{"id":48921424,"url":"https://github.com/mikkoparkkola/nowifi","last_synced_at":"2026-05-31T11:00:54.500Z","repository":{"id":349448370,"uuid":"1198289138","full_name":"MikkoParkkola/nowifi","owner":"MikkoParkkola","description":"No WiFi? Now WiFi. One command. 27 techniques. Bypass any captive portal.","archived":false,"fork":false,"pushed_at":"2026-05-29T23:56:11.000Z","size":10978,"stargazers_count":9,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-30T01:19:40.557Z","etag":null,"topics":["bypass","captive-portal","cli","go","golang","hacking","linux","macos","network-security","penetration-testing","security","wifi","wifi-hacking"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MikkoParkkola.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-04-01T09:31:56.000Z","updated_at":"2026-05-29T23:56:14.000Z","dependencies_parsed_at":"2026-05-21T08:02:05.124Z","dependency_job_id":null,"html_url":"https://github.com/MikkoParkkola/nowifi","commit_stats":null,"previous_names":["mikkoparkkola/nowifi"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/MikkoParkkola/nowifi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikkoParkkola%2Fnowifi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikkoParkkola%2Fnowifi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikkoParkkola%2Fnowifi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikkoParkkola%2Fnowifi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MikkoParkkola","download_url":"https://codeload.github.com/MikkoParkkola/nowifi/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikkoParkkola%2Fnowifi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33728391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","captive-portal","cli","go","golang","hacking","linux","macos","network-security","penetration-testing","security","wifi","wifi-hacking"],"created_at":"2026-04-17T05:07:37.242Z","updated_at":"2026-05-31T11:00:54.490Z","avatar_url":"https://github.com/MikkoParkkola.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nowifi\n\n[![License: AGPL-3.0](https://img.shields.io/badge/License-AGPL--3.0-blue.svg)](LICENSE)\n[![CI](https://github.com/MikkoParkkola/nowifi/actions/workflows/ci.yml/badge.svg)](https://github.com/MikkoParkkola/nowifi/actions/workflows/ci.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/MikkoParkkola/nowifi)](https://goreportcard.com/report/github.com/MikkoParkkola/nowifi)\n[![Release](https://img.shields.io/github/v/release/MikkoParkkola/nowifi)](https://github.com/MikkoParkkola/nowifi/releases)\n[![Downloads](https://img.shields.io/github/downloads/MikkoParkkola/nowifi/total)](https://github.com/MikkoParkkola/nowifi/releases)\n[![Go Version](https://img.shields.io/github/go-mod/go-version/MikkoParkkola/nowifi/master?filename=go/go.mod)](go/go.mod)\n[![Dependencies](https://img.shields.io/librariesio/github/MikkoParkkola/nowifi)](https://libraries.io/github/MikkoParkkola/nowifi)\n[![GitHub Stars](https://img.shields.io/github/stars/MikkoParkkola/nowifi?style=social)](https://github.com/MikkoParkkola/nowifi)\n\n### No WiFi? Now WiFi.\n\n**Author: Mikko Parkkola**\n\nOne command. 43 techniques. Browser works immediately.\n\n```bash\nsudo nowifi\n```\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"screenshot.png\" alt=\"nowifi dashboard\" width=\"800\"\u003e\n\u003c/p\u003e\n\nStuck behind a hotel/airport/cafe WiFi login page? `nowifi` detects the captive portal, probes for weaknesses, and tries 35 bypass techniques automatically -- most powerful first, stops on the first one that works. Your browser works immediately. `Ctrl+C` restores everything.\n\nNeed the actual WiFi password instead? `nowifi crack` runs an ordered 8-technique WPA/WPA2 cracking pipeline. It escalates from PMKID and WPS Pixie-Dust through handshake capture, dictionary/smart cracking, and only then to WPS PIN or online brute force, stopping as soon as a password is recovered.