Jump to content

Offline Credential Harvesting HoneyPot -- Module (Phishing Module)


mondrianaire
 Share

Recommended Posts

I am almost finished with v0.1 of my offline phishing module. The premise of this module is simple. You set the ssid of an open wireless network (Free Public Wifi, etc.) When enabled, all requests will be forwarded to a 'walled garden' splash page. This will inform the viewer that they have limited access to only certain pages, and will give links to these pages. Every one of these pages are phishing pages that you can upload to the module (even your own!).

Since all phishing pages are hosted locally, this module is intended to work all of the time, without internet access. It gives the user the impression that they are connecting to pages on the internet, yet all credentials are harvested.

Another beautiful thing about this module is how little hardware it uses. I have been known to have up to 3 usb wifi cards plugged into my pineapple while using for deauth/wifi repeating etc... This module can be used with only a properly formatted flash drive, eliminating a need for a usb hub (and the extra power it consumes).

I need Seb or someone at wifipineapple.com to verify me for module submission.

I also would like to talk to Petertfm about this module. I have reused (embarrassingly large amounts of) his code from his RandomRoll module in this. Our modules are extremely similar in both frontend and backend. I would like to ask him a couple of questions/ get him to sign off on the parts of his code I used before making this public. I have tried to message him but he does not accept messages. Petertfm if you read this, please send me a message or an email at my uname [at] gmail.

post-40585-0-79145100-1352746310_thumb.p

post-40585-0-55107900-1352746318_thumb.p

Link to comment
Share on other sites

VERY cool, thanks for the efforts, can't wait to try it out!

This is PERFECT for using my spare MK4's...drop it with a battery and pick 'er up later! With no wifi card and no access, the power should last and last! :)

Thanks again to all of you who make this project such an awesome success!

Link to comment
Share on other sites

This looks good! Great work! B)

Just a couple of questions, what's the contents of the "Internet Access plan"?

Are you sure that the facebook favicon should be used at the welcome page?

And how do the url's look in the respective sites?

Looking forward to se this module evolve! :)

Link to comment
Share on other sites

If your looking for a name I thought a neat name would be "Gone Phishing"

Heya peterfm,

Does that mean that your original Gone Phishing module project idea is DOA?

I thought the difference between a "walled garden" approach like this and what you'd described was that Gone Phishing would be more transparent in that it would still allow Internet access (if provided) and that there was no "walled garden" approach, just redirection to the appropriate "phishing" pages, otherwise it would let the mark through to wherever?

I'd still love to see a more dns-integrated, selective approach like that if it's possible. It'd be great to have the two options as in certain cases, the "walled garden" isn't practical and would cause a reasonably astute user to question why their favorite WiFi spot is suddenly locked down.

Dont' get me wrong, I love this idea of "walled garden" and into the bag of tricks it goes! I just read your notion about calling *this* module "Gone Phishing" and paused to wonder if that original idea met a roadblock in some form or another.

Wish I was more adept at helping code some of these modules...I feel a bit parasitic sometimes on these modules but I'm eternally grateful for all the great work you all do developing these modules for the rest of us! ;)

Link to comment
Share on other sites

Heya peterfm,

Does that mean that your original Gone Phishing module project idea is DOA?

I thought the difference between a "walled garden" approach like this and what you'd described was that Gone Phishing would be more transparent in that it would still allow Internet access (if provided) and that there was no "walled garden" approach, just redirection to the appropriate "phishing" pages, otherwise it would let the mark through to wherever?

I'd still love to see a more dns-integrated, selective approach like that if it's possible. It'd be great to have the two options as in certain cases, the "walled garden" isn't practical and would cause a reasonably astute user to question why their favorite WiFi spot is suddenly locked down.

Dont' get me wrong, I love this idea of "walled garden" and into the bag of tricks it goes! I just read your notion about calling *this* module "Gone Phishing" and paused to wonder if that original idea met a roadblock in some form or another.

