Wi-Fi Pineapple Advanced Phishing

Created on Thu. 7 Mar 2024

Hello hello, I'm back with a new blog post on something cool that I have wanted to achieve for a long time, and I am so happy to finally showcase it in a blog! I have been working for the past week on the OSWP; hopefully I'll pass it soon :)

This post is about a pretty cool technique built on the evil portal and rogue access point stuff. The concept is actually kind of sweet: since we control the network of the evil twin, why don't we just edit the DNS data so that it points at our own proxied version of the website we want to phish the client on, with something like Evilginx.

The Attack

For this attack to be successful I'll be using two things on the attacking side: a Wi-Fi Pineapple and a laptop running Modlishka. We set it up so that when a client connects to our network and logs in to our target website, we can do a sort of Man-In-The-Middle attack with the Modlishka proxy: the user gets automatically redirected when accessing the website, and we hopefully make the client talk HTTP with us so we avoid the certificate issues, and they send over their username, password and even session cookies, which bypasses 2FA!

In our example I am using notion.so as the target website. Note that this attack is not foolproof: users will be able to connect, but some core functionality on the website will be broken, since some URLs break because of Modlishka.

The Setup

First things first, we want to boot the Pineapple and connect to it with our laptop. I personally am connected through wired LAN on the Pineapple. Once connected we have to SSH into the Pineapple and edit the DNS config, which is saved under /etc/dnsmasq.conf. dnsmasq handles DHCP and a small amount of DNS. I did get this attack working with bind9, a more robust DNS server, and you could totally use that; it just requires a lot more configuration than the single line of dnsmasq.

This line configures the DNS server to answer every DNS request for the target domain (notion.so in the line below) with the IP address of my laptop, which will be running Modlishka later on.

    address=/notion.so/172.16.42.107

After editing that file as shown, we now need to restart the DNS / DHCP server so that the changes take effect on the network.

From there we need to configure Modlishka so that we start getting traffic on our proxy. The most important thing to set is forceHTTP to true, since we do not have our certificates on the victim machine and it makes things easier for us. After that we want to set the proxyDomain and the target.

I recommend starting from the provided Modlishka templates and modifying one to create a config similar to mine if you want to follow along. After this we run Modlishka with our config file, which then lets us attack the victim.

    sudo Modlishka -debug -config file.conf

I also configured my Wi-Fi Pineapple to broadcast an open access point called Starbuck's Wi-Fi, which my phone, representing the victim, will connect to.
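The defender's view of the setup above, as an added example that is not part of the original post: a check a client or network monitor can run over the answers it gets from the DHCP-assigned resolver, flagging the two signatures the address=/name/ip override leaves behind (public names resolving to non-routable addresses, and several unrelated public names collapsing onto one host). The sample answers and the optional trusted-resolver dict are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: answers collected from the resolver handed out by DHCP on an
# untrusted network. The 93.x address is a made-up stand-in for a real public IP.
SAMPLE_ANSWERS = {
    "notion.so": ["172.16.42.107"],
    "tryhackme.com": ["172.16.42.107"],
    "example.org": ["93.184.216.34"],
    "printer.lan": ["192.168.1.20"],  # genuinely local name; a private answer is expected
}

# Suffixes for which a private answer is normal, so they are not inspected.
LOCAL_SUFFIXES = (".lan", ".local", ".home", ".internal", ".arpa")


def dns_hijack_indicators(answers, trusted=None):
    """Return (name, ip, reason) tuples for answers that look like a rogue-AP DNS override.

    answers: {hostname: [ip, ...]} from the network's own resolver.
    trusted: optional {hostname: [ip, ...]} from a resolver reached over an
             independent path (e.g. DoH over mobile data); disagreements are flagged.
    """
    trusted = trusted or {}
    flags = []
    by_ip = defaultdict(set)
    for name, ips in answers.items():
        if name.endswith(LOCAL_SUFFIXES):
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            by_ip[ip].add(name)
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                flags.append((name, ip, "public name resolves to non-routable address"))
            elif name in trusted and ip not in trusted[name]:
                flags.append((name, ip, "differs from trusted resolver"))
    # Many public names sharing one private address is the signature of a single proxy host.
    for ip, names in by_ip.items():
        if len(names) > 1 and ipaddress.ip_address(ip).is_private:
            flags.append(("*", ip, f"{len(names)} public names share one private address"))
    return flags


if __name__ == "__main__":
    for flag in dns_hijack_indicators(SAMPLE_ANSWERS):
        print(flag)
```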

Attack!

Now on the victim side, once connected to the Wi-Fi everything will seem normal and you can just do whatever. But once the victim opens any browser and navigates to tryhackme.com, something is different. I know that earlier I said notion.so, but I had a few issues with the JS on that page not loading; you would need to do a lot of recon beforehand to make sure the copy of the page on Modlishka accounts for as many subdomains as possible.

Yeah, so these are the limitations: since we are downgrading to HTTP, most browsers do freak out and either force HTTPS or navigate to the www subdomain, which breaks Modlishka. Things like captchas and other dynamic JS loaded from other domains might break too, and the network is quite slow, obviously, since a lot of processing is done by Modlishka. We could replace Modlishka with Evilginx in some way, but that is hard to put in place in practice. Now let's look at the loot ^^

From that blurred-out screenshot you can see the creds I got from my connection. Yeah, it's nuts: if the login is successful we also get the cookies. On tryhackme's end they use a captcha, so we are not actually logged in on the client side, but we did get our creds leaked :c


Well lads, that is it: a crazy cool attack that I wanted to showcase. Hopefully after I finish my certs this year I'll get to do more blog posts, more open source and bug bounty, since right now crunching for the OSEP and OSWP does suck a bit, but hey, I got some cool new attacks to showcase at least ^^ Follow me on GitHub, LinkedIn and X for more stuff like this; you can also sponsor me through GitHub if you want to fund more crazy projects.
