Jump to content

how can i force a captive portal to pop up using brup suite ?


Recommended Posts

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

2 minutes ago, digininja said:

If it is code making the requests

but that's what normally happens when connecting to a captive portal.



2 minutes ago, digininja said:

and not a browser then I can understand why it wouldn't cause any alerts

hmm it mostly happens in the background then a page pops up using webview.

Link to comment
Share on other sites

But if you can't get it working in the browser then you are unlikely to get it working elsewhere.

And does it matter where you target if all you want is to have it make a request that causes a portal to be shown?

Link to comment
Share on other sites

2 minutes ago, digininja said:

And does it matter where you target if all you want is to have it make a request that causes a portal to be shown?

yup it matters ... for the browser i can do it manually but for the webview there is no why to do that without the captive portal (dns spoofing + http redirect ) .

Edited by mooooon
Link to comment
Share on other sites

38 minutes ago, digininja said:

What's so special about doing it that way?

the webview  is much limited environment and the captive portal opens in it by default  so i wanna do some testing it and stuff.. 

and for the really real  truth about my history of posts lately...
a long while ago maybe the last year i got an idea after reading about dns rebinding and thought about doing it in lan which makes no sense , right ? 

so i tried a couple of keywords in google and found this (and a couple of awesome writes) which is so similar to what i was thinking about minus the cache minus counting  on the chance of them opening an http page in a browser minus giving them internet access or letting them connect to our ap for more than 15 sec.

just captive portal with the same ip of the target device which is mostly or we can grab it using web rtc &  turnscan.js or even Kr00k .... the attack may be split into 2 parts 1- enumeration (this includes grabbing the router page to know the exact model or this can be done if wps available just a wash scan)   2- attacking ? .... .so it's as simple as  targets connects the page opens automatically we disconnect it then the targets reconnects to its original network the code gets executed we get the password.

but as dump as i can be i focused on the second part and forgot the start ... i tried to learn js especially for this... so i browsed the most common routers here and tried to bypass their shitty csrf tokens and cookie shit ... which took me more than it should... then i came across the fact that not all the routers have the wifi password  in their config pages ... and some store it in the config file only which is encrypted ... then i tried my best with it using ida and couldn't make it without the router pass view nirsoft guy.

doing all of this and forgetting about the kickstart the captive portal thinking that i can add an open in the browser button to it or that it stays open till you close it manually ... which turns out that after android 5 it closes automatically when the login is done or a network change is detected ... and when it testing on some other devices i found that a few a little few of  them opens it in the browser by default which gave some chance for this to work but the number was very low to procced with it..... so i tried every single thing on the internet to get out of the webview but all failed . once in the captive portal webview there is no way out ! 

so this the little story that i didn't share with many.

Edited by mooooon
Link to comment
Share on other sites

It is an interesting concept but seems very unlikely to work reliably in the real world. A lot of routers now ship with unique passwords, so that kills quite a few of the attacks. I've not used a default router for a while so don't know how many contain the wifi password in the GUI, certainly not all of them, so that kills off some more of the targets.

Even for default creds, you'd need to pick a very limited range of devices to have a working list of default IPs, credentials, and ways to extract the wifi password.

I can see it maybe working in a lab environment, or if you know exactly what devices the victim has, but there just seem like too many variables to make it practical. There may be shortcuts and smart ways to do call outs to external sites to offload some of the processing, but still not sure.

Link to comment
Share on other sites

52 minutes ago, digininja said:

external sites to offload some of the processing, but still not sure.

@digininja i have a working demo js & php files for 2-3 routers you put it in the place of captive portal landing page in fluxion or wifiphisher and run it then after the page loads connect back to your network.

56 minutes ago, digininja said:

It is an interesting concept but seems very unlikely to work reliably in the real world

not really i think.. if it wasn't for the captive portal problem it would have worked just perfect.

all the problems you are listing can be solved using the first part which is the target enumeration  and a big part of it can be done without needing an access to that network ... with the mac address you can find out the vendor which narrows the targets list even more and if you are lucky enough you may have wps enabled even on PBC mode ( which is unhackable using wps pin mostly) you will get the exact model of the device... all of this depends on where you are , like i made this while thinking about ISPs routers as the most are using them here and a shit ton of places according to shodan.

and about the connected devices thats why i made a post asking how can i collect the useragents using karma + deauth from a specific ap clients.

and about the router as i said you can grab the router page in the first part after that you prepare the second payload to that router [ if you are quick enough you may love to use a beef hook to directly make changes] 

1 hour ago, digininja said:

I've not used a default router for a while so don't know how many contain the wifi password in the GUI

i can tell you the most do if not all of them.

1 hour ago, digininja said:

A lot of routers now ship with unique passwords

i know about this , but here the catch the password are mostly 8 digits and for some unknown reason they make it the same as the default wifi password which means that when you crack the wifi password you get access to the admin panel instantly too.

and i made a list with every model and how its default password looks like and if it have a unique admin password or a unique wifi password or both.. 

and here is a bigger catch to the phrase up up this ... what i found while full port scanning the devices is that they have UPNP enabled by default mostly and even with disabling it the upnp stills be open with very limited functionality 

the catch is .... that the unique password is the last 8 digits or characters of the serial number that you can easily grab by visiting the device ip:upnp port which i tried and worked just fine....and that's supposed to be a unique password , people don't change the password when it's just admin and what about a unique password written on the back of the device ? they will never think about changing it even if the router page asks them to ( which one of the models did)...  here is something similar to this which is super awesome read btw. 

1 hour ago, digininja said:

list of default IPs

no need web rtc + turn scan you can easily get the ip in a few seconds.

and incase of the def pass doesn't work .... you have EXPLOITS which is main key in this attack ... all the devices that i have tested have vulnerabilities a way or another ( auth bypass - info leak - hardcoded passwords - unnecessary services .. etc)

and one case of info leak i have came across a device leaks the serial number that contains the password... which you can use to login to the admin panel.


complicating this to the maximum level 

Reset Detection Attack login do you know what the victim mostly does when faced with evil twin attack ?! THEY RESET THE DAMN DEVICE HOPPING THAT FIXES THE PROBLEM.

do you know how routers reacts after being reset ? for example : a one with unique wifi password (in the ones i tested) doesn't ask you for the admin password when you first configure them in some form of setup wizard here comes the attack.

and as they say anything is better than nothing( pss : the evil twin is the nothing ) s which they consider the ultimate wifi hack currently.

Link to comment
Share on other sites


i forgot to say that the captive portal thing isn't a problem in case of desktops and i heard that you can force ios devices to open the captive portal in a browser is it correct ? 


and by exploiting that the auto fil is triggered with the same url .

we get that unique password which is mostly saved by the browser and will be auto filed the second you load the page. and you know who saves the router password in the browser ?me and lot of people.


alsoooooooo about the IPs thing i forgot to mention that routers have a something like domain name ex. http://tplinkwifi.net  , http://router.asus.com 


i got shit ton of similar amazing ideas i listed some here check them if you want.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...