bitsadmin/fakelogonscreen

一个绕过方法&A bypass method

0themhp opened this issue · 4 comments

点击五次shift键,然后点击弹出窗口的链接,就可以跳转到系统设置,实现绕过
Click the shift key five times, and then click the link in the pop-up window to jump to the system setting to bypass

Neat trick, I hadn't thought about that :) Would indeed be good to fix this, thanks for your report!

@bitsadmin glad that you are still updating this super cool project

I wish someone would add the password verification part to wifiphisher

So it works remotely on local devices on the same network :(

Windows Lock Screen Senario

Interesting idea, to show a fake logonscreen in a browser when a client connects to a rogue access point. However, because the browser is probably not full screen, users will be less prone to fall for entering their password.

Also, password verification of the password entered in the browser window is challenging, as you will somehow need to find a server/port to validate the password. For example in case of a domain-joined machine the Domain Controller to test the password against SMB (445/TCP) or LDAP (389/TCP). In case it is not a domain-joined machine, you can try the password against the host itself, if ports like SMB or RPC (135/TCP) are reachable. As mentioned, it is challenging, but could be possible to automate, at least the 2nd case.

Interesting idea, to show a fake logonscreen in a browser when a client connects to a rogue access point.

@bitsadmin Yeah thanks .... It can also be done in local network with some spoofing which is where it would be actually meaningful ... as for grabbing passwords from random devices doesn't make sense

However, because the browser is probably not full screen, users will be less prone to fall for entering their password.

Yeah you are right .... but it can be done using some quicky click jacking or something
Images of the tricks used these days

I can't find the one i fall for ... but it went like this .... an ad showed up on a page on my phone .... i tried closing while clicking that X an allow nonfiction pop showed the exact second that i wasn't even able to notice that i clicked it ... it was really done right

Anyway i think you don't even need to display anything on the page .... just the phishing page will do ... user will typically click on it to see what it's about ...and the full screen will kick (as it requires any click by the user || addEventListener & Chrome Fullscreen API )

Moreover I think you could monitor a certain target device network traffic and then when inactivity detected .... You launch the scam so when the users come back and see it they will input the password without double thought as it would look like the typical Sleep screen lock

Also, password verification of the password entered in the browser window is challenging, as you will somehow need to find a server/port to validate the password. For example in case of a domain-joined machine the Domain Controller to test the password against SMB (445/TCP) or LDAP (389/TCP). In case it is not a domain-joined machine, you can try the password against the host itself, if ports like SMB or RPC (135/TCP) are reachable. As mentioned, it is challenging, but could be possible to automate, at least the 2nd case.

Hmmm ... I don't know if this would work for domain-joined machine or not ... but this what i suggested in the comments of the pull request mentioned

From EAPHammer

Hostile Portal Attacks are a weaponization of the captive portals typically used to restrict access to open networks in environments such as hotels and coffee shops. Instead of redirecting HTTP traffic to a login page, as with a captive portal, the hostile portal redirects HTTP traffic to an SMB share located on the attacker's machine. The result is that after the victim is forced to associate with the attacker using a rogue access point attack, any HTTP traffic generated by the victim will cause the victim's device to attempt NTLM authentication with the attacker. This is, in essence, an assisted Redirect To SMB attack. The attacker also performs LLMNR/NBT-NS poisoning against the victim.

Regards