Evil Portal ++

[Street]

I created a custom Evil Portal landing page for the WiFi Pineapple. On joining the rouge access point Evil Portal opens up a Captive Portal. This is what normally is used by WiFi networks to register users before letting them onto the internet. You can phish for credentials this way usually with the Pineapple. However, I wanted to do something different. I wanted to send the users to another site after they register.

By adding a line of javascript to the body tag in the evil portal index.html page, the javascript automatically triggered the form button on the page. Then I changed the code which refreshed the evil portal page after the form button was triggered to load the page I wanted.

Finally I installed Evilginx on the new server. Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

Once that was up & running I squatted on another domain name. Replacing one letter of the name with a dash. It was something like www.mydom-in.com

The website stole the cookies and allowed me to hack my own account. However, my domain name was seized by the courts recently. Even though I never hacked anyone but myself. I have been keeping all of this & my code secret but don't want my adventure to be lost.  So here you go guys!

I changed this in index.php:

<BODY onload="document.forms['member_signup'].submit()">
       <div style="text-align: center;">
            <h1>Connecting to WiFi.</h1>            
            <p>The SSID you are connected to is <?=getClientSSID($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your host name is <?=getClientHostName($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your MAC Address is <?=getClientMac($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your internal IP address is <?=$_SERVER['REMOTE_ADDR'];?></p>

            <form method="POST" action="/captiveportal/index.php" name="member_signup">
                <input type="hidden" name="target" value="<?=$destination?>">
                <button type="submit">Authorize</button>
            </form>

        </div>

    </BODY>

Change this in /www/captiveportal/Portal.php:

    /**
     * Where to redirect to on successful authorization.
     */
    protected function redirect()
    {
        header('Location: https://www.google.com');
    }

    /**
     * Override this to do something when the client is successfully authorized.
     * By default it just notifies the Web UI.
     */
    protected function onSuccess()
    {
        header('Location: https://www.google.com');
    }

 

[Powdersnow]

Mind giving a little more insight of setting up on the pineapple with evilginx?

[Street]

The pineapple forwards the user to an evilginx web server.

https://github.com/kgretzky/evilginx2

[Powdersnow]

I got the evilginx2 server set up and somewhat running on my VPS a while back, but in respect to the pineapple where it forwards the user to the evilginx server.

Where you mentioned it forwards the user to an evilginx server, just a change where  header('Location: https://www.google.com'); from google to the link of the evilginx portal? Thats where I'm tryna get between both the pineapple and evilginx server for the user from a captive portal through the pineapple.

[Street]

Have you got it to work yet? I haven't played with the pineapple in awhile. I did have another idea however.  You can give the access point any name you want. So why not typo-squat? Like if you know your neighbors router is myATT123 set yours to myATT123-5G. Then they might think it's an upgrade.

[b0N3z]

Evil twin on the pineap would do that

[Powdersnow]

On 8/4/2021 at 4:13 AM, Street said:

Have you got it to work yet? I haven't played with the pineapple in awhile. I did have another idea however.  You can give the access point any name you want. So why not typo-squat? Like if you know your neighbors router is myATT123 set yours to myATT123-5G. Then they might think it's an upgrade.

No, I haven't gotten evil portal & Evilginix to work yet on the portal where it pertains to social media captive portals to validate the login credentials and get a session cookie.

The suggestion you said about gathering router passwords with mimicking the AP name is accomplished easily.

[Twibow]

I had the same idea (for Evilginx) but before opening a new thread I found this one ^^

In my professional penetration testing context, using Evilginx would be useful to capture cookies that have already validated the 2FA. This is the great strength of Evilginx2 by the way, because it allows not only to retrieve login credentials, but especially a valid session cookie.

At this point, I don't see anything in this thread that explains exactly how to do it, too bad.
 

The best way IMO, is to install Evilginx on a VPS and embed the Evilginx phishing page directly as a EvilPortal phishing template in the Pineapple.

I imagine, it is enough to replace the action of the post to make it point towards that of Evilginx.

If it works, it would be a small revolution in the functionality of PineApple :-)

Note: with the pineapple Entereprise, it should be possible to install Evilginx directly on the box (rather than on a remote VPS).