Captive Portals for Pentesting: What They Are and How to Use Them Responsibly
Legal Disclaimer: The techniques described in this article are intended solely for authorized security testing and educational purposes. Deploying a captive portal, evil twin access point, or any credential-harvesting tool against networks or users without explicit written authorization is illegal under the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and equivalent legislation worldwide. Always obtain written permission before conducting any penetration test. InfiShark Technologies Inc. assumes no liability for misuse of the information or tools described herein.
What Is a Captive Portal?
You've seen them dozens of times. You connect to the Wi-Fi at a hotel, airport, or coffee shop, open your browser, and instead of your destination you land on a login page - sometimes asking for a room number, an email address, or payment details before granting internet access. That interstitial page is called a captive portal.
Technically, a captive portal works by intercepting all outbound HTTP (and sometimes HTTPS) traffic from a newly connected device and redirecting it to a locally hosted web page. The gateway only releases the client to the open internet after a condition is met - credentials verified, terms accepted, or payment processed. They're a fixture of hospitality networks, corporate guest Wi-Fi, and public hotspots worldwide.
They're also one of the most underestimated attack surfaces in wireless security.
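To make the redirect-until-released behavior concrete, here is a small gateway decision routine written for this article (added example, not code from the original page or from any product it mentions). The portal address, session length and client MACs are assumed values; note that HTTPS requests cannot be redirected without a certificate error, so a gateway simply blocks them until the client is released.

```python
import time
from urllib.parse import quote

PORTAL_URL = "http://10.0.0.1/portal"  # assumed address of the portal page on the gateway

# Hostnames that operating systems fetch to detect a captive portal; answering
# them with a redirect instead of the expected body is what triggers the OS login popup.
OS_PROBE_HOSTS = {"captive.apple.com", "connectivitycheck.gstatic.com",
                  "www.msftconnecttest.com"}


class CaptiveGateway:
    """Per-client decision: pass traffic to the internet, redirect it to the
    local portal, or block it, until the portal's condition has been met."""

    def __init__(self, session_seconds=3600):
        self.session_seconds = session_seconds
        self.authorized = {}  # client MAC -> session expiry (epoch seconds)

    def grant(self, mac, now=None):
        # Called by the portal only after its condition is met
        # (credentials verified, terms accepted, payment processed).
        now = time.time() if now is None else now
        self.authorized[mac] = now + self.session_seconds

    def is_authorized(self, mac, now=None):
        now = time.time() if now is None else now
        expiry = self.authorized.get(mac)
        if expiry is None:
            return False
        if now >= expiry:  # session lapsed: client is captured again
            del self.authorized[mac]
            return False
        return True

    def handle(self, mac, host, path, scheme="http", now=None):
        """Return ('pass', None), ('redirect', location) or ('block', None)."""
        if self.is_authorized(mac, now):
            return ("pass", None)
        if scheme == "https":
            return ("block", None)  # TLS cannot be redirected transparently
        if host in OS_PROBE_HOSTS:
            return ("redirect", PORTAL_URL)
        # Preserve the original destination so the portal can send the user on afterwards
        original = quote(f"http://{host}{path}", safe="")
        return ("redirect", f"{PORTAL_URL}?next={original}")
```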
How Captive Portals Are Used in Penetration Testing
From an attacker's perspective - and therefore from a tester's perspective - captive portals are compelling for one reason: people trust them implicitly. Decades of connecting to hotel and airport Wi-Fi have trained users to expect a login page and to enter credentials without scrutiny. That conditioned behavior is exactly what captive portal pentesting probes.
Evil Twin Attacks
The most common attack vector pairing captive portals with wireless networks is the evil twin. An attacker (or authorized tester) stands up a rogue access point broadcasting the same SSID as a legitimate network. Devices that have previously connected to that SSID - or users who manually select it - associate with the rogue AP. The attacker then serves a captive portal that mimics the legitimate one, harvesting whatever credentials or personal data the victim enters.
Evil twin attacks require no cryptographic breaking. They exploit user trust, not protocol weaknesses. That makes them fast, low-noise, and devastatingly effective against organizations that haven't trained their staff to recognize them.
Credential Harvesting Tests
Beyond evil twins, a captive portal attack can be purpose-built as a social engineering assessment. A tester deploys a portal styled to look like the company's legitimate guest Wi-Fi landing page - same logo, same color palette, same copy. Employees who connect and enter their credentials demonstrate that the organization is vulnerable to this class of phishing. The test is targeted, measurable, and produces actionable data: how many users connected, how many submitted credentials, and how quickly (or slowly) the SOC detected the rogue AP.
Why Organizations Must Test for This Vulnerability
Wireless social engineering is chronically undertested. Most organizations invest heavily in email phishing simulations and endpoint hardening, but leave their RF perimeter almost entirely unexamined. That gap matters because:
- Physical proximity is the only barrier. An attacker with a compact device can conduct a captive portal attack from a parking lot, a shared lobby, or a neighboring office suite. The target doesn't need to click a link in an email - they just need to connect to Wi-Fi.
- Credentials entered into rogue portals are often reused. When users submit credentials to a fake captive portal, those credentials frequently work against internal systems - VPN, email, HR portals - because password reuse remains endemic.
- Detection is hard without prior testing. Unless your SOC has established a baseline of legitimate APs and is actively hunting rogue SSIDs, a well-crafted evil twin can operate undetected for hours or days.
- Compliance frameworks increasingly require it. PCI DSS, HIPAA security rule guidance, and ISO 27001 Annex A controls all touch wireless security. Demonstrating you've tested this vector is a meaningful compliance differentiator during audits.
Testing is the only way to know how your environment holds up - and to give your team a safe, controlled experience of what a real captive portal attack looks like before a real attacker delivers it.
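The detection gap above comes down to having a baseline of authorized APs and comparing every scan against it. The routine below is an added example written for this article, not code from the page or from any product it describes; the AP inventory and scan results are constructed, and it flags two evil twin signals: a corporate SSID advertised by a BSSID that is not in the inventory, and a corporate SSID offered with a weaker security mode than the legitimate network uses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2" or "WPA3"
    signal_dbm: int


# Baseline of authorized APs as a defender would export it from the WLAN controller.
# All values here are constructed for the example.
AUTHORIZED = {
    "Corp-Guest": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "OPEN"},
    "Corp-Staff": {"bssids": {"00:11:22:33:44:11"}, "security": "WPA3"},
}


def find_rogues(observations, baseline):
    """Return (bssid, ssid, reasons) for every observed AP that advertises a
    baseline SSID but does not match the recorded inventory."""
    findings = []
    for ap in observations:
        expected = baseline.get(ap.ssid)
        if expected is None:
            continue  # SSIDs outside the baseline are neighbors, not impersonations
        reasons = []
        if ap.bssid not in expected["bssids"]:
            reasons.append("unknown_bssid")          # classic evil twin
        if ap.security != expected["security"]:
            reasons.append("security_mismatch")      # e.g. open clone of a WPA3 network
        if reasons:
            findings.append((ap.bssid, ap.ssid, reasons))
    return findings


# Constructed scan: two legitimate APs, a neighboring shop, and one open evil twin
SCAN = [
    ApObservation("Corp-Guest", "00:11:22:33:44:01", 6, "OPEN", -55),
    ApObservation("Corp-Staff", "00:11:22:33:44:11", 36, "WPA3", -60),
    ApObservation("CoffeeShop", "aa:bb:cc:dd:ee:01", 11, "OPEN", -70),
    ApObservation("Corp-Staff", "de:ad:be:ef:00:01", 1, "OPEN", -48),
]

if __name__ == "__main__":
    for bssid, ssid, reasons in find_rogues(SCAN, AUTHORIZED):
        print(f"ROGUE {bssid} advertising {ssid!r}: {', '.join(reasons)}")
```

A twin that also copies a legitimate BSSID passes the inventory check, so treat this as one signal alongside channel, signal-strength and security anomalies rather than the only one.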
graph TD
subgraph "Phase 1: Evil Twin Setup"
A[BLEShark Nano] --> B[Scan for Target WiFi AP]
B --> C[Clone SSID and Channel]
C --> D[Launch Rogue Access Point]
D --> E[Deauth Clients from Real AP]
end
subgraph "Phase 2: Client Redirect"
E --> F[Victim Auto-Reconnects to Rogue AP]
F --> G[DNS Intercept All Requests]
G --> H[Redirect to Captive Portal Page]
end
subgraph "Phase 3: Credential Harvest"
H --> I[Display Custom Login Page]
I --> J{User Action}
J -->|Submits Credentials| K[Capture via JSON POST]
J -->|Closes Page| L[No Credentials Captured]
K --> M[Log to BLEShark Storage]
M --> N[Include in Pentest Report]
end
subgraph "Phase 4: Documentation"
N --> O[Record Success Rate]
O --> P[Identify Vulnerable Users]
P --> Q[Recommend Training]
end
Complete evil twin captive portal attack flow during an authorized pentest. The BLEShark Nano clones the target network, redirects clients to a custom login page, and logs submissions — all to measure how many employees fall for credential harvesting.
How BLEShark Nano Creates Captive Portals for Authorized Testing
Running a professional captive portal assessment historically required a laptop, a wireless adapter in monitor mode, a hotspot router, and a stack of command-line tools duct-taped together. The setup was fragile, the teardown messy, and the entire rig conspicuous enough to draw attention.
BLEShark Nano collapses that entire workflow into a pocket-sized device purpose-built for authorized wireless security testing. As an evil portal tool, it handles the access point, the DHCP server, the DNS redirection, and the portal web server in a single self-contained unit - deployable in under two minutes.
Key capabilities for captive portal pentesting:
- Customizable portal templates. Clone the look of any existing captive portal or build a bespoke page that matches your client's guest Wi-Fi branding. Upload custom portal HTML directly through the file portal - no SSH, no laptop tethering required.
- Credential logging and export. Every form submission is timestamped and stored locally. Captured credentials are downloadable as JSON via the file portal. No data leaves the device unless you export it.
- Configurable SSIDs. Broadcast any SSID - open, WPA2, or WPA3 - to simulate the specific network topology under test.
- Covert form factor. At the size of a USB thumb drive, BLEShark Nano can be placed discreetly during a physical penetration test to assess both wireless and physical security controls simultaneously.
- Offline operation. No cloud dependency. The device operates entirely air-gapped, which matters when you're testing sensitive environments where network egress from test tools would be a finding in itself.
The result is a repeatable, professional-grade captive portal assessment workflow that produces clean evidence for your report rather than a tangle of terminal logs.
Multi-Node Portal Testing with Shiver Mesh
BLEShark Nano v1.0.0 introduced Shiver - a built-in mesh networking system that lets up to 16 Nano devices coordinate over ESP-NOW. For captive portal assessments, Shiver unlocks a capability that was previously impossible with a single device: distributed A/B testing of portal pages across multiple nodes at the same time.
Here's how it works in practice:
- Deploy different portal pages per node. Upload a distinct HTML page to each Nano in the mesh via the file portal. Node A serves a minimal credentials form; Node B serves a more elaborate branded portal. Compare submission rates across the two to find out which social engineering approach performs better.
- Run different SSIDs per node. One node impersonates the corporate guest network; another tries a generic open SSID. See which attracts more connections in your target environment.
- Partition channels. Each node can operate on a different Wi-Fi channel, giving you broader coverage across the 2.4 GHz band without your own devices interfering with each other.
- Results sync to the master node. Connection counts, credential submissions, and timing metrics from every node in the mesh aggregate back to the master for unified reporting. One export covers the entire multi-node assessment.
Shiver mesh packs ship in 3, 5, 7, 12, and 16-device configurations with a node-to-node range of 20-50m. For large-venue assessments - conference centers, multi-floor office buildings, campus environments - this is a qualitatively different capability than anything achievable with a single device.
graph TD
subgraph "Shiver Mesh Deployment"
A[Node 1 - Reception] -->|ESP-NOW| B[Node 2 - Cafeteria]
A -->|ESP-NOW| C[Node 3 - Open Office]
B -->|ESP-NOW| D[Node 4 - Executive Floor]
end
subgraph "Portal Variations per Node"
A --> E[Portal A: IT Password Reset]
B --> F[Portal B: Free WiFi Login]
C --> G[Portal C: VPN Certificate Page]
D --> H[Portal D: Microsoft 365 Sign-In]
end
subgraph "Results Aggregation"
E --> I[Submissions from Reception]
F --> J[Submissions from Cafeteria]
G --> K[Submissions from Office]
H --> L[Submissions from Exec Floor]
I --> M{Compare Click Rates}
J --> M
K --> M
L --> M
M --> N[Which Department Most Vulnerable?]
M --> O[Which Pretext Most Effective?]
N --> P[Targeted Security Training]
end
Multi-node captive portal testing with Shiver mesh: each BLEShark Nano runs a different social engineering pretext simultaneously, enabling A/B testing across departments to identify which teams need the most security awareness training.
Best Practices and Ethical Considerations
The effectiveness of a captive portal attack is precisely what makes responsible use non-negotiable. When you deploy a convincing rogue portal against real users - even in an authorized test - you are inducing genuine behavior that can cause stress and erode trust if not handled correctly. Follow these principles:
- Debrief quickly. Don't let users wonder for days whether they've been compromised. Debrief affected staff promptly after the test window closes. Explain what happened, what was captured, and how the data will be handled.
- Minimize credential exposure. Even in a test, captured credentials are sensitive. Store them only as long as needed for the report, then delete them securely. Never transmit them over unencrypted channels.
- Scope precisely. Define exactly which SSIDs, floors, buildings, or sites are in scope. An evil twin bleeding into a neighboring tenant's space creates liability you don't want.
- Coordinate with IT/SecOps. Unless the test is explicitly a blind red team exercise, ensure the SOC knows a wireless assessment is underway so they can distinguish your activity from a real incident - or, if it's blind, establish a get-out-of-jail card process in advance.
- Use the least-intrusive portal possible. For awareness assessments, a portal that captures the fact of a submission - not the credential itself - is often sufficient and reduces data handling risk.
Legal Requirements: What You Must Have Before You Start
There is no gray area here. Before you power on a rogue AP for captive portal pentesting:
- Written authorization signed by an appropriate authority - the CISO, CTO, or legal counsel of the organization being tested. A verbal go-ahead is not sufficient.
- Defined scope - specific locations, time windows, and systems covered by the authorization. Scope creep during a wireless test can put you outside the bounds of your authorization without realizing it.
- Rules of engagement - what happens if a real incident is detected during the test window, how to abort, and who the emergency contact is.
- Data handling agreement - how captured credentials and logs will be stored, who has access, when they will be destroyed, and whether any regulatory obligations apply (GDPR, HIPAA, etc.).
If any of these are missing, the test doesn't start. Full stop.
Real-World Use Case: Testing Employee Security Awareness
Consider a mid-size financial services firm that conducts annual phishing simulations but has never tested wireless social engineering. Their corporate guest SSID is open, unmonitored, and visible from the street-level lobby.
An authorized red team deploys a BLEShark Nano in a laptop bag in the lobby seating area during business hours. The device broadcasts an SSID identical to the corporate guest network and serves a portal styled to match the company's legitimate landing page - right down to the logo and acceptable use policy copy. Over a four-hour window, the team observes connection attempts and credential submissions without disrupting any live systems.
The results go into the report: X devices connected, Y users submitted credentials, Z minutes elapsed before any SOC alert fired (or didn't). The engagement produces concrete metrics, before-and-after training recommendations, and a documented baseline for the next assessment. That's what a professional captive portal pentest delivers - not just a vulnerability finding, but a measured picture of human risk.
Start Testing Smarter
Captive portal attacks are low-cost, high-impact, and almost universally undertested. If your wireless security assessments don't include a captive portal component, you're leaving a meaningful gap in your threat model.
BLEShark Nano gives security professionals a self-contained, professional-grade evil portal tool that's ready to deploy in minutes. Compact enough for physical red team engagements, capable enough for full wireless assessments - and built from the ground up for authorized testing.