Is it possible to intercept a Captive Portal and pass authentication through?

[nopenoway]

Hi All,

Proud new owner of a Pineapple mk V here but fairly new user.

I'm trying to test a network which is 'Open' and redirects any connected users to a captive portal (requiring AD logins).

I'm wondering if it would be possible to perform an attack that does the following:

wlan0 broadcasts 'TARGET_SSID' as Open with the same spoofed MAC address/ESSID etc

Wlan1 connects to the 'legitimate' 'TARGET_SSID' and connects to the captive portal page

When a user connects to the fake TARGET_SSID on wlan0 they should see a SSL-stripped version of the captive portal.

Ideally, Once they login, the login should pass through WLAN1 to get internet/network access.

If that's occurred successfully, the user should be allowed to browse as per usual while having a SSL-stripping attack performed.

I'm not sure how to tie all these attacks together, from what i've been able to read so far, each of these attacks can happen but all happen individually.

Could anyone point me in the direction of any guides etc that will help me do this or have any pointers?

Many thanks,

[digininja]

Captive portals usually work by allowing the MAC of the authenticated user through so they can use all the network services so the basic way you would do this attack would be:

wlan0 puts up fake AP with fake login page. Don't pass through and don't sslstrip, just put up the page and ask for creds

wlan1 associates with the real AP

When a user sends creds to your fake portal it takes those and repeats the form POST (that is the most common auth method) against the real login page

If the login is successful the MAC of wlan1 is then approved for use on the network

Once you detect this success you take down the fake captive portal page and allow traffic to flow freely

Automating this shouldn't be to hard if you can do a bit of coding

[sud0nick]

May I suggest using PortalAuth to try cloning the portal? It will also use nmap to grab the MAC addresses of all other clients on the network if auto authentication fails so you can spoof your MAC.