Evil Portal
Captive Portal — Evil Portal & Karma
The Captive Portal feature creates a fake WiFi access point with a captive portal page — similar to the login screens you see at hotels, coffee shops, and airports. When someone connects to the fake network and tries to browse the internet, they are redirected to your portal page. Any credentials they enter are captured in real time on your phone and saved to the device.
This tool is for authorized security testing only. Always obtain written permission before deploying a captive portal against networks or users you do not own or have authorization to test.
The companion app combines two attack styles into one screen:
- Evil Portal — clone a specific WiFi network you have scanned. Optionally deauth its real clients to push them onto your fake AP.
- Karma — listen for probe requests from nearby devices and impersonate the SSIDs they are looking for, so devices auto-join.
Requirements
- SD card (Biscuit Ultra or DIY with SD card slot) or external flash storage (Biscuit Pro) for storing portal HTML templates.
- At least one portal template downloaded to the device.
The Captive Portal Hub
Open WiFi Tools > Attacks > Captive Portal to land on the Hub. It has four tabs:
- My Portals — portals already on your device. Search, sort by name/size, multi-select to delete, or tap a portal to start an Evil Portal or Karma attack with it.
- Browse — community catalog of templates. Preview before downloading. Download requires your device to be connected and your device WiFi credentials to be saved.
- Custom — start the temporary upload AP so you can transfer your own HTML portal from a phone or laptop.
- Captures — every credential ever captured on this phone, even when no device is connected. Search, export to CSV or JSON, or clear.
If you launch the Hub without a connected Biscuit, the My Portals, Custom, and download actions show a “Connect to device” prompt instead of failing silently. The Captures tab still works because captures are persisted on the phone.
Setup & Usage
1. Save your device WiFi credentials
The Biscuit needs WiFi to reach the portal catalog server. Open Browse and enter your network’s SSID and password. These credentials are shared with the firmware update feature, so if you have already configured firmware updates, they are already filled in.
2. Download a portal
In Browse, tap Fetch to load the catalog. Tap a portal to preview it in a built-in browser. Tap Download to send it to your device.
The download status is shown inline:
- “Connecting to WiFi…” — the Biscuit is joining your network.
- “Downloading…” — the portal is being fetched.
- “Verifying…” — the app is confirming the portal landed in the device manifest.
- “Downloaded” — success.
- “Download failed” — with the actual reason (bad WiFi credentials, network unreachable, file too large, etc.). No more silent failures or false success toasts.
If the device disconnects mid-download, the screen reports it within a second instead of spinning forever.
3. Start an attack
From My Portals, tap the play button on a portal to launch the Captive Portal Attack screen with that portal pre-selected. The screen has a mode picker at the top — switch between Evil Portal and Karma there. Long-press a portal to enter multi-select mode for bulk delete.
You can also reach the attack screen from your Quick Actions if you have Evil Portal or Karma Attack pinned.
Evil Portal mode
- From Selection — clones an AP you have selected on the WiFi scan screen. Toggle Enable deauth to disconnect existing clients from the real AP so they reconnect through your fake one.
- Manual — type any SSID (e.g., Free_Airport_WiFi) and pick a channel (1, 6, or 11).
Karma mode
- Tap Start sniff to listen for probe requests. Probed SSIDs appear as chips with the count of clients asking for each one.
- Tap a chip to impersonate that SSID, or type one manually.
- Pick a channel and start the attack. The device replies to probe requests and serves your portal to anyone who joins.
In either mode, tap Start Attack when ready. The button stays disabled until you have a portal selected, an SSID set, and a connected device.
4. Watch credentials roll in
The attack screen shows a live captures section with the latest five entries. Captures are also written to the Captures tab on the Hub, so closing the attack screen — or even disconnecting and reopening the app — never loses what you have collected.
5. Stop
Tap Stop Attack to shut down the fake access point.
Custom Portal Templates
You can create and upload your own HTML portal templates.
- Open the Hub and switch to the Custom tab.
- Tap Start upload AP. The Biscuit broadcasts a temporary network called Biscuit-Upload.
- Connect your phone or computer to Biscuit-Upload in WiFi settings.
- Open http://172.0.0.1 in any browser and upload your HTML file (max 30 KB).
- Tap Stop upload AP when finished. Your portal appears in My Portals.
Custom portals are standard HTML files with a form that submits credentials. Anything submitted to the form is captured.
Captures
The Captures tab is the canonical home for everything you have collected.
- Search — filter by portal, email, or password text.
- Refresh — pull the latest entries from your Biscuit if more were captured while the app was closed.
- Export CSV — share captures to any app via the system share sheet.
- Export JSON — same, structured for import elsewhere.
- Clear — wipe captures from this phone and the connected device in one step (or just the phone if no device is connected).
Captures persist on the phone, so you can review historical results without reconnecting.
Tips
- Choose an SSID that looks legitimate for the environment. A network called Free_WiFi in a coffee shop is more convincing than something random.
- Enabling deauth against the target AP increases the chance clients will join your fake AP, but it also creates more visible wireless disruption.
- Karma is often more effective than a static SSID because it targets networks devices are already looking for and may auto-connect to.
- Preview templates from Browse before downloading — community portals vary in quality and convincingness.
- Templates over 25 KB are flagged in My Portals because the device cap is 30 KB per portal.
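On the defending side, the Karma responses, cloned SSIDs and deauth bursts described on this page all leave traces in 802.11 management frames. The following is an added example (not part of the Biscuit app or firmware) that runs three detection checks over a constructed frame log; the tuple layout, thresholds, SSIDs and MAC addresses are assumptions for illustration.

```python
from collections import defaultdict

AP, ROGUE = "aa:bb:cc:00:00:01", "02:11:22:33:44:55"   # constructed addresses
# Allowlist (assumed): SSID -> (authorised BSSIDs, is the network expected to be open?)
KNOWN = {"CorpWiFi": ({AP}, False)}
# Constructed sensor log: (seconds, frame type, transmitter BSSID, SSID, open network?)
FRAMES = [
    (0.0, "beacon", AP, "CorpWiFi", False),
    (0.4, "probe_resp", ROGUE, "HomeNet", True),
    (0.9, "probe_resp", ROGUE, "Free_Airport_WiFi", True),
    (1.3, "probe_resp", ROGUE, "CorpWiFi", True),
] + [(2.0 + i * 0.1, "deauth", AP, "", False) for i in range(6)]  # spoofed as the real AP

def karma_suspects(frames, min_ssids=3):
    """BSSIDs answering probes for many unrelated SSIDs, as a Karma responder does."""
    seen = defaultdict(set)
    for _, kind, bssid, ssid, _ in frames:
        if kind == "probe_resp":
            seen[bssid].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_ssids}

def evil_twin_suspects(frames, known):
    """Known SSIDs offered by an unlisted BSSID, or offered open when they should not be."""
    hits = set()
    for _, kind, bssid, ssid, is_open in frames:
        if kind in ("beacon", "probe_resp") and ssid in known:
            bssids, expect_open = known[ssid]
            if bssid not in bssids or (is_open and not expect_open):
                hits.add((ssid, bssid))
    return sorted(hits)

def deauth_bursts(frames, threshold=5, window=1.0):
    """BSSIDs with at least `threshold` deauth frames inside any `window` seconds."""
    times = defaultdict(list)
    for ts, kind, bssid, _, _ in frames:
        if kind == "deauth":
            times[bssid].append(ts)
    flagged = set()
    for bssid, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(bssid)
    return sorted(flagged)

if __name__ == "__main__":
    print("karma:", karma_suspects(FRAMES))
    print("evil twin:", evil_twin_suspects(FRAMES, KNOWN))
    print("deauth burst:", deauth_bursts(FRAMES))
```

A deauth burst attributed to the legitimate BSSID combined with a new open BSSID offering the same SSID is a stronger signal than either check alone.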
Credit: dual-band probe-response Karma support builds on prior work by @justcallmekoko.