n0xa / m5stick-nemo

M5 Stick C firmware for high-tech pranks
Other
843 stars 162 forks source link

Alternative to an Evil Portal #106

Closed Rol3oT closed 9 months ago

Rol3oT commented 9 months ago

Evil Portal is really cool and all, but what if you wanted to capture a password for the Wi-Fi network itself? Would it be possible to clone a Target SSID and set a very difficult password so that when the user attempts to sign in to their WiFi SSID with the password they know, it will fail, but capture the attempted password? If there is not a package already in development I was thinking of looking in to making one. Does Marauder has anything similar? Bettercap?

n0xa commented 9 months ago

Wi-Fi authenticates via a relatively complicated cryptographic process. The vast majority of networks today use WPA or WPA2 with Pre Shared Keys (PSK), with WPA3 on the horizon that will further secure various parts of the Wi-Fi stack.

There's no straight-forward way to have a user try to authenticate to a rogue access point and expose the actual WPA/WPA2 pre-shared key. You can read up on how WPA2 cracking works with hashcat. Tools like Hash Monster, Pwnigotchi, Wifite, and bettercap automate some parts of these attacks, but some of which will illegally send deauthentication attacks against networks you aren't authorized to use, so be careful with them. I've had good luck using hcxtools, hcxpcapng and hashcat together on a Linux laptop, but there are ways to aid data collection with esp32.

I don't foresee NEMO delving too deep into real "pentesting" tool turf. Real, professional pentesters use laptops and best-in-class software for security assessments. Most of the time, they are commandline or text-based specialty tools. I have yet to see a real pro walk up to an engagement and pull out a flipper with a wifi board, a DSTIKE deauthenticator or some other microcontroller gadget, use it for the assessment, and expect to be taken seriously.

Rol3oT commented 9 months ago

I was more thinking of this How can I capture the passwords that people try out on my router (the wrong connection attempts)?

Exempt the router AP is created by Nemo.

Edit: Nevermind, read up on it futher, learned something new.

Thanks, case closed.