu.org/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://catwrt.eu.org/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://catwrt.eu.org/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://catwrt.eu.org/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading https://catwrt.eu.org/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://catwrt.eu.org/mipsel_24kc/telephony/Packages.sig
Signature check passed.
root@CatWrt:~# opkg install ua2f
Package ua2f (3.10-1) installed in root is up to date.
root@CatWrt:~#

UA2F Configuration

To configure UA2F, you can copy the uci commands directly from the README, but here I wrote a separate Bash startup script named ua.sh. It doesn't have to be Bash; I used it only because it was available on the system. If Bash is not installed, change the shebang to #!/bin/sh and run the script with /bin/sh /root/ua.sh.

#!/bin/bash
uci set ua2f.enabled.enabled=1
uci set ua2f.firewall.handle_fw=1
uci set ua2f.firewall.handle_tls=1
uci set ua2f.firewall.handle_mmtls=1
uci set ua2f.firewall.handle_intranet=1
uci commit ua2f
service ua2f enable
service ua2f start
echo "Enjoy it!"

Then add it to the local startup script under the startup items, so that UA2F starts automatically on boot.

/usr/bin/python3 /root/auth.py

/bin/bash /root/ua.sh

exit 0

Before setting it to auto-start, first run ./ua.sh as a test. We can use http://ua.233996.xyz to check the UA.

You can see that the http:80 traffic has been processed and changed to FFFFF…….

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
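
Seen from the network operator's side, the kind of check this section tests against can be sketched as follows. This is an added example, not code from the original post or from the UA2F project; the log format, platform patterns, threshold and verdict names are assumptions, and the all-F pattern corresponds to the rewritten User-Agent described above.

```python
import re
from collections import defaultdict

# Constructed sample: (client IP, User-Agent) pairs from cleartext HTTP on port 80.
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
ANDROID = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
SAMPLE = [
    ("10.20.0.11", WIN), ("10.20.0.11", ANDROID), ("10.20.0.11", IPHONE),
    ("10.20.0.12", WIN), ("10.20.0.12", WIN),
    ("10.20.0.13", "F" * len(WIN)), ("10.20.0.13", "F" * len(ANDROID)),
]

# Order matters: Android User-Agents also contain "Linux".
PLATFORMS = [
    ("ios", re.compile(r"iPhone|iPad")),
    ("android", re.compile(r"Android")),
    ("windows", re.compile(r"Windows NT")),
    ("macos", re.compile(r"Macintosh")),
    ("linux", re.compile(r"Linux")),
]
# A User-Agent that is nothing but F padding carries no platform information.
MASKED = re.compile(r"F{8,}")

def platform_of(ua):
    """Map a User-Agent string to a coarse platform label."""
    if MASKED.fullmatch(ua):
        return "masked"
    for name, pattern in PLATFORMS:
        if pattern.search(ua):
            return name
    return "other"

def classify_clients(records, max_platforms=2):
    """Return {ip: verdict}; max_platforms is an assumed policy threshold."""
    seen = defaultdict(set)
    for ip, ua in records:
        seen[ip].add(platform_of(ua))
    verdicts = {}
    for ip, platforms in seen.items():
        real = platforms - {"masked", "other"}
        if len(real) > max_platforms:
            verdicts[ip] = "shared"      # several device types behind one address
        elif "masked" in platforms:
            verdicts[ip] = "masked-ua"   # User-Agent rewritten to F padding
        else:
            verdicts[ip] = "ok"
    return verdicts
```

HTTPS requests never show up in such a log because the User-Agent header is encrypted, which is why only http:80 sites produced the stop-sharing message.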


Enjoy~

This method cannot capture packets from our client anymore, but the API itself is fine and can continue to be used. In early 2024, the service provider went bankrupt, alas!

This article was synchronized and updated by Mix Space to xLog. The original link is https://www.miaoer.net/posts/network/openwrt-ua2f
