User router page collector

[minanagehsalalma]

1- deauth the user from his original network
2- broadcast an AP from his prob ssid list so it will connect
3- the captive portal page that contains ajax code opens
4-Disconnect him from our ap
5- The cached page (obviously it should be the same IP as the router because of SOP) with ajax will connect to the router page (when it detects internet connection) and will send us the page code and images (base 64 encoded) to our puplic server that can be anything.
6- download the page to our device and add to a note the AP ssid and bssid and the client bssid

Notes maybe make the page show in large text "internet is loading" with a little cute spinning circle so the victim waits

also if router ip isn't the default we will need an additional step something like this js script for scanning local network then after you receive the ip in our server (maybe ngrok with port forwarding) we deauth it again so he reconnects and we update the page ip with the correct one .

The key is timing
What do you think ?

[pidgy]

What is the goal here?

[minanagehsalalma]

What is the goal here?

@trashbo4t
If knowing the exact router model of the target isn't enough ... you can simple deliver a successful csrf attack the next time you launch the rouge ap with the same steps in case of the password is the default (or maybe brute force it if the router doesn’t have a lock out ) or you can even phish the router password as now you have the page and you can use it in the captive portal (or even better catch the auto filled saved passwords) ..... or search for the router exploits and maybe deliver a better crsf or an RCE(as you can grab the pup ip from the serv).....

Or you can keep the database of your collected router pages and use them later you need them or whenever you want.
Or even make a list of the routers around you and the vunrable status of them (new - old - manufacture year )

What you can do with such info is up to the the size of your imagination .

Huh , what do you think now ?

[pidgy]

Wow that sounds like a very precise attack. I think its out of my scope haha

[minanagehsalalma]

I think its out of my scope haha

@trashbo4t Not really it just a very simple mix of js and ajax And a maximum ten lines of php to log the date into the server
I have the html page and the php in a private repo but it's just a Csrf no grapping the router page or any thing i made for some crappy routers i got ...
I didn't even add dns rebinding into this so it doesn't seem complex.