Closed evgeniy4587 closed 6 years ago
@evgeniy4587 I rewrote your post to make it clearer, since I think this is a very good and sensible idea.
I removed the part about internet, but you can add it again if you really need that. I think we might be able to solve this issue without it.
It's ok, it does not matter whether it is with or without internet. We just need to make the target client open a browser.
@evgeniy4587 and without showing safety warnings on every single unsupported page
@minanagehsalalma Those safety warnings are there because the page is asking the user to send potentially sensitive data (the password/key) over an unencrypted channel (http, not https)... this can be solved by using a valid SSL certificate, which you would have to purchase from somewhere, and place it under the certificate directory in Fluxion. It’s the reason it asks you for a certificate in the first place (and people usually choose to generate one automatically, but those aren’t valid because they’re not verified by a trusted third party).
@MPX4132 but how does this not happen with MikroTik https://www.youtube.com/watch?v=Mka4HpJQfZM .. without buying anything??
@minanagehsalalma It looks like they're using some type of protocol, I'll look into it later on today.
It could also be they're not labeling their forms with something obvious like, "password," but I'm not sure. I'll check it out later.
I thought about SSL certificates too, and that's why I propose letting it connect to the original site (for example captive.apple.com), because it will be easier to realize than getting real Apple/Android SSL certificates.
P.S. Or maybe it doesn't need SSL certificates, just a connection to those sites/servers.
I suppose the device just pings those domains and checks if it's successful. Maybe replying for every domain would work. Perhaps using a local DNS would work?
We use a local DNS server; the problem is the unsigned certificates.
I will try to make some bridge connection with two wifi adapters. I just need to figure out how the target user can connect only to a specified site, i.e. how to restrict all addresses on the local DNS server except captive.apple.com and others.
Well, redirect the requests to your own gateway.
Ok
I made some progress, here's the commit. I'm having trouble suppressing them on Android, though. I suspect it's trying to do the checks with SSL, but I'm not sure. If that's the case, Android's out of luck. We need to look into what exactly it requires to get it to shut the hell up. I just sank about five hours trying different things. Realistically, we'll probably have to look at the exchange it does with Google with Wireshark or something.
wireshark.zip I used the crackatack script with a test network and connected to that network from Apple and Android phones, and sniffed that connection with Wireshark. You can look at it in the Wireshark dump files. Also attaching a phone screenshot of the connection without warnings.
@evgeniy4587 try the same on an open network (-)
open-network.zip it's with the fluxion hostapd access point. On both target devices it shows SSL certificate warnings.
Can't create an open access point with redirection like in krackatack.
Can you take a look at this http://systemzone.net/mikrotik-hotspot-configuration-using-winbox/ @evgeniy4587 it may help you
@evgeniy4587 that’s convenient, thanks for the capture with Wireshark. I was hoping I wouldn’t have to do it myself, lol. I think the Captive Portal has SSL warnings because it has a submittable form, and browsers don’t like sending forms unencrypted. It could also be that you’re being redirected to the https portal, which is using a self-signed certificate and that’s a massive red flag for all browsers. I’ll check out the Wireshark capture in a bit.
@minanagehsalalma Yeah, they’re suppressing the warnings by actually allowing some access to the internet. It’s not really a problem, support for that can be added. I haven’t added it because it can compromise the attacker. If a client of the target AP sends a request to an allowed url, the receiving server will have a log of traffic coming from your internet gateway.
@evgeniy4587 I can't use the capture files you posted because they're missing the interaction between Android and Google. The only useful info in the ones you gave is the DNS lookups, but even that I've already implemented into the script. I just need to know what Android is looking for when it connects to a network that has internet. If you would like to do another capture, make sure you have the access point connected to the internet. That way we can see what's going on between the two.
If you want to do it, otherwise I'll have to try doing it myself.
If you do it yourself, and want to post it, make sure you strip away all personal info in the capture.
I tried to make the access point open in hostapd in the crackatack script, but it looks like it doesn't want to work without any encryption (as open). Also I can't figure out how to configure the adapter as a hotspot with internet access.
For me it is working without any issues. (Oreo)
@deltaxflux So you aren't getting any "no internet connection" warnings? Were you getting any warnings before?
Yes, I don't get any internet warnings, but it also could happen because I built my own custom Oreo ROM.
@deltaxflux Oh okay, so you think you didn't add the connectivity checks to your custom build?
Yeah, maybe, or they work completely differently in the original builds. However, I discovered that the checks do work on some networks. Do you have the same experience?
I test fluxion with my phone running the latest version of iOS. I've never experienced the warning on iOS. I had to borrow an Android phone to verify the warnings. I noticed, like @evgeniy4587 mentioned, that Android devices make contact with some of the domains he posted. I read online they always request a domain, like client3.google.com, or connectivitycheck.gstatic.com, plus the url "/response_204". That just returns a 204 response code with no content (I checked with Safari, Chrome, and Firefox). So, that's what I added to fluxion. When clients make requests to those domains, I route them to a directory with the proper response code and content, but it still shows as no internet on the device I was testing with.
