[Portal Auth] Injection Sets


sud0nick

This thread is for the Injection Set feature in Portal Auth. Any questions pertaining to injection sets may be asked here, but any other feature of Portal Auth must be discussed on the official support thread. This first post will serve as a repository for links to injection sets. If you create one and would like to share it, then please send me a private message with the link and I will post it here after a brief review. To start things off, here is the default injection set that comes with Portal Auth.

Injection Sets:

Default (infotomb.com/jhh5p)
Free WiFi Week (infotomb.com/cpcw3)

It appears the files have been deleted from InfoTomb. If you would like to download them you can go to my website (http://www.puffycode.com/download/PortalAuth/InjectSets/) or you can download them directly from the Injects tab of the infusion.

Edited by sud0nick

No...how would you ever come to that conclusion?

Edit:

The only reason I can think of why you would ask such a question is maybe you think I will be sharing cloned portals. Injection Sets are not copies of portals; they are simply extra code created by a user to inject into a portal. This can be useful during a pentest because maybe the company has a portal for public WiFi on their network and while cloning you want to include your own custom login form. Instead of being stuck with the default, you now have the option of choosing which set to use before cloning. Other users here can create their own, export them, and share with other Pineapple users to include in their clones. It is a quick way to modify a portal while cloning it so you can get your Pineapple up and running as quickly as possible.

Edited by sud0nick

This is the breakdown of an injection set:

injectjs.txt
injectcss.txt
injecthtml.txt
auth.php

backups/
    injectjs.txt
    injectcss.txt
    injecthtml.txt
    auth.php

backups only exist if you click the Back Up button for each file. This is so files can be restored back to their backed up state if you somehow mess up your code.

InjectJS is a file of JavaScript code

InjectHTML is a file of HTML code

InjectCSS is a file of CSS code

and auth.php is the PHP file you will use to log credentials

Some programming skills will be necessary to create a fully functional Injection Set. However, if you build something with a GUI and it allows you to export code to a file you can simply copy and paste it into the injection set. The whole point to this feature is those who know how to create web based login forms will be able to share what they have built. I will try to build some sets in the future to contribute to the repository.


Ok, I can read back through all the posts, but I'm just going to ask instead, risking the ire of those that already know the answer:

Has someone done a beginning-to-end demo of using Portal Auth, especially using injection sets, to clone an example portal, and publish it via evil-portal? I've seen some pretty slick videos here lately, and I'd like to see one that demonstrates one or more common scenarios.


Don't expect to see too much information on the portal injects as it's rather new.

sud0nick might make a small tutorial on how to use it. But as he said, some programming skills might be necessary. I guess I'm screwed. :(

As for Portal Auth, it's perhaps the easiest infusion out there; however, to use it you need access to a portal site. I shouldn't mention any commercial name of places that have them, but they're almost anywhere, from cafes to hotels, etc.


Ok, I can read back through all the posts, but I'm just going to ask instead, risking the ire of those that already know the answer:

Has someone done a beginning-to-end demo of using Portal Auth, especially using injection sets, to clone an example portal, and publish it via evil-portal? I've seen some pretty slick videos here lately, and I'd like to see one that demonstrates one or more common scenarios.

I'm working on one now and should have it online soon. I don't know if it will cover what you consider to be common scenarios, but it does take you through the process of creating, modifying, exporting, and importing injection sets as well as cloning a portal. I'll post it on the official support thread when it's ready.


  • 5 months later...
  • 4 weeks later...

I need some input from the community for a new injection set. I'm making one that is similar to the default but instead prompts the victim to download a Network Client program to proceed. This "Network Client" can be any payload that you upload to the Pineapple through the Portal Auth infusion. You can gather network information, create a reverse shell, or anything you can think of. The main issue I need help with is verifying the victim actually downloaded and ran the payload application. Here is how I would do it for myself:

1. Create basic application that does nefarious stuff in the bg and displays an access key to the victim.

2. After victim clicks download button from the cloned captive portal a window appears with a text field for them to enter the access key. This key would be the only way for the victim to access the content of the cloned captive portal (or network if the Pineapple is already authenticated with the portal) forcing the victim to run the application first.

3. The static access key would be stored in a file on the Pineapple for the auth.php script to verify the victim entered the proper key. If it's correct they can access the network. If not, alert them to run the application and enter the access key.

The only problem with this setup is it's not dynamic enough to distribute to all of you. What if you don't want to use my payload? What if you want to change the access key? It would result in the whole injection set being worthless. I also don't want to remove those options entirely because I don't want the victim to be able to bypass the cloned portal.

So, do you guys have any ideas?

Edit:

Here are some screenshots to give you an idea of what I'm talking about.

Edited by sud0nick

Depending on the code needed, why not use Python as the payload delivery language for such an authkey, create a file somewhere on the target, and have the actual payload read from said file, and then use cx_freeze to make an executable of the Python delivery system (or similar Python-to-binary converters if needed)? That way users of the payload can adjust the very payload to their needs.

This method of payload delivery should be sufficient for most target operating systems. And hell, could even target Android using Stagefright (or another vuln if users need root or system privs), then with Android and an APK with the proper permissions, can get some juicy info from the phone to make sure users are entering the real username credentials for said Gmail account. I also remember seeing an APK packager for Python scripts... somewhere...

python4android will take care of most access to proper permissions and such, etc. etc. etc. :-)

I'm sure you can get a general idea of the implementation's scope from what I'm saying.

Just my 2 cents.

Edited by DataHead

Good stuff, DataHead! I actually started to move forward already by creating a payload in Python and compiling it with py2exe for the target machines, which, I think, is what you are getting at. If I understand you correctly, cx_freeze could become a dependency of Portal Auth, the user would be able to modify the Python scripts directly and compile them on the Pineapple, then if something needed to be changed, such as an access key, it would be trivial enough even for non-programmers.

I've never used cx_freeze before but I just looked it up and I'm guessing it is the same as py2exe but creates platform independent executables?


Hi,

Quick question, not sure if this is the right thread to post in, but...

In Portal Auth, I click on the "activate now" button after saving/creating a copy of the "freewifi" infusion (just named it freewificopy) that is already provided there... and then, as I understand it, that is supposed to transfer this over to Evil Portal, where I can find it under Libraries > Saved Portals?

However, when I do all this and then check in Evil Portal, it simply says "you have no saved portals to view".

Please help, am I missing something or what?

Cheers,

onion
