kurtm, posted February 11, 2013 (edited):

Hi, I just want to share my insights on getting credentials.

Pineapple setup:

3G -- Pineapple ---> client
or
Internet wifi --shared internet-- (wifi USB - Pineapple) ---> client

1. Create a captive portal (sign in as Facebook, Twitter, etc. - fake login).
2. The user types any URL into a web browser.
3. The user is redirected to the captive portal.
4. Once the user tries to log in on the fake login form from the captive portal, PHP will save the credentials, just like an ordinary phishing script.
5. The user can now be allowed unrestricted internet access.

Can anybody make this work on a Pineapple?

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Edited February 11, 2013 by kurtm

digininja, posted February 13, 2013:

I think you can get the nocatauth package for openwrt. That would do everything you want.

Sebkinne, posted February 13, 2013:

Darren has something in the works for this ;) Stay tuned!

kurtm (author), posted February 14, 2013:

That's great? Same as my concept? Has anybody implemented this successfully... nocatauth, wifidog, chillispot?

Zephyr, posted February 15, 2013:

Hey kurtm, please excuse my temporary ignorance on the matter, but are you suggesting the idea of using a Facebook or Twitter page as a captive portal page to log on to our fake hotspot? In other words, "Unlimited WiFi Provided Here! Just Login Using Your Facebook Account For Unrestricted Access!" Something like that?

kurtm (author), posted February 16, 2013:

Exactly.. when someone connects to the hotspot, any URL they type will be redirected to a captive portal (restricted access), unless they log in with an FB or Twitter account. Of course it will be hard (or impossible?) to authenticate with FB or Twitter. A fake login will do.. as long as they are restricted at first and unrestricted when they log in (doesn't matter if it's the correct password or login) - of course it's better if they put their real login - :)

CrackAlot, posted February 16, 2013:

LOL, I do this with a Boingo page... free internet if you use your Gmail account.. but the letting them get to the internet afterwards is, as stated, not working, but I am ready for it ;)

CrackAlot, posted February 16, 2013 (edited):

**Removed**

Here is my page, it's rough, but you get the idea.

Edited February 18, 2013 by Mr-Protocol

Zephyr, posted February 16, 2013:

I was thinking a bit of something like this a little earlier... like just having a phish Facebook page pop up as soon as they connect via Karma... but you have definitely refined the idea to perfection. Yes, a Captive Portal page! will give lots of cred to feel safe and go ahead and log in. I like it I like it! Muhahahaaaaa evil hackers think alike ;)

kurtm (author), posted February 16, 2013:

Yah.. it's easy to create a captive portal but no internet connection after login.. the hard part for me is to let iptables... etc... etc. note that the user already logged in and has an internet connection.

CrackAlot, posted February 16, 2013:

I was thinking a frame or something and passing a cookie to the client.. but that just seems like a bad idea with poor results..

CrackAlot, posted February 16, 2013 (edited):

Here is my fake eBay, playing around with it. Anyone have a better one?

**Removed**

Edited February 17, 2013 by Mr-Protocol

Zephyr, posted February 16, 2013:

Hey kurt, I'm a little over my head at this point as to all what's involved but I'll get there quickly. I have to say though your idea is brilliant :)

mreidiv, posted February 16, 2013 (edited):

> Here is my fake eBay, playing around with it. Anyone have a better one?

I like your disclaimer...

Edited February 17, 2013 by Mr-Protocol

CrackAlot, posted February 16, 2013:

Yeah, I am putting that on all of them.. just to make sure to at least make an effort for them to know I am messing with them. If they don't get it, there is not much I can do.. lol

Mr-Protocol, posted February 17, 2013:

Let's keep in mind the Pineapple is intended for pen testing. I have not heard of a need for a phishing site for ebay needed for a pen test. And it is not on topic with "Captive Portal" as the thread suggests.