\n\n---\n\n## Installation\n\n### Homebrew (Recommended)\n\n```bash\nbrew install MikkoParkkola/tap/nowifi\n```\n\nThat's it. Pre-built binary, no Go toolchain, no `sudo install`. Works on\nApple Silicon, Intel Macs, Linux x86_64, and Linux arm64.\n\n### Pre-built Binaries (Manual)\n\nDownload the latest release for your platform from\n[GitHub Releases](https://github.com/MikkoParkkola/nowifi/releases/latest)\nand verify checksums against\n[`checksums.sha256`](https://github.com/MikkoParkkola/nowifi/releases/latest/download/checksums.sha256).\nRelease assets also include CycloneDX SBOMs, Sigstore keyless signatures\n(`.sigstore.json` bundles), and GitHub provenance attestations.\n\n```bash\n# macOS Apple Silicon\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/nowifi-darwin-arm64.tar.gz\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/checksums.sha256\nshasum -a 256 -c checksums.sha256 --ignore-missing\ntar xzf nowifi-darwin-arm64.tar.gz\nsudo install -m 0755 nowifi-darwin-arm64 /usr/local/bin/nowifi\n\n# macOS Intel\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/nowifi-darwin-amd64.tar.gz\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/checksums.sha256\nshasum -a 256 -c checksums.sha256 --ignore-missing\ntar xzf nowifi-darwin-amd64.tar.gz\nsudo install -m 0755 nowifi-darwin-amd64 /usr/local/bin/nowifi\n\n# Linux x86_64\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/nowifi-linux-amd64.tar.gz\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/checksums.sha256\nsha256sum -c checksums.sha256 --ignore-missing\ntar xzf nowifi-linux-amd64.tar.gz\nsudo install -m 0755 nowifi-linux-amd64 /usr/local/bin/nowifi\n\n# Linux ARM64\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/nowifi-linux-arm64.tar.gz\ncurl -LO https://github.com/MikkoParkkola/nowifi/releases/latest/download/checksums.sha256\nsha256sum -c checksums.sha256 --ignore-missing\ntar xzf nowifi-linux-arm64.tar.gz\nsudo install -m 0755 nowifi-linux-arm64 /usr/local/bin/nowifi\n```\n\n### Build from Source\n\n```bash\ngit clone https://github.com/MikkoParkkola/nowifi.git\ncd nowifi/go\nmake build\nmake test-short\nmake ci\nsudo install -m 0755 bin/nowifi /usr/local/bin/nowifi  # optional\n```\n\nRequires Go 1.26+. The macOS menubar (`nowifi menubar`) requires CGO and is\nonly included in native macOS builds.\n\n---\n\n## Quick Start\n\n```bash\n# One command. Detect, bypass, cloak, and stay connected until you stop.\nsudo nowifi\n\n# Read-only assessment (no changes to network)\nnowifi diagnose\n\n# Capture a forensic package when an environment can't be bypassed (read-only)\nnowifi forensics\n\n# WPA password cracking\nsudo nowifi crack\n\n# Check system health\nnowifi doctor\n```\n\n`sudo nowifi` does everything automatically: detects the portal, probes for leaks, bypasses using the most powerful technique available, applies traffic stealth (anti-tethering), and **maintains your connection** until you press `Ctrl+C`. All network changes are restored on exit.\n\n---\n\n## Key Features\n\n- **Session persistence** — stays connected after bypass. Auto-renews on session expiry (MAC rotate → full re-bypass → re-probe). One command at boarding, connected for the entire flight.\n- **Traffic stealth** — TTL normalization to defeat anti-tethering detection (macOS also adds IP ID randomization and MSS clamping via PF). Your bypassed connection looks identical to a directly-connected device.\n- **Inflight WiFi intelligence** — profiles for 7 major providers (Panasonic, Gogo, Viasat, Inmarsat, Thales, SITA, Anuvu) covering 40+ airlines. Auto-detects provider and optimizes technique ordering.\n- **Satellite-aware** — detects high-latency links (RTT \u003e 400ms) and adjusts all timeouts dynamically. Prevents false-positive idle detection on inflight networks.