The Flipper Zero is a Swiss army knife for hacking, and you can use it to test networks around you and learn about how they work. If you have the WiFi Devboard module, you can also host web portals on your Flipper Zero. These web portals can be used for all kinds of things, including collecting data from people around you. This particular application is called "Evil Portal."
As with all things Flipper Zero, you shouldn't use it to break the law. These web portals can be used for phishing purposes, which is illegal. This tutorial is for educational purposes only, for learning about the different things that you can use your Flipper Zero for, and to make you aware that a free Wi-Fi hotspot may not necessarily be safe to connect to and use if you spot one when you're out and about.
This tutorial assumes you have a custom firmware like Momentum set up on your Flipper Zero with Marauder on your WiFi Devboard, though you can install the Evil Portal application manually. Custom firmware for the Flipper Zero and the WiFi Devboard typically comes with the Evil Portal app already present.
How to host a web portal on the Flipper Zero
This tutorial assumes you have a custom firmware installed.
To host a web portal on your Flipper Zero, you'll first need to grab compatible HTML files that you can place on your Flipper's SD card. The app on Flipper Zero is called "Evil Portal", and you can find HTML files that can be used for it on GitHub. Download any of your choosing, navigate to your SD card using the qFlipper application, and go to apps_data and evil_portal. Simply copy the ap.config.txt and index.html here, and you're ready to go.
For this tutorial, we'll be using a basic Google home page.
- Open the Marauder app under GPIO on your Flipper Zero
- Scroll down to Load Evil Portal HTML file
- Navigate to where you copied your HTML file and load it. It should be under apps_data, evil_portal
- Scroll back up to SSID, scroll across and select add name. Type any name that you want here, although some configuration files will come with ap.config.txt information which sets the name for you.
- Scroll down to Evil Portal, select Start
All going well, you should now have an Evil Portal instance configured and ready to go. I connected my phone to it, and I was prompted on my phone to sign in to the free hotspot.
Once I entered my (fake) credentials, I could see the following on the Flipper Zero.
As you can see, it collected the username and password. It also dumps this information into a file on the SD card for later retrieval. It's incredibly easy to collect data this way, and hopefully, it makes you wary of free access hotspots that you see when you're out and about. The only saving grace is that this portal has no actual internet access, meaning that most people will realize they've been phished as soon as they enter their details and still don't have internet access.
This basic Google sign-in page isn't the only one out there, either. There are countless portals that are made to look like popular websites, aimed at targeting people in all kinds of places. Be careful out there, but we hope this has opened your eyes to how easy it can be for someone to collect your data without you even realizing it.
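From the client side, a portal like the one above can be checked for telltale traits before anyone types a password. The Python sketch below is an added example, not part of the original tutorial or of the Evil Portal project. Its heuristics (a password field, a page served without TLS or from a private address, branding that does not match the host), the brand list, the sample page and the sample address are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: illustrative brand -> legitimate domain map; extend as needed.
BRANDS = {"google": "google.com", "facebook": "facebook.com", "microsoft": "microsoft.com"}

class _FormScan(HTMLParser):
    """Records whether the page has a password field and collects its text."""
    def __init__(self):
        super().__init__()
        self.has_password, self.text = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data.lower())

def _is_private_host(host):
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal

def portal_findings(page_url, html):
    """Return reasons a captive portal page looks like credential phishing."""
    scan = _FormScan()
    scan.feed(html)
    url = urlparse(page_url)
    host = url.hostname or ""
    if not scan.has_password:
        return []  # click-through portals do not ask for a password
    findings = []
    if url.scheme != "https":
        findings.append("password field served without TLS")
    if _is_private_host(host):
        findings.append("password field served from a private address")
    text = " ".join(scan.text)
    for brand, domain in BRANDS.items():
        if brand in text and host != domain and not host.endswith("." + domain):
            findings.append(f"{brand} branding on non-{domain} host")
    return findings

# Constructed sample: a page imitating a Google sign-in, served by the access point.
SAMPLE = """<html><title>Sign in - Google Accounts</title><body><form method="get">
<input name="email"><input type="password" name="password"></form></body></html>"""
if __name__ == "__main__":
    print(portal_findings("http://192.168.4.1/", SAMPLE))  # constructed address
```

The same page fetched from the brand's own HTTPS host produces no findings, so the check flags where the form is served from, not the form itself.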
