Captive portal attack!
A captive portal is a web page, accessed with a web browser, that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page that may require authentication, payment, acceptance of an end-user license agreement or acceptable use policy, survey completion, or other valid credentials that both the host and the user agree to abide by. Captive portals are used for a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.
There is more than one way to implement a captive portal, including:
- HTTP redirect
- ICMP redirect
- Redirect by DNS
On the attacking side, the attack works if the attacker is in a MITM position and runs a script that receives every captive-portal and connectivity-check request from the victim machine and answers it so that the portal page is forced open. This page will then:
- hijack all Internet traffic from the machine;
- allow the attacker to remotely force the user to make HTTP requests and proxy back the responses (GET and POST) with the user's cookies on any backdoored domain;
- not require the machine to be unlocked;
- leave backdoors and remote access in place even after the MITM has stopped.
Operating systems affected by this attack:
- The AP router itself is affected too.
On the defense side you have to:
- stop using public Wi-Fi;
- always use a VPN;
- disable the captive portal.
The above steps help you stay 50% safe from this kind of attack.