sud0nick, posted January 9, 2015 (edited)

Portal Auth is my first infusion. It allows you to directly authenticate the client radio with a captive portal. If you connect your Pineapple to an AP that has a captive portal you normally have to first authenticate with another client and then place that MAC address on the client radio. Portal Auth will detect captive portals and give you the ability to authenticate from the Pineapple.

If you have any problems with this infusion or just have questions, please post them here.

Edited January 9, 2015 by sud0nick

newbi3, posted January 9, 2015

Nice infusion, I was going to do this but never got around to it.

cheeto, posted January 9, 2015

Hi sud0nick!! First of all, congratulations on your first infusion! Thanks for contributing with a new tool. This is what makes this so much FUN!

Regarding your infusion, let's see if I understand correctly.

Example: I go to a nearby Starbucks. And as everyone knows we are presented with a splash screen before being granted internet access. Once we agree to the terms of the internet service, we are granted internet access.

What your infusion does is: bypass the splash screen and provide the mkv with an internet connection?

Many thanks!!!!

sud0nick (Author), posted January 9, 2015

Cheeto,

The infusion essentially provides you with a basic browser using the file_get_contents() function provided in PHP. When the infusion tries to reach out to an internet site for specific data and retrieves something unexpected you will be presented with the splash page where you can then authenticate. Since captive portals work by authenticating with the device that is directly associated with it you can use anything to manage it (i.e. cell phone, laptop, etc) and it will only authenticate the Pineapple.

I will be working on some updates this weekend as Seb brought some stuff to my attention when he tested it so expect an update soon.

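Added example (not part of the thread and not the Portal Auth infusion's code): the detection idea described in the post above, fetching a known page and treating an unexpected response as a splash page, sketched in Python. The probe URL, the marker string and the sample responses are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumptions for this sketch: a probe URL we control that always returns
# the fixed marker below, never a redirect. Both names are hypothetical.
PROBE_URL = "http://probe.example/check.txt"
EXPECTED = "PROBE-OK"

class SplashHints(HTMLParser):
    """Collects signs of a splash page: <form> tags and a meta-refresh target."""
    def __init__(self):
        super().__init__()
        self.forms = 0
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=/login.html"
            _, _, target = (attrs.get("content") or "").partition("=")
            self.refresh = target.strip(" '\"") or None

def classify_probe(status, headers, body, probe_url=PROBE_URL, expected=EXPECTED):
    """Return (state, portal_url); state is "open", "portal" or "unknown"."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "portal", urljoin(probe_url, headers["location"])
    if status == 511:  # RFC 6585: Network Authentication Required
        return "portal", None
    if status == 200:
        if body.strip() == expected:
            return "open", None
        hints = SplashHints()
        hints.feed(body)
        if hints.refresh:
            return "portal", urljoin(probe_url, hints.refresh)
        if hints.forms:
            return "portal", None
    return "unknown", None

# Constructed probe responses: (status, headers, body)
SAMPLES = {
    "clean": (200, {}, "PROBE-OK\n"),
    "redirect": (302, {"Location": "http://10.0.0.1/splash?orig=probe.example"}, ""),
    "rewritten": (200, {}, '<meta http-equiv="refresh" content="0; url=/login.html">'),
    "inline_form": (200, {}, '<form action="/accept" method="post"></form>'),
    "error": (503, {}, "upstream down"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify_probe(*sample))
```

An "unknown" result (for example a 503) is kept separate from "portal" so that an upstream outage is not mistaken for a splash page.
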
newbi3, posted January 9, 2015

> Portal Auth is my first infusion. It allows you to directly authenticate the client radio with a captive portal. If you connect your Pineapple to an AP that has a captive portal you normally have to first authenticate with another client and then place that MAC address on the client radio. Portal Auth will detect captive portals and give you the ability to authenticate from the Pineapple. If you have any problems with this infusion or just have questions, please post them here.

I think you have been doing this the long way. All you have to do to get your pineapple on a network is connect your phone or laptop to the pineapple and go to a web page. Since all of your traffic is going through the pineapple, they never see your phone's MAC, only the pineapple's, and then the pineapple is authenticated.

What would be awesome is if your infusion automatically detected a portal (which it does) and then authenticated to it with no user interaction at all (not even visiting the web interface).

sud0nick (Author), posted January 9, 2015

> I think you have been doing this the long way. All you have to do to get your pineapple on a network is connect your phone or laptop to the pineapple and go to a web page. Since all of your traffic is going through the pineapple, they never see your phone's MAC, only the pineapple's, and then the pineapple is authenticated. What would be awesome is if your infusion automatically detected a portal (which it does) and then authenticated to it with no user interaction at all (not even visiting the web interface).

I guess you're right. I thought about making it authenticate automatically and I'll probably start working on that now. I'll have to pull the code and inject some JavaScript to click the button for me, which will still require loading the page.

sud0nick (Author), posted January 9, 2015

Thanks for the ideas. This is what I like about communities such as this. Now I can improve upon my infusion and make it useful for everyone.

DataHead, posted January 9, 2015

Awesome!! No more client MAC spoofing! :D

newbi3, posted January 9, 2015 (edited)

> I guess you're right. I thought about making it authenticate automatically and I'll probably start working on that now. I'll have to pull the code and inject some JavaScript to click the button for me, which will still require loading the page.

Not necessarily. Clicking the button isn't what authenticates you; it's the GET or POST request that is made when you click the button. So all you have to do is make the same request that clicking the button triggers and there wouldn't have to be any JS injection or anything. You just need to read the HTML and do what it does. It's probably a good 50ish lines of Python.

Edited January 9, 2015 by newbi3

Oli, posted January 9, 2015

Also, there are likely to be many edge cases - boxes to check, room numbers to enter, email addresses etc. - so the problem isn't as simple as it first might seem. In the EU you often have to enter a ton of information at the portal and each one is potentially slightly different. Using something like mitmproxy on a laptop to record something that can be replayed on the Pineapple might be a more fruitful / generic approach.

sud0nick (Author), posted January 9, 2015

> Not necessarily. Clicking the button isn't what authenticates you; it's the GET or POST request that is made when you click the button. So all you have to do is make the same request that clicking the button triggers and there wouldn't have to be any JS injection or anything. You just need to read the HTML and do what it does. It's probably a good 50ish lines of Python.

However, clicking the button does send the POST/GET data. Why would I create my own POST/GET request, scavenging the HTML for the right data, when I can use jQuery to simply click the button? I feel this is the more efficient route.

> Also, there are likely to be many edge cases - boxes to check, room numbers to enter, email addresses etc. - so the problem isn't as simple as it first might seem. In the EU you often have to enter a ton of information at the portal and each one is potentially slightly different. Using something like mitmproxy on a laptop to record something that can be replayed on the Pineapple might be a more fruitful / generic approach.

Checkboxes, and similar elements, can be searched for by element name and enumerated. Then I can simply change the state and click the submit button with jQuery. Text fields are a different story but can probably be filled with random data as long as there is no need for credential authentication.

What I will most likely end up doing is keeping the portal view option available but make it an option to attempt to auto authenticate. If it fails the user can then open the portal window and do it manually. I'll get something figured out. Thanks everyone for the input.

DataHead, posted January 9, 2015

Also, if the element type or POST/GET are different from what is searched, or, as with everything else in the world, it doesn't work as expected, maybe add some custom fields for it to look for to authenticate?

newbi3, posted January 9, 2015

> However, clicking the button does send the POST/GET data. Why would I create my own POST/GET request, scavenging the HTML for the right data, when I can use jQuery to simply click the button? I feel this is the more efficient route. Checkboxes, and similar elements, can be searched for by element name and enumerated. Then I can simply change the state and click the submit button with jQuery. Text fields are a different story but can probably be filled with random data as long as there is no need for credential authentication. What I will most likely end up doing is keeping the portal view option available but make it an option to attempt to auto authenticate. If it fails the user can then open the portal window and do it manually. I'll get something figured out. Thanks everyone for the input.

Because if it's JavaScript it would have to be executed by the user, that's why. If you want something that doesn't require the user to have to do anything at all, not even load the page, then jQuery isn't the answer unless you did some headless JS stuff, but it would be way more work to do that than to use something like Beautiful Soup and requests with Python.

sud0nick (Author), posted January 10, 2015 (edited)

> Because if it's JavaScript it would have to be executed by the user, that's why.

Technically, no. The way my infusion checks when it loads is by running the click function in window.onload, so it requires no interaction from the user and the same concept could be applied to the portal. I see what you are saying, though, and it would be better if I make it authenticate automatically without needing to load the portal.

DataHead, you make a good point as well. Thanks again for the input, everyone. I will try to get an update out by the end of this weekend.

Edited January 10, 2015 by sud0nick

DataHead, posted January 10, 2015

Take your time and don't stress to get it all implemented by the weekend :-) Quality of updates vs quantity. You have done some mighty good work though! And I look forward to seeing this progress.

Sebkinne, posted January 10, 2015

If you want the WiFi Pineapple to do the authentication, I recommend looking at a program called portalsmash. I have had it on my to-do list for a long time, to port this over to Python and include it in the WiFi Pineapple builds, but I haven't gotten around to that yet. Everything done in portalsmash CAN be done in Python though.

Oli is right though - especially in Europe, lots of captive portals require email addresses or other checkboxes. This could still be managed through a Python script though.

Best Regards,
Sebkinne

sud0nick (Author), posted January 11, 2015 (edited)

Although I am not quite finished, here is an update of what I've accomplished today. This script currently authenticates with a captive portal I have set up at home. It has not been tested elsewhere. As always, constructive feedback is welcome.

Going off of newbi3's suggestion and considering Oli's as well, I have come up with the following solution. Using Python and BeautifulSoup I am able to pull in the splash page and try to do what it does in authenticating a user. It captures all of the "action" values of form elements (assuming there may be more than one and we don't want to send the request to the wrong one) and sends a POST request to each. The POST request is made up of the names of elements listed in the data = {} dictionary. This will be a list defined by the user in the infusion so wherever you are you can fine tune it to the norm. As Oli stated, the EU likes to use a lot of edge cases. I don't see that as much in the US though.

The values in the POST data are, at the moment, set to randomstring@fakedomain.com since some scripts may require email format for an email address but will also accept the same thing for a name. It will most likely strip out any unaccepted characters but I may just come up with a different solution for that. Check out the script and please let me know if you can think of ways to tweak it.

    # Import urllib/urllib2 to make HTTP requests and load
    # BeautifulSoup to parse the HTML (Python 2)
    import urllib
    import urllib2
    import urlparse
    from bs4 import BeautifulSoup

    url = 'http://www.puffycode.com/'
    authtargets = []

    # Attempt to open an external web page and load the HTML
    response = urllib2.urlopen(url)
    html = response.read()
    # URL that actually answered (the portal, if the request was redirected)
    base = response.geturl()

    # Create a data structure for the POST/GET request
    data = {}
    tags = {"button", "input", "select"}

    # Create a BeautifulSoup object to hold our HTML structure
    soup = BeautifulSoup(html, "html.parser")

    # Find all forms (just in case there are multiple) and grab the actions,
    # resolving relative or missing actions against the page URL
    for form in soup.find_all('form'):
        authtargets.append(urlparse.urljoin(base, form.get('action')))

    # Find all tags of the listed types and get their names
    for item in tags:
        for elem in soup.find_all(item):
            key = elem.get('name')
            # Elements without a name attribute are not submitted
            if key:
                data[key] = "randomstring@fakedomain.com"

    # Encode the data for a GET/POST request
    encoded_data = urllib.urlencode(data)

    # Prepare and execute a GET request
    #get_url = authtarget + "?" + encoded_data
    #response = urllib2.urlopen(get_url)

    for target in authtargets:
        try:
            # Prepare and execute a POST request
            request = urllib2.Request(target, encoded_data)
            response = urllib2.urlopen(request)
        except urllib2.URLError:
            # A failed target should not stop the remaining ones
            pass

I will also be working on the GET request part but for now it is commented out because it wasn't working.

Edited January 11, 2015 by sud0nick

DataHead, posted January 12, 2015 (edited)

Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether. But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with, say, evilportal or just dnsspoof? If this is out of the scope here, or just a ridiculous idea, just discard this lol

Edited January 12, 2015 by DataHead

newbi3, posted January 12, 2015

> Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether. But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with, say, evilportal or just dnsspoof? If this is out of the scope here, or just a ridiculous idea, just discard this lol

Having it clone the portal would be a feature that EP should have (which has been on my list of things to do).

Also, sud0nick, I'd recommend using the requests library over urllib because it's much nicer and easier to use: http://docs.python-requests.org/en/latest/

sud0nick (Author), posted January 14, 2015

Hey everyone, I just submitted version 1.1 and hopefully it will be available soon for download. Here are the changes I made thanks to all of your ideas. This is a copy of the change log that will be provided with the infusion.

[->] Added the option to auto-authenticate with a captive portal.
[->] Updated UI that now alerts you to what is happening. A progress bar appears when checking, loading, and auto-authenticating with captive portals.
[->] Updated the Portal tab to display a progress bar and loading message when loading a portal.
[->] Moved the Portal tab one position to the right so it won't automatically load every time the large tile is opened.
[->] Added the Element Tags option in the Config tab for user-defined elements to search for when auto-authenticating.
[->] Dependencies are now required for PortalAuth but can be removed in the Config tab. Only remove if you desire to uninstall PortalAuth.
[->] Removed the Last Checked timestamp from the small tile.

As always, please let me know if you experience any problems with this version. Please remember the Auto Auth feature is still brand new! It may not work under every condition so the Portal tab is still available to help you authenticate from the Pineapple. I hope you all enjoy this next version!

sud0nick (Author), posted January 15, 2015 (edited)

> Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether. But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with, say, evilportal or just dnsspoof? If this is out of the scope here, or just a ridiculous idea, just discard this lol

I could see this being a part of either evil portal or portalauth. As you said, DataHead, I could easily use the code I have already written to accomplish this. I'm going to do this for myself anyway but would be glad to hand the code over to newbi3 and let him add it to evil portal if he wishes. If not I will add it to my infusion. I'm thinking along the lines of this process:

1. Pull HTML from portal
2. Replace the value of all action attributes, in form tags, with $authtarget Remove value of action attributes and leave redirection up to the JavaScript.
3. Inject username and password fields
4. Inject an AJAX call to log the credentials
5. Place in portal directory on Pineapple.

The basics are simple. Then I might add some options to insert images like the Facebook or GMail icon in order to make it look more official when asking for creds from a specific site.

Edited January 15, 2015 by sud0nick

cheeto, posted January 15, 2015

Great idea, Sud0nick!!!! Looking forward to it.

sud0nick (Author), posted January 16, 2015

Wow, I didn't think I would get so much done so soon. I have a fully functional script now that pulls a portal, injects user defined HTML forms (while clearing the other forms) and user defined JS (this is where $authtarget will be), downloads all images to the images directory, replaces all image links within the HTML with $imagesDir, and saves the file as splash.html. The user will also be able to set whether they want to store the portal for later or use immediately. I expect to have an update pushed by the end of the weekend.

cheeto, posted January 16, 2015

I want this update!!! So will this work hand in hand with evil portal? If I understand correctly, your script will clone a portal page and adapt it to the Pineapple? Will we have to modify anything?? This really is getting to sound really good!! Cheers