Hak5 Forums

Archived

This topic is now archived and is closed to further replies.

sud0nick

[Support] Portal Auth


Portal Auth is my first infusion. It allows you to directly authenticate the client radio with a captive portal. If you connect your Pineapple to an AP that has a captive portal you normally have to first authenticate with another client and then place that MAC address on the client radio. Portal Auth will detect captive portals and give you the ability to authenticate from the Pineapple. If you have any problems with this infusion or just have questions, please post them here.


Nice infusion, I was going to do this but never got around to it.

Hi sud0nick!!

First of all congratulations on your first infusion! Thanks for contributing with a new tool.

This is what makes this so much FUN!


Regarding your infusion, let's see if I understand correctly:


Example: I go to a nearby Starbucks. And as everyone knows we are presented with a Splash screen before being granted internet access.


Once we agree to the terms of the internet service, we are granted internet access.


What your infusion does is:


Bypass the splash screen and provide the mkv with an internet connection?


Many thanks!!!!


Cheeto,

The infusion essentially provides you with a basic browser using the file_get_contents() function provided in PHP. When the infusion tries to reach out to an internet site for specific data and retrieves something unexpected you will be presented with the splash page where you can then authenticate. Since captive portals work by authenticating with the device that is directly associated with it you can use anything to manage it (i.e. cell phone, laptop, etc) and it will only authenticate the Pineapple.

I will be working on some updates this weekend as Seb brought some stuff to my attention when he tested it so expect an update soon.
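The detection idea described in the post above (request known content, treat anything unexpected as a portal), as an added example that is not part of the original post or the infusion's code. `PROBE_URL`, `EXPECTED_BODY` and the sample responses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.test/check.txt"  # hypothetical probe endpoint
EXPECTED_BODY = "probe-ok"                         # hypothetical known content

META_REFRESH = re.compile(r"""<meta[^>]+http-equiv\s*=\s*["']?refresh""", re.I)

def classify_probe(status, headers, body):
    """Return (verdict, reason) for one probe response; status None = no reply."""
    probe_host = urlsplit(PROBE_URL).hostname
    if status is None:
        return "offline", "no HTTP response"
    if status == 511:  # RFC 6585: Network Authentication Required
        return "portal", "status 511"
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("Location", "")).hostname
        if target and target != probe_host:
            return "portal", "redirected to " + target
        return "unknown", "redirect stays on probe host"
    if status == 200:
        if body.strip() == EXPECTED_BODY:
            return "open", "expected content returned"
        if META_REFRESH.search(body):
            return "portal", "meta refresh in substituted page"
        return "portal", "unexpected content returned"
    return "unknown", "HTTP %d" % status

# Constructed responses (status, headers, body); not captured from a real network.
SAMPLES = [
    (200, {}, "probe-ok\n"),
    (302, {"Location": "http://gateway.example.test/splash?orig=probe"}, ""),
    (200, {}, "<html><form action='/accept'>Agree to terms</form></html>"),
    (200, {}, "<meta http-equiv='refresh' content='0;url=http://gateway.example.test/'>"),
    (511, {}, "<html>Login required</html>"),
    (None, {}, ""),
]

def classify_samples():
    """Verdict for each constructed sample, in order."""
    return [classify_probe(*sample)[0] for sample in SAMPLES]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], classify_probe(*sample))
```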


Portal Auth is my first infusion. It allows you to directly authenticate the client radio with a captive portal. If you connect your Pineapple to an AP that has a captive portal you normally have to first authenticate with another client and then place that MAC address on the client radio. Portal Auth will detect captive portals and give you the ability to authenticate from the Pineapple. If you have any problems with this infusion or just have questions, please post them here.

I think you have been doing this the long way. All you have to do to get your pineapple on a network is connect your phone or laptop to the pineapple and go to a web page. Since all of your traffic is going through the pineapple, they never see your phone's MAC, only the pineapple's, and then the pineapple is authenticated. What would be awesome is if your infusion automatically detected a portal (which it does) and then authenticated to it with no user interaction at all (not even visiting the web interface).


I think you have been doing this the long way. All you have to do to get your pineapple on a network is connect your phone or laptop to the pineapple and go to a web page. Since all of your traffic is going through the pineapple, they never see your phone's MAC, only the pineapple's, and then the pineapple is authenticated. What would be awesome is if your infusion automatically detected a portal (which it does) and then authenticated to it with no user interaction at all (not even visiting the web interface).

I guess you're right. I thought about making it authenticate automatically and I'll probably start working on that now. I'll have to pull the code and inject some javascript to click the button for me which will still require loading the page.


Thanks for the ideas. This is what I like about communities such as this. Now I can improve upon my infusion and make it useful for everyone.


I guess you're right. I thought about making it authenticate automatically and I'll probably start working on that now. I'll have to pull the code and inject some javascript to click the button for me which will still require loading the page.

Not necessarily, clicking the button isn't what authenticates you, it's the GET or POST request that is made when you click the button. So all you have to do is make the same request that clicking the button triggers and there wouldn't have to be any JS injection or anything, you just need to read the HTML and do what it does. It's probably a good 50ish lines of Python.


Also, there are likely to be many edge cases - boxes to check, room numbers to enter, email addresses etc so the problem isn't as simple as it first might seem.

In the EU you often have to enter a ton of information at the portal and each one is potentially slightly different.

Using something like mitmproxy on a laptop to record something that can be replayed on the Pineapple might be a more fruitful / generic approach.


Not necessarily, clicking the button isn't what authenticates you, it's the GET or POST request that is made when you click the button. So all you have to do is make the same request that clicking the button triggers and there wouldn't have to be any JS injection or anything, you just need to read the HTML and do what it does. It's probably a good 50ish lines of Python.

However, clicking the button does send the POST/GET data. Why would I create my own POST/GET request, scavenging the HTML for the right data, when I can use jQuery to simply click the button? I feel this is the more efficient route.

Also, there are likely to be many edge cases - boxes to check, room numbers to enter, email addresses etc so the problem isn't as simple as it first might seem.

In the EU you often have to enter a ton of information at the portal and each one is potentially slightly different.

Using something like mitmproxy on a laptop to record something that can be replayed on the Pineapple might be a more fruitful / generic approach.

Checkboxes, and similar elements, can be searched for by element name and enumerated. Then I can simply change the state and click the submit button with jQuery. Text fields are a different story but can probably be filled with random data as long as there is no need for credential authentication.

What I will most likely end up doing is keeping the portal view option available but make it an option to attempt to auto authenticate. If it fails the user can then open the portal window and do it manually. I'll get something figured out.

Thanks everyone for the input.


Also, if the element type or POST/GET are different from what is searched, or as with everything else in the world, doesn't work as expected, maybe add some custom fields for it to look for to authenticate?


However, clicking the button does send the POST/GET data. Why would I create my own POST/GET request, scavenging the HTML for the right data, when I can use jQuery to simply click the button? I feel this is the more efficient route.

Checkboxes, and similar elements, can be searched for by element name and enumerated. Then I can simply change the state and click the submit button with jQuery. Text fields are a different story but can probably be filled with random data as long as there is no need for credential authentication.

What I will most likely end up doing is keeping the portal view option available but make it an option to attempt to auto authenticate. If it fails the user can then open the portal window and do it manually. I'll get something figured out.

Thanks everyone for the input.

Because if it's JavaScript it would have to be executed by the user, that's why. If you want something that doesn't require the user to have to do anything at all, not even load the page, then jQuery isn't the answer unless you did some headless JS stuff, but it would be way more work to do that than to use something like Beautiful Soup and requests with Python.


Because if it's JavaScript it would have to be executed by the user, that's why.

Technically, no. The way my infusion checks when it loads is by running the click function in window.onload, so it requires no interaction from the user and the same concept could be applied to the portal. I see what you are saying, though, and it would be better if I make it authenticate automatically without needing to load the portal.

DataHead, you make a good point as well.

Thanks again for the input, everyone. I will try to get an update out by the end of this weekend.


Take your time and don't stress to get it all implemented by the weekend :-) Quality of updates vs quantity. You have done some mighty good work though! And I look forward to seeing this progress.


If you want the WiFi Pineapple to do the authentication, I recommend looking at a program called portalsmash.

I have had it on my to-do list for a long time, to port this over to python and include it into the WiFi Pineapple builds, but I haven't gotten around to that yet.

Everything done in portalsmash CAN be done in python though.

Oli is right though - especially in Europe, lots of captive portals require email addresses or other checkboxes. This could still be managed through a python script though.

Best Regards,

Sebkinne


Although I am not quite finished here is an update of what I've accomplished today. This script currently authenticates with a captive portal I have set up at home. It has not been tested elsewhere. As always, constructive feedback is welcome.

Going off of newbi3's suggestion and considering Oli's as well I have come up with the following solution. Using python and BeautifulSoup I am able to pull in the splash page and try to do what it does in authenticating a user. It captures all of the "action" values of form elements (assuming there may be more than one and we don't want to send the request to the wrong one) and sends a POST request to each. The POST request is made up of the names of elements listed in the data = {} dictionary. This will be a list defined by the user in the infusion so wherever you are you can fine tune it to the norm. As Oli stated the EU likes to use a lot of edge cases. I don't see that as much in the US though. The values in the POST data are, at the moment, set to randomstring@fakedomain.com since some scripts may require email format for an email address but will also accept the same thing for a name. It will most likely strip out any unaccepted characters but I may just come up with a different solution for that. Check out the script and please let me know if you can think of ways to tweak it.

# Import urllib (Python 3) to make HTTP requests and load
# BeautifulSoup to parse the HTML
import urllib.error
import urllib.parse
import urllib.request
from bs4 import BeautifulSoup

url = 'http://www.puffycode.com/'
authtargets = []

# Attempt to open an external web page and load the HTML
response = urllib.request.urlopen(url)
html = response.read()

# Create a data structure for the POST/GET request
data = {}
tags = {"button", "input", "select"}

# Create a BeautifulSoup object to hold our HTML structure
soup = BeautifulSoup(html, "html.parser")

# Find all forms (just in case there are multiple) and grab the actions,
# resolving relative actions against the URL that actually served the page
for form in soup.find_all('form'):
    action = form.get('action') or ''
    authtargets.append(urllib.parse.urljoin(response.geturl(), action))

# Find all button, input and select tags and get their names
for item in tags:
    for elem in soup.find_all(item):
        key = elem.get('name')
        # Elements without a name attribute are never submitted, so skip them
        if key:
            data[key] = "randomstring@fakedomain.com"

# Encode the data for a GET/POST request
encoded_data = urllib.parse.urlencode(data)

# Prepare and execute a GET request
#get_url = authtarget + "?" + encoded_data
#response = urllib.request.urlopen(get_url)

for target in authtargets:
    try:
        # Prepare and execute a POST request (the body must be bytes)
        request = urllib.request.Request(target, encoded_data.encode())
        response = urllib.request.urlopen(request)
    except (urllib.error.URLError, ValueError):
        # One failing target should not stop the remaining ones
        continue

I will also be working on the GET request part but for now it is commented out because it wasn't working.
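The script above sends every named element on the page, with one filler value, to every form action. The following added example (not sud0nick's code and not part of the infusion) keeps each control with the form that owns it, preserves hidden values, and reports the fields a user would still have to supply, which is where the edge cases raised earlier in the thread show up. The sample page, host names and `user_values` are constructed assumptions; nothing is sent over the network.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed splash page for illustration; not taken from any real portal.
SAMPLE_PORTAL = """
<form action="/lang" method="get"><select name="lang"></select></form>
<form action="accept.cgi" method="POST">
  <input type="hidden" name="token" value="constructed-token-123">
  <input type="checkbox" name="terms">
  <input type="text" name="email">
  <input type="submit" name="go" value="Accept">
  <input type="submit" name="cancel" value="Cancel">
</form>
"""

class FormCollector(HTMLParser):
    """Collect named controls, keeping each one with the form that owns it."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "method": (attrs.get("method") or "get").lower(),
                             "controls": []}
            self.forms.append(self._current)
        elif (tag in ("input", "select", "button")
              and self._current is not None and attrs.get("name")):
            self._current["controls"].append((tag, attrs))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def build_submissions(html, base_url, user_values):
    """Return one submission plan per form found in the page."""
    collector = FormCollector()
    collector.feed(html)
    plans = []
    for form in collector.forms:
        data, missing, submit_seen = {}, [], False
        for tag, attrs in form["controls"]:
            name = attrs["name"]
            default = {"input": "text", "button": "submit", "select": "select"}[tag]
            kind = (attrs.get("type") or default).lower()
            if kind == "hidden":
                data[name] = attrs.get("value") or ""    # keep the server-issued value
            elif kind == "checkbox":
                data[name] = attrs.get("value") or "on"  # browser default when checked
            elif kind == "submit":
                if not submit_seen:                      # only one button is ever sent
                    data[name] = attrs.get("value") or ""
                submit_seen = True
            elif kind in ("button", "reset"):
                continue                                 # never part of a submission
            elif name in user_values:
                data[name] = user_values[name]
            else:
                missing.append(name)                     # needs a user-defined value
        plans.append({"action": urljoin(base_url, form["action"]),
                      "method": form["method"], "data": data, "missing": missing})
    return plans
```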


Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether.

But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with say, evilportal or just dnsspoof?

If this is out of the scope here, or just a ridiculous idea, just discard this lol


Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether.

But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with say, evilportal or just dnsspoof?

If this is out of the scope here, or just a ridiculous idea, just discard this lol

Having it clone the portal would be a feature that EP should have (which has been on my list of things to do).

Also sud0nick, I'd recommend using the requests library over urllib because it's much nicer and easier to use

http://docs.python-requests.org/en/latest/


Hey everyone I just submitted version 1.1 and hopefully it will be available soon for download. Here are the changes I made thanks to all of your ideas.

This is a copy of the change log that will be provided with the infusion.

[->] Added the option to auto-authenticate with a captive portal.

[->] Updated UI that now alerts you to what is happening.  A progress bar appears when checking, loading, and auto-authenticating with captive portals.
	
[->] Updated the Portal tab to display a progress bar and loading message when loading a portal.
	
[->] Moved the Portal tab one position to the right so it won't automatically load every time the large tile is opened.
	
[->] Added the Element Tags option in the Config tab for user-defined elements to search for when auto-authenticating.
	
[->] Dependencies are now required for PortalAuth but can be removed in the Config tab.  Only remove if you desire to uninstall PortalAuth.

[->] Removed the Last Checked timestamp from the small tile.

As always, please let me know if you experience any problems with this version. Please remember the Auto Auth feature is still brand new! It may not work under every condition so the Portal tab is still available to help you authenticate from the Pineapple.

I hope you all enjoy this next version!


Just recording ideas down, but since you are already discovering by automation. Or could even be a separate infusion altogether.

But why not have an option to clone the auth portal, and have it be recreated with modified data to go along with say, evilportal or just dnsspoof?

If this is out of the scope here, or just a ridiculous idea, just discard this lol

I could see this being a part of either evil portal or portalauth. As you said DataHead, I could easily use the code I have already written to accomplish this. I'm going to do this for myself anyway but would be glad to hand the code over to newbi3 and let him add it to evil portal if he wishes. If not I will add it to my infusion. I'm thinking along the lines of this process:

1. Pull HTML from portal

2. Replace the value of all action attributes, in form tags, with $authtarget

Remove value of action attributes and leave redirection up to the JavaScript.

3. Inject username and password fields

4. Inject an AJAX call to log the credentials

5. Place in portal directory on Pineapple.

The basics are simple. Then I might add some options to insert images like the Facebook or GMail icon in order to make it look more official when asking for creds from a specific site.


Wow, I didn't think I would get so much done so soon. I have a fully functional script now that pulls a portal, injects user defined HTML forms (while clearing the other forms) and user defined JS (this is where $authtarget will be), downloads all images to the images directory, replaces all image links within the HTML with $imagesDir, and saves the file as splash.html. The user will also be able to set whether they want to store the portal for later or use immediately. I expect to have an update pushed by the end of the weekend.


I want this update!!!

So will this work hand in hand with evil portal?

If I understand correctly, your script will clone a portal page and adapt it to the Pineapple?

Will we have to modify anything??

This really is getting to sound really good!!

Cheers
