Is it legal to run captive portals?

Only on networks you own or administer, and with user consent. Never intercept or collect credentials. This guide uses a read-only educational page.

How do I defend against captive-portal phishing?

Prefer HTTPS sites, check for the lock icon, use HSTS-preloaded services, run a reputable VPN on untrusted Wi-Fi, and avoid reusing passwords.

Does this demo collect data?

No. The sample code intentionally avoids forms, log capture, or redirects. It serves a static educational page only.

Captive Portal Simulation | Ethical Wi-Fi Awareness & Defense Guide

> Captive Portal Simulation: Ethical Wi-Fi Awareness

⚠️ Ethics & Permission: For education only, on networks you own or manage. This page provides a non-phishing demo—no credential capture, no redirection tricks.

I understand and agree to use this material ethically.

The hands-on demo stays blurred until you confirm.

> 🌐 What Is a Captive Portal?

Captive portals are the splash pages you see in hotels or coffee shops before getting internet access. Attackers can imitate them to trick users. This lab shows how to recognize the risk and how to defend—without imitating real brands or harvesting data.

> 🛠️ Hardware

ESP32 dev board
USB cable + workstation
Optional: microSD for static assets (not required here)

> ⚙️ Software

Arduino IDE with ESP32 board support
Libraries: ESPAsyncWebServer, AsyncTCP

> ✅ Safe Demo: ESP32 AP + Educational Page (No Forms, No Capture)

This example creates a lab-only SSID and serves a static warning/explainer page. It does not present a login, collect input, or redirect traffic.

#include <WiFi.h>
#include <ESPAsyncWebServer.h>

const char* SSID = "CH_LAB_HOTSPOT"; // lab SSID you own
AsyncWebServer server(80);

const char HTML[] PROGMEM = R"HTML(


Captive Portal Awareness


⚠ Captive Portal Awareness
This is an educational demo on a lab network you control. Real attackers can imitate splash pages to trick users. Never enter passwords on unknown portals.

  Check for HTTPS and a valid certificate.
  Use a VPN on public Wi-Fi.
  Avoid reusing passwords; enable MFA.

Close this page when done. No data is collected.

)HTML";

void setup(){
  Serial.begin(115200);
  WiFi.mode(WIFI_AP);
  WiFi.softAP(SSID);
  Serial.print("AP up: "); Serial.println(SSID);
  server.on("/", HTTP_GET, [](AsyncWebServerRequest *req){ req->send(200, "text/html", HTML); });
  server.begin();
}
void loop(){}

Note: Some devices auto-open a “captive network assistant.” Our page stays informational only.

> 🛡️ Defenses Against Captive-Portal Phishing

Prefer HTTPS sites and watch certificate warnings.
Use a reputable VPN on untrusted Wi-Fi.
Disable auto-join for public networks; forget SSIDs you don’t trust.
Enable MFA on accounts; avoid password reuse.
Educate users: “If a page asks for credentials on public Wi-Fi, stop.”

> ❓ FAQ

Why no login or DNS hijack in this demo?

Demonstrating phishing or interception would be unethical and potentially illegal. This guide focuses on awareness and defense only.

Can I extend the page?

Yes—add educational content, logos you own, or links to your internal security policy. Avoid collecting inputs.

> Continue Learning

📶 Wi-Fi Security Lab 🧿 Bluetooth Lab (Ethical) 🕵️ Network Enumeration