\n- **Zero-config tunnels** — auto-deploys Cloudflare Workers proxy if no tunnel server is configured. Checksum-verifies and auto-downloads `cloudflared` for DoH tunneling.\n- **Clean restore guarantee** — `Ctrl+C` always restores original MAC, proxy, DNS, TTL, PF rules, and tunnel processes. Handles SIGINT/SIGTERM via signal handlers and any clean exit via `defer`.\n\n---\n\n## Common Commands and Examples\n\n| Command | What it does |\n|---------|-------------|\n| `sudo nowifi` | Full audit: detect, probe, bypass, maintain access, restore on exit |\n| `sudo nowifi -p` | Probe only -- find leaks without exploiting them |\n| `sudo nowifi --dry-run` | Read-only audit plan: detect, probe, and show feasible bypasses without mutating state |\n| `sudo nowifi --fast` | Skip stealth timing (faster but more detectable) |\n| `sudo nowifi -t URL` | Use a specific chisel tunnel server |\n| `sudo nowifi --http3-server https://vps:443` | HTTP/3-ALPN tunnel to nowifi server (#22) |\n| `sudo nowifi --doq-server 1.1.1.1:853` | Override default DoQ resolver (#21) |\n| `sudo nowifi --ech-server https://... --ech-config-list \u003cb64\u003e` | TLS 1.3 ECH domain fronting (#24) |\n| `sudo nowifi --masque-server https://proxy:443` | MASQUE tunnel via HTTP/3 Extended CONNECT (#27) |\n| `sudo nowifi --wt-server https://proxy:443/wt` | WebTransport tunnel over HTTP/3 (#28) |\n| `sudo nowifi --h2-proxy https://proxy:443` | HTTP/2 CONNECT tunnel (gRPC-style) (#29) |\n| `sudo nowifi --sse-server https://relay.example.com` | SSE streaming tunnel (#30) |\n| `sudo nowifi --grpc-server https://proxy:443` | gRPC bidi streaming tunnel (#31) |\n| `sudo nowifi --connectip-server https://proxy:443` | CONNECT-IP full IP tunnel (#32) |\n| `sudo nowifi -i en1` | Use a different WiFi interface (default: `en0`) |\n| `nowifi recon -o klm.json` | Passive network fingerprint for contributing provider profiles |\n| `nowifi diagnose` | Read-only security assessment (no changes to network) |\n| `nowifi diagnose -r json -o report.json` | Save diagnosis as JSON file |\n| `nowifi forensics` | Capture a portable forensic package of which channels survive enforcement (read-only, no sudo, local-only `holes-\u003cts\u003e.{txt,json}`) |\n| `nowifi forensics --baseline` | Capture a full-access baseline to diff against later under enforcement |\n| `nowifi report` | Review and submit queued reports from networks nowifi couldn't bypass (consent-gated GitHub issue, MACs redacted) |\n| `nowifi crack` | 8-technique WPA/WPA2 cracking pipeline (ordered fastest-to-slowest, stops on first recovered password) |\n| `nowifi crack --scan-only` | Scan for WiFi networks without attacking |\n| `nowifi scan` | Scan nearby WiFi networks with signal/security info |\n| `nowifi watch` | Maintain access -- auto-reconnect on session expiry |\n| `nowifi history` | Show past audit sessions |\n| `nowifi tools` | Show which external tools are installed/missing |\n| `nowifi tools -d` | Checksum-verified auto-download of missing tools (chisel, hysteria, cloudflared) |\n| `nowifi server create` | Create a tunnel server (CF Worker or VPS) |\n| `nowifi server list` | List active tunnel servers |\n| `nowifi server rotate-token` | Redeploy the managed Worker with a fresh `nowifi_token` |\n| `nowifi server destroy` | Destroy a tunnel server |\n| `nowifi server info` | Show which techniques need a server |\n| `nowifi config list` | Show saved defaults such as tunnel endpoints and interface |\n| `sudo nowifi server listen` | Run the HTTP/3-ALPN tunnel server (peer for `--http3-server`) |\n| `nowifi ecosystem` | Show complementary tools (bettercap, wifiphisher, etc.) |\n| `nowifi setup` | Interactive first-time setup wizard |\n| `nowifi doctor` | System health check |\n| `nowifi doctor --json` | Machine-readable health check output |\n| `nowifi ui` | Launch the web dashboard |\n| `nowifi menubar` | Launch the macOS menubar app |\n| `nowifi score` | Grade nearby WiFi networks (A-F) |\n| `sudo nowifi reset` | Emergency network reset after crash/kill |\n\n---\n\n## 43 Techniques\n\n### Portal Bypass (35 techniques)\n\nThese work when you're connected to WiFi but stuck behind a captive portal login page.