How does a captive portal work under the hood, and how can I write one in Java to use on a Windows Hotspot?

Xavier T Mukodi :

I want to create a captive portal, first for a Windows hotspot, then for mobile hotspots and all Wi-Fi networks in general. So I want to understand how captive portals work under the hood, and then how I can develop one in Java. I know Java socket programming.

M. Rostami :

What is a captive portal?

It's an authentication screen that is displayed when a wireless client isn't authorized to access the network resources. The authentication page is called a captive portal login.

A Captive Portal can be triggered on the client device in 2 ways:

  1. DNS Redirection
  2. Splash page

DNS redirection works as simple DNS hijacking, where all of the user's DNS requests are hijacked and resolved to the captive portal login page. But after the widespread use of HSTS header implementation, DNS redirection hits a low success ratio, providing no better service to the users.

A Splash Page, by contrast, works in a slightly different fashion. It also uses DNS redirection, but it responds to the requests according to the operating system, which tricks the OS into believing there is a captive portal login in place and forces the OS to automatically trigger the login page for the user.


What is the splash page?

When a client device is connected to the WiFi, if it is unauthorized to access the Internet, a screen automatically pops up to display the captive portal.

A Splash page not only bypasses HSTS implementations on most websites but also gives you the flexibility of showing OS-specific login pages.


The only difference between the regular captive portal and the splash page is that the splash page pulls up the captive portal login page automatically, whereas the DNS redirection based method requires a user to manually open up a website.

Imagine if a user is using a mobile app only, how would a user know he needs to log in? If you are a hacker you will lose your victim because the device will automatically disconnect upon no Internet access. So, this leads us to the much better and flexible option for triggering the captive portal login page, the Splash Screen.

As a business operator, you can show different kinds of services to different client devices, whereas as an attacker you can identify victim machines automatically and serve the payload accordingly. I’ll showcase its crux, and leave the implementation to your creativity and requirements.


Different Client Behaviours:

Every operating system has its own different way of detecting Internet access.
The mechanism is basically this:

GET/POST http://foo.ir/bar.html
If bar.html == [expected content] > Open Internet
If bar.html != [expected content] > Captive Portal
If bar.html[status] != SUCCESS > No Network

If a Captive Portal is not in place, the result will match the expected one and the OS will know that there is full access to the Internet.

If the URL returns a result other than the expected one, then the OS will detect that there is a Captive Portal in place and that it’s needed to proceed with authentication in order to get full access to the Internet: In this case, the OS will open the Splash Page automatically.

All client devices use the above-described strategy to find out if they are behind a captive portal, but the URL might vary depending on the specific model of smartphone, tablet, laptop and depending on the specific OS version. In the following, you can find the list of domains that are contacted by each model in order to detect the captive portal.


Each device, including Android devices from different manufacturers, behaves differently. For example, look at this list:

xperia z5:
connectivitycheck.gstatic.com:80
clients3.google.com:80
---------------------
galaxy j3 2016:
172.217.21.14:80
connectivitycheck.android.com
---------------------
galaxy j7 2015:
172.16.98.10:80
connectivitycheck.gstatic.com:80
---------------------
galaxy note4:
nothing!
---------------------
ios 11:
captive.apple.com/hotspot-detect.html
---------------------
windows 10:
www.msftconnecttest.com

This list shows my tests on different devices. However, different versions of Android devices, Windows operating systems, and iOS would give different results in your tests.
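
The connectivity check described in the answer, written out as an added Java example (it is not part of the original answer): the client side fetches a probe URL and classifies the result, and a loopback server simulates both an open network and a gateway that redirects to a login page. The names `ProbeDemo`, `probe-ok`, `/open`, `/portal` and `/login.html` are constructed for the example, and treating "no HTTP answer at all" as No Network is an assumption about the answer's third rule.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

public class ProbeDemo {
    enum State { OPEN_INTERNET, CAPTIVE_PORTAL, NO_NETWORK }
    static final String EXPECTED = "probe-ok"; // constructed stand-in for [expected content]

    // Client side of the check: fetch the probe URL and compare with the expected body.
    static State probe(HttpClient client, URI url) {
        HttpRequest req = HttpRequest.newBuilder(url).timeout(Duration.ofSeconds(3)).build();
        try {
            HttpResponse<String> res = client.send(req, HttpResponse.BodyHandlers.ofString());
            boolean match = res.statusCode() == 200 && EXPECTED.equals(res.body().trim());
            return match ? State.OPEN_INTERNET : State.CAPTIVE_PORTAL; // redirect or other body
        } catch (java.io.IOException e) {
            return State.NO_NETWORK; // no HTTP answer at all (refused, timed out)
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return State.NO_NETWORK;
        }
    }

    public static void main(String[] args) throws Exception {
        // Loopback simulation: /open answers like the probe host, /portal like a
        // gateway that redirects a client that has not logged in yet.
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/open", ex -> {
            byte[] b = EXPECTED.getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, b.length);
            ex.getResponseBody().write(b);
            ex.close();
        });
        srv.createContext("/portal", ex -> {
            ex.getResponseHeaders().add("Location", "/login.html"); // hypothetical login path
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        srv.start();
        String base = "http://127.0.0.1:" + srv.getAddress().getPort();
        HttpClient client = HttpClient.newHttpClient(); // does not follow redirects by default
        System.out.println(probe(client, URI.create(base + "/open")));
        System.out.println(probe(client, URI.create(base + "/portal")));
        srv.stop(0); // nothing listens on the port any more
        System.out.println(probe(client, URI.create(base + "/open")));
    }
}
```

It needs Java 11 or later for `java.net.http`; the three printed lines correspond to the three branches of the mechanism above.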