search

s0lst1c3 / eaphammer

Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.
GNU General Public License v3.0
2.11k stars 307 forks source link

Coercing HTTP Authentication Via Captive Portal Without User Interaction #214

Open gjhami opened 5 months ago

gjhami commented 5 months ago

Is your feature request related to a problem? Please describe. Coerce NetNTLM authentication over HTTP with the captive portal and without user interaction by getting intranet-zoned. This feels especially relevant given patching around the redirect to SMB feature.

Describe the solution you'd like Concisely, I'd like the option to specify a custom captive portal URL and disable EAPHammer's HTTP server funcionality. That way I can poison DNS/NBNS/LLMNR to get intranet zoned and run NTLMRelayx's HTTP server as the captive portal:

  1. Get intranet-zoned by taking over as gateway and responding to DNS, NetBIOS, LLMNR requests or taking over as DNS server by including it in a DHCP config served by a rogue DHCP server. Then respond to requests for a hostname (ex. attacker).
  2. Automatically direct, or if not possible, redirect users to a captive portal with the intranet-zoned name (ex. http://attacker).
  3. Prompt for authentication by returning a 401, as is done by NTLMRelayx's HTTP server.
  4. Without any user interaction, receive NetNTLM authentication from the browser, because the attacker host is intranet-zoned.
  5. Crack the authentication offline
  6. (If Possible) If the attacker has a connection to the victim's network via an additional NIC, then relay the authentication to other services on the victim network, such as LDAP, to escalate access.

Describe alternatives you've considered Rather than allowing for the use of NTLMRelayx for the server + responder/DHCP/DNS poisoning, this could be built directly into EAPHammer. I don't know much about the implementation for the HTTP component, but I'm guessing the code for NTLMRelayx's HTTP server would provide a strong starting point and responder functionality is already built into EAPHammer.

For the short term though, I think it's best to be able to take over as gateway and direct users to a captive portal at a specified URL with EAPHammer. Then leave the poisoning and HTTP authentication challenge to existing tools.

Additional context

s0lst1c3 commented 1 week ago

Shouldn't be terribly difficult to implement. I'll add the ability to selectively turn background services on / off first (like the HTTP/S server), then move on the to the other stuff.