\n\n| # | Technique | How it works | Severity |\n|---|-----------|-------------|----------|\n| 1 | **IPv6 bypass** | Portal only filters IPv4; IPv6 passes unfiltered | Critical |\n| 2 | **HTTPS/WS tunnel** | Chisel WebSocket tunnel through HTTPS to your server | Critical |\n| 3 | **CNA User-Agent spoof** | Portal auto-approves Apple CNA/Wispr User-Agent requests | High |\n| 4 | **JS-only bypass** | Portal enforces auth only in JavaScript, not server-side | High |\n| 5 | **HTTP CONNECT abuse** | Tunnel through the portal's transparent proxy via CONNECT | High |\n| 6 | **MAC clone (idle)** | Clone an inactive authenticated device's MAC address | Critical |\n| 7 | **MAC clone (any)** | Clone any authenticated device's MAC from ARP table | Critical |\n| 8 | **DNS tunnel** | IP-over-DNS via iodine (50-500 Kbps) | High |\n| 9 | **ICMP tunnel** | IP-over-ping via hans (100-300 Kbps) | High |\n| 10 | **VPN on port 53** | WireGuard/OpenVPN on DNS port, usually allowed | High |\n| 11 | **Whitelist domain** | Tunnel via whitelisted CDN domain | Medium |\n| 12 | **Session cookie replay** | Sniff and replay portal auth cookies (HTTP portals) | High |\n| 13 | **Portal default creds** | Try default admin passwords on portal management | Critical |\n| 14 | **MAC rotate** | Fresh random MAC for new session/quota/time limit | High |\n| 15 | **DHCP rotate** | New IP via DHCP release/renew cycle | Medium |\n| 16 | **QUIC tunnel** | Hysteria2 over UDP/443 (looks like HTTP/3 to DPI) | Critical |\n| 17 | **CF Workers proxy** | Serverless proxy via Cloudflare Workers (no server needed) | Critical |\n| 18 | **NTP tunnel** | Data encoded in NTP extension fields on UDP/123 | High |\n| 19 | **DoH tunnel** | DNS-over-HTTPS to Cloudflare/Google (whitelisted endpoints) | High |\n| 20 | **CAPPORT extend** | RFC 8908 captive-portal API — surfaces session state and user-portal URL | Medium |\n| 21 | **DoQ tunnel** | DNS-over-QUIC (RFC 9250) to public resolver, bypasses DNS interception | High |\n| 22 | **HTTP/3 tunnel** | Pure-Go QUIC tunnel with ALPN `h3` on UDP/443, SOCKS5 wrapper | Critical |\n| 23 | **DHCP Option 121 route** | CVE-2024-3661 \"TunnelVision\" — honor DHCP-advertised static routes that bypass the portal's filter chain (serverless) | High |\n| 24 | **ECH domain fronting** | TLS 1.3 Encrypted Client Hello (RFC 9147) cloaks the real SNI behind a CDN cover name | Critical |\n| 25 | **WG-over-WebSocket** | WireGuard/tunnel payloads in WS binary frames on TCP/443 (looks like Teams/Zoom) | Critical |\n| 26 | **Secondary interface** | Use cellular/USB-Ethernet/Bluetooth-PAN to exit the carrier, bypassing portal entirely (serverless) | Critical |\n| 27 | **MASQUE tunnel** | HTTP/3 Extended CONNECT (RFC 9220/9298) — identical to Apple Private Relay/Cloudflare WARP | Critical |\n| 28 | **WebTransport tunnel** | RFC 9220 WebTransport over HTTP/3 — looks like Google Meet/Zoom to DPI | Critical |\n| 29 | **HTTP/2 CONNECT tunnel** | HTTP/2 binary-framed CONNECT — looks like gRPC/Cloud API to DPI | Critical |\n| 30 | **SSE streaming tunnel** | Server-Sent Events downlink + HTTP POST uplink — looks like a news feed | High |\n| 31 | **gRPC bidi streaming tunnel** | HTTP/2 + application/grpc framing — looks like Kubernetes/microservice API traffic | High |\n| 32 | **CONNECT-IP tunnel** | RFC 9484 full IP tunnel via QUIC datagrams — identical to Apple Private Relay | Critical |\n| 33 | **Cloudflare WARP tunnel** | Zero-config — auto-registers free WARP device, tunnels via HTTP/2 CONNECT | Critical |\n| 34 | **Portal self-relay** | Zero-config — tunnels through portal-whitelisted domains (Stripe, Google, Apple) via HTTP/2 CONNECT | Critical |\n| 35 | **TURN relay** | Zero-config — relays through public WebRTC TURN servers on TCP/443, indistinguishable from video calls | High |\n\n### When nowifi can't bypass — the self-improving loop\n\nIf every technique fails, nowifi turns the dead end into data. It automatically captures a **forensic package** (which egress channels survived enforcement, the portal's control-plane surface, the ranked candidate techniques) and **queues it locally** — because a failed bypass means you're offline and can't file anything yet.