The weird thing is the results I got from a capturing session I did on the Android (v6.0) device, because before I was relying on information I read from some place online. It does just like they said, it goes to those domains and receives the 204 code plus no content... That leads me to think it's doing something else to check for connectivity... It could also be manufacturer dependent, but that might not be realistic, since they would all have to implement their proprietary methods to check for connectivity. However, I did notice the device would always communicate first with some LG server, before making any other requests right after connecting. I didn't look into it because, again, it looks like it's unfeasible to make every manufacturer write their own connectivity check. It could be some type of feature by LG, but I doubt it.
On the Apple side, we have it easy. The check iOS does is always captive.apple.com, so all I did was add that single domain and return what I sniffed from my phone's traffic... the response code 200 plus a body containing "Success".
Yeah, sounds weird. However, I still noticed problems with SSL sites. Unknown SSL error or something after the latest update. I can take a look at this if you want.
Yeah, if you can find out anything about those errors, that would be great. It might have to do with sites using HSTS, or something.
I think the only solution is to display https so only http websites can be opened..
On Dec 3, 2017 11:51 PM, "Matias Barcenas" notifications@github.com wrote:
Yeah, if you can find out anything about those errors, that would be great. It might have to do with sites using HSTS, or something.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/FluxionNetwork/fluxion/issues/252#issuecomment-348817723, or mute the thread https://github.com/notifications/unsubscribe-auth/ATmETmxPQQkQEMqgB82XaihfZXBASwRQks5s8xfUgaJpZM4QdR-L .
@minanagehsalalma did you mean to say we should block https and only allow http sites? What you wrote contradicts itself.
Yes, I meant to say block https and only allow http.. Sorry, my mistake.
On Dec 4, 2017 12:22 AM, "Matias Barcenas" notifications@github.com wrote:
@minanagehsalalma https://github.com/minanagehsalalma did you mean to say we should block https and only allow http sites? What you wrote contradicts itself.
@minanagehsalalma I suppose we can try that. Before I rewrote fluxion, the https server was disabled or it just wasn’t working. When I rewrote it I enabled listening for https, but I never noticed warnings. Then again, I was only checking with iOS.
The problem is that the site will probably still show a “not secure” warning because the captive portal has forms which could contain private data. It’s just the browser warning people it could be unsafe to submit forms because they’re sent unencrypted.
Is it possible to make the connection to the captive portal by https?
Right now, it is possible.
Maybe it will resolve the SSL warnings? Please try to rewrite fluxion in that way.
I actually did make those changes earlier, I just haven’t pushed them to the repo because I forgot lol. I disabled ssl, I’ll push it now.
Ok, thank you!
@evgeniy4587 Check it out, and let me know if anything changes.
Ok, will check it a little bit later today. Don't have my adapter right now with me :)
Thanks for the help.
what are you talking about
see first two pictures in this post
Yeah, it uses an http server at the beginning and strips SSL from all sites, which works with most sites. However, the problem with your own SSL certificate is that it is self-signed (untrusted). However, it is also against the terms and conditions to use Let's Encrypt certificates.
@deltaxflux yeah, that was one of the problems about enabling SSL portals. I disabled it again to see if it fixes anything. If it doesn't we can just re-enable it.
Tried to test the new version of fluxion. Tried it with the awus036h (only airbase) and on iOS it shows that the network is "unreliable" and then that it doesn't have internet. This evening I will try it with another adapter with hostapd. Also, when I choose the airbase method and start the captive portal, the DNS-server window starts for a few seconds and disappears. And when I'm trying to connect to the fluxion AP it can't connect me to the AP. After 1-2 minutes the fluxion AP disappeared. Maybe it is because I have an old adapter :) Today I will try with another.
Checked once more with another adapter with hostapd. The DNS-server window starts normally. Connected from iOS; the screenshots show that it doesn't have warnings about no internet connection, only that the connection is not secured. Unfortunately I failed to connect from Android, probably because my wifi adapter is a weak laptop Broadcom adapter (tried with airbase and hostapd). In general it looks better, no warning about "network without internet connection". Need someone to check it with Android.
Do you want to request a feature or report a bug?
feature
What is the current behaviour?
Warnings are displayed when a client of the target AP has been disconnected and attempts to connect to the fake AP (on some devices and newer versions of Android and iOS).
What do you think the expected behaviour should be?
The target AP clients might hesitate to connect if those warnings are present. I think Fluxion could attempt to suppress those warnings somehow. Maybe, as an optional feature, filter all requests from the target client except the "internet checking" addresses.
If this is a feature request, what is the motivation or use case for the added feature?
I believe this would make fluxion more effective.
Specs
These are some URLs requested by phones right after connecting to the fake AP:
iOS:
captive.apple.com
www.apple.com
mesu.apple.com
www.icloud.com
p40-mailws.com
gsa.apple.com
query.ess.apple.com
apple.com
init-p01st.push.apple.com
gspe35-ssl.ls.apple.com
p40-keyvalueservice.icloud.com
p40-ckdatabase.icloud.com
p40.fmf.icloud.com
p40-fmip.icloud.com
lcdn-locator.apple.com
time-ios.apple.com
gs-loc.apple.com
c15.apple.com
Android:
android.clients.google.com
cdn.eyeofcloud.com
connect.rom.mini.com
connectivitycheck.gstatic.com
www.google.com
clients3.google.com
alt5-mtalk.google.com
beacons5.gvt2.com
android.clients.google.com