Jump to content

[Official] Portal Auth


sud0nick

Recommended Posts

2 hours ago, monkeytrumpet said:

Its a UK hotel chain, Premier inn. The portal is serviced by Arqiva Wifi

I'm not sure why you would be spoofing a Premier Inn portal.

I'd like to remind everyone reading this thread that illegal activity is not condoned and shouldn't be discussed on these forums. Keep it legal :)

Link to comment
Share on other sites

  • Replies 293
  • Created
  • Last Reply

Foxtrot is right.  I don't think there is anything inherently wrong with cloning the portal if you want to test things on your own but you start to cross over to the dark side when you host a cloned portal without proper permission from the owners.  I would still like to know what is in that portal that's causing the cloner to crash so I can make it better for legitimate use.

Link to comment
Share on other sites

Trying to clone the Starbucks portal as per the tutorial video. Tried a few times but here are the error logs from the last two attempts:

 

Traceback (most recent call last): File "/pineapple/modules/PortalAuth/includes/scripts/portalclone.py", line 24, in cloner.cloneResources() File "/sd/modules/PortalAuth/includes/scripts/PortalCloner.py", line 123, in cloneResources r = self.session.get(urlparse.urljoin(self.url, script.get('src')), stream=True, verify=False) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 473, in get return self.request('GET', url, **kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 461, in request resp = self.send(prep, **send_kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 573, in send r = adapter.send(request, **kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/adapters.py", line 415, in send raise ConnectionError(err, request=request) requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

 

Traceback (most recent call last): File "/pineapple/modules/PortalAuth/includes/scripts/portalclone.py", line 24, in cloner.cloneResources() File "/sd/modules/PortalAuth/includes/scripts/PortalCloner.py", line 217, in cloneResources fw = open(self.portalDirectory + css_file, 'w') IOError: [Errno 2] No such file or directory: '/root/portals/starbuck/resources/1372221404_enUS.css'

 

Any ideas? It did work once before by I factory reset my Nano and now it fails every time. I'm using the Harvester payload.

 

Regards.

Link to comment
Share on other sites

Trying to clone the Starbucks portal as per the tutorial video. Tried a few times but here are the error logs from the last two attempts:

 

Traceback (most recent call last): File "/pineapple/modules/PortalAuth/includes/scripts/portalclone.py", line 24, in cloner.cloneResources() File "/sd/modules/PortalAuth/includes/scripts/PortalCloner.py", line 123, in cloneResources r = self.session.get(urlparse.urljoin(self.url, script.get('src')), stream=True, verify=False) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 473, in get return self.request('GET', url, **kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 461, in request resp = self.send(prep, **send_kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/sessions.py", line 573, in send r = adapter.send(request, **kwargs) File "/sd/modules/PortalAuth/includes/scripts/libs/requests/adapters.py", line 415, in send raise ConnectionError(err, request=request) requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

 

Traceback (most recent call last): File "/pineapple/modules/PortalAuth/includes/scripts/portalclone.py", line 24, in cloner.cloneResources() File "/sd/modules/PortalAuth/includes/scripts/PortalCloner.py", line 217, in cloneResources fw = open(self.portalDirectory + css_file, 'w') IOError: [Errno 2] No such file or directory: '/root/portals/starbuck/resources/1372221404_enUS.css'

 

Any ideas? It did work once before by I factory reset my Nano and now it fails every time. I'm using the Harvester payload.

 

Regards.

Link to comment
Share on other sites

As it was cloning one of the CSS files it appears it couldn't find /root/portals/starbuck/resources/.

IOError: [Errno 2] No such file or directory: '/root/portals/starbuck/resources/1372221404_enUS.css'

Something must have happened to delete that directory while it was in the process of cloning the site.  I'm not sure what it could be unless if you went into Evil Portal and deleted the portal as it was being created which I doubt you would do.

Link to comment
Share on other sites

On 22/09/2016 at 7:50 PM, Foxtrot said:

I'm not sure why you would be spoofing a Premier Inn portal.

I'd like to remind everyone reading this thread that illegal activity is not condoned and shouldn't be discussed on these forums. Keep it legal :)

Hi Foxtrot

Of course I understand, and you are absolutely right, and of course, I would absolutely not carry out any nefarious activity within an area with no permission!

And Nick, sorry, I don't have a link to the site!

