Introduction
In this lab, you will learn the fundamental steps to identify a rogue Access Point (AP) and a malicious captive portal. A rogue AP is a wireless access point installed on a network without the network owner's explicit authorization. Attackers often use them to launch "man-in-the-middle" attacks to intercept traffic.
A captive portal is a web page that users must view and interact with before being granted access to a public network. While many legitimate hotspots use them, attackers can create their own to phish for credentials.
This lab will simulate this scenario in a safe environment. You will use command-line tools to scan for networks, spot a suspicious "evil twin" network, and analyze a fake captive portal to identify it as a threat.
Scan for Wi-Fi Networks on a Client Device
In this step, you will simulate scanning for available Wi-Fi networks. In a real-world scenario, you would use tools like nmcli, iwlist, or airodump-ng. For this lab, we have prepared a script named scan-wifi.sh that mimics the output of a network scan. This allows us to perform the lab without requiring physical Wi-Fi hardware.
All files for this lab are located in the ~/project directory. Let's execute the script to see the list of simulated Wi-Fi networks.
Run the following command in your terminal:
~/project/scan-wifi.sh
You should see an output similar to this, listing the available networks, their signal strength, and security type.
IN-USE  BSSID              SSID       MODE   CHAN  RATE       SIGNAL  BARS  SECURITY
*       AA:BB:CC:11:22:33  CorpWifi   Infra  6     54 Mbit/s  90      ▂▄▆█  WPA2
        AA:BB:CC:44:55:66  CorpWifi   Infra  11    54 Mbit/s  95      ▂▄▆█  --
        DE:F0:12:34:56:78  GuestWifi  Infra  1     54 Mbit/s  70      ▂▄▆_  WPA2
Notice Two Networks with the Same Name (ESSID)
In this step, you will analyze the scan results to spot an anomaly. The ESSID (Extended Service Set Identifier) is the public name of a Wi-Fi network.
Look closely at the output from the previous step. You should notice that two different networks share the same SSID, "CorpWifi". This is a classic sign of a potential "Evil Twin" attack. One network is the legitimate one, and the other is a rogue AP set up by an attacker.
The key difference is in the SECURITY column. The legitimate network uses WPA2 encryption, while the rogue network is open (indicated by --). Attackers often create open networks because users are more likely to connect to them without needing a password. Note that two BSSIDs sharing one SSID is not suspicious by itself, since corporate deployments routinely run several access points under the same name; the tell is the same name being offered both with and without encryption.
To make this clearer, let's use the grep command to filter the output and show only the networks named CorpWifi.
~/project/scan-wifi.sh | grep CorpWifi
This command will produce the following output, highlighting the two networks.
*       AA:BB:CC:11:22:33  CorpWifi   Infra  6     54 Mbit/s  90      ▂▄▆█  WPA2
        AA:BB:CC:44:55:66  CorpWifi   Infra  11    54 Mbit/s  95      ▂▄▆█  --
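The check above can be automated so it does not depend on reading the table by eye. The following script is an added example, not part of the lab's files: it embeds a constructed copy of the scan output and flags any SSID that is advertised both encrypted and open. The assumption that SSIDs contain no spaces is noted in the code.

```shell
# Constructed sample in the scan-wifi.sh layout shown above (the lab's own script is not used here).
SAMPLE_SCAN='IN-USE  BSSID              SSID       MODE   CHAN  RATE       SIGNAL  BARS  SECURITY
*       AA:BB:CC:11:22:33  CorpWifi   Infra  6     54 Mbit/s  90      ▂▄▆█  WPA2
        AA:BB:CC:44:55:66  CorpWifi   Infra  11    54 Mbit/s  95      ▂▄▆█  --
        DE:F0:12:34:56:78  GuestWifi  Infra  1     54 Mbit/s  70      ▂▄▆_  WPA2'

# Reads scan output on stdin and prints one SUSPECT line per SSID that is advertised
# both with encryption and as an open (--) network. Lines without a BSSID (the header)
# are skipped, so the function also accepts the grep-filtered output from the lab.
# Assumption: SSIDs contain no spaces; for real nmcli output use its -t/-f options instead.
find_evil_twins() {
  awk '
    {
      bssid = ""
      for (i = 1; i < NF; i++)
        if (length($i) == 17 && split($i, p, ":") == 6) { bssid = $i; ssid = $(i + 1); break }
      if (bssid == "") next                 # header or malformed line
      sec = $NF                             # SECURITY is always the last column
      seen[ssid]++
      if (sec == "--")
        open[ssid] = (open[ssid] == "" ? bssid : open[ssid] "," bssid)
      else
        secured[ssid] = 1
    }
    END {
      # Several BSSIDs with one SSID is normal for multi-AP deployments; the tell is
      # the same name offered with and without encryption.
      for (s in seen)
        if (secured[s] && open[s] != "")
          printf "SUSPECT %s open-bssid=%s\n", s, open[s]
    }' | sort
}

printf '%s\n' "$SAMPLE_SCAN" | find_evil_twins
```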
Connect to the Open (Unencrypted) Version of the Network
In this step, we will simulate connecting to the suspicious, open "CorpWifi" network. In a real scenario, your device's operating system would handle the connection. For our simulation, "connecting" will involve starting a local web server that will act as the rogue AP's captive portal.
The files for this fake portal are located in the ~/project/portal directory. We will run a simple Python web server from that directory. To keep our terminal free for other commands, we'll run the server as a background process.
First, change your current directory to ~/project/portal:
cd ~/project/portal
Next, start the Python web server in the background using the & symbol:
python3 server.py &
You will see a process ID and a confirmation message, indicating the server is running.
[1] 1234
Serving captive portal on port 8000
The server is now running and listening for connections on port 8000, simulating the environment of the rogue network.
Observe the Automatic Redirect to a Login Page
In this step, you will see the captive portal in action. After connecting to a network with a captive portal, any attempt to browse the web is typically intercepted and redirected to a login or terms-of-service page.
We will simulate this by using the curl command to try to access a website. Since our simulated network environment is controlled by the Python server we just started, any HTTP request to localhost:8000 is "captured" and answered with the index.html file from our portal.
Use curl to make a request to the local server. This mimics a browser's initial request after connecting to the new network.
curl http://localhost:8000
The command will return the HTML source code of the fake login page. In a real browser, this code would be rendered as a graphical login form.
<!DOCTYPE html>
<html>
  <head>
    <title>CorpWifi Login</title>
    <style>
      body {
        font-family: sans-serif;
        background: #f0f2f5;
        display: flex;
        justify-content: center;
        align-items: center;
        height: 100vh;
        margin: 0;
      }
      .login-box {
        background: white;
        padding: 20px 40px;
        border-radius: 8px;
        box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
        text-align: center;
      }
      input {
        margin: 10px 0;
        padding: 8px;
        width: 200px;
        border: 1px solid #ddd;
        border-radius: 4px;
      }
      button {
        padding: 10px 20px;
        background-color: #1877f2;
        color: white;
        border: none;
        border-radius: 5px;
        cursor: pointer;
        width: 100%;
      }
    </style>
  </head>
  <body>
    <div class="login-box">
      <h2>CorpWifi Access</h2>
      <p>Please log in to continue.</p>
      <input type="text" placeholder="Username" />
      <br />
      <input type="password" placeholder="Password" />
      <br />
      <button>Log In</button>
      <p style="font-size: 12px; color: #888; margin-top: 15px;">
        Powered by CorpWifi-Login.net
      </p>
    </div>
  </body>
</html>
Recognize the URL is not a Legitimate Domain
In this final step, you will perform the crucial check that confirms this is a malicious captive portal. The goal of such a portal is to trick you into entering your credentials on a fake page. The most reliable way to spot a fake is to inspect the domain name in the page's URL.
In a real browser, you would check the address bar. In our simulation, we can inspect the HTML content for clues. Looking at the HTML from the previous step, we can find a suspicious line of text at the bottom. Let's use grep to find it within the index.html file.
First, let's return to the main project directory.
cd ~/project
Now, search for suspicious text within the portal's HTML file:
grep 'CorpWifi-Login.net' portal/index.html
The command will find and display the line containing the suspicious domain.
<p style="font-size: 12px; color: #888; margin-top: 15px;">Powered by CorpWifi-Login.net</p>
The domain CorpWifi-Login.net is highly suspicious. Attackers often register domains that sound official but are not. A legitimate corporate portal would be hosted on the company's official domain (e.g., wifi.corp.com). This discovery confirms that the open network is a rogue AP, and the login page is a phishing attempt.
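The same domain check can be made systematic: pull every hostname-looking string out of the portal's HTML and compare it against the domains the organisation actually owns. This is an added example, not one of the lab's files; the HTML is a constructed excerpt of the page shown above, and the allowlist entry corp.com is an assumption taken from the lab's wifi.corp.com example.

```shell
# Constructed excerpt of the portal page (not read from ~/project/portal/index.html).
SAMPLE_HTML='<html><body><div class="login-box"><h2>CorpWifi Access</h2>
<p style="font-size: 12px; color: #888; margin-top: 15px;">Powered by CorpWifi-Login.net</p>
<form action="https://wifi.corp.com/login"></form></body></html>'

# Domains the organisation legitimately uses. Assumption: corp.com, matching the
# lab's wifi.corp.com example. Subdomains of an allowed domain are accepted too.
ALLOWED_DOMAINS='corp.com'

# Prints each hostname-looking token found on stdin, lowercased and de-duplicated.
# Tokens must contain at least one dot followed by an alphabetic label, which keeps
# CSS values such as "0.1" or "#f0f2f5" out of the result.
extract_domains() {
  grep -oiE '([a-z0-9-]+\.)+[a-z]{2,}' | tr 'A-Z' 'a-z' | sort -u
}

# Reads HTML on stdin. Returns 0 when every domain is allowed, otherwise prints one
# "UNTRUSTED <domain>" line per offender and returns 1.
check_portal_domains() {
  status=0
  for d in $(extract_domains); do
    ok=0
    for a in $ALLOWED_DOMAINS; do
      case "$d" in
        "$a" | *."$a") ok=1 ;;
      esac
    done
    [ "$ok" -eq 1 ] || { echo "UNTRUSTED $d"; status=1; }
  done
  return $status
}

printf '%s\n' "$SAMPLE_HTML" | check_portal_domains
```

Any UNTRUSTED line is a reason not to type credentials into the page; a clean result only means the page references known domains, not that the network itself is legitimate.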
Summary
In this lab, you successfully identified a rogue AP and a malicious captive portal through simulation. You have learned a practical, step-by-step process for identifying common Wi-Fi threats.
You accomplished the following:
- Scanned for Wi-Fi networks and identified an unencrypted "evil twin" with the same name as a secure network.
- Simulated connecting to the rogue AP by starting a local server.
- Observed how a captive portal intercepts web traffic and presents a login page.
- Analyzed the login page's content to find a suspicious, non-legitimate domain name, confirming the phishing attempt.
The key takeaway is to always be cautious of open Wi-Fi networks and to scrutinize the URL of any login page before entering sensitive information.
Finally, let's stop the background server process. The %1 refers to the first background job.
kill %1
