Getting WISPr tags from a FON authentication portal

Question

I am doing some investigation around wifi captive portals development.

I would like to capture the WiSPr XML tags from a FON authentication captive portal (my neighbours have that active, I have also a roaming account for that).

Trying to authenticating in an iPhone or even a Mac does not cut it, as the equipment detects the captive portal/WIPr tags, and open a dedicated window/mini-browser without any controls; trying to open the page on a Linux/*BSD might not work as the browser user agent / or behaviour won't be recognized as iPhone/Apple.

Sniffing the iPhone transaction also does not cut it, as the web login page of the captive portal is handled in https/TLS (e.g. it is encrypted on the wire).

I also tried sysdig in a Linux, and obviously hit again the head on the encrypted transmissions.

wget is also not getting satisfying results.

What to do?

Answer 1

I ended up using lynx in a FreeBSD system; initially used the -dump option, that allowed to see the redirects, but only output and not contents ; then discovered the -source option, that shows the source/HTML and does not attempt to render it.

I also used the option -useragent to pretend I was an iPhone doing WISPr discovery, and also tried to get one of the pages the iPhone tries to get to discover if it is dealing with a captive portal (http://www.apple.com/library/test/sucess.html).

I also had to deal with the fact the FON captive portal is self-signed(?), or my FreeBSD does not know the underlying SSL root certificate. (I did not lost much time tracing that); I just had to configure lynx to accept self-signed certificates (will write the question later on and had a link here).

So the actual commands I used where:

lynx -useragent=CaptiveNetworkSupport -dump http://www.apple.com/library/test/sucess.html

and however, while the first has it´s usefulness, the one that interested me more was:

lynx -useragent=CaptiveNetworkSupport -source http://www.apple.com/library/test/sucess.html

Using the latter command line, gave me back the HTML source in it´s full glory with the embedded WISPr tags.

From man lynx

  -dump  dumps  the  formatted  output  of  the default document or those
          specified on  the  command  line  to  standard  output.   Unlike
          interactive mode, all documents are processed.  This can be used
          in the following way:

          lynx -dump http://www.subir.com/lynx.html

          Files specified on the command line are  formatted  as  HTML  if
          their  names  end  with one of the standard web suffixes such as
          ".htm" or ".html".  Use the -force_html option to  format  files
          whose names do not follow this convention.

  -source
          works  the  same  as  dump  but  outputs  HTML source instead of
          formatted text.  For example

          lynx -source . >foo.html

          generates  HTML  source  listing  the  files  in   the   current
          directory.   Each  file  is  marked  by  an HREF relative to the
          parent directory.  Add a  trailing  slash  to  make  the  HREF's
          relative to the current directory:

          lynx -source ./ >foo.html

taken from the captured login page:

<!-- WISPr message -->^M
<span class="displayNone"><!--<?xml version="1.0" encoding="UTF-8"?>^M
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.acmewisp.com/WISPAccessGatewayParam.xsd">^M
<Redirect>^M
<AccessProcedure>1.0</AccessProcedure>^M
<LoginURL>https://xxxx/captive/noswifi?hmac=xxxx&amp;res=notyet&amp;uamip=xxxx&amp;uamport=80&amp;userurl=&amp;challenge=xxxxxxe&amp;nasid=BC-14-01-XX-XX-XX&amp;mac=00-15-AF-XX-XX-XX</LoginURL>^M
<AbortLoginURL>http://xxxx:80/captive/logoff</AbortLoginURL>^M
<MessageType>100</MessageType>^M
<ResponseCode>0</ResponseCode>^M
<AccessLocation>FonZON:PT</AccessLocation>^M
</Redirect>^M
</WISPAccessGatewayParam>-->^M
</span>