3

I'm trying to make a device with no internet connection that redirects any connection to its wifi to a unique page, like a pirate box. I use a NodeJS server and dnsmasq to redirect all connections to the server. That's working perfectly, but when I try to connect with an Android or iOS smartphone it detects it as a captive portal and the page is displayed, but within an authentication popup.

I saw that the device tries to connect to some IPs and if there is no response it assumes that the connection is going through a captive portal.

Is there a way to avoid that?

Thanks a lot!

Edit: I found the list of the pages to "whitelist":

Android Captive Portal Detection:
Domain names to white list:
clients3.google.com

iOS for iPhone:
iPhone is more complicated, since it uses many different domain names, maybe for load balancing. It also changed its strategy using different domain names through different O.S. versions.
iOS 6:
Domain names to white list:
gsp1.apple.com
*.akamaitechnologies.com
www.apple.com
apple.com

iOS 7:
Domain names to white list:
www.appleiphonecell.com
*.apple.com
www.itools.info
www.ibook.info
www.airport.us
www.thinkdifferent.us
*.apple.com.edgekey.net
*.akamaiedge.net
*.akamaitechnologies.com


Windows Desktop O.S.
Domain names to white list:
ipv6.msftncsi.com
ipv6.msftncsi.com.edgesuite.net
www.msftncsi.com
www.msftncsi.com.edgesuite.net
teredo.ipv6.microsoft.com
teredo.ipv6.microsoft.com.nsatc.net

But since my device is not really connected to the internet, how do I send those pages?

N.Bv

1 Answer

0

It shows the redirected page in a pop-up because the request the device makes (the http probes) to determine if it is behind a captive portal does not return the expected success message.

See also: https://serverfault.com/questions/679393/captive-portal-popups-the-definitive-guide/

If you want to avoid having the pop-up window, but not allow http probes through, then you have to return the same success message back that the http probe is expecting - this will fool it into thinking it is not behind a captive portal.

If you do not return the success message back that the http probe is trying to get, it will think it is behind a captive portal. Sometimes the success message is just a 'HTTP 200 OK'.

So, to fool it, you need to record the URLs the http probes from all devices are making. Store those results on your router that does the redirect. And inside the closed network, whenever one of those URLs is probed, return the expected success message. The device will think it has full Internet access and will not pop up a captive portal login window.

If you want to have the captive portal login page appear in the captive portal authentication pop-up on the device, just redirect all HTTP requests to the login page. After the device is logged in, then all of those URLs from http probes need to return the expected success message, otherwise it will continue to assume the device is not logged in to the captive portal successfully, and will continue to show the authentication pop-up.

Russell E Glaue
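The approach in the answer above, sketched for the Node.js server from the question. This is an added example, not code from either poster. The probe hosts, paths and reply bodies in the table are the commonly documented defaults and are assumptions here, as are the `PAGE` content and the `PORTAL_PORT` variable; check them against probes captured from your own devices.

```javascript
// Constructed probe table (assumption, not from the page): each entry maps a
// connectivity-check host and path to the success reply the client expects.
const PROBES = [
  { host: /^(clients3\.google\.com|connectivitycheck\.gstatic\.com)$/,
    path: /^\/generate_204$/, status: 204, type: null, body: '' },
  { host: /^(captive\.apple\.com|www\.apple\.com)$/,
    path: /^\/(hotspot-detect\.html|library\/test\/success\.html)$/,
    status: 200, type: 'text/html',
    body: '<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>' },
  { host: /^www\.msftncsi\.com$/, path: /^\/ncsi\.txt$/,
    status: 200, type: 'text/plain', body: 'Microsoft NCSI' },
];

// Hypothetical stand-in for the single page the box serves.
const PAGE = '<!doctype html><title>Offline box</title><h1>Welcome</h1>';

// Pure routing decision: a known probe gets its expected success message,
// anything else gets the local page (dnsmasq already points every name here).
function routeRequest(hostHeader, url) {
  const host = String(hostHeader || '').toLowerCase()
    .replace(/:\d+$/, '')   // drop an explicit port
    .replace(/\.$/, '');    // drop a trailing dot
  const path = String(url || '/').split('?')[0];
  const probe = PROBES.find((p) => p.host.test(host) && p.path.test(path));
  if (probe) {
    const headers = probe.type ? { 'Content-Type': probe.type } : {};
    return { status: probe.status, headers, body: probe.body };
  }
  return { status: 200, headers: { 'Content-Type': 'text/html' }, body: PAGE };
}

// Node request handler wrapping the routing decision.
function handle(req, res) {
  const reply = routeRequest(req.headers.host, req.url);
  res.writeHead(reply.status, reply.headers);
  res.end(reply.body);
}

// Start listening only when PORTAL_PORT is set, e.g. PORTAL_PORT=80 node portal.js
if (process.env.PORTAL_PORT) {
  require('http').createServer(handle).listen(Number(process.env.PORTAL_PORT));
}
```

A probe that is missing from the table falls through to the local page, which is the case that produces the authentication pop-up described in the question.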