To demonstrate how credentials could be captured on a public Wi‑Fi network that uses a captive portal, which step should you take?

Testing credential capture on a public Wi‑Fi with a captive portal hinges on reproducing the login redirection users expect when they connect. A rogue access point that impersonates the legitimate network can intercept the initial connection and present a fake captive portal page. When users enter their credentials, they’re submitted to an attacker-controlled page under the illusion of authenticating to the public network, which demonstrates how such credentials could be captured in that scenario. The other options don’t recreate the captive portal flow: a phishing email targets users outside the local network interaction and doesn’t rely on the network’s redirection; intercepting traffic via a VPN tunnel routes data away from the local portal path; installing a local captive portal without redirecting users wouldn’t provoke the login interaction needed to capture credentials. In any real test, ensure you have explicit authorization and operate within a controlled environment.