
[Support] Portal Auth


sud0nick


A new test version is available on my server (v2.5.1). Included in this version is a command line executable that has multiple functions. These functions include scanning for open access points and automatically connecting as well as cloning a captive portal on that AP if it exists. Right now the automatic scan is not optional but cloning is. Here is the help output from the script that displays all of the functionality:

Usage: executable [-h] [-c] [-a] [-b] [-w] [-ijs] [-ihtml] [-icss] [-sjs]
                  [-scss] [-sl] [-sf] [-iset]
                  interface

Automatically search and connect to an open access point. Optionally, clone
and authenticate with a captive portal.

positional arguments:
  interface             Wireless interface to scan and connect

optional arguments:
  -h, --help            show this help message and exit
  -c, --clone           Attempt to clone a portal if it exists
  -a, --authenticate    Attempt to authenticate with a portal if it exists
  -b , --blacklist      Path to file containing SSIDs to ignore in scan
  -w , --whitelist      Path to file containing SSIDs to accept in scan
  -ijs, --injectjs      Cloner Option: Inject JavaScript from Injection Set
  -ihtml, --injecthtml  Cloner Option: Inject HTML from Injection Set
  -icss, --injectcss    Cloner Option: Inject CSS from Injection Set
  -sjs, --stripjs       Cloner Option: Strip JavaScript from cloned portal
  -scss, --stripcss     Cloner Option: Strip inline CSS from cloned portal
  -sl, --striplinks     Cloner Option: Strip links from cloned portal
  -sf, --stripforms     Cloner Option: Strip forms from cloned portal
  -iset , --injectionset 
                        Cloner Option: Name of Injection Set to use when
                        cloning

You'll notice that there is an option to include a blacklist or whitelist. The blacklist allows for you to skip over access points you don't want to connect to and the whitelist will attempt to connect only to the SSIDs listed within it.

Here are a couple of examples to run the script with these modes and attempt to clone a portal if it exists.

pineapple infusion portalauth -w whitelist.txt -c wlan1
pineapple infusion portalauth -b blacklist.txt -c wlan1

Remember that if you want to inject code into the portal you will need to include the name of the injection set along with the flags for what to inject/strip.

Current Bugs

As of now there is an issue when using the commands above to run the script. The entire script executes properly but it will hang afterward. If you cd to /sd/infusions/portalauth/executable/ and run ./executable wlan1 it will not hang. I don't know why it is doing this so if anyone has a solution please let me know.

One last note, the authentication portion has not been built in to the command line executable. If you attempt to use it nothing will happen.

Link to comment
Share on other sites

  • 3 months later...
  • 2 weeks later...

I'm home now and I've looked into the issue. It seems that the MD5 hash for BS4 doesn't match what I originally uploaded, which leaves me wondering who changed the file on InfoTomb. This is why everyone is seeing errors when installing depends. I may just move these files back to my server but it would be awesome if Hak5 could find some space for the devs to store depends so users don't have to worry about where their downloads are coming from.

I'll get this fixed and push an update to the Pineapple Bar.

Edit:

It seems as if the dependency files were deleted rather than modified on InfoTomb (I still don't know why). While we wait for the infusion approval process here is an updated version of the install_depends script:

#!/bin/sh

# Update the opkg list
opkg update > /dev/null;

# Check if wget (SSL version) is installed
test=$(opkg list-installed | grep 'wget')

if [ -z "$test" ]; then
	opkg install wget > /dev/null;
fi

# Make a temporary directory for downloading depends
# (-p creates /sd/tmp if needed and does not fail when the directory already exists)
mkdir -p /sd/tmp/portalauth || exit 1;
cd /sd/tmp/portalauth || exit 1;

# Download the depends
wget -q http://www.puffycode.com/download/PortalAuth/beautifulsoup4-4.4.0.tar.gz > /dev/null;
wget -q http://www.puffycode.com/download/PortalAuth/requests-v2.5.1.tar.gz > /dev/null;
wget -q http://www.puffycode.com/download/PortalAuth/tinycss-0.3.tar.gz > /dev/null;
wget -q http://www.puffycode.com/download/PortalAuth/setuptools-18.2.tar.gz > /dev/null;

# Check MD5 of BS4
# (the hash is quoted so a missing file compares as an empty string, and every
# failed check exits non-zero so the caller can tell the install did not happen)
if ! [ "$(md5sum beautifulsoup4-4.4.0.tar.gz | awk '{print $1}')" = "63d1f33e6524f408cb6efbc5da1ae8a5" ]; then
	echo "MD5 of BS4 does not match"
	rm -rf /sd/tmp/portalauth
	exit 1
fi

# Check MD5 of Requests library
if ! [ "$(md5sum requests-v2.5.1.tar.gz | awk '{print $1}')" = "3c5bd282c56353d56ac39b6dee12560f" ]; then
	echo "MD5 of Requests does not match"
	rm -rf /sd/tmp/portalauth
	exit 1
fi

# Check MD5 of TinyCSS library
if ! [ "$(md5sum tinycss-0.3.tar.gz | awk '{print $1}')" = "13999e54453d4fbc9d1539f4b95d235e" ]; then
	echo "MD5 of TinyCSS does not match"
	rm -rf /sd/tmp/portalauth
	exit 1
fi

# Check MD5 of SetupTools
if ! [ "$(md5sum setuptools-18.2.tar.gz | awk '{print $1}')" = "52b4e48939ef311d7204f8fe940764f4" ]; then
	echo "MD5 of SetupTools does not match"
	rm -rf /sd/tmp/portalauth
	exit 1
fi

# Unpack
tar -xzf beautifulsoup4-4.4.0.tar.gz > /dev/null 2>&1;
tar -xzf requests-v2.5.1.tar.gz > /dev/null 2>&1;
tar -xzf tinycss-0.3.tar.gz > /dev/null 2>&1;
tar -xzf setuptools-18.2.tar.gz > /dev/null 2>&1;

# If /sd/depends does not exist, create it
if ! [ -d "/sd/depends/" ]
then
        mkdir /sd/depends/;
fi

# Install the libraries
cp -R beautifulsoup4-4.4.0 /sd/depends/bs4;
cp -R kennethreitz-requests-d2d576b /sd/depends/requests;
cp -R tinycss-0.3 /sd/depends/tinycss;
cp -R setuptools-18.2 /sd/depends/setuptools;

# Create symbolic links for the dependencies so they can be accessed by the default search path
ln -s /sd/depends/bs4 /usr/lib/python2.7/site-packages/bs4;
ln -s /sd/depends/requests /usr/lib/python2.7/site-packages/requests;
ln -s /sd/depends/tinycss/ /usr/lib/python2.7/site-packages/tinycss;

# Run the setup.py scripts
cd /sd/depends/setuptools/;
python setup.py build > /dev/null 2>&1;
python setup.py install > /dev/null 2>&1;

cd /sd/depends/bs4/;
python setup.py build > /dev/null 2>&1;
python setup.py install > /dev/null 2>&1;

cd /sd/depends/requests/;
python setup.py build > /dev/null 2>&1;
python setup.py install > /dev/null 2>&1;

cd /sd/depends/tinycss/;
python setup.py build > /dev/null 2>&1;
python setup.py install > /dev/null 2>&1;

# Remove tmp directory
rm -rf /sd/tmp/portalauth;
echo "Complete"

Just place this file in /pineapple/components/infusions/portalauth/includes/scripts/ and click Install Dependencies from the web interface. Everything should install properly now. Keep in mind that these dependencies are being downloaded from my personal server and not InfoTomb or Hak5. I am still using InfoTomb for the Captive Portal check file as that has not been deleted.

Edit 2:

Since it appears the Injection Sets were also deleted I will be moving them to my site as well.

Edit 3:

Version 2.6 has been submitted to the Pineapple Bar. During testing I noticed that my Pineapple was running out of space for the libraries required (I may just have more stuff installed than others) but if you run into this problem I recommend the following:

1. Move /usr/lib/python2.7/site-packages/ to /sd/depends/site-packages.

2. Create a symlink between the two.

3. Install dependencies.

mv /usr/lib/python2.7/site-packages /sd/depends/site-packages
ln -s /sd/depends/site-packages/ /usr/lib/python2.7/site-packages

Edited by sud0nick
Link to comment
Share on other sites
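The post above describes dependency archives that first failed their hash check and then turned out to have been deleted from the file host. As an added example (not sud0nick's code and not part of Portal Auth), this sketch verifies downloads against a pinned SHA-256 manifest before anything is unpacked, and reports a deleted file separately from a replaced one. The function names are hypothetical, it is written for Python 3 rather than the Pineapple's Python 2.7, and the archive contents in `demo()` are constructed stand-ins.

```python
# Added example: fail-closed check of downloaded archives against pinned SHA-256 digests.
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream the file so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {name: digest}."""
    pins = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("manifest line %d is malformed" % lineno)
        name = parts[1].lstrip("*")
        if name != os.path.basename(name):
            raise ValueError("manifest line %d names a path, not a file" % lineno)
        pins[name] = parts[0].lower()
    return pins

def verify_downloads(directory, pins):
    """Return {filename: 'ok' | 'missing' | 'mismatch' | 'unpinned'}."""
    results = {}
    for name, expected in pins.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"      # e.g. the host deleted the file
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"     # e.g. an error page saved under the archive name
    for name in os.listdir(directory):
        results.setdefault(name, "unpinned")  # present but never pinned: do not install
    return results

def safe_to_install(results):
    """Install only if there is at least one file and every file verified."""
    return bool(results) and all(status == "ok" for status in results.values())

def demo():
    """Constructed scenario: three pinned files, then one is deleted and one replaced."""
    names = ["beautifulsoup4-4.4.0.tar.gz", "requests-v2.5.1.tar.gz", "tinycss-0.3.tar.gz"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"constructed stand-in for " + name.encode())
        manifest = "".join("%s  %s\n" % (sha256_file(os.path.join(tmp, n)), n) for n in names)
        pins = parse_manifest(manifest)
        before = verify_downloads(tmp, pins)
        os.remove(os.path.join(tmp, names[0]))
        with open(os.path.join(tmp, names[1]), "wb") as fh:
            fh.write(b"<html>404 Not Found</html>")
        return before, verify_downloads(tmp, pins)
```

The manifest only helps if it ships with the installer itself rather than being fetched from the same server as the archives.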

I found a couple of things that needed fixing so I've released yet another version. v2.7 has been submitted to the Pineapple Bar with the following updates:

Version 2.7 - Released Aug 30, 2015

	[->] Added support for downloading multiple files with the same name from a site.
	
	[->] Fixed encoding/decoding issue with external CSS files that would cause the operation to crash.
	
	[->] Removed AP search from command line executable and updated cloning options.

The encoding issue was what prompted me to push an update. I didn't have a problem with it in previous versions but for some reason I couldn't clone websites that I could before. I looked into the problem, with my handy error logs, and realized when the script attempts to modify the CSS files it wasn't able to decode them properly which would cause the program to crash and leave you with all of the files from the site but no splash.html file.

I also updated the command line executable so you can now clone portals from the command line or in a script and activate them immediately. I originally had the script set up to scan for open WiFi networks, connect automatically, check for a captive portal, and clone it if one existed. I took that out as I don't have the proper means to test it fully and I doubt it was used much anyway. If anyone still wants that feature I can probably find a place around town that has that type of environment. Just let me know.

Enjoy :smile:

Link to comment
Share on other sites

  • 2 weeks later...

Hi,

Quick question, not sure if this is the right thread to post in but...

In Portal Auth, I click on the "activate now" button after saving/creating a copy of the "freewifi" infusion (just named it freewificopy) that is already provided there... and then, as I understand it, that is supposed to transfer this over to Evil Portal where I can find it under libraries > saved portals?

However, when I do all this and then check in Evil Portal it simply says "you have no saved portals to view".

Please help, am I missing something or what?

Cheers,

onion

Link to comment
Share on other sites

This is the proper thread for Portal Auth questions. Please only use the Injection Sets thread for questions about injection sets.

When you click activate now, while cloning a portal, the portal is placed in the /etc/nodogsplash/htdocs/ directory. Your saved portals from Portal Auth appear, by default, in /sd/portals/. Mine appear in Evil Portal II but they can't be edited or activated from there. What I normally do to activate my portals is use the activateportal.sh script in /sd/infusions/portalauth/includes/scripts/ which requires two arguments: 1. portal directory, and 2. portal name.

./activateportal.sh /sd/portals/ TestPortal
Link to comment
Share on other sites

It seems that InfoTomb doesn't hold on to files forever like they claim. The portal test page has disappeared now as well. Although I always recommend you use your own so you know which servers your Pineapple is connecting to when checking for captive portals, I do have a page set up on my server.

http://www.puffycode.com/download/PortalAuth/cptest.txt

The expected data field in Portal Auth should be set to "No Captive Portal"

Link to comment
Share on other sites

Hi,

Many thanks for this good info!

For me however, nothing saves in the /sd/portals/ folder at all??

It seems that InfoTomb doesn't hold on to files forever like they claim. The portal test page has disappeared now as well. Although I always recommend you use your own so you know which servers your Pineapple is connecting to when checking for captive portals, I do have a page set up on my server.

http://www.puffycode.com/download/PortalAuth/cptest.txt

The expected data field in Portal Auth should be set to "No Captive Portal"

Also, not quite sure what you mean by this?? apologies... not sure what to do...

Cheers,
onion

Link to comment
Share on other sites

Hi,

Many thanks for this good info!

For me however, nothing saves in the /sd/portals/ folder at all??

So, after you clone a captive portal, and the message appears that the portal was cloned successfully, you SSH into the Pineapple and check /sd/portals/ and nothing is there? If you open the large tile in Portal Auth, under the config tab, you should see a field for the portal directory that by default has /sd/portals/ in it. If it doesn't then you need to check the directory that's listed there instead.

Also, not quite sure what you mean by this?? apologies... not sure what to do...

Cheers,

onion

Under the Config tab in the large tile there is a field labeled Test Website. This is a URL to a webpage for Portal Auth to check if a captive portal is present. Since InfoTomb took down the file that Portal Auth links to by default I put up another link to my server. You can put that link in the Test Website field so you don't get false positives.

Link to comment
Share on other sites

Hi Sudonick,

Very much appreciate your responses! Thank you!

I may have miscommunicated my thoughts however, what I was trying to convey was that, I have not yet tried to clone an actual captive portal from scratch, as I have not yet investigated/learned how to do this yet (although your info has helped tremendously!)

What I have been doing is trying to somehow utilize the default portal options that are already there (I think one of the default options that is already loaded into there is called "freewifi" or something). Can't I just use those just the same as cloning my own portal from scratch? Also, what are those default options already there for?

Sorry for all the questions!

P.S. I would like to learn how to clone my own portal from scratch etc... and will proceed to do so soon hopefully!

Cheers.

onion

Link to comment
Share on other sites

What I have been doing is trying to somehow utilize the default portal options that are already there (I think one of the default options that is already loaded into there is called "freewifi" or something). Can't I just use those just the same as cloning my own portal from scratch? Also, what are those default options already there for?

You have to clone a captive portal, or webpage, to use the injection sets. They are injected into the portal as it is copied to the Pineapple. I'm currently working on a new version of Portal Auth and I'll make a full guide on how to use every feature once it's finished but until then you can watch this video on some of the features. https://forums.hak5.org/index.php?/topic/34421-support-portal-auth/?p=258766

Edited by sud0nick
Link to comment
Share on other sites

  • 2 weeks later...

Version 2.8 has been submitted to the Pineapple Bar. Here is the change log:

[->] Added Payload tab which includes the Portal Auth Shell Server (PASS), payload upload center, and a default payload for Windows and OS X.
[->] Modified the auth log tab to auto refresh.
[->] Moved the Test Website and depends back to PuffyCode.com.
[->] Added the Payloader injection set for delivering payloads to victim machines.

Also, I put together a complete how to video on Portal Auth. Check it out in the Pineapple University forum.

Link to comment
Share on other sites

Thanks for this UPDATE & the VIDEO!! I hope to install it this weekend.

Couple questions:

- If the victim installs the server onto his/her computer, can I have remote access to that computer at a later time too? (like a trojan)

- Can a payload be made for Android? If so, I think the user might get a warning about installing from outside of the Play Store, right?

Thanks again and good job! I think I'm going to watch the tutorial again.

Link to comment
Share on other sites

If the victim installs the server onto his/her computer, can I have remote access to that computer at a later time too? (like a trojan)

Just to be clear, the victim won't install the server on their computer. The payload I included will set up a listening socket (which is what I think you meant) so as long as that program is running in the background on their system you will be able to access it.

Can a payload be made for Android? If so, I think the user might get a warning about installing from outside of the Play Store, right?

The point of the NetClient page is to upload any payload you want. If you can make a payload for android then you can upload it to the Android section. The Payloader injection set will use the user-agent string of the victim's browser to determine what OS they are on. If they are on Android they will receive the Android payload, if they are on Windows they will receive the Windows payload, etc. By default I included the code for a Windows and OS X payload but you can always use the veil framework or metasploit to create your own payloads. I plan on playing around with the veil framework sometime this week as I have recently discovered it and it seems awesome.

Link to comment
Share on other sites

To test this new version, I did a factory restore on my pineapple. Then I installed the infusion from the bar.

Clicking on the "Install dependencies" link in the small tile does nothing.

Executing the following command via ssh gives the following error:

# pineapple infusion portalauth
Traceback (most recent call last):
  File "/pineapple/components/infusions/portalauth/executable/executable", line 6, in <module>
    import requests
ImportError: No module named requests

Continuing, I manually ran the check_depends.sh script, then the install_depends.sh script.

root@Pineapple:/sd/infusions/portalauth/includes/scripts# ./check_depends.sh
Not Installed

root@Pineapple:/sd/infusions/portalauth/includes/scripts# ./install_depends.sh
zip_safe flag not set; analyzing archive contents...
unable to execute mips-openwrt-linux-uclibc-gcc: No such file or directory
no previously-included directories found matching 'docs/_build'
unable to execute mips-openwrt-linux-uclibc-gcc: No such file or directory
no previously-included directories found matching 'docs/_build'
zip_safe flag not set; analyzing archive contents...
tinycss.tests.speed: module references __file__
Complete

After that was complete, I tried the "pineapple infusion portalauth" command, this time a different error.


root@Pineapple:/sd/infusions/portalauth/includes/scripts# pineapple infusion portalauth

Traceback (most recent call last):
  File "/pineapple/components/infusions/portalauth/executable/executable", line 87, in <module>
    response = requests.get(settings['testSite'], verify=False)
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/api.py", line 65, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/api.py", line 49, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/sessions.py", line 447, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/sessions.py", line 378, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/models.py", line 303, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/site-packages/requests-2.5.1-py2.7.egg/requests/models.py", line 360, in prepare_url
    "Perhaps you meant http://{0}?".format(url))
requests.exceptions.MissingSchema: Invalid URL u'': No schema supplied. Perhaps you meant http://?

Am I missing something?

Thanks!

PT

Edited by phibertap
Link to comment
Share on other sites

So it appears the depends installed properly but told you they did not. After installing them manually did you check the ./check_depends.sh script again or try from the web GUI? What browser are you using and did a progress bar come up when you clicked Install Depends or did an error come up?

That final error came up because you ran it from the command line without a test website set. You should see a link in the small tile to configure the test website. Do that then try the command line version again. That's why you see

Invalid URL u'': No schema supplied. Perhaps you meant http://?

If the command line version works you should be able to use the GUI version. They are exactly the same.

Link to comment
Share on other sites
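The Test Website and expected data settings discussed in this thread, and the empty-URL error explained in the reply above, can be put together as follows. This is an added example, not Portal Auth's code: the function names, the placeholder URL and the "inconclusive" verdict for a test page that has disappeared are assumptions that go beyond what the thread describes, and the responses in `SAMPLES` are constructed.

```python
# Added example (not Portal Auth's code): captive-portal check against a known test page.
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def validate_test_site(url):
    """Reject the empty or scheme-less setting that produced MissingSchema in the thread."""
    parts = urlsplit((url or "").strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("Test Website must be an absolute http(s) URL, got %r" % (url,))
    return parts.geturl()

def http_fetch(url, timeout=5):
    """Fetch url, following redirects; return (status, final_url, body_text)."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 4xx/5xx responses still carry a status, a URL and a body
    try:
        return resp.getcode(), resp.geturl(), resp.read(4096).decode("utf-8", "replace")
    finally:
        resp.close()

def check_portal(test_site, expected, fetch=http_fetch):
    """Return 'open', 'captive-portal', 'inconclusive' or 'no-connectivity'."""
    url = validate_test_site(test_site)
    try:
        status, final_url, body = fetch(url)
    except OSError:  # URLError, timeouts and socket errors are all OSError
        return "no-connectivity"
    if urlsplit(final_url).hostname != urlsplit(url).hostname:
        return "captive-portal"   # redirected to another host, typically a login page
    if status != 200:
        return "inconclusive"     # the test page itself may be gone; not proof of a portal
    if body.strip() == expected:
        return "open"
    return "captive-portal"       # same URL and 200, but the body was replaced

TEST_SITE = "http://check.example.test/cptest.txt"  # placeholder URL, not a real server
EXPECTED = "No Captive Portal"                       # expected data value given in the thread

# Constructed responses standing in for the network: (status, final_url, body).
SAMPLES = {
    "direct": (200, TEST_SITE, "No Captive Portal\n"),
    "redirected": (200, "http://portal.example.test/login", "<html>Sign in</html>"),
    "rewritten": (200, TEST_SITE, "<html>Accept terms to continue</html>"),
    "page deleted": (404, TEST_SITE, "Not Found"),
}

def run_samples():
    """Classify each constructed response without touching the network."""
    return {name: check_portal(TEST_SITE, EXPECTED, lambda url, r=resp: r)
            for name, resp in SAMPLES.items()}
```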

Hi sud0nick,

Thanks for this great work!

I try to click the upload payload button but get the error "failed to upload the payload".

I followed the default steps for uploading/setting up the default Windows payload (netcli.exe) you provided as per your tutorial.

Any thoughts?

Cheers,

Onion

Link to comment
Share on other sites

Did you click the link for configuring uploads? It will run a script that modifies your nginx and php configuration to allow uploads larger than 2 MB. If you clicked the link and it still isn't working try rebooting your Pineapple. Maybe the configuration files didn't reload even though they should have.

Link to comment
Share on other sites

Yeah, I tried rebooting, but still get the same issue unfortunately (and yeah, I clicked the link to allow higher uploads; it says it worked).

Also, when running on Kali/Iceweasel I get that install new dependencies popup you created for Portal Auth popping up at the bottom of the screen; it's like always there, despite everything being installed properly (at least it all seems to have installed properly).

P.S. I get this same issue on the Mac using the Chrome browser.

Should I try re-flashing the Pineapple and reinstalling?

Cheers,

Onion

Edited by onion2346
Link to comment
Share on other sites