\n\nThe next time you run nowifi **with working internet** (or `nowifi watch` reconnects), it asks once:\n\n```\nUnsolved network captured 2026-05-29 — provider=panasonic_nordic_sky, 25 open channels.\nSubmit this report to github.com/MikkoParkkola/nowifi? [y/N]\n```\n\nOn `y`, it files a GitHub issue containing everything needed to build a bypass for that environment. Nothing is ever uploaded without that explicit consent, and your MAC plus nearby device MACs are redacted to vendor IDs first. Disable with `nowifi config set report_failures false`.\n\n### Anonymous Telemetry (opt-in, zero-cost)\n\nnowifi can send anonymous data about which bypass techniques succeed on which captive portals. Purpose: security research + improved technique ordering in future releases.\n\n```bash\nnowifi telemetry enable    # opt in\nnowifi telemetry status    # show state\nnowifi telemetry disable   # opt out\n```\n\n**Collected**: technique ID, success, provider, duration, version, country\n**NEVER collected**: IP, MAC, SSID, portal URL, DNS names, or any personal identifier\n\nData goes to a single Cloudflare Worker running on the free tier (100K events/day). Source: [worker/telemetry/](worker/telemetry/).\n\n### WPA Cracking (4 techniques)\n\nThese crack the actual WiFi password when you don't have it. The stages run in order, and slower fallback steps only run if the earlier capture and smart-crack stages fail.\n\n| # | Technique | How it works |\n|---|-----------|-------------|\n| 31 | **PMKID capture** | Extract PMKID from AP's first message -- no clients needed (~60% of APs) |\n| 32 | **WPS Pixie-Dust** | Exploit weak RNG in WPS (~30% of WPS-enabled APs, 5-30s) |\n| 33 | **Handshake capture + hashcat** | Deauth a client, capture 4-way handshake, GPU crack |\n| 34 | **WPS PIN brute force** | Brute force 11,000 PIN combinations (2-10 hours, last resort) |\n\n### Smart Cracking (4 additional strategies)\n\n| # | Technique | How it works |\n|---|-----------|-------------|\n| 35 | **Smart common passwords** | Top 1000 WiFi passwords (embedded, no wordlist needed) |\n| 36 | **Numeric mask attack** | 8-digit patterns common in ISP-issued routers |\n| 37 | **Word+number rules** | Hashcat rules combining dictionary words with numbers |\n| 38 | **Online brute force** | wpa_supplicant PSK attempts (no monitor mode needed) |\n\nThe smart-crack pipeline also runs dictionary, smart-brute, and (opt-in) full-brute stages between rules and online brute force, in increasing cost order.\n\n---\n\n## External Tools\n\nnowifi works out of the box for many techniques. External tools unlock tunnel and cracking capabilities.\n\n```bash\n# Check what's installed\nnowifi tools\n\n# Checksum-verified auto-download of supported tools\nnowifi tools -d\n```\n\n| Tool | Unlocks | Install |\n|------|---------|---------|\n| chisel | HTTPS/WS tunnel (#2) | `nowifi tools -d` |\n| hysteria | QUIC tunnel (#16) | `nowifi tools -d` |\n| cloudflared | DoH tunnel (#19) | `nowifi tools -d` |\n| iodine | DNS tunnel (#8) | `brew install iodine` |\n| hans | ICMP tunnel (#9) | `brew install hans` |\n| hashcat | WPA cracking (GPU) | `brew install hashcat` |\n| aircrack-ng | WPA cracking (CPU) | `brew install aircrack-ng` |\n| hcxdumptool | PMKID/handshake capture | `brew install hcxdumptool` |\n| hcxpcapngtool | Convert captures for hashcat | `brew install hcxtools` |\n| reaver | WPS Pixie-Dust/PIN attacks | `brew install reaver` |\n\n### Antivirus false positives (chisel, hysteria, cloudflared)\n\nThese tools are legitimate FOSS tunneling utilities, but several antivirus engines classify them as **HackTool / PUA** (potentially unwanted application) — not a virus, not a trojan, but a dual-use tool also seen in real attack chains (CISA AA22-216A, AA23-129A flagged chisel use by ransomware groups).