Captive Portal


Onus

Has anyone got the captive portal working?  I pulled the latest, and slapped it on switch 1.  

It starts to work.. shows up correctly and even opens a browser, but to the user's home page, not the captive portal..

EDIT: should note that it doesn't prevent me from accessing the web via my wifi, and shows that it is connected to the ethernet adapter as well but with no internet..

Windows 10 target

Hi Onus,

Odd that the page opened is the user's homepage. That kind of sounds like default routes messing it up on the user's machine. Have you tried a different one? I have tested that the correct page is served on Windows, MacOS, and a couple of variants of Linux.

Something I don't currently do correctly is dropping ALL network traffic apart from redirecting port 80 to our IP:8080. I wanted to, but this was more of a PoC and I was rushed for time. As a result I didn't take the time to figure out the order of IPTables rules. You are welcome to submit a PR for this on Github -- the changes should be made in the setupNetworking function.


1 hour ago, Sebkinne said:

Hi Onus,

Odd that the page opened is the user's homepage. That kind of sounds like default routes messing it up on the user's machine. Have you tried a different one? I have tested that the correct page is served on Windows, MacOS, and a couple of variants of Linux.

Something I don't currently do correctly is dropping ALL network traffic apart from redirecting port 80 to our IP:8080. I wanted to, but this was more of a PoC and I was rushed for time. As a result I didn't take the time to figure out the order of IPTables rules. You are welcome to submit a PR for this on Github -- the changes should be made in the setupNetworking function.

I'll look into it..  Yeah I actually got it to work on my Windows machine once or twice when disconnecting from my wifi network even after it reconnected, but then yeah went back to normal internet.  I am wondering if it's possible to make a captive portal run on a locked machine much like quick creds.. I'm totally new to responder so I need to look at that too.  I was thinking of rerouting with responder to the var www of the bunny, don't know if that is possible

2 hours ago, Onus said:

I'll look into it..  Yeah I actually got it to work on my Windows machine once or twice when disconnecting from my wifi network even after it reconnected, but then yeah went back to normal internet.  I am wondering if it's possible to make a captive portal run on a locked machine much like quick creds.. I'm totally new to responder so I need to look at that too.  I was thinking of rerouting with responder to the var www of the bunny, don't know if that is possible

I got a bit sidetracked while creating a fix, so bear with me on this payload.

2 hours ago, Mohamed A. Baset said:

@Sebkinne Off topic, can you please confirm if captive portals can automatically open the browser if devices are locked or not?

Sorry, this does not work to my knowledge.


I haven't submitted a PR because I'm still getting things up and running and am not sure what the standardised fix to this will be, but I've found that adding "source bunny_helpers.sh" to the payloads.txt, after the ATTACKMODE line, allows the helper $SWITCH_POSITION to be used. With this modification, the payload works for me.

10 hours ago, JBNZ said:

I haven't submitted a PR because I'm still getting things up and running and am not sure what the standardised fix to this will be, but I've found that adding "source bunny_helpers.sh" to the payloads.txt, after the ATTACKMODE line, allows the helper $SWITCH_POSITION to be used. With this modification, the payload works for me.

Yup, someone's PR broke the captive portal. It was written before bunny helpers, and defaulted to switch1.

15 hours ago, JBNZ said:

Is the source for the captiveportal binary available? It would be nice for accountability to be able to attest to exactly how the payload is functioning.

Not at the moment, but I'll probably throw it up on my github at some point. It's a really simple little program that does two things:

  1. Spin up a webserver and serve the portal. Write any of the targeted fields to logfile
  2. Spin up a DNS server and always resolve to the Bash Bunny's IP

That's it.

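The behaviour Sebkinne describes above (a DNS server that answers every name with the device's own address) can be checked for from the host side. The following is an added example, not part of the original thread or the payload's code; the random-label canary under example.com and all sample addresses are constructed assumptions.

```python
import ipaddress
import secrets
import socket

def make_canaries(count=2, parent="example.com"):
    # Random labels an honest resolver should answer with NXDOMAIN.
    return [f"{secrets.token_hex(8)}.{parent}" for _ in range(count)]

def resolve(name):
    # IPv4 answers from the system resolver; empty set on failure/NXDOMAIN.
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def assess(answers, canaries):
    """answers maps name -> set of IPs. Returns (verdict, evidence)."""
    hit = sorted(n for n in canaries if answers.get(n))
    if hit:
        # Names that cannot exist still got an address: catch-all resolver.
        return "catch-all", hit
    real = [ips for n, ips in answers.items() if n not in canaries and ips]
    shared = set.intersection(*real) if len(real) > 1 else set()
    local = sorted(ip for ip in shared if ipaddress.ip_address(ip).is_private)
    if local:
        # Unrelated sites all point at one private address.
        return "single-private-address", local
    return "ok", []

def check_live(names=("example.com", "example.org", "example.net")):
    # Queries the resolver currently in use (needs a network interface).
    canaries = make_canaries()
    answers = {n: resolve(n) for n in list(names) + canaries}
    return assess(answers, canaries)

# Constructed sample data (not captured from a real device).
CANARY = ["3f9c1a7e5b2d4680.example.com"]
HIJACKED = {"example.com": {"10.0.0.1"}, "example.org": {"10.0.0.1"},
            CANARY[0]: {"10.0.0.1"}}
HONEST = {"example.com": {"198.51.100.7"}, "example.org": {"203.0.113.9"},
          CANARY[0]: set()}

if __name__ == "__main__":
    print(assess(HIJACKED, CANARY))
    print(assess(HONEST, CANARY))
```

Legitimate captive portals (hotel or guest Wi-Fi) produce the same verdict, so a hit on a wired adapter that appeared without a known network change is the case worth investigating.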

On 3/15/2017 at 2:28 PM, Onus said:

Has anyone got the captive portal working?  I pulled the latest, and slapped it on switch 1.  

It starts to work.. shows up correctly and even opens a browser, but to the user's home page, not the captive portal..

EDIT: should note that it doesn't prevent me from accessing the web via my wifi, and shows that it is connected to the ethernet adapter as well but with no internet..

Windows 10 target

I also have the same issue where the bbq shows a green led, but when I open a browser it just goes to my home page. No auto open browser, and goes to home page on IE and Chrome. No active portal displayed.


Note that this is configured to only http.  If your home page is https, it won't be automagically redirected as is.  Try a direct http link to see if it is perhaps being redirected now.

It wasn't working for me yesterday but today's pull seems to be working.  I can't say for certain that I tried http yesterday unsuccessfully but can say that the current version is working fine for me.


Hello World!

Ok. So here's the rub, even with the code provided by JBNZ and Sebkinne, it absolutely does not work on any browser on any of my 10.9, 10.10, and 10.11 Macs. You have to manually type the IP and port, and only sometimes will that actually work. However, on a Windows 10 computer, that I never use, it ran on its first try: opened a browser, redirected to the Captive Portal, and recorded every failed attempt in a nice log file!

Perhaps it helps that there's a nice EXE for Windows to use, but what about Apple's architecture? What's handling that? Final question- how is this practical? The Bash Bunny is meant to be inserted into the target computer that the "mark" will be using. So, how do we get it back? Please take mercy on my first post and I promise to read every response. Thank you all in advance :-)


Just to confirm, could you ensure you're loading an HTTP page and not HTTPS?  When I tested and was most frustrated, I realized I was clicking on favorites links, all of which were HTTPS.  In the payload, only port 80 is being redirected to the captive portal.

For the final question, that's all about how you plan to do your pentesting. Most of the payloads are meant to be quick ways of performing "unexpected backups" or injecting keystrokes to configure a computer, then make a quick exit with the BashBunny. This one would likely be more useful for while you're nearby. Maybe get the captive portal running while you're in a meeting with someone to capture creds, then once captured, grab the BashBunny and exit.


Thank you for getting back to me, SRG. After I read your reply, I immediately realized that I had not factored that into the equation. So, I went to twelve different sites, all with HTTP only. Sure enough none of them forwarded to the captive portal. I figured trying Chrome, Canary, Chromium, Safari and Firefox would help me in reducing the problem, but alas, nada. However, it runs great under Windows, which is exactly what I plan to exploit! It just bothers me that I can't figure it out- there's got to be more running under the hood that we can't access. Thank you SRG for all of your efforts and answering the second part of that question :-)

-Cheers!


21 minutes ago, Opticon said:

@Mohamed A. Baset I can confirm that on an unlocked Windows box captive portal will automatically launch a browser and direct it to the "evil portal." I hope this helps you. As for Mac, it won't automatically launch a browser as it does in Windows.

-Cheers!

The idea is to do this on a locked machine not unlocked, I got the bunny days ago and tried the captive portal payload and I can confirm that the browser firing automatically scenario won't happen on any OS so this stopped my idea on exploiting a browser on a locked machine :)

Thanks for your catch up @Opticon

  • 2 weeks later...

Hi all

I just got my bunny and tried to get this to work... I immediately upgraded to 1.1

Now there are several things that don't make sense to me:

captiveportal is not executed because the systemd service kills the payload script when it is "done", effectively killing the background process with it and then unmounts /root/udisk...

To avoid this I put a wait command into the script

but then the next thing is the TimeOut...

So I added something like TimeoutSec=10min into /lib/systemd/system/bunny.service...

Now it works, but is there something I got wrong? I saw @Sebkinne's last commit message on the repo said Updated Captiveportal for Bash Bunny v1.1

Cheers

Just tested this out to confirm. Haven't dug into the 'why' as far as @s00500 but can confirm that where captiveportal used to work, it no longer does. The only changes @Sebkinne made in that commit were to align the payload with the new extension and LED format, so if breaking changes were made to the framework, this won't have addressed those.


Seems like you guys got farther than I have. I was and still am unable to get this payload to work. Others do so it's not my bb. Is there more I have to do other than copying the files into a switch1/2 folder? I have installed impacket and responder correctly.
