zone13.io Posted October 10, 2016

Hi,

I have written a blog post on using mubix's discovery to grab AD creds using an Evil twin AP and Responder.

https://zone13.io/post/Snagging-credentials-over-WiFi-Part1/

pros:
• no physical access required
• no driver installations..

I can see that Tetra/Nano has Responder modules but not much info on using it. I don't have a Pineapple handy at the moment to try it out. Anyone care to give this a go on tetra/nano?

Happy to answer any queries on working.

cheers.

zone13.io (Author) Posted October 10, 2016

Demo

b0N3z Posted October 11, 2016

I haven't tried it on anything but a Raspberry Pi Zero, but I thought about using the Nano to do it but have not got around to making it happen. The Nano would be best, just plug it in and let it run.

zone13.io (Author) Posted October 11, 2016

Agree.

My current setup - TP Link MR3020 + RPi3

Now trying to do it all on a RPi3. This should be pretty straightforward with a Nano since it has a Responder module already.

b0N3z Posted October 11, 2016

12 hours ago, zone13.io said:
> Agree.
> My current setup - TP Link MR3020 + RPi3
> Now trying to do it all on a RPi3. This should be pretty straightforward with a Nano since it has a Responder module already.

Agreed and I have it set up on a PiZero and it works great with Raspbian lite. The only problem I see with the Nano is that
1.) it operates with OpenWRT and
2.) the amount of time it takes for the Nano to start up and get going might not be suitable for this type of attack
3.) the antenna. It is, for being small, maybe too big of a device to carry around and pull this off, as it is noticeable when plugged in.

zone13.io (Author) Posted October 12, 2016

I think you misunderstood my method here b0N3z.. You don't need to plug the Nano into the USB port... That happens to be the biggest advantage also. If you see the demo videos in the 2nd reply, you will see that the machines connect to the rogue AP and give up the creds.

kamileon Posted October 12, 2016

So could you just not use a MANA attack with this? That way you don't have to know the SSID, just need to be within wifi range of the target.

zone13.io (Author) Posted October 12, 2016

4 hours ago, kamileon said:
> So could you just not use a MANA attack with this? That way you don't have to know the SSID, just need to be within wifi range of the target.

It can be done.. just need some tweaking with the configs.. Monitor client probes.. create evil twin for the Open WiFi probe.. Assign IP for client.. Wait till Responder snatches the creds, maybe do a couple of de-auths.. Importantly, avoid any DHCP, DNS, HTTP service conflicts..

For the PoC, I wanted to keep it as a simple targeted attack and so off-loaded the router function to an actual wifi router.. It was stable that way.. less tinkering to do..