\n\nWhat you may see:\n\n| Engine | Verdict | Severity |\n|---|---|---|\n| Microsoft Defender | `HackTool:Win64/Chisel`, `HackTool:Linux/Chisel` | informational |\n| ESET | `Linux/Chisel.A` (potentially unsafe application) | low |\n| Sophos | `HackTool/Chisel-A` | low |\n| Kaspersky | `not-a-virus:RemoteAdmin.*` | informational |\n| VirusTotal | 15-25 / 70 detections, all \"HackTool / PUA\" category | — |\n\n**Verification you have the real binaries:**\n\n```bash\n# nowifi auto-downloads from official release pages and verifies SHA-256.\n# To re-check manually:\nshasum -a 256 ~/.nowifi/tools/chisel       # compare to github.com/jpillora/chisel/releases\nshasum -a 256 ~/.nowifi/tools/hysteria     # compare to github.com/apernet/hysteria/releases\nshasum -a 256 ~/.nowifi/tools/cloudflared  # compare to github.com/cloudflare/cloudflared/releases\n```\n\n**If your antivirus quarantines a tool:**\n\n1. Confirm the binary path is under `~/.nowifi/tools/` (auto-downloaded, SHA-verified) — not a random location.\n2. Whitelist by SHA-256 in your AV (preferred, narrow exception). Generic path-whitelisting `~/.nowifi/tools/*` is also acceptable.\n3. If the SHA-256 does **not** match the upstream release, do **not** whitelist — re-run `nowifi tools -d` to re-download, or report a supply-chain concern in [SECURITY.md](SECURITY.md).\n\nThese tools are not malware. They are the same binaries used by network engineers, pentesters, and remote-access tooling worldwide. Treat the AV verdict as informational, not a stop-the-line signal.\n\n---\n\n## Tunnel Server Setup\n\nMany techniques work without any server (MAC clone, IPv6, CNA spoof, etc.). Tunnel-based bypasses need a server you control outside the portal's network.\n\n### Quickest: Cloudflare Workers (Free)\n\n```bash\nnowifi server create\n# Deploys a free authenticated Cloudflare Worker proxy (100K req/day)\n```\n\nThe generated Worker URL includes a `nowifi_token` query parameter. Keep that\nfull URL in your nowifi config; tokenless Worker URLs are rejected to avoid\nleaving an open public proxy on your Cloudflare account.\n\n### VPS (DigitalOcean / Hetzner)\n\n```bash\nnowifi server create -p digitalocean -t do_xxx_token\n# Creates $0.007/hr droplet with chisel+iodine+hans pre-installed\n```\n\n### Your Own Server\n\n```bash\n# On your server:\nchisel server --reverse --port 443\n\n# On your laptop (behind portal):\nsudo nowifi -t https://your-server.example.com\n```\n\n### HTTP/3-ALPN Tunnel Server (#22, pure-Go, no external binary)\n\n```bash\n# On your server (once):\nsudo nowifi server listen --addr 0.0.0.0:443 --hostname tunnel.example.com\n# Auto-generates a self-signed cert (or pass --cert/--key for Let's Encrypt).\n\n# On your laptop (behind portal):\nsudo nowifi --http3-server https://tunnel.example.com:443\n```\n\nThe server speaks QUIC with ALPN `h3` on UDP/443. From a middlebox's point of view the traffic is indistinguishable from a browser HTTP/3 session, so it passes TCP-only DPI and most captive-portal filters.\n\n### DoH/DoQ (no server needed)\n\nTechnique #21 (DoQ) connects to a public resolver (default `dns.adguard.com:853`), so no infrastructure is required. Same for #19 (DoH — Cloudflare/Google).\n\n---\n\n## Recipes\n\nHands-on guides for specific scenarios:\n\n- [VPN over Cloudflare Quick Tunnel](docs/recipes/vpn-over-quick-tunnel.md) — carry a VPN through a TCP-only captive portal using zero-config UDP (`nowifi server create -p cloudflare-quick --udp`), plus four alternative strategies (chisel-legacy, OpenVPN TCP, wstunnel, Tailscale/ZeroTier).