Introduction
In this lab, you will explore how to enhance a captive portal attack by using a generic login page. Captive portals are web pages that users of a public-access network are obliged to view and interact with before access is granted. While often used for legitimate purposes like accepting terms of service, they can also be spoofed for phishing attacks to steal credentials.
Using a generic template, such as a standard router login page, can make the fake portal more believable to a wider range of users, as it doesn't target a specific brand. We will use the wifipumpkin3 tool to create and deploy a fake Wi-Fi access point with a customized captive portal. By the end of this lab, you will have successfully launched a captive portal featuring a generic login page and observed how it captures user credentials.
Start the Captive Portal Attack
In this step, we will begin by launching the wifipumpkin3 tool. This powerful framework allows us to create various types of Wi-Fi attacks, including the captive portal we will be setting up. We will start the tool with sudo privileges, as it needs to manage network interfaces.
First, open a terminal. Your default path is already ~/project. Now, run the following command to start wifipumpkin3:
sudo wifipumpkin3
After running the command, you will see the wifipumpkin3 splash screen and be dropped into its interactive shell, indicated by the wp3 > prompt. This is where we will issue all subsequent commands to configure and launch our attack.
[21:47:18] INFO starting wifipumpkin3...
...
wifipumpkin3 v1.1.4
Wireless-Pumpkin - Framework for Rogue Wi-Fi Access Point Attack
Codename: "The Pumpkin-King"
wp3 >
Now, to begin the captive portal setup process, type start and press Enter. This command will initiate the attack and guide you through the necessary configuration choices.
wp3 > start
When Prompted for a Portal, Select a Generic Brand
In this step, after initiating the attack with the start command, wifipumpkin3 will prompt you to choose a captive portal template. The tool organizes its templates into categories to make selection easier. For our purpose, we want to use a login page that is not specific to any particular service like Facebook or Google, as this increases the chances of tricking a user.
The tool will present a list of portal categories. We will select the "Generic" category. Look for an option similar to the one shown below and enter its corresponding number.
Please select a portal category:
[1] Social Media Logins
[2] Email Provider Logins
[3] Generic Brands
[4] Terms of Service
...
Enter the number of your choice:
At the prompt, type the number corresponding to Generic Brands and press Enter. For this example, we will assume it is 3.
3
This tells wifipumpkin3 that you want to use a template from its collection of generic, non-branded login pages.
Choose a Portal like 'Generic Router Login'
In this step, after selecting the "Generic Brands" category, wifipumpkin3 will display a sub-list of available templates within that category. Our goal is to select a portal that mimics a typical router or network device login page. This is a common and effective lure, as users are often accustomed to seeing such pages when connecting to new networks.
You will see a new prompt with a list of specific generic portals.
Please select a generic portal:
[1] Generic Router Login
[2] Generic Wi-Fi Terms of Service
[3] Generic Hotel Wi-Fi Login
...
Enter the number of your choice:
From this list, choose Generic Router Login by typing its corresponding number and pressing Enter. In this example, we'll type 1.
1
By selecting this option, you have now configured the captive portal to use a standard, generic router login page as its phishing template. The tool is now almost ready to launch the attack.
Launch the Attack and Connect a Client Device
In this step, with the portal template selected, wifipumpkin3 will automatically finalize the configuration and launch the fake Access Point (AP). The terminal will display logs indicating that the AP is active and waiting for clients to connect.
Now, we need to simulate a client device connecting to our malicious network and being redirected to the captive portal. In the LabEx VM environment, we can do this by using the built-in Firefox web browser.
First, observe the output in your wifipumpkin3 terminal. You should see messages indicating the AP has started successfully.
[21:48:10] INFO roguehostd: service is running...
[21:48:10] INFO dhcpd: service is running...
[21:48:11] INFO accesspoint: setting up AP on wlan0
[21:48:12] INFO accesspoint: AP [Free-WiFi] started at (channel 6)
Next, open a new terminal tab or window and launch the Firefox browser by typing the following command:
firefox http://neverssl.com &
We use http://neverssl.com because it is a non-HTTPS site, which ensures the captive portal redirection works correctly. Modern browsers often prevent redirection on HTTPS sites for security reasons. The & at the end runs the process in the background, allowing you to continue using the terminal.
Observe the Appearance of the Selected Generic Portal
In this final step, you will observe the results of the attack. The Firefox browser you launched should have been automatically redirected to the captive portal page you selected.
In the Firefox window, you will see the "Generic Router Login" page. It will be a simple form asking for a username and password, designed to look like a standard administration page for a network router.
To test the credential capturing functionality, enter some fake data into the form. For example:
- Username:
admin - Password:
password
After you submit the form, switch back to the wifipumpkin3 terminal window. You will see that the credentials you entered have been captured and are displayed in the logs.
[21:50:15] INFO PumpkinProxy: GET / HTTP/1.1 200
[21:50:25] INFO PumpkinProxy: POST / HTTP/1.1 200
[21:50:25] INFO PumpkinProxy: Captive Portal -----------------------------------
[21:50:25] INFO PumpkinProxy: Client-Info:
IP: 10.0.0.2
MAC: 02:42:ac:11:00:02
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
[21:50:25] INFO PumpkinProxy: Credentials:
username: admin
password: password
[21:50:25] INFO PumpkinProxy: ------------------------------------------------
You have now successfully deployed a captive portal with a generic login page and captured credentials from a simulated client. To stop the attack, you can type stop in the wp3 > prompt and then exit to close the tool.
Summary
In this lab, you learned how to set up and customize a captive portal attack using wifipumpkin3. You successfully launched the tool, navigated its interactive prompts to select a generic router login template, and deployed a fake Wi-Fi access point. By simulating a client connection with a web browser, you observed the customized portal in action and confirmed its ability to capture credentials.
This exercise demonstrates how easily a convincing phishing attack can be created and highlights the importance of being cautious when connecting to unknown or public Wi-Fi networks. Using generic templates makes such attacks more versatile and harder to detect for the average user.