New use of Captive Portal for MiTM attacks



Man-in-the-middle attacks built around a captive portal are an old theme. As a rule, this means raising a fake wireless access point with its own captive portal. Today I will show a completely different attack vector that goes beyond WiFi and also works in wired Ethernet networks.



Captive portals have a wide range of uses, but today the most common one is identifying users in public places who want to reach the Internet over a public WiFi network.



As a direct gatekeeper of Internet access, this network service can block or pass client connections. Once inside a network isolated by the portal, the client must somehow learn that authorization is required before it can reach the Internet. On the captive portal's side, the following methods can be used:



  1. Send HTTP redirects in response to all "open" (plain HTTP) client web requests.
  2. Answer all DNS queries with the portal's IP address.
  3. Crudely redirect all web traffic to the portal page.
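The second method above leaves a measurable trace on the client: unrelated hostnames all resolve to the same address. The following is an added example for this article, not code from the article or from Intercepter-NG; it takes a batch of A-record answers for several unrelated names and flags the case where they collapse onto one address, and additionally notes when that address is on the local segment (the situation the article later describes, where the "portal" is a peer on the LAN). All answers in the block are constructed sample data; the `resolve_batch` helper is only there so the check can be run live.

```python
"""Detect the 'answer every DNS query with the portal's IP' behaviour.

Added example; not code from the article or from Intercepter-NG.  Given the
A records returned for several unrelated hostnames, it flags the case where
they all collapse onto one address.  All answers below are constructed sample
data (TEST-NET ranges stand in for real addresses in the normal case).
"""
import ipaddress
import socket
from collections import Counter

# Unrelated names; a legitimate resolver never maps all of them to one IP.
CANARY_NAMES = [
    "www.msftconnecttest.com",
    "www.apple.com",
    "connectivitycheck.gstatic.com",
    "example.org",
]

# Constructed: every name resolved to the same LAN address.
SAMPLE_HIJACKED = {
    "www.msftconnecttest.com": "192.168.1.7",
    "www.apple.com": "192.168.1.7",
    "connectivitycheck.gstatic.com": "192.168.1.7",
    "example.org": "192.168.1.7",
}

# Constructed: distinct TEST-NET addresses standing in for real ones.
SAMPLE_NORMAL = {
    "www.msftconnecttest.com": "192.0.2.10",
    "www.apple.com": "198.51.100.20",
    "connectivitycheck.gstatic.com": "203.0.113.30",
    "example.org": "192.0.2.40",
}


def is_lan_address(addr):
    """True for RFC1918, link-local and loopback addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_link_local or ip.is_loopback


def analyse_answers(answers, min_names=3):
    """Verdict for a batch of name -> address answers.

    captive_portal_suspected: all names resolved to one address.
    lan_address: that shared address is on the local segment, i.e. the
    'portal' is a peer on our LAN rather than a gateway-side appliance.
    """
    if len(answers) < min_names:
        raise ValueError("need at least %d names for a meaningful check" % min_names)
    counts = Counter(answers.values())
    shared, hits = counts.most_common(1)[0]
    collapsed = hits == len(answers)
    return {
        "captive_portal_suspected": collapsed,
        "shared_address": shared if collapsed else None,
        "lan_address": collapsed and is_lan_address(shared),
        "distinct_addresses": len(counts),
    }


def resolve_batch(names=CANARY_NAMES):
    """Live lookup helper (needs network); names that fail to resolve are skipped."""
    answers = {}
    for name in names:
        try:
            answers[name] = socket.gethostbyname(name)
        except socket.gaierror:
            pass
    return answers


if __name__ == "__main__":
    print(analyse_answers(SAMPLE_HIJACKED))
    print(analyse_answers(SAMPLE_NORMAL))
```

On a real network, `analyse_answers(resolve_batch())` performs the check against the system resolver; a genuine captive portal on the gateway typically answers with a public or gateway address, while the LAN case is the one worth an alert.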


On the client side there are also auxiliary mechanisms for detecting the presence of a captive portal. They differ between operating systems and browsers, but the algorithm is broadly the same: resolve a specific domain and check that a known file is reachable.



For Windows Vista / 7 / 8 this check is www.msftncsi.com/ncsi.txt

For Windows 10 - www.msftconnecttest.com/connecttest.txt

For iOS - www.apple.com/library/test/success.html

Android and Chrome make a request to /generate_204 on one of their domains.
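The checks listed above share one algorithm: fetch a fixed plain-HTTP URL and compare the answer with a known expected response. The block below is an added example, not code from the article or from Intercepter-NG. It classifies a single probe response as "online", a redirect to a public host (an ordinary captive portal), a redirect to a LAN address (the pattern this article describes, where the portal is a peer on the same segment), or "unexpected". The expected status and body for each probe URL are assumptions based on the publicly documented probe behaviour, and the responses used in the `__main__` section and the test are constructed.

```python
"""Classify a connectivity-probe response the way the OS checks do.

Added example for this article; it is not code from the article or from
Intercepter-NG.  The expected bodies per probe are assumptions based on the
publicly known probe behaviour, and every response fed in below is constructed.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Probe URL -> (expected status, expected body).  The 204 probe must return an
# empty body; the others must contain the given text.
PROBES = {
    "http://www.msftncsi.com/ncsi.txt": (200, "Microsoft NCSI"),
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
    "http://www.apple.com/library/test/success.html": (200, "Success"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
}


def is_lan_host(host):
    """True when the redirect target is an RFC1918 / link-local / loopback IP."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than a literal address
    return ip.is_private or ip.is_link_local or ip.is_loopback


def classify_probe(url, status, headers, body):
    """Return 'online', 'captive_portal_lan_redirect',
    'captive_portal_redirect' or 'unexpected' for one probe response."""
    expected_status, expected_body = PROBES[url]
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES and "location" in lowered:
        target = urlparse(lowered["location"])
        # Redirecting a plain-HTTP probe to an address on the local segment is
        # the signature of the attack in the article: the "portal" is a peer.
        if is_lan_host(target.hostname):
            return "captive_portal_lan_redirect"
        return "captive_portal_redirect"
    if status != expected_status:
        return "unexpected"
    body_ok = body == "" if expected_status == 204 else expected_body in body
    return "online" if body_ok else "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect so we can inspect it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_and_classify(url, timeout=5):
    """Live variant: issue the probe without following redirects (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(url, resp.status, dict(resp.headers),
                                  resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # With redirects unhandled, a 3xx surfaces here with its headers intact.
        return classify_probe(url, err.code, dict(err.headers), "")


if __name__ == "__main__":
    # Constructed responses: the redirect a LAN-side "portal" would send, then
    # the genuine answer.
    url = "http://www.msftconnecttest.com/connecttest.txt"
    print(classify_probe(url, 302, {"Location": "http://192.168.1.7/"}, ""))
    print(classify_probe(url, 200, {}, "Microsoft Connect Test"))
```

Running `fetch_and_classify` for each key of `PROBES` from a monitored host gives a quick health check that distinguishes a normal portal from the LAN-redirect case; an endpoint agent can raise an alert on the latter because a real portal does not live at a peer's address.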



The key point here is the use of plain HTTP. This is done so that the captive portal can send the client a redirect to the authorization page.



Now I will describe how you can create a Captive Portal using only Intercepter-NG and carry out a MiTM attack.



Let's use ARP spoofing against the target chosen for the tests; let it be Windows 10. Then we need to "isolate" the target from the Internet, as a real captive portal does. Here it is enough to enable SSL MiTM: the "Internet" in the form of a browser, and every service that uses HTTPS, will stop working because of certificate trust errors.
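The ARP spoofing step that starts this chain is what a host-side monitor can catch before any portal page appears. The block below is an added example, not code from the article or from Intercepter-NG. It parses neighbor-table snapshots in either Windows `arp -a` or Linux `ip neigh` layout and alerts when the default gateway's MAC address changes between snapshots or when one MAC claims several IP addresses. The snapshots and MAC addresses in it are constructed sample data.

```python
"""Spot ARP spoofing from neighbor-table snapshots.

Added example; not code from the article or from Intercepter-NG.  The two
snapshots below are constructed to look like 'arp -a' output on Windows, and
the parser also accepts Linux 'ip neigh' lines.
"""
import re

MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed baseline: the gateway and one peer, as seen on a quiet network.
BASELINE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.33          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed snapshot taken while a peer is poisoning the cache: the gateway
# IP now maps to the peer's MAC, so that MAC claims two addresses.
DURING_ATTACK = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.33          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_neighbor_table(text):
    """Map IPv4 -> normalised MAC (lower case, colon separated).

    Lines without both an IPv4 address and a MAC (headers, the Windows
    'Interface:' line) are ignored.
    """
    table = {}
    for line in text.splitlines():
        ip = IPV4_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return table


def detect_arp_spoofing(baseline, current, gateway_ip):
    """Return a list of alert strings; empty means nothing suspicious."""
    alerts = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append("gateway %s MAC changed %s -> %s" % (gateway_ip, old, new))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != BROADCAST:
            alerts.append("MAC %s claims several IPs: %s" % (mac, ", ".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    before = parse_neighbor_table(BASELINE)
    after = parse_neighbor_table(DURING_ATTACK)
    for alert in detect_arp_spoofing(before, after, "192.168.1.1"):
        print(alert)
```

In practice the baseline is captured once after connecting and the comparison is repeated on a timer; pairing it with a static ARP entry for the gateway on critical hosts removes the precondition for the rest of the technique.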



Faced with HTTPS being unavailable, the target runs the connection checks described above. Specifically for the captive portal feature, a handler for these checks was added to Intercepter; it responds by redirecting the target to its own IP address. Intercepter's FATE mode uses a simple web server, and there you can also select a template for the portal page. As a result, the target ends up on the portal we created.



Here are some interesting points:



1. Windows has many different network processes running in the background. If one of them fails to connect, the network state detection mechanism may be triggered. While under attack, Windows picks up Intercepter's redirect and opens a browser with our portal. Imagine the situation: a user's session is locked, the user returns to the workplace, logs in, and the attacker's web page immediately pops up on the screen.



2. The attack is running, the target opens Chrome and tries to log in to Google. An SSL error occurs because MiTM is enabled, then Chrome sends a request to /generate_204; Intercepter responds with a redirect and Chrome opens the portal page in a new tab.



This technique works on both wireless and wired networks, and at any moment, not only right after connecting to the network. Several tests were carried out on Android smartphones and everything works. With Apple it is not yet clear: on iOS 12 and 13, no diagnostic HTTP requests were observed when HTTPS was blocked; this may be resolved in the future.



The scope of this MiTM portal is limited only by imagination. More details and a full demonstration are presented in the next video. It shows interception of user input, Twitter authorization using SSL Strip and HSTS spoofing, and interception of SSL authorization on Vkontakte.







→ The updated build can be downloaded from Github



The information is provided for review purposes; use it for good. A Telegram chat is available.


