A captive portal was originally designed for community networks where anyone can connect (an open network). The captive portal itself is a router or gateway machine that blocks all traffic until the user has performed registration/authentication. Here is how a captive portal works:
- a user with a wireless client is allowed to associate and obtains a wireless IP address (DHCP)
- all traffic is blocked except traffic to the captive portal (web-based registration/authentication), which is located on the wired network
- all web traffic is redirected to the captive portal
- after the user logs in or registers, access to the network (Internet) is allowed
Note that the captive portal only performs connection tracking based on the client's IP and MAC address after authentication. This makes it possible to use the captive portal without authenticating, because the IP and MAC address can be spoofed. MAC address spoofing has already been described in section 4 above. IP spoofing requires more effort: using ARP cache poisoning, the traffic of a client that has already connected can be redirected.
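The tracking rule described above (allow only packets whose source IP and MAC match an authenticated pair, redirect other web traffic to the portal, drop the rest) can be modelled in a few lines, together with the defensive check a hotspot operator would want on top of it: when ARP or DHCP evidence shows an authenticated IP being claimed by a different MAC, or one MAC claiming several IPs, the session is revoked and an alert is raised. This is an added example, not code from the original text or from any captive portal product; the addresses, port set and method names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed addresses for the example; the page names no real network.
PORTAL_IP = "10.0.0.1"
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int


@dataclass
class CaptiveGateway:
    """Minimal model of the gateway decision described on the page."""
    portal_ip: str = PORTAL_IP
    # IP -> MAC of clients that completed registration/login
    authorized: dict = field(default_factory=dict)
    # evidence gathered from the wire (ARP replies, DHCP leases)
    ip_to_macs: dict = field(default_factory=dict)
    mac_to_ips: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def authenticate(self, ip, mac):
        """Called by the portal once the user has logged in or registered."""
        self.authorized[ip] = mac
        self._record(ip, mac)

    def decide(self, pkt):
        """Return ALLOW, REDIRECT or DROP for one packet from the wireless side."""
        if pkt.dst_ip == self.portal_ip:
            return "ALLOW"          # the portal itself must stay reachable
        if self.authorized.get(pkt.src_ip) == pkt.src_mac:
            return "ALLOW"          # tracked (IP, MAC) pair after login
        if pkt.dst_port in WEB_PORTS:
            return "REDIRECT"       # web traffic goes to the portal
        return "DROP"               # everything else is blocked

    def _record(self, ip, mac):
        self.ip_to_macs.setdefault(ip, set()).add(mac)
        self.mac_to_ips.setdefault(mac, set()).add(ip)

    def observe_arp(self, ip, mac):
        """Feed one observed ARP/DHCP binding; returns the alerts it raised.

        Defensive addition: an authenticated IP suddenly answering from a
        different MAC, or one MAC answering for several IPs, is exactly the
        pattern ARP cache poisoning or address spoofing leaves behind.
        """
        self._record(ip, mac)
        raised = []
        known = self.authorized.get(ip)
        if known is not None and known != mac:
            raised.append(f"ip {ip} authorised to {known} now claimed by {mac}: session revoked")
            del self.authorized[ip]   # force the client back to the portal
        if mac in self.authorized.values() and len(self.mac_to_ips[mac]) > 1:
            raised.append(f"mac {mac} seen with several ips {sorted(self.mac_to_ips[mac])}")
        self.alerts.extend(raised)
        return raised


if __name__ == "__main__":
    gw = CaptiveGateway()
    client = Packet("10.0.0.23", "aa:bb:cc:dd:ee:01", "198.51.100.10", 443)
    print(gw.decide(client))                      # REDIRECT: not yet logged in
    gw.authenticate("10.0.0.23", "aa:bb:cc:dd:ee:01")
    print(gw.decide(client))                      # ALLOW
    print(gw.observe_arp("10.0.0.23", "aa:bb:cc:dd:ee:99"))
    print(gw.decide(client))                      # REDIRECT again: session revoked
```

The model makes the weakness in the text visible: authorisation is nothing more than an entry in `authorized`, so whoever presents the same (IP, MAC) pair gets the same decision. The `observe_arp` check does not prevent that, but it gives the operator a signal and a revocation point, which is the realistic mitigation on an open network that has no per-client encryption.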
Another attack that is quite easy to carry out uses a Rogue AP: an access point (usually built with HostAP) configured with the same parameters as the target AP, such as SSID, BSSID and channel frequency. When a client connects to the AP we set up, its traffic can be forwarded on to the real AP. Not infrequently, a captive portal built on a hotspot also has weaknesses in its configuration or network design. For example, authentication still uses plain text (HTTP), the management network can be reached over wireless (it is on the same network), and so on.
Another weakness of captive portals is that data traffic, both during authentication and once the network connection is established, is still not sent encrypted, so it can easily be intercepted by an attacker. Therefore be careful when connecting to a hotspot network, and use secure communication protocols such as HTTPS, POP3S, SSH, IMAPS, etc.