Jump to content

how can i force a captive portal to pop up using brup suite ?


mooooon

Recommended Posts

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

3 minutes ago, digininja said:

I was thinking of a more general attack

@digininja

it's general but it depends on you.

i though about this and got the idea that after launching this a lot of people would like it and they would contribute to it and add the router payloads for their model ... and by time we would have a finger printing db that works on a big number of devices.

Link to comment
Share on other sites

1 minute ago, digininja said:

I still think getting beyond a very limited lab environment will be tricky.

@digininja give it quick try : launch airodump with wps view enabled and see the APs around who and how many exposes their model .. take that model and search their name + exploit or default password i am sure that you will find something.

 

also about the def pass in case of unique pass , the passwords pages will show you a wrong pass but you can get an idea of how the password looks like by searching the device in a market shop or what ever site sells used products.

4 minutes ago, digininja said:

Good luck with it.

you too , so if there any hints you can give me with the captive portal problem ? and wow you are fast at reading.

5 minutes ago, digininja said:

limited lab environment

i think i live in a one and you do too ūüėČ
 

i am gonna archive this using https://web.archive.org/ that was a lot of writing.

 

Link to comment
Share on other sites

2 minutes ago, digininja said:

but if anyone can help with getting your captive portal working

@digininja the thing that automatically closes or the brup suite thing ? cause the first isn't fixable at all.
 

3 minutes ago, digininja said:

it will probably be them.

but it they more specialized at wireless networking not networking.

Link to comment
Share on other sites

1 minute ago, digininja said:

If it is Burp, not brup, you want help with

nope not burp it was just a test to spare me with having to launch a fake ap and dns masq each time i want to test the captive portal. 

 

my current problem is CP auto closing.

 

btw do you think that this will be added to pineapple if it turned out to be successful ?

Link to comment
Share on other sites

If you can write it as a very stable module that works in over 90% of cases and appealed to the masses then it might get added. But I can't see this getting there, as I said before, this seems like a very niche attack that is going to be quite fiddly to get working practically outside the lab.

Link to comment
Share on other sites

Just now, digininja said:

you can write it as a very stable module that works in over 90%

the target enumeration? maybe.

the reset , not really this meant to be more like a targeted attack 

 

targeted attacks are mostly successful compared to the generic ones ( evil twin)

 

which will add a new tool to the play ground.

Link to comment
Share on other sites

Did you check about webview caching responses? Looks like it doesn't by default so you would need to find an instance where it is enabled

https://stackoverflow.com/questions/34606785/how-to-enable-caching-in-webview-android#:~:text=You can use the WebView cache to enable caching in WebView.

 

 

Link to comment
Share on other sites

13 minutes ago, digininja said:

Did you check about webview caching responses? Looks like it doesn't by default so you would need to find an instance where it is enabled

https://stackoverflow.com/questions/34606785/how-to-enable-caching-in-webview-android#:~:text=You can use the WebView cache to enable caching in WebView.

 

the answer : use 
 

Quote

webView.getSettings().setCacheMode(WebSettings.LOAD_CACHE_ELSE_NETWORK);

see about the webview and all its questions on stackover flow about apps not the captive portal which is just a webpage rendered by the webview ... you can't do anything more than a sandboxed browser.

 

 
Link to comment
Share on other sites

10 minutes ago, digininja said:

An extra thought, you'd have to find one that was running over http or didn't do certificate checking to inject your code in.

this Literally what i didn't like in the original link that i shared way in the start project dribbel. 

Link to comment
Share on other sites

first what did you mean by saying 

27 minutes ago, digininja said:

An extra thought, you'd have to find one that was running over http or didn't do certificate checking to inject your code in.

injecting the attack payload when the victim browses a http only page , right ? 

23 hours ago, mooooon said:

so i tried a couple of keywords in google and found this (and a couple of awesome writes) which is so similar to what i was thinking about minus the cache minus counting  on the chance of them opening an http page in a browser minus giving them internet access or letting them connect to our ap for more than 15 sec.

 

Link to comment
Share on other sites

There are two types of web traffic, HTTP and HTTPS. Assuming the application is using HTTPS and not doing certificate checking, which most should be doing, I'll admit though, not all, you will not be able to proxy or modify any of the web traffic. This will block you injecting things. You would have to hope to get lucky and either see HTTP traffic or find a request from an app that isn't doing cert checking.

The link to the article doesn't mention certificates or how to get around them.

And on the webview, unless the application has caching enabled, which from that one article (could be old or wrong, I don't know) seems like is not the default, then any injection you do, even if you set all the cache headers, will be lost as the app won't cache the response.

Link to comment
Share on other sites

1 minute ago, digininja said:

find a request from an app that isn't doing cert checking

does this work if it just a request in the background like the app is checking for stuff or something , trying http canary and disconnecting then reconnecting to the internet results in a tons of http requests of apps checking and updating stuff.
 

3 minutes ago, digininja said:

The link to the article doesn't mention certificates or how to get around them.

are you sure that you read it ? cause he Literally said

Quote

I let her browse the web while still connected to the fake access point and patiently waited for her to end up on an HTTP only web site.

 
Link to comment
Share on other sites

26 minutes ago, digininja said:

You were talking about webview, not standard browsing.

 

ahhhhhhhhhh ....... he did in standard browsing while i , me trying to do it using the captive portal pop up that opens using webview to get it to work instantly and avoid the lack of HTTP/1.1

soooooo ..........

Edited by mooooon
Link to comment
Share on other sites

  • 4 weeks later...
On 11/27/2020 at 11:52 PM, digininja said:

I was thinking of a more general attack.

@digininja speaking of general i got an idea for auto logging in so it works on all devices , not as he did in the article " generating the password hash and grabbing the tokens manually then sending them using a post request" ..... instead we let the page do its thing just like how it's normally operated ....

  • grab the page code
  • then insert it into the current page code¬†
  • then use chrome auto fill forms regex to find the username and password input form
  • then set the values to a desired one¬†
  • just like this
    Frm_Username.value="ohohoh"
    Frm_Password.value="nooooo"
  • then call the submit function¬†dosubmit()
  • traaa done¬†

for some reason i have trouble running the¬†¬†dosubmit() after inserting the code into page even using eval ... idk what the problem really is ūüėē¬†... sadly i am missing tons and tons of research.

what do you think , is it a good idea ? ūüôā¬†

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...