Wish I was more adept at helping code some of these modules...I feel a bit parasitic sometimes on these modules but I'm eternally grateful for all the great work you all do developing these modules for the rest of us! ;)

The issue with passing through traffic is it doesn't work right for most sites. To collect user/pass's with live traffic we need that keylogger function. I would still like to finish my redirection module that allows u to redirect only the MACs u want. I'm having an issue finding a iptables command that will actually work? It has to be Mac based rules. If someone knows more please let me know

Link to comment
Share on other sites

  • 2 weeks later...

waiting too. sweet, a selector screen like whats on the random roll module would be nice for phishing pages. i mean like to have a selector screen gui for fishing pages too, one thats not random though. and somehow have more than one fishing page on at the same time.

Edited by --nick--
Link to comment
Share on other sites

  • 3 weeks later...
I am almost finished with v0.1 of my offline phishing module. The premise of this module is simple. You set the ssid of an open wireless network (Free Public Wifi, etc.) When enabled, all requests will be forwarded to a 'walled garden' splash page. This will inform the viewer that they have limited access to only certain pages, and will give links to these pages. Every one of these pages are phishing pages that you can upload to the module (even your own!).

Since all phishing pages are hosted locally, this module is intended to work all of the time, without internet access. It gives the user the impression that they are connecting to pages on the internet, yet all credentials are harvested.

Another beautiful thing about this module is how little hardware it uses. I have been known to have up to 3 usb wifi cards plugged into my pineapple while using for deauth/wifi repeating etc... This module can be used with only a properly formatted flash drive, eliminating a need for a usb hub (and the extra power it consumes).

I need Seb or someone at wifipineapple.com to verify me for module submission.

I also would like to talk to Petertfm about this module. I have reused (embarrassingly large amounts of) his code from his RandomRoll module in this. Our modules are extremely similar in both frontend and backend. I would like to ask him a couple of questions/ get him to sign off on the parts of his code I used before making this public. I have tried to message him but he does not accept messages. Petertfm if you read this, please send me a message or an email at my uname [at] gmail.

Would be really great to see this module out in the wild. When is your release date?

Link to comment
Share on other sites

This sounds like it will be a great module! This would also be great while online. One thing I've noticed though with the phishing pages and redirect.php and error.php that I have is when I was testing them out they constantly refreshed to the same phishing page. I downloaded them from hak5 and they look similar to the ones I've seen throughout the forums. Anyway, so if I'm running dnsspoof and have my host set to 172.16.42.1 facebook.com, I browse there and am met with my phishing page as expected. I enter my credentials, the page refreshes, and I'm back on the facebook.html phishing page (as expected based on the code).

Have you, or anyone else, thought about checking the IP Address of the user then redirecting them to the real site if they have previously visited the phishing page? I think this would make it less suspicious that having a constantly reloading phishing page. For instance, log the requested url and ip address (or maybe check the urlsnarf log?), then IF (for instance) facebook is requested, search that user's ip address against either a log or urlsnarf's log and if they've already been served up the phishing page, redirect them to the real facebook and let them browse normally. Would this best be done with php, or javascript? i'm not 100% sure on how to do this, and what I wrote in php didn't work :huh: . I'm not very familiar with php yet; I have more experience with c++ and c#, but am still a novice at coding regardless of language.

Any ideas on how this could go? I'm sure it's much more simple than what I'm thinking LOL. Either way, it would be a good addition if the module was running and internet access was available.

Link to comment
Share on other sites

Aha, mondrianaire! You beat me to it! I've started coding something similar for work. So far, I've slowly churned through a friendly UI for the landing page and started on a couple of website categories. Similar to what you're doing, you'll be able to enable and disable websites you need to harvest, adding custom websites through the pineapple with only the need of a 160x160px logo, name and link.

I must admit, it's good to start coding after all these years- even if the quality at which I do write is atrocious! :lol:

post-41582-0-13779500-1357900747_thumb.j

Link to comment
Share on other sites

I'm storing all my data to a log file stored in the dnsspoof directory on the USB so that the dnsspoof module will pick it up. I think I'm going to link the UI and harvesting sites once I've organised it a bit better. It's very much a mess right now!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...