I am doing some investigation around wifi captive portals development.
I would like to capture the WiSPr XML tags from a FON authentication captive portal (my neighbours have that active, I have also a roaming account for that).
Trying to authenticating in an iPhone or even a Mac does not cut it, as the equipment detects the captive portal/WIPr tags, and open a dedicated window/mini-browser without any controls; trying to open the page on a Linux/*BSD might not work as the browser user agent / or behaviour won’t be recognized as iPhone/Apple.
Sniffing the iPhone transaction also does not cut it, as the web login page of the captive portal is handled in https/TLS (e.g. it is encrypted on the wire).
I also tried sysdig in a Linux, and obviously hit again the head on the encrypted transmissions.
wget is also not getting satisfying results.
What to do?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
I ended up using lynx in a FreeBSD system; initially used the -dump option, that allowed to see the redirects, but only output and not contents ; then discovered the -source option, that shows the source/HTML and does not attempt to render it.
I also used the option -useragent to pretend I was an iPhone doing WISPr discovery, and also tried to get one of the pages the iPhone tries to get to discover if it is dealing with a captive portal (http://www.apple.com/library/test/sucess.html).
I also had to deal with the fact the FON captive portal is self-signed(?), or my FreeBSD does not know the underlying SSL root certificate. (I did not lost much time tracing that); I just had to configure lynx to accept self-signed certificates (will write the question later on and had a link here).
So the actual commands I used where:
lynx -useragent=CaptiveNetworkSupport -dump http://www.apple.com/library/test/sucess.html
and however, while the first has it´s usefulness, the one that interested me more was:
lynx -useragent=CaptiveNetworkSupport -source http://www.apple.com/library/test/sucess.html
Using the latter command line, gave me back the HTML source in it´s full glory with the embedded WISPr tags.
From man lynx
-dump dumps the formatted output of the default document or those
specified on the command line to standard output. Unlike
interactive mode, all documents are processed. This can be used
in the following way:
lynx -dump http://www.subir.com/lynx.html
Files specified on the command line are formatted as HTML if
their names end with one of the standard web suffixes such as
".htm" or ".html". Use the -force_html option to format files
whose names do not follow this convention.
-source
works the same as dump but outputs HTML source instead of
formatted text. For example
lynx -source . >foo.html
generates HTML source listing the files in the current
directory. Each file is marked by an HREF relative to the
parent directory. Add a trailing slash to make the HREF's
relative to the current directory:
lynx -source ./ >foo.html
taken from the captured login page:
<!-- WISPr message -->^M <span class="displayNone"><!--<?xml version="1.0" encoding="UTF-8"?>^M <WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.acmewisp.com/WISPAccessGatewayParam.xsd">^M <Redirect>^M <AccessProcedure>1.0</AccessProcedure>^M <LoginURL>https://xxxx/captive/noswifi?hmac=xxxx&res=notyet&uamip=xxxx&uamport=80&userurl=&challenge=xxxxxxe&nasid=BC-14-01-XX-XX-XX&mac=00-15-AF-XX-XX-XX</LoginURL>^M <AbortLoginURL>http://xxxx:80/captive/logoff</AbortLoginURL>^M <MessageType>100</MessageType>^M <ResponseCode>0</ResponseCode>^M <AccessLocation>FonZON:PT</AccessLocation>^M </Redirect>^M </WISPAccessGatewayParam>-->^M </span>
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0