WiFi Phishing: Configuring Captive Portal for Android


(Joshep) #1

I’m using airgeddon. How do we manually redirect the victim to the captive portal page after they connect to our fake AP?

Some phones don’t automatically redirect the victim to the captive portal page, and all they browse is fb, viber, youtube to check their internet connection… Can I redirect them manually to the browser so that they could see the captive portal page?
I used fluxion and wifiphisher and had the same problem.

As I saw the topic “Captive Portal” in the WiFi hacking eBook,
I created a folder “android” in the directory /var/www/html/
and inside the android folder I created a file named android.conf and also created a blank file generate_204

and did the attack, but nothing changed.
The fake AP didn’t redirect the victim to the captive portal page.

(Hardeep Singh) #2
  1. What version of android are you using for this test?

  2. Use dnsspoof -i <fake ap interface> and see if that fixes the problem.

(Joshep) #3

I’m using the Lollipop version.
When I type the command I get
dnsspoof: unknown physical layer type 0x323
and it didn’t redirect me to the captive portal page.

(Hardeep Singh) #4

Please share your stack. You are probably using an invalid interface name.
For example, if you are using airbase-ng you must use at0 in the above command: sudo dnsspoof -i at0 and wlan0 if using hostapd.

Please share your hardware and software stack.

(Joshep) #5

Oh sorry, I again used the real interface and it just showed some links of the websites I visited.
But it didn’t redirect me to the portal page.

(Hardeep Singh) #6

Alright. Did you configure apache mod_rewrite as described in the eBook?

For instance, see page 152 for the apache configuration code.

If still the client isn’t redirected (or shown a notification that takes the user…) to captive portal, then note the dnsspoof output.
You will see certain domain names like android.com, connectivitycheck.android.com, gstatic.com etc. Make sure to add those domain names in the apache configuration as ServerAlias and restart apache: service apache restart

(Joshep) #7

Let me make clear what I did.
I used airgeddon to make an evil twin fake AP… and successfully created a clone of my victim’s wifi.
Then I waited for a client to connect to my fake AP, and the client successfully connected, but all I could see is that they browse facebook.com, youtube.com, etc. through the DNS terminal…
Why didn’t they get redirected to the portal page?
When I use my own phone (Lollipop version)
it also didn’t take me to the portal page automatically;
I have to go manually to the browser for it.
But on my next phone (Marshmallow version), when I connect to the fake AP it automatically redirected me to the portal page.
How can I solve this on my (Lollipop version) phone?

(Hardeep Singh) #8

Airgeddon is a 3rd party tool which can get outdated. That is the reason I don’t focus much on complete solutions for pentesting and rather teach how to do the same task manually.

The problem here is that different Android versions have different methods of checking Internet connectivity. Some might use clients1.google.com, another might use connectivitycheck.android.com for generate204 code. Also, airgeddon needs to be sending the HTTP Status 204 to the client in return to the request being made to the DNS server (fake AP’s DNS in your case).

Also, airgeddon is supposed to do this all by itself and not need dnsspoof or apache to be involved explicitly. That is why all these confusions and errors. I would rather suggest you perform the attack manually, skip airgeddon and use airbase-ng/hostapd, apache, dnsspoof, MySQL, iptables to carry out the attack.

Best part? You can pinpoint the exact request using your apache logs and make changes to your apache configuration files accordingly. No matter which OS you are using on mobile, you can adjust accordingly. Even if there is a major upgrade.

By the way, do you see a status bar notification about “No Internet Connection” on your Android Lollipop?

Something like this:

(Joshep) #9

No, I didn’t get any notification such as Sign in to the network.
That’s why I asked you about this.
I tried fluxion and wifiphisher too, but they didn’t work.
Now I’m trying to attack manually using airbase-ng / hostapd, apache, dnsspoof, MySQL, iptables.
But is there any tutorial about this method?

(Hardeep Singh) #10

Download the WiFi Pentesting and Security eBook here: https://rootsh3ll.com/klwps

and read Chapter 8: Captive Portals (Page 144) for all the explanation and attack configuration files. It covers:

  1. How different OS checks the Internet connection status
  2. How a Captive Portal is triggered on different OS.
  3. How we can use apache for spear phishing based on OS version.

You’ll be able to set up custom attacks for different OS versions.

For example, a certain attack for iOS 10 and a different attack vector for iOS 12. Same goes for Windows and Android. :)
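
Seen from the client or monitoring side, the connectivity checks discussed in this thread can be scored offline to tell an open network from one that intercepts them. This is an added example, not from the thread or the eBook; the probe records, field names, addresses and verdict labels are constructed assumptions.

```python
import ipaddress

# Address ranges a client should never get back for a public check hostname.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# Constructed probe results, not captured traffic. Hostnames are the check
# names mentioned in the thread; addresses and sizes are made up.
INTERCEPTED = [
    {"host": "connectivitycheck.android.com", "ip": "10.0.0.1", "status": 302, "body_len": 0},
    {"host": "clients1.google.com", "ip": "10.0.0.1", "status": 200, "body_len": 5120},
    {"host": "gstatic.com", "ip": "10.0.0.1", "status": 200, "body_len": 5120},
]
# Same network, but the local host answers every check with an empty 204.
FAKE_204 = [dict(p, status=204, body_len=0) for p in INTERCEPTED]
CLEAN = [
    {"host": "connectivitycheck.android.com", "ip": "203.0.113.10", "status": 204, "body_len": 0},
    {"host": "clients1.google.com", "ip": "203.0.113.20", "status": 204, "body_len": 0},
]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def classify_probe(probe):
    """Verdict for one HTTP connectivity check that expects an empty 204."""
    if probe["status"] == 204 and probe["body_len"] == 0:
        return "online"
    if 300 <= probe["status"] < 400:
        return "redirected"
    return "content-substituted"

def assess(probes):
    """Combine HTTP verdicts with what DNS returned for the check hostnames."""
    verdicts = {p["host"]: classify_probe(p) for p in probes}
    local_hosts = sorted(p["host"] for p in probes if is_local(p["ip"]))
    one_answer = len(probes) > 1 and len({p["ip"] for p in probes}) == 1
    if local_hosts and one_answer:
        state = "dns-overridden"   # unrelated names all map to one local host
    elif all(v == "online" for v in verdicts.values()) and not local_hosts:
        state = "open"
    else:
        state = "intercepted"
    return {"state": state, "verdicts": verdicts, "local_hosts": local_hosts}

if __name__ == "__main__":
    for name, probes in (("intercepted", INTERCEPTED), ("fake-204", FAKE_204), ("clean", CLEAN)):
        print(name, assess(probes)["state"])
```

The `FAKE_204` case is the one an HTTP-only check misses: every probe looks "online", and only the DNS answers show that the check hostnames were pointed at a local host.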

(Joshep) #11

Thanks for the swift reply. Do you have any video about it? Because I couldn’t understand the steps clearly.

(Hardeep Singh) #12

Not yet. Would have to see if I can make one soon.

(Joshep) #13

In Captive Portal topic:
Captive Portal configuration for Android Devices
Set up iptables for redirection
Enable modules:
When are these steps to be performed?

(Hardeep Singh) #14

I see. It will confuse you since you are jumping on that chapter directly and haven’t read the previous chapters.

I actually wrote the chapters in a follow up way. So I skipped the actual fake AP creation part for the previous chapter and focusing this one on Captive Portals only.

Please refer to the Rogue AP - A Deeper Dive for AP creation and apache configuration. Then use chapter 8 as an add-on to that configuration.

Meanwhile I’ll write a complete Captive Portal guide here on Member’s Area so you’d be able to follow up in a linear way.

(Joshep) #15

I hope you will write from the beginning point (creating fake ap)

(Hardeep Singh) #16

Sure! I’ll PM/tag you after publishing :)

(Joshep) #17

Hoping for your post soon.

(Joshep) #18

Are you still working on it?

(Hardeep Singh) #19

Yes. I’ll be posting it by tomorrow.

(Joshep) #20

I hope you won’t forget these topics:
airbase-ng / hostapd, apache, dnsspoof, MySQL, iptables