\n\nSee [`CHANGELOG.md`](CHANGELOG.md) for the full release history.\nSecurity-sensitive changes should also use the\n[`SECURITY.md`](SECURITY.md) policy and\n[`docs/SECURITY-REGRESSION-CHECKLIST.md`](docs/SECURITY-REGRESSION-CHECKLIST.md).\n\n---\n\n## Architecture (Go)\n\n```\ncmd/nowifi/main.go         Entry point\ninternal/\n  cli/                     Cobra commands (audit, diagnose, crack, tools, ...)\n  detect/                  Portal detection: canary URLs, DNS hijack, vendor fingerprinting\n  probe/                   Leak enumeration: DNS, ICMP, IPv6, HTTPS, QUIC, NTP, DoH, ports\n  bypass/                  35 portal bypass techniques, ordered most-powerful-first\n  crack/                   WPA cracking: PMKID, handshake, hashcat, WPS, smart crack\n  tunnel/                  Tunnel management: chisel, iodine, hans, hysteria\n  platform/                OS abstraction: macOS (darwin.go) / Linux (linux.go)\n  report/                  Terminal, markdown, and JSON report generation\n  toolchain/               External tool discovery, auto-download, version management\n  server/                  Cloudflare Workers + VPS provisioning (DO, Hetzner)\n  config/                  Persistent config (~/.nowifi/config.json)\n  capture/                 Audit trail storage (~/.nowifi/captures/)\n  guard/                   State restoration on exit (MAC, proxy, DNS)\n  monitor/                 WiFi monitor mode management\n  discover/                WiFi network scanning\n  portal/                  Auto-login to known portal types\n  clone/                   MAC address cloning\n  inflight/                Airline portal intelligence: 7 provider profiles, 40+ airlines\n  score/                   WiFi network scoring (A-F grade)\n  ui/                      Web dashboard + menubar app\n```\n\n---\n\n## Responsible Use\n\nThis tool is for **authorized security assessments** of captive portal implementations.\n\n- **Only test networks you own or have explicit written authorization to test.** Unauthorized access to computer networks is illegal in most jurisdictions (e.g., CFAA in the US, Computer Misuse Act in the UK, Rikoslaki 38:8 in Finland).\n- **Deauthentication attacks** (technique #22, WPA handshake capture) actively interfere with other users' connections. This may violate telecommunications regulations even on networks you own, if it affects third parties.\n- **MAC cloning** another device's address takes over their authenticated session, disconnecting them. Only use this in controlled lab environments or with explicit consent.\n- **Session cookie replay** involves capturing other users' network traffic. This may violate wiretapping laws in your jurisdiction.\n\nThe authors accept no liability for misuse. This tool is published for defensive research, security assessment, and education.\n\n---\n\n## More Tools\n\n| Tool | What it does |\n|------|-------------|\n| [trvl](https://github.com/MikkoParkkola/trvl) | AI travel agent — flights, hotels, ferries, 33 MCP tools |\n| [axterminator](https://github.com/MikkoParkkola/axterminator) | macOS GUI automation — 30 MCP tools, audio/camera capture |\n| [mcp-gateway](https://github.com/MikkoParkkola/mcp-gateway) | Universal MCP gateway — single-port multiplexing |\n| [nab](https://github.com/MikkoParkkola/nab) | Token-optimized HTTP client for LLMs |\n\nAll tools: `brew tap MikkoParkkola/tap \u0026\u0026 brew install trvl axterminator mcp-gateway nab nowifi`\n\n## License\n\n[AGPL-3.0](LICENSE) -- Copyright (C) 2026 Mikko Parkkola\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikkoparkkola%2Fnowifi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmikkoparkkola%2Fnowifi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikkoparkkola%2Fnowifi/lists"}