Onus Posted March 15, 2017 (edited)
Has anyone got the captive portal working? I pulled the latest, and slapped it on switch 1. It starts to work.. shows up correctly and even opens a browser, but to the user's home page, not the captive portal..
EDIT: should note that it doesn't prevent me from accessing the web via my wifi, and shows that it is connected to the ethernet adapter as well but with no internet.. Windows 10 target

Sebkinne Posted March 16, 2017
Hi Onus, Odd that the page opened is the user's homepage. That kind of sounds like default routes messing it up on the user's machine. Have you tried a different one? I have tested that the correct page is served on Windows, MacOS, and a couple of variants of Linux.
Something I don't currently do correctly is dropping ALL network traffic apart from redirecting port 80 to our IP:8080. I wanted to, but this was more of a PoC and I was rushed for time. As a result I didn't take the time to figure out the order of IPTables rules. You are welcome to submit a PR for this on Github -- the changes should be made in the setupNetworking function.

Sebkinne Posted March 16, 2017
Actually, scratch that. I just saw there was a PR that broke the payload completely. I'm about to push a fix for it.

Onus Posted March 16, 2017
1 hour ago, Sebkinne said:
> Hi Onus, Odd that the page opened is the user's homepage. That kind of sounds like default routes messing it up on the user's machine. Have you tried a different one? I have tested that the correct page is served on Windows, MacOS, and a couple of variants of Linux. Something I don't currently do correctly is dropping ALL network traffic apart from redirecting port 80 to our IP:8080. I wanted to, but this was more of a PoC and I was rushed for time. As a result I didn't take the time to figure out the order of IPTables rules. You are welcome to submit a PR for this on Github -- the changes should be made in the setupNetworking function.
I'll look into it.. Yeah I actually got it to work on my Windows machine once or twice when disconnecting from my wifi network even after it reconnected, but then yeah went back to normal internet. I am wondering if it's possible to make a captive portal run on a locked machine much like quick creds.. I'm totally new to responder so I need to look at that too. I was thinking of rerouting with responder to the var www of the bunny, don't know if that is possible

Mohamed A. Baset Posted March 16, 2017
@Sebkinne Off topic, can you please confirm if captive portals can automatically open the browser if devices are locked or not?

Sebkinne Posted March 16, 2017
2 hours ago, Onus said:
> I'll look into it.. Yeah I actually got it to work on my Windows machine once or twice when disconnecting from my wifi network even after it reconnected, but then yeah went back to normal internet. I am wondering if it's possible to make a captive portal run on a locked machine much like quick creds.. I'm totally new to responder so I need to look at that too. I was thinking of rerouting with responder to the var www of the bunny, don't know if that is possible
I got a bit sidetracked while creating a fix, so bear with me on this payload.
2 hours ago, Mohamed A. Baset said:
> @Sebkinne Off topic, can you please confirm if captive portals can automatically open the browser if devices are locked or not?
Sorry, this does not work to my knowledge.

Onus Posted March 17, 2017
It's cool.. I think responder and impacket tools might work for my purposes

JBNZ Posted March 19, 2017
I haven't submitted a PR because I'm still getting things up and running and am not sure what the standardised fix to this will be, but I've found that adding "source bunny_helpers.sh" to the payloads.txt, after the ATTACKMODE line, allows the helper $SWITCH_POSITION to be used. With this modification, the payload works for me.

Sebkinne Posted March 19, 2017
10 hours ago, JBNZ said:
> I haven't submitted a PR because I'm still getting things up and running and am not sure what the standardised fix to this will be, but I've found that adding "source bunny_helpers.sh" to the payloads.txt, after the ATTACKMODE line, allows the helper $SWITCH_POSITION to be used. With this modification, the payload works for me.
Yup, someone's PR broke the captive portal. It was written before bunny helpers, and defaulted to switch1.

JBNZ Posted March 20, 2017
I've submitted a PR. Is the source for the captiveportal binary available? It would be nice for accountability to be able to attest to exactly how the payload is functioning.

Sebkinne Posted March 20, 2017
15 hours ago, JBNZ said:
> Is the source for the captiveportal binary available? It would be nice for accountability to be able to attest to exactly how the payload is functioning.
Not at the moment, but I'll probably throw it up on my github at some point. It's a really simple little program that does two things:
- Spin up a webserver and serve the portal. Write any of the targeted fields to logfile
- Spin up a DNS server and always resolve to the Bash Bunny's IP
That's it.

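A defender-side check for the behaviour described in the post above, as an added example that is not part of the thread and is not the payload's code: a DNS server that resolves every name to one address can be spotted by asking for random names under reserved TLDs, which an honest resolver never answers. The function names are hypothetical and the addresses used with it are constructed samples.

```python
import ipaddress
import secrets
import socket

# TLDs reserved by RFC 6761: random names under them must never resolve.
RESERVED_TLDS = ("invalid", "test")


def probe_names(count=6):
    """Build random probe names spread over the reserved TLDs."""
    return [f"{secrets.token_hex(8)}.{RESERVED_TLDS[i % len(RESERVED_TLDS)]}"
            for i in range(count)]


def system_resolve(name):
    """Resolve via the OS resolver; None means no answer (the honest case)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_resolver(resolve=system_resolve, names=None):
    """Classify a resolver as 'ok', 'suspicious' or 'catch-all'.

    resolve is any callable name -> IPv4 string or None, so the check can
    be run against the live resolver or against recorded answers.
    """
    names = names or probe_names()
    answers = {name: resolve(name) for name in names}
    resolved = [ip for ip in answers.values() if ip is not None]
    distinct = set(resolved)
    if not resolved:
        verdict = "ok"
    elif len(resolved) == len(names) and len(distinct) == 1:
        verdict = "catch-all"   # every name maps to one address
    else:
        verdict = "suspicious"  # some reserved names got an answer
    target = resolved[0] if verdict == "catch-all" else None
    # A catch-all pointing at a private or link-local address means the
    # answering host sits on the local segment (e.g. a new USB adapter).
    local = target is not None and (
        ipaddress.ip_address(target).is_private
        or ipaddress.ip_address(target).is_link_local)
    return {"verdict": verdict, "target": target,
            "target_is_local": local, "answers": answers}
```

Calling `check_resolver()` with no arguments probes the resolver the host is currently using; a `catch-all` verdict with `target_is_local` set is worth correlating with a newly attached network adapter.
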
@rmor%GOD Posted March 22, 2017
On 3/15/2017 at 2:28 PM, Onus said:
> Has anyone got the captive portal working? I pulled the latest, and slapped it on switch 1. It starts to work.. shows up correctly and even opens a browser, but to the user's home page, not the captive portal.. EDIT: should note that it doesn't prevent me from accessing the web via my wifi, and shows that it is connected to the ethernet adapter as well but with no internet.. Windows 10 target
I also have the same issue where the bbq shows a green LED, but when I open a browser it just goes to my home page. No auto open browser, and goes to home page on IE and Chrome. No active portal displayed.

SRG Posted March 22, 2017
Note that this is configured to only http. If your home page is https, it won't be automagically redirected as is. Try a direct http link to see if it is perhaps being redirected now. It wasn't working for me yesterday but today's pull seems to be working. I can't say for certain that I tried http yesterday unsuccessfully but can say that the current version is working fine for me.

Opticon Posted March 28, 2017
Hello World! Ok. So here's the rub, even with the code provided by JBNZ and Sebkinne, it absolutely does not work on any browser on any of my 10.9, 10.10, and 10.11 Macs. You have to manually type the IP and port, and only sometimes will that actually work. However, on a Windows 10 computer, that I never use, it ran on its first try- opened a browser, redirected to the Captive Portal, and recorded every failed attempt in a nice log file! Perhaps it helps that there's a nice EXE for Windows to use, but what about Apple's architecture? What's handling that?
Final question- how is this practical? The Bash Bunny is meant to be inserted into the target computer that the "mark" will be using. So, how do we get it back? Please take mercy on my first post and I promise to read every response. Thank you all in advance :-)

SRG Posted March 28, 2017
Just to confirm, could you ensure you're loading an HTTP page and not HTTPS? When I tested and was most frustrated, I realized I was clicking on favorites links, all of which were HTTPS. In the payload, only port 80 is being redirected to the captive portal.
For the final question, that's all about how you plan to do your pentesting. Most of the payloads are meant to be quick ways of performing "unexpected backups" or injecting keystrokes to configure a computer, then make a quick exit with the BashBunny. This one would likely be more useful for while you're nearby. Maybe get the captive portal running while you're in a meeting with someone to capture creds, then once captured, grab the BashBunny and exit.

Opticon Posted March 29, 2017
Thank you for getting back to me, SRG. After I read your reply, I immediately realized that I had not factored that into the equation. So, I went to twelve different sites, all with HTTP only. Sure enough none of them forwarded to the captive portal. I figured trying Chrome, Canary, Chromium, Safari and Firefox would help me in reducing the problem, but alas, nada. However, it runs great under Windows, which is exactly what I plan to exploit! It just bothers me that I can't figure it out- there's got to be more running under the hood that we can't access. Thank you SRG for all of your efforts and answering the second part of that question :-) -Cheers!

Opticon Posted March 29, 2017
@Mohamed A. Baset I can confirm that on an unlocked Windows box captive portal will automatically launch a browser and direct it to the "evil portal." I hope this helps you. As for Mac, it won't automatically launch a browser as it does in Windows. -Cheers!

Mohamed A. Baset Posted March 29, 2017
21 minutes ago, Opticon said:
> @Mohamed A. Baset I can confirm that on an unlocked Windows box captive portal will automatically launch a browser and direct it to the "evil portal." I hope this helps you. As for Mac, it won't automatically launch a browser as it does in Windows. -Cheers!
The idea is to do this on a locked machine not unlocked, I got the bunny days ago and tried the captive portal payload and I can confirm that the browser firing automatically scenario won't happen on any OS so this stopped my idea on exploiting a browser on a locked machine :) Thanks for your catch up @Opticon

s00500 Posted April 8, 2017
Hi all, I just got my bunny and tried to get this to work... I immediately upgraded to 1.1. Now there are several things that don't make sense to me: captiveportal is not executed because the systemd service kills the payload script when it is "done", effectively killing the background process with it and then unmounts /root/udisk... To avoid this I put a wait command into the script but then the next thing is the TimeOut... So I added something like TimeoutSec=10min into /lib/systemd/system/bunny.service... Now it works, but is there something I got wrong? I saw @Sebkinne's last commit messages on the repo said Updated Captiveportal for Bash Bunny v1.1
Cheers

JBNZ Posted April 8, 2017
Just tested this out to confirm. Haven't dug into the 'why' as far as @s00500 but can confirm that where captiveportal used to work, it no longer does. The only changes @Sebkinne made in that commit were to align the payload with the new extension and LED format, so if breaking changes were made to the framework, this won't have addressed those.

Bryfi Posted April 8, 2017 (edited)
Seems like you guys got farther than I have. I was and still am unable to get this payload to work. Others do so it's not my bb. Is there more I have to do other than copying the files into a switch1/2 folder? I have installed impacket and responder correctly.