
Bypassing Wi-Fi Captive Portals

In this module, we delve into a range of methods for identifying and bypassing captive portals, employing both indirect and direct exploitation techniques. We cover tactics such as MAC spoofing, ARP poisoning, DNS tunneling, and credential interception, alongside direct attack vectors like Cross-Site Scripting (XSS), file upload vulnerabilities, file inclusion, and brute force attacks. Additionally, we will examine client hijacking strategies to extract credentials and circumvent portal restrictions. By understanding these attack methods, we can evaluate and enhance the security of captive portal implementations.


Created by Sentinal
Co-Authors: MrGrep, N1tr0x

Medium Offensive

Summary

In this module, we explore methods for enumerating and attacking Wi-Fi captive portals with the goal of bypassing them. Captive portals are commonly used to restrict network access until authentication is completed, but they often contain vulnerabilities that can be exploited. We will demonstrate a range of techniques, including captive portal detection, indirect and direct exploitation methods, and client-side hijacking strategies. These can be used to compromise devices on the network, extract stored credentials, and ultimately bypass the portal's access restrictions. By understanding and applying these attack vectors, we gain deeper insight into the inherent security flaws in captive portals and how attackers can exploit them.

In this module, we will cover:

  • Introduction
    • Captive Portal Usage
    • Reconnaissance
  • Indirect exploitation of captive portals, such as:
    • MAC Address Spoofing
    • VPN Bypasses
    • ARP Spoofing and Hijacking
    • External HTTP Credential Interception
    • External HTTP Session Interception
    • Hostile Portal Attacks
  • Hijacking Clients through:
    • Vulnerable Service
    • Interception
    • Malware Portals
  • Direct exploitation of captive portals, such as:
    • Brute Forcing
    • XSS and Command Injection
    • Host Header Manipulation
    • File Upload Attacks
    • File Inclusion and Privilege Escalation
  • Skills Assessment

This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. There are no specific Wi-Fi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command outputs for the various tools and topics introduced. Reproducing as many examples as possible is recommended to reinforce the concepts presented in each section.

You can start and stop the module at any time and pick up where you left off. There is no time limit or grading, but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

This module is classified as "Medium" and assumes a working knowledge of Linux systems, common web vulnerabilities, Wi-Fi fundamentals and network fundamentals. A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

Introduction


Captive portals are authentication gateways that control access to a network, commonly used in public Wi-Fi hotspots, corporate environments, and paid Wi-Fi services. These portals ensure that users comply with specific terms before gaining internet access. When a user connects, their browser is redirected to the captive portal, which may require authentication, agreement to terms, or even payment before granting internet access.


Common Use Cases of Captive Portals:

Captive portals serve as a controlled gateway for users accessing a network. They are widely used in different environments to regulate internet access, enforce policies, and enhance security. Below are some of the most common use cases:

  • Public Wi-Fi (Hotels, Airports, Cafes, Shopping Malls) – To control and monitor access.
  • Corporate Networks and Enterprises – To enforce access policies.
  • Paid Wi-Fi Services – To collect payments before granting internet access.

How Captive Portals Work

The process typically follows these steps:

1. Connection

When a user connects to a Wi-Fi network, whether open or encrypted, their device requests an IP address from the network's DHCP server. This allows the device to communicate with the local network but not necessarily access the internet.

[Image: desktop notification, "Connected to Wi-Fi network 'HTB-Guest'"]

2. Redirection to Captive Portal

Once connected, if the user tries to access any website, their request is intercepted by the network gateway. Instead of reaching the intended site, the network redirects the user to a captive portal page. This is done using DNS hijacking or HTTP interception techniques.

[Image: Hack The Box login screen prompting for a username and password to sign in to HTB-Guest]

The portal page typically contains a login form, terms of use, or a payment option, depending on the network's requirements.

3. Authentication and User Agreement

At this stage, the user must complete one of the following actions to gain network access:

  • Login with credentials – In enterprise or university networks, users may need to enter a username and password.
  • Accept terms and conditions – In public Wi-Fi setups, simply agreeing to terms may be sufficient.
  • Enter a voucher or access code – Some networks issue temporary access codes to limit usage.
  • Payment for access – Paid Wi-Fi services require users to enter payment details before proceeding.

4. Network Access Granted

Once the user has successfully authenticated, the captive portal grants them internet access. This is usually done by updating the firewall rules or inserting the user's MAC address into an allowlist.

[Image: HTB welcome screen with the text 'Your gateway to seamless connectivity and endless possibilities.']

Some networks impose additional restrictions, such as:

  • Session time limits – Users may need to reauthenticate after a set duration.
  • Bandwidth limitations – Speeds may be throttled to prevent excessive usage.
  • Concurrent connection limits – Some networks restrict the number of devices per user.

Attacking Captive Portals:

While captive portals serve as an access control mechanism for networks, they also introduce several security risks. Attackers can exploit these portals to intercept traffic, steal credentials, or bypass restrictions. Below are some key security concerns:

1. Man-in-the-Middle (MitM) Attacks:

Since users must first connect to an untrusted network before authentication, attackers can position themselves between the user and the legitimate portal to intercept traffic. Common MitM techniques include:

  • ARP Spoofing – By poisoning the ARP cache, an attacker can intercept and modify network traffic.
  • SSL Stripping/Interception – If the captive portal forces an HTTPS login page, attackers can downgrade or intercept secure connections and capture credentials in plaintext.

2. Credential Harvesting via Fake Captive Portals:

Attackers can create rogue captive portals that mimic legitimate login pages to steal user credentials. This is especially dangerous in environments where users use the same credentials for enterprise Wi-Fi authentication.

  • Rogue Access Points – Attackers set up a fake Wi-Fi network with the same SSID as the target network and host a fake captive portal to lure users into connecting. Once a user enters their credentials, the attacker captures them and can use them for unauthorized access to corporate or enterprise networks. Attackers can also use JavaScript keyloggers embedded in fake captive portals to log keystrokes in real-time.

3. Bypass Methods and Evasion Techniques:

Some users attempt to bypass captive portals using various techniques, including:

  • DNS Tunneling – Encapsulating internet traffic within DNS queries to evade access restrictions.
  • MAC Address Spoofing – Cloning the MAC address of an already authenticated device to trick the network into granting access.
  • Session Hijacking – Capturing and reusing authentication cookies or session tokens to bypass login pages.
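The step 4 allowlist and the MAC address spoofing bullet above both come down to what the gateway's session table binds an authorisation to. The following is an added example, not part of the module: it replays gateway events and flags a DHCP lease that contradicts what an authorised MAC presented at login. The log format, the sample events and the one-hour session limit are constructed assumptions.

```python
from dataclasses import dataclass

SESSION_TTL = 3600  # assumed session time limit, in seconds

# Constructed gateway events: time, event, MAC, IP, DHCP hostname.
SAMPLE_LOG = """\
100  AUTH  aa:bb:cc:00:00:01 10.0.0.21 alice-laptop
160  LEASE aa:bb:cc:00:00:02 10.0.0.22 bob-phone
400  LEASE aa:bb:cc:00:00:01 10.0.0.21 alice-laptop
900  LEASE aa:bb:cc:00:00:01 10.0.0.37 unknown-host
5000 LEASE aa:bb:cc:00:00:01 10.0.0.50 other-host
"""

@dataclass
class Session:
    ip: str
    hostname: str
    expires: int

def review_events(log_text, ttl=SESSION_TTL):
    """Return (time, mac, changed_fields) for leases that contradict a live session."""
    sessions, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, mac, ip, hostname = line.split()
        ts, mac = int(ts), mac.lower()
        if event == "AUTH":
            # Portal login succeeded: remember what this MAC looked like.
            sessions[mac] = Session(ip, hostname, ts + ttl)
            continue
        live = sessions.get(mac)
        if event != "LEASE" or live is None:
            continue  # never authenticated, so still behind the portal
        if ts >= live.expires:
            del sessions[mac]  # session time limit reached: must log in again
            continue
        changed = [name for name, old, new in
                   (("ip", live.ip, ip), ("hostname", live.hostname, hostname))
                   if old != new]
        if changed:
            alerts.append((ts, mac, "+".join(changed)))
    return alerts

if __name__ == "__main__":
    for alert in review_events(SAMPLE_LOG):
        print(alert)
```

A mismatch is a signal to investigate rather than proof of cloning, since a legitimate client can change its hostname or receive a new address on renewal.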

4. Direct Attacks on Captive Portals

Since captive portals often include login pages and web-based authentication mechanisms, they can be vulnerable to traditional web security threats:

  • Cross-Site Scripting (XSS) – If the portal does not properly sanitize user input, an attacker can inject malicious JavaScript into the page which can lead to session hijacking, credential theft, or browser-based exploits.
  • File Upload Vulnerabilities – Some captive portals allow users to upload identification documents or proof of payment. If file type validation or upload directory permissions are not properly enforced, attackers may upload malicious scripts or web shells.
  • Brute Force – If the captive portal relies on weak authentication (e.g., simple passwords or 4-digit PINs), attackers can automate login attempts to guess credentials. Lack of rate-limiting or account lockout mechanisms makes brute-forcing easier.
  • File Inclusion – If the captive portal has a file inclusion vulnerability, attackers can read sensitive files from the server.
  • Host Header Manipulation – Many captive portals rely on the Host header to determine how requests are processed. By modifying this header, we may be able to bypass authentication or gain access to restricted pages. Some portals use weak validation, allowing us to trick the server into thinking we are already authenticated.
  • Command Injection – If the captive portal executes system commands based on user input (such as verifying MAC addresses or processing login credentials), we can attempt command injection. Exploiting vulnerable parameters may allow us to execute arbitrary system commands, escalate privileges, or completely bypass authentication.
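For the Host header and command injection items above, this added example (not code from the module) puts the weak pattern beside a hardened one for a portal that authorises a client by MAC address. The iptables rule, the FORWARD chain and the names in PORTAL_HOSTS are assumptions made for illustration.

```python
import re

# Assumed names the portal is legitimately served under (placeholders).
PORTAL_HOSTS = {"portal.example.test", "192.0.2.1"}
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")

def unsafe_authorize_cmd(mac):
    """Weak pattern: unchecked input pasted into a string meant for a shell."""
    return f"iptables -I FORWARD -m mac --mac-source {mac} -j ACCEPT"

def normalize_mac(raw):
    """Accept only a full 48-bit MAC; return it in lower-case colon form."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC address")
    return mac

def host_is_trusted(host_header):
    """Compare the Host header with a fixed allowlist, ignoring case and port."""
    name, _, port = host_header.strip().lower().partition(":")
    if port and not port.isdigit():
        return False
    return name in PORTAL_HOSTS

def authorize_argv(host_header, raw_mac):
    """Hardened pattern: validate first, then build an argument vector.

    Each list element reaches the program as one argument, so the caller can
    use subprocess.run(argv, check=True) with no shell in between.
    """
    if not host_is_trusted(host_header):
        raise PermissionError("unexpected Host header")
    return ["iptables", "-I", "FORWARD", "-m", "mac",
            "--mac-source", normalize_mac(raw_mac), "-j", "ACCEPT"]

if __name__ == "__main__":
    constructed_input = "aa:bb:cc:00:00:01; id"  # constructed hostile value
    print(unsafe_authorize_cmd(constructed_input))  # separator survives intact
    try:
        authorize_argv("portal.example.test", constructed_input)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist only decides whether to serve the request; whether a client is authenticated should come from server-side session state, never from the Host header itself.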

Captive portals are essential for securing network access, ensuring compliance, and controlling bandwidth usage. However, they also present opportunities for bypassing techniques, which we will explore in later sections.


Relevant Paths

This module progresses you towards the following Paths

Wi-Fi Penetration Tester

The Wi-Fi Penetration Tester Job Role Path is designed for professionals and aspiring security practitioners who want to build expertise in assessing and securing corporate wireless networks. The course provides hands-on training in evaluating the security of Wi-Fi environments, from attacking modern authentication and encryption protocols to simulating real-world attack scenarios such as rogue access points, man-in-the-middle attacks, and credential harvesting. Students will gain practical experience with industry-standard tools and methodologies, learning how to identify vulnerabilities, exploit misconfigurations, and recommend effective countermeasures. By the end of this Path the participants will be equipped with the knowledge and skills required to perform authorized Wi-Fi penetration tests and strengthen the wireless security posture of enterprise corporate environments.

Path Modules
In today's digital age, wireless networks are ubiquitous, connecting countless devices in homes, businesses, and public spaces. With this widespread connectivity comes an increased risk of security vulnerabilities that can be exploited by malicious actors. As such, understanding and securing Wi-Fi networks has become a crucial aspect of cybersecurity. Whether you are an aspiring ethical hacker, a network administrator, or simply a tech enthusiast, gaining a solid foundation in Wi-Fi penetration testing is essential for safeguarding your digital environment.
In this module, we delve into the intricacies of WPS, uncovering the common vulnerabilities that plague this technology. From brute-force attacks to more sophisticated exploitation techniques, we will explore how attackers compromise WPS-enabled networks. By understanding these vulnerabilities and their related attacks, you will gain the knowledge necessary to protect your networks and mitigate the risks associated with WPS.
In this module, we delve into Wired Equivalent Privacy (WEP) and the various attacks that can compromise it. We'll explore how to identify access points configured with WEP and demonstrate different methods to exploit its vulnerabilities. As WEP is an outdated and insecure protocol, understanding its weaknesses is crucial for recognizing the need to upgrade to more secure protocols. This module aims to provide insights into WEP’s vulnerabilities and practical techniques for testing its security.
This module explores the security challenges of WPA and WPA2 Wi-Fi networks, focusing on WPA/WPA2-Personal and WPA/WPA2-Enterprise. Although these protocols aim to secure wireless communication, attackers can exploit various weaknesses in home and enterprise environments. This module will delve deeper into WPA-Personal and WPA-Enterprise, demonstrating multiple attack vectors to compromise each. Understanding these attack vectors will give you insight into the vulnerabilities that could compromise WPA/WPA2 networks and how to secure them.
This module explores the concept of evil twin attacks on Wi-Fi networks, focusing on WPA2, WPA3, and WPA-Enterprise. Despite these protocols being designed with strong security measures, they remain vulnerable to social engineering and rogue access point attacks. We will delve into both manual and automated methods for executing evil twin attacks, demonstrating practical approaches for each network type. Additionally, we will cover advanced MiTM techniques, including DNS spoofing and SSL interception, to highlight how attackers can exploit compromised connections for data interception.
Wi-Fi Protected Access 3 improves upon WPA2 by offering stronger encryption, SAE for personal networks, OWE for open networks, and mandatory Protected Management Frames. However, it is not immune to compromise. In this module, we’ll explore practical attack techniques against WPA3 implementations, including OWE, SAE, and Enterprise networks (EAP-PWD), highlighting how vulnerabilities and misconfigurations can be exploited in real-world scenarios.
Password cracking is a cornerstone of wireless penetration testing, as many real-world assessments hinge on the strength of the Wi-Fi password and our ability to break it. Despite its importance, many testers continue to rely solely on dictionary attacks with basic tools and minimal customization. In this module, we’ll go beyond the basics and explore the full spectrum of practical techniques, targeted strategies, and performance-driven optimizations for cracking Wi-Fi passwords.
Wireless network penetration testing presents a unique challenge due to the wide variety of technologies, protocols, and security configurations encountered in the field. This module introduces learners to a range of Wi-Fi pentesting tools, each selected to demonstrate techniques suited for different environments and stages of an engagement. By working through practical examples, learners will gain hands-on experience in choosing and applying the right tool for the task.
This module incorporates a simulated Wi-Fi penetration test from start to finish, emphasizing hands-on techniques that reflect real-world engagements. It involves conducting scoped reconnaissance, assessing wireless configurations, and evaluating common attack surfaces across WPA2, WPA3, and Enterprise deployments. The environment culminates in a demonstration of internal network pivoting, including Active Directory access, all performed within a controlled, simulated environment and in adherence to strict legal and ethical boundaries.