digininja Posted November 27, 2020
Good luck with it. I still think getting beyond a very limited lab environment will be tricky.
mooooon (Author) Posted November 27, 2020
3 minutes ago, digininja said: I was thinking of a more general attack
@digininja It's general, but it depends on you. I thought about this and got the idea that after launching this a lot of people would like it and they would contribute to it and add the router payloads for their model, and in time we would have a fingerprinting DB that works on a big number of devices.
mooooon (Author) Posted November 27, 2020
1 minute ago, digininja said: I still think getting beyond a very limited lab environment will be tricky.
@digininja Give it a quick try: launch airodump with WPS view enabled and see which APs around you expose their model, and how many. Take that model and search for its name + exploit or default password; I am sure that you will find something. Also, about the default password in the case of a unique password: the password pages will show you a wrong password, but you can get an idea of what the password looks like by searching for the device on a marketplace or whatever site sells used products.
4 minutes ago, digininja said: Good luck with it.
You too. So, are there any hints you can give me on the captive portal problem? And wow, you are fast at reading.
5 minutes ago, digininja said: limited lab environment
I think I live in one and you do too 😉 I am going to archive this using https://web.archive.org/; that was a lot of writing.
mooooon (Author) Posted November 27, 2020
@digininja If I was looking for help with it, where do you think I could look?
digininja Posted November 27, 2020
Could try the Aircrack-ng forum.
mooooon (Author) Posted November 27, 2020
10 minutes ago, digininja said: Could try the Aircrack-ng forum.
@digininja It's kinda dead/inactive, but what category do you suggest I post in?
mooooon (Author) Posted November 27, 2020
@digininja Sorry for being annoying, but how should I word the post, at least the title, and which paragraph of the long ones I wrote should I include?
digininja Posted November 28, 2020
I don't know, I'm not an active user of that forum, but if anyone can help with getting your captive portal working, it will probably be them.
mooooon (Author) Posted November 28, 2020
2 minutes ago, digininja said: but if anyone can help with getting your captive portal working
@digininja The thing that automatically closes, or the brup suite thing? Because the first isn't fixable at all.
3 minutes ago, digininja said: it will probably be them.
But they are more specialized in wireless networking, not networking.
digininja Posted November 28, 2020
If it is Burp, not brup, you want help with, not sure where to ask, have you looked to see if Portswigger has a forum?
mooooon (Author) Posted November 28, 2020
1 minute ago, digininja said: If it is Burp, not brup, you want help with
Nope, not Burp; it was just a test to spare me having to launch a fake AP and dnsmasq each time I want to test the captive portal. My current problem is the CP auto-closing. BTW, do you think that this will be added to the Pineapple if it turns out to be successful?
digininja Posted November 28, 2020
If you can write it as a very stable module that works in over 90% of cases and appeals to the masses, then it might get added. But I can't see this getting there; as I said before, this seems like a very niche attack that is going to be quite fiddly to get working practically outside the lab.
mooooon (Author) Posted November 28, 2020
Just now, digininja said: you can write it as a very stable module that works in over 90%
The target enumeration? Maybe. The reset, not really; this is meant to be more like a targeted attack. Targeted attacks are mostly successful compared to the generic ones (evil twin), which will add a new tool to the playground.
digininja Posted November 28, 2020
Did you check about WebView caching responses? Looks like it doesn't by default, so you would need to find an instance where it is enabled: https://stackoverflow.com/questions/34606785/how-to-enable-caching-in-webview-android#:~:text=You can use the WebView cache to enable caching in WebView.
mooooon (Author) Posted November 28, 2020
13 minutes ago, digininja said: Did you check about webview caching responses? Looks like it doesn't by default so you would need to find an instance where it is enabled https://stackoverflow.com/questions/34606785/how-to-enable-caching-in-webview-android#:~:text=You can use the WebView cache to enable caching in WebView.
The answer: use
Quote: webView.getSettings().setCacheMode(WebSettings.LOAD_CACHE_ELSE_NETWORK);
See the WebView and all its questions on Stack Overflow about apps, not the captive portal, which is just a webpage rendered by the WebView... you can't do anything more than a sandboxed browser.
digininja Posted November 28, 2020
You can't control the WebView though, only the HTTP response. An extra thought: you'd have to find one that was running over HTTP or didn't do certificate checking to inject your code in.
mooooon (Author) Posted November 28, 2020
10 minutes ago, digininja said: An extra thought, you'd have to find one that was running over http or didn't do certificate checking to inject your code in.
This is literally what I didn't like in the original link that I shared way back at the start, project dribbel.
digininja Posted November 28, 2020
What do you mean?
mooooon (Author) Posted November 28, 2020
First, what did you mean by saying
27 minutes ago, digininja said: An extra thought, you'd have to find one that was running over http or didn't do certificate checking to inject your code in.
Injecting the attack payload when the victim browses an HTTP-only page, right?
23 hours ago, mooooon said: so I tried a couple of keywords in Google and found this (and a couple of awesome write-ups), which is so similar to what I was thinking about, minus the cache, minus counting on the chance of them opening an HTTP page in a browser, minus giving them internet access or letting them connect to our AP for more than 15 sec.
digininja Posted November 28, 2020
There are two types of web traffic, HTTP and HTTPS. Assuming the application is using HTTPS and doing certificate checking, which most should be doing (I'll admit, though, not all), you will not be able to proxy or modify any of the web traffic. This will block you injecting things. You would have to hope to get lucky and either see HTTP traffic or find a request from an app that isn't doing cert checking. The link to the article doesn't mention certificates or how to get around them.
And on the WebView, unless the application has caching enabled, which from that one article (could be old or wrong, I don't know) seems like is not the default, then any injection you do, even if you set all the cache headers, will be lost as the app won't cache the response.
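As an added illustration (not code from this thread or from any project mentioned in it), here is what the two app-side conditions digininja describes look like in an Android WebView: the weak configuration, which forces cached responses and ignores certificate errors, beside a hardened one. The class and method names are assumed; the Android API calls are real.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not from the thread): two ways an app can wire up the
// WebView it uses to render web content such as a router or portal page.
public final class PortalWebViewConfig {

    // WEAK: serves cached responses even when the network is available and
    // swallows certificate errors. A previously cached response would be
    // replayed on later loads, and HTTPS gives no protection because any
    // certificate is accepted.
    public static void weak(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setCacheMode(WebSettings.LOAD_CACHE_ELSE_NETWORK);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed(); // certificate checking effectively disabled
            }
        });
    }

    // HARDENED: never serve from cache, keep certificate validation (cancel
    // on any SSL error, which is also the default) and refuse plain http.
    public static void hardened(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel(); // abort the load on a certificate problem
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation; only https is allowed through.
                return !"https".equals(request.getUrl().getScheme());
            }
        });
    }
}
```

This only applies to a WebView the app itself owns; the system captive-portal sign-in sheet is not configurable by a third-party app, which is the point digininja makes above.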
mooooon (Author) Posted November 28, 2020
1 minute ago, digininja said: find a request from an app that isn't doing cert checking
Does this work if it is just a request in the background, like the app checking for stuff or something? Trying HTTP Canary and disconnecting then reconnecting to the internet results in tons of HTTP requests from apps checking and updating stuff.
3 minutes ago, digininja said: The link to the article doesn't mention certificates or how to get around them.
Are you sure that you read it? Because he literally said
Quote: I let her browse the web while still connected to the fake access point and patiently waited for her to end up on an HTTP only web site.
digininja Posted November 28, 2020
You were talking about WebView, not standard browsing.
mooooon (Author) Posted November 28, 2020
26 minutes ago, digininja said: You were talking about webview, not standard browsing.
Ahhhhhhhhhh... he did it in standard browsing, while I am trying to do it using the captive portal pop-up that opens using WebView, to get it to work instantly and avoid the lack of HTTP/1.1, soooooo...
mooooon (Author) Posted December 21, 2020
On 11/27/2020 at 11:52 PM, digininja said: I was thinking of a more general attack.
@digininja Speaking of general, I got an idea for auto logging in so it works on all devices, not as he did in the article ("generating the password hash and grabbing the tokens manually then sending them using a post request"). Instead we let the page do its thing just like how it's normally operated: grab the page code, then insert it into the current page code, then use the Chrome autofill forms regex to find the username and password input fields, then set the values to the desired ones, just like this:
Frm_Username.value="ohohoh"
Frm_Password.value="nooooo"
then call the submit function dosubmit(). Tada, done. For some reason I have trouble running dosubmit() after inserting the code into the page, even using eval... idk what the problem really is 😕 ... sadly I am missing tons and tons of research. What do you think, is it a good idea? 🙂
digininja Posted December 25, 2020
Does Chrome autofill on IP address based sites over HTTP rather than HTTPS? And is a user likely to have their router creds stored in Chrome on their phone? I don't.