[Snagging AD credentials over WiFi]

4 hours ago, kamileon said:

So could you just not use a MANA attack with this.  That way you dont have to know the SSID, just need to be within wifi range of the target. 

It can be done.. just need some tweaking with the configs..

Monitor client probes.. create evil twin for the Open WiFi probe.. Assign IP for client.. Wait till Responder snatches the creds, maybe do a couple of de-auths.. Importantly, avoid any DHCP, DNS, HTTP service conflicts..

For the PoC, I wanted to keep it as a simple targeted attack and so off-loaded the router function to an actual wifi router.. It was stable that way.. less tinkering to do..

[Snagging AD credentials over WiFi]

I think you misunderstood my method here b0N3z.. You don't need to plug in the Nano into the USB port... That happens to be the biggest advantage also.

If you see the demo videos on 2nd reply, you will see that the machines connect to rogue Ap and give up the creds. 

[Snagging AD credentials over WiFi]

Agree. 

My current setup - TP Link MR3020 + RPi3

Now trying to do it all on a RPi3.

This should be pretty straightforward with a Nano since it has a Responder module already.

[Snagging AD credentials over WiFi]

Demo

 

 

 

 

[Snagging AD credentials over WiFi]

Hi,

I have written a blog post on using mubix's discovery to grab AD creds using an Evil twin AP and Responder.

https://zone13.io/post/Snagging-credentials-over-WiFi-Part1/

pros:

• no physical access required 

• no driver installations..

I can see that Tetra/Nano has Responder modules but not much info on using it. I don't have a Pineapple handy at the moment to try it out.

Anyone care to give this a go on tetra/nano? 

Happy to answer any queries on working.

cheers.