Captive Portal for Targeted Phishing

[vidkun]

First off, my web dev skills are greatly rusty these days. It's been a while since I've had the chance to work on anything. Anyway, I was thinking about a way to use the MKIV for a targeted phishing attack.

The Idea:

A captive portal for harvesting domain credentials of a targeted company (for legitimate pen testing engagements).

Using Karma (and possibly a deauth flood), clients connect to the MKIV.

DNSSpoof forwards all requests to the local index.php which checks if the client has a valid session.

If session is valid, it redirects the client to their requested URL.

If session is NOT valid, it redirects the client to captiveportal.html where they are prompted to login with their domain credentials.

Submitting the form POSTs to process.php which opens creds.txt, writes the entered credentials, builds the session, and redirects to success.html.

Success page makes the client feel good and then redirects to the originally requested page.

Implementation:

I have attached* what I have done so far for anyone that wants to help out. I currently have a few of the pages done up. Index.php is properly redirecting to captiveportal.html, but when I submit the form I just get a blank white page for process.php. It doesn't look like it ever writes out the credentials or builds any session info. Drawing blanks on that for now. Any thoughts, feedback, code is appreciated.

I'd like to eventually get this to the point that it can be wrapped up into a module/infusion for quick and easy implementation. This way, attacking companies with better wireless implementations becomes easier. You no longer have to use freeradius-wpe to capture the challenge/response and then crack. Why waste that time when you can just ask them nicely for their credentials?

*It won't let me upload any of the files, so I threw it up in on github here: https://github.com/vidkun/captivePhish

Edited November 18, 2012 by vidkun

[vidkun]

I fixed the process.php and it now properly writes the credentials to file and builds the session.

Does anyone have any ideas on handling the issue of passing along the originally requested URL and then redirecting to it from success.html?

[stealthkit]

I like the idea... I am going to throw out an idea that I have had for a while, since you are going pretty close to that route. My idea would be creating either a real proxy or what looks like to be a proxy popup window *Cisco's Ironport* module. I have 2 of them in my network and since they are LDAP supported, that means that you have to use your domain username and passoword. For example when you get on my network it prompts you for your creditials as soon as you open a web browser. So it should not be that hard to harvest the creditials right afterwards. I would do this but I am not sure how to redirect to a pop up per say. I would say as long as the pop up looked like a real proxy login page then that is really all you would have to configure. Well along with the spoofing and the redirect. Just thought I would throw that out there incase someone wanted a fairly simple module I think. I just wish I had the extra time to get on it.

-Stealthkit

[vidkun]

stealkit: My skills aren't anywhere good enough to code what you are talking about, though it would be a cool idea. I had also wondered how hard it would be, and why it hasn't be done yet, to serve as a proxy for 802.1x authentication. Using two wireless radios, one running karma. Client connects to karma on one radio requesting an AP that the other radio sees there already. Then the second radio initiates a connection to the legit AP, proxying/relaying the challenge response between the legit AP and the client.

Anyway, as for my project here I have a quick question. I was planning to use DNSSpoof to redirect a client's request for any web page to the captive portal page on the pineapple. The portal then checks if there is a valid session, and if so, passes the client's requested URL along. At least that was the plan until I actually vocalized that to someone today and realized that DNSspoof would just end up catching the redirection at the end and result in a loop. Is there a way to only spoof the request if it is from the clients and have the pineapple use a real DNS server (8.8.8.8) to handle the PHP redirect after logging into the portal?

Any thoughts/suggestions on that would be helpful. Thanks.

Also, I'll be pushing some code changes to github soon for some fixes to the session handling.