Help on Creating Captive Portal using Iptables

[kurtm]

Hi, I just want to share my insights on getting Credentials

Pineapple setup

3G -- Pineapple --- > client

or

Internet wifi --shared internet-- (wifi USB - pineapple) ---- > client

1. Create a Captive Portal (Sign in as Facebook, Twitter etc... - fake login)

2. User type to a web browser any URL.

3. User are redirected to a Captive Portal.

4. Once a user tried to login on fake login form from captive portal PHP will save credentials, just like ordinary phishing script.

5. The User can now be allowed to unrestricted internet access.

Can anybody make this work on a pineapple?

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Edited February 11, 2013 by kurtm

[digininja]

I think you can get the nocatauth package for openwrt. That would do everything you want.

[Sebkinne]

Darren has something in the works for this ;)

Stay tuned!

[kurtm]

that great? same as my concept? has anybody implemented this successfully ..nocatauth, wifidog chillispot?

[Zephyr]

Hey kurtm, please excuse my temporary ignorance on the matter, but are you suggesting the idea of using a facebook or twitter page as a captive portal page to logon to our fake hotspot? In other words, "Unlimited WiFi Provided Here! Just Login Using Your Facebook Account For Unrestricted Access!" Something like that?

[kurtm]

Exactly.. when some one connects to the hotspot .. any url they type will be redirected to a captive portal ( restricted access ) , unless they login to as FB or twitter account.

Ofcourse it will be hard or impossible? To authenticate with fb or twitter

A fake login will do.. as long as they are restricted at first and unrestricted when they login ( doesnt matter if its correct password or login ) - of course its better if they put their real login - :)

[CrackAlot]

LOL, I do this with a boingo page... free internet if you use your gmail account.. but the letting them get to the internet afterwards is as stated not working, but I am ready for it ;)

[CrackAlot]

**Removed**

Here is my page, its ruff, but you get the idea.

Edited February 18, 2013 by Mr-Protocol

[Zephyr]

I was thinking a bit of something like this a little earlier ... like just having a phish facebook page pop up as soon as they connect via Karma .... but you have definitely refined the idea to perfection. Yes, a Captive Portal page! will give lots of cred to to feel safe and go ahead and log in. I like it I like it! Muhahahaaaaa evil hackers think alike ;)

[kurtm]

yah.. its easy to create a captive portal but no internet connection after login.. the hard part fo me is to let iptables...etc ..etc to note that the user already logged in and have an internet connection

[CrackAlot]

I was thinking a frame or something and passing a cookie to the client.. but that just seems like a bad idea with poor results..

[CrackAlot]

Here is my fake ebay, playing arround with it. any one have a better one?

**Removed**

Edited February 17, 2013 by Mr-Protocol

[Zephyr]

Hey kurt, I'm a little over my head at this point as to all what's involved but I'll get there quickly. I have to say though your idea is brilliant :)

[mreidiv]

Here is my fake ebay, playing arround with it. any one have a better one?

I like your disclaimer...

Edited February 17, 2013 by Mr-Protocol

[CrackAlot]

yeah, I am putting that on all of them.. just to make sure to atleast make an effort for them to know I am messing with them. If they dont get it, there is not much I can do.. lol

[Mr-Protocol]

Let's keep in mind the Pineapple is intended for pen testing. I have not heard of a need for a phishing site for ebay needed for a pen test.

And it is not on topic with "Captive Portal" as the thread suggests.