Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Connect to captive portal wifi using ESP8266

I would like to connect an ESP8266 based sensor on a wifi network protected by a captive portal (I've no other option, and I cannot ask for derogation). I have a login/password to connect.

From a basic computer, when I'm connected to the network and I do an Internet request (for example, I search "bl" on google), I got a page like this : https://url:1003/fgtauth?12291a0aff04200a

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style type="text/css">
    ...
    </style>
    <body>
<div class="oc">
  <div class="ic">
    <form action="/" method="post">
      <input type="hidden" name="4Tredir" value= "https://www.google.com/search?q=test&ie=utf-8&oe=utf-8">
      <input type="hidden" name="magic" value="12291a0aff04200a">
      <input type="hidden" name="answer" value="0">
      <h1 class="logo">
        GENERAL CONDITIONS
      </h1>
      <p>
      I.    OBJET <br /> <br />
      Some blabla..
      </p>
      <h2>
        Do you agree to the above terms?
      </h2>
      <div class="fec">
        <input type="submit" value= "Yes, I agree" onclick="sb('1')">
        <input type="submit" value= "No, I decline" onclick="sb('0')">
      </div>
    </form>
   </div>
   </div>
   <script>
     function sb(val) {
       document.forms[0].answer.value = val;
       document.forms[0].submit();
      }
    </script>
  </body>
</html>

So, we see in this page that we get a "magic value" that is in fact an id for the session. When I click the agree button, I get this page https://url:1003/ :

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style type="text/css">
    ...
    </style>

    <title>
      Firewall Authentication
    </title>
  </head>
  <body>
    <div class="oc">
      <div class="ic">
        <form action="/" method="post">
        <input type="hidden" name="4Tredir" value= "https://www.google.com/search?q=bl&ie=utf-8&oe=utf-8">
        <input type="hidden" name="magic" value="122713150676bec1">
        <h1 class="logo">
          Authentication Required
        </h1>
      <h2>
        Please enter your username and password to continue.
      </h2>
        <div class="fer">
          <label for="ft_un">
            Username:
          </label>
            <input name="username" id="ft_un" style="width:245px">
            <br>
          </div>
          <div class="fer">
            <label for="ft_pd">
              Password:
            </label>
            <input name="password" id="ft_pd" type="password" style="width:245px">
          </div>
          <div class="fer">
            <input type="submit" value= "Continue">
          </div>
        </form>
      </div>
    </div>
  </body>
</html>

Here, I fill user and password and it will send them to the server that returns a blank page with OK.

So, I would like to do this step from an ESP8266. I see that in two steps :

  • request a page
  • get the result and store the magic
  • fake an "agree" request page
  • fake a "user/id/magic" request page

An example of requesting page for ESP8266 can be found here : https://github.com/iobridge/ThingSpeak-Arduino-Examples/blob/master/Ethernet/Arduino_to_ThingSpeak.ino We see here, that we can send POST request as :

client.print("POST /update HTTP/1.1\n");

Here, there is a good example to parse a page : http://blog.nyl.io/esp8266-led-arduino/

So, I might do it with that and post the answer, but first I need some clues about how to create the above "fake" requests.

Any ideas ?

like image 928
iero Avatar asked Mar 15 '23 08:03

iero


1 Answers

The ESP8266 is more than capable of using HTTPS, in fact the latest ESP8226 Arduino codebase includes a WiFiClientSecure class for connecting to HTTPS servers.

Assuming this page will never change, and you're using the Arduino environment, you would need to write a few basic functions. One of these will be the initial GET function which you have already linked, and checks whether you received the page you wanted, or if you were directed to the portal. If you were directed to the portal, you would then need to write an equivalent POST function to send the "I Agree" response.

Now, this POST function will require you to send an HTTP form encoded payload to the server containing the "Answer" value - You can read up on that here http://www.w3.org/TR/html401/interact/forms.html#h-17.13. Since you (probably) aren't expecting the page to change, you could hard code it to be something like this:

client.println("POST / HTTP/1.1");
// $PORTAL_HOST should be the host of the captive portal, e.g. 10.1.1.1
client.println("Host: $PORTAL_HOST");
client.println("Content-Type: application/x-www-form-urlencoded");
client.println("Content-Length: 8");
client.print("\n");
client.print("Answer=1");

Once you send that payload, you should receive your secondary user/password page. From there it's a simple matter of extracting the magic/session via indexOf / substring or something similar, and then repeating the above code with your now extracted data (if needed).

If you need a better idea of what exactly you'll be sending, I'd advise you to open the debug/networking tab on your browser, and watch the exact data your browser sends when it's directed to this portal page. You will want to emulate this as closely as possible.

like image 166
Dawn Minion Avatar answered Mar 16 '23 22:03

Dawn Minion