Bug: Evil Portal / Evil Twin client log lines counted as passwords
Evil Portal and Evil Twin sessions appear to count non-credential log lines as captured passwords.
What happens
During portal/twin sessions, client status messages such as client connects or client count updates can be written into the same capture logs used for credential totals:
portal_passwords.log
evil_twin_capture.log
The loot database then counts each line in those files as a password/capture, so non-form events inflate the password totals.
Expected behavior
Only received form data / POST submission lines should count as captured credentials.
Client activity should still be visible or retained for debugging/session review, but it should not affect password counts.
Proposed fix
- Treat only received form data lines as portal/twin credential captures.
- Keep credential logs form-only:
portal_passwords.log
evil_twin_capture.log
- Preserve portal/twin client and form activity separately:
portal_events.log
evil_twin_events.log
- Recount historical portal/twin capture logs using the same form-line rule.
- Bump the loot DB version so cached totals rebuild with corrected counts.
Bug: Evil Portal / Evil Twin client log lines counted as passwords
Evil Portal and Evil Twin sessions appear to count non-credential log lines as captured passwords.
What happens
During portal/twin sessions, client status messages such as client connects or client count updates can be written into the same capture logs used for credential totals:
portal_passwords.logevil_twin_capture.logThe loot database then counts each line in those files as a password/capture, so non-form events inflate the password totals.
Expected behavior
Only received form data / POST submission lines should count as captured credentials.
Client activity should still be visible or retained for debugging/session review, but it should not affect password counts.
Proposed fix
portal_passwords.logevil_twin_capture.logportal_events.logevil_twin_events.log