Link to comment
Share on other sites

  • 1 month later...

Hi guys, before writing this post i did some reading but can't really find a clear answer.  So if anyone could give me a hand, I'd really appreciate it.

I had Portal Auth clone a simple webpage with an image.  I noticed that the image was stored in: /overlay/upper/root/portals/demosite/resources

My problem is the following, I'm trying to insert an additional image, so I uploaded it to the same directory of the cloned site (/overlay/upper/root/portals/demosite/resources)

but it won't load the image.   Can anyone tell me where I'm suppose to upload the images?

Thanks guys!!!

Link to comment
Share on other sites

This is more of an EP question but I can try to help.  After you added the image to the directory did you disable/enable the portal in EP?  EP creates a bunch of symlinks to the portal contents in a directory that's allowed to be accessed by the web server.  Maybe your file didn't get linked or something.

Link to comment
Share on other sites

Hey sud0nick!!
Thanks for jumping in.

I rebooted the Nano and fired up EP and the only image that appears is the one that Portal Auth captured.

As  mention in my post above, Portal Auth is storing the image it captures in: /overlay/upper/root/portals/demosite/resources

Is that the correct directory?  This is so different than the MKV versin of EP.  I remembered i had to call the images with image$ or something like that.

This is the line that im using to call the image that is not showing up:

<img border="0" height="44" src="resources/entry.jpg" width="200"/>

any ideas?  I imagine that there must be some way to insert images.

Many thanks!
 

Link to comment
Share on other sites

Hey Brett666 (maybe it helps Cheeto) - I had the same problem, specifically with the entire resources folder.. I ssh'd into the Nano and discovered that none of the resources files were being written (which is essentially all the images).

The solution for me was to use an SD card. I did find that if I tried to install some modules internal and some on the SD card I experienced unpredictable behavior (some crashing, etc - which is to say the Nano web interface would stop responding altogether and then the blue LED would indicate a reboot). I read in some threads this meant the Nano was out disk space or RAM. 

Using an SD card for all modules has dramatically increased overall stability. Likewise, it is worth noting the Nano is not a "true" embedded system - be sure to shutdown each time via the Nano's web admin interface.  For me, it was necessary to do a fresh install of the Nano's OS/Firmware, insert and format an SD (be sure it is recognized in the Configuation panel), and then install all modules to the SD card. This advice is not limited EP or PA, BTW

Link to comment
Share on other sites

Hey guys, thanks for your input.

sud0nick: Should i place the images here:  /www/captiveportal

It doesn't seem to look right..   But you never know.

I did some searching in with winscp and found some EP related directories,  Should i place the images in one of these?:

/root/portals:

/sd/modules/EvilPortal
 

cogtropolis:  Glad to hear that I'm not alone with this issue.

Can you tell me the location of where you are placing the images?   I have a fresh upgrade of the new firmware and I have all my modules on my SD.

I really thought that i had to place the additional images into the same directory where PA is storing them.   I would have made more sense.

 

thanks again guys!

 

Link to comment
Share on other sites

Cheeto,

I"m clearly still a novice myself but the attached pics should give you an idea. Based on my use of Portal Auth, it seems all html href values should be relative.  The trick to the SD card is that it uses symbolic links in the system and that can create a bit of confusion.

https://www.dropbox.com/s/t1ezhxczvtsoxao/Cheeto_Portals.PNG?dl=0

https://www.dropbox.com/s/vbxfbcxxd157q64/Cheeto_Portals_II.PNG?dl=0

 

Hopefully that helps.

Link to comment
Share on other sites

Thanks again for your input guys.

I was able to get EP to read my images to my portals by simply putting the images here:

/root/portals/PORTAL_FOLDER_NAME

Sorry for hijacking this thread as it isn't an AP issue but rather an EP like sud0nick mentioned.

Now I can start making some captive portals!!!  (I hope)

Cheers!

Link to comment
Share on other sites

Hey guys,

I'm having a little issue getting this all to work. 

Payload seems fine, portal seems fine, portalauth seems fine.

I cloned the starbucks page like you did, downloaded the payload to my windows 10 box, ran it....

I see on Portalauth - Payload "New Target Acquired 172.16.42.213 on port 0"

Under Available Targets I see: 

Address: 172.16.42.213
Port: 0
Hostname: DESKTOP-H960LSR
OS: Microsoft Windows NT 6.2.9200.0
 

But when I go to CursedScreech, Under targets there is nothing available. And thus, when I run Kruo, it times out and no connection is made. Sein is running on br-lan. I have my pineapple connected to the web via usb stick wlan2 and i'm accessing the open pineapple interface via wifi. (making changes and testing on the same machine if that matters, but it shouldn't)

 

I must have missed something, but I can't figure out what. 

 

additionally, how could I go about changing the Visual Studio payload to execute a meterpreter session routed to my kali attacker machine rather than CursedScreech? I know I could just substitute the payload, but that negates the functionality of portalauth.

 

thanks nick, everything runs butter smooth. :)

Link to comment
Share on other sites

  • 2 weeks later...

@sud0nick,

Today I was messing around with Portal Auth.   Boy has it come a long way.  Congrats!!

Anyway, i tried cloning a portal with a BLANK injector.   

Seems to have done a pretty good job.   BUT  this particular portal is a bit different than ones that i've seen before.

It has sub-menus.  For example, the 1st page says welcome to bla bla bla....   Then the user muist select  GUEST or Premium user.   So Regardless of the option that you select it will open anther html file and ask for some credentials etc.....

So, my question is, does PA clone the 1st layer of a Portal or can it go deeper into sub menu's?

thx!!

Link to comment
Share on other sites

@cheeto it only clones the top-level page and every resource required by that page.  It does not recursively clone every page on the site for a couple of reasons.  One, the cloning process would drag on f..o..r..e..v..e..r and two, you could quickly fill up the space on your Pineapple with pages that you don't even need in your portal.  I suggest getting creative with those available buttons.

Link to comment
Share on other sites

Hey nick,

First let me thank you and everyone at hak5. You guys are great, and your ideas are even better, seriously can't thank yall enough! So I have been trying to re-create the video you did for the CaptivePortal, CursedScreech, Papers, and PortalAuth modules, just to get a better understanding on how everything works. However, I have come across a couple differences, odds are issues on my end.

1. I noticed when I use my "victim" VM to connect to the open pineapple network, I am able to search the internet without coming across the captive portal site. At first I noticed the only different from normal behavior was when visted google, URL showed "https://www.google.com" except the https part was crossed out in red. When I tried to re-create issue to take picture, I was unable to get this again. Yet, was still able to go to any website without issues.

2. The only way I was able to get to the CP, was I had to wait for the bubble message to appear by the wireless signal bar, with yellow exclamation point, in the corner to show "additional log in information...required" (picture of message). When clicked, then browser opened to CP page. I then noticed, while trying to get message to appear again, if waited long enough the yellow exclamation mark would disappear and taskbar would look completely normal, even though never got to CP page.

3. When I finally got to CP page, downloaded the NetCli.exe file, then when tried to open I got an error message saying program has stopped. It stops almost immediately after opening. For sure, not enough time to run program.

photos here -> https://www.dropbox.com/sh/y0esiwj2wc4tjlg/AABsZ0zjWlA6wRCZt0ETk7zta?dl=0

If anyone has any ideas on how to get this fixed I am all ears. Thanks!

Link to comment
Share on other sites

Keep getting this error recently when cloning. 

 

clone_error_06_11_42.txt

/pineapple/modules/PortalAuth/includes/scripts/libs/requests/packages/urllib3/connectionpool.py:747: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning)

/pineapple/modules/PortalAuth/includes/scripts/libs/requests/packages/urllib3/connectionpool.py:747: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) 

Link to comment
Share on other sites

@JohnnyQuestVenture your first two problems have nothing to do with PortalAuth.  They are limitations of Evil Portal.  Currently you have to browse to a site using HTTP in order for the portal to appear.  HTTPS will just bypass the portal altogether.  Your 3rd issue, again, has nothing to do with PortalAuth.  It is an issue with your payload that could be the result of not including the keys in the exe or simply not having the right version of .NET on the target.  If you have more trouble with the payload or CursedScreech in general please post your questions in the official support thread for that module.  From this point forward I will not respond to off topic questions in support threads.

@jermzz I'm surprised you're getting this error because I strictly turned off certificate verification so this error wouldn't pop up.  Could you PM me the URL of the site you're trying to clone?  I've been super busy lately but I'll try to cut out some time to troubleshoot.

Link to comment
Share on other sites

  • 3 weeks later...

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...