Skip to content

Bug: Evil Portal / Evil Twin client log lines counted as passwords #9

Description

@phutur1st

Bug: Evil Portal / Evil Twin client log lines counted as passwords

Evil Portal and Evil Twin sessions appear to count non-credential log lines as captured passwords.

What happens

During portal/twin sessions, client status messages such as client connects or client count updates can be written into the same capture logs used for credential totals:

  • portal_passwords.log
  • evil_twin_capture.log

The loot database then counts each line in those files as a password/capture, so non-form events inflate the password totals.

Expected behavior

Only received form data / POST submission lines should count as captured credentials.

Client activity should still be visible or retained for debugging/session review, but it should not affect password counts.

Proposed fix

  • Treat only received form data lines as portal/twin credential captures.
  • Keep credential logs form-only:
    • portal_passwords.log
    • evil_twin_capture.log
  • Preserve portal/twin client and form activity separately:
    • portal_events.log
    • evil_twin_events.log
  • Recount historical portal/twin capture logs using the same form-line rule.
  • Bump the loot DB version so cached totals rebuild with corrected counts.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions