soyalk/probalk

TO DO IDEAS

Opened this issue · 4 comments

1- EAP GTC Downgrade
maybe using one of these scripts (eaphammer - cupid - scapy.fakeap - SniffAir, the best one)
or manually by using this conf file

2- evil twin with channel hopping using one adapter
Add to this: make the page save the entered password to send it later, in case the victim's connection was lost while the script was looking for the AP's new channel, so when he reconnects the password gets sent.

3- Scenario that asks the user to push the WPS button if it is available; it will need this too and maybe this

4- PowerShell / Bash scripts that exfiltrate the WPA2 PSK using a local server
or we can do it using this cool VBScript

We can get it to auto-download without a warning using tools like this

5- Fake web-based network manager for Android

6- maybe a malicious APK that exfiltrates the WiFi password scenario ... or maybe using something like this to auto-get root permissions and extract the password directly

We can get it to auto-download without a warning using tools like this

7- improving the sign-in popup and making the page auto-open with a higher success rate

8- a sextortion-based phishing page

9- an auto-exploit mode that exploits the devices when they connect to the fake AP if they are vulnerable to RCE exploits, or just a network scanner that detects open ports, checks if they are vulnerable and reports it, just like Nessus - this auto-exploit tool or Nmap scripts, and of course you will find a lot of other Nmap scripts.

10- add a confirm-password field in the evil twin page so they don't type a random WiFi password.

11- Save the target AP's clients while doing the network scan so we can divide the priority in a correct way, especially in the WEP and CSRF attacks, descending from the really original clients to the guests

12- HTTPS redirect support -------- the important comments 2 - 3; looks like what MPX4132 said was wrong .. the only option is to create a legitimate certificate using Let's Encrypt and similar sites for free and automate it so it gets updated every three months
Renew Let's Encrypt with the ZeroSSL online tool - or auto-update, or scripts like this 1 - 2

or we can use idea number 17
13- auto-fill hack in the CSRF router attack method to automatically get the admin credentials .. as the two URLs are the same (just add the input fields and the browser will auto-fill them for us; all we have to do when the fields get the creds is send the login creds to the server and the router) .. or maybe to get other sites' creds using this; more info from the devs' wiki with code ---- a better PoC with the code
A repo that contains the source code
Edit: seems like Google doesn't automatically auto-fill when the page loads (in the new version) and needs an additional click on the saved username/password from the drop-down menu ... so we would need the page to be non-existing, auto-focusing on the password or username input bar so he clicks on the auto-fill drop-down menu, just like this
Edit 2: Chrome doesn't auto-fill HTTP-only sites, so we have two options: the first is to get them to install a self-trusted certificate; the second one, which is a lot better, is to provide the network with an internet connection and use a free Let's Encrypt certificate ... and also this attack won't work on sites with a self-signed certificate which shows us a warning page before visiting them, as Chrome doesn't support password saving on such sites!

14- spoofed domain name phishing using evil twin

Try to make the browser think that Facebook's IP is the same IP as a phishing page made with ngrok ... using the first version of the hotspot tool and a JS that makes an internet check like an HTTP request, and make the local server redirect it to your phishing page (it will do this already, just change the URL of the page that you ping to a new one) ... just like the problem we tried to fix the first time. So when he gets back to his network and the internet connection is back, make the script redirect him to the FB URL, which will result in a page with the FB URL but with the phishing page content, and when he tries to open the page in a new tab the same thing will happen again, maybe for 10-15 minutes.

15- Evil twin scenario that asks for the saved WiFi QR code on phones that support it
we can add a GIF on that page that explains how to get and upload it ... but we have to set up a publicly available server to receive the image, because they have to be connected to their network to be able to share the QR code.
it mostly exists in Android 8 & 9 and it's official in Android 10
after a little search, it's on all Huawei/Honor Android 7 and later devices & all Android 4.1.2 and later Xiaomi devices & Android 9 Samsung devices, and all Android Q devices.

16- Phone model collecting attack
it's a mix of a karma attack + deauth and a web server to catch the user agent and log the AP name + user & AP BSSID + the user agent
to make the other attacks easier, and it would be very useful for the QR code attack scenario.
just like this

17- install a root certificate to get the internet working phishing method
just like this, without VBS, to support Android devices too, like this iOS trick
or using bettercap

18- Bluetooth phishing, just like this, but instead of arrows we ask them to double-click (or triple-click, or any wanted amount of clicks, or even ask them to wait a certain amount of time between clicks) on the same location based on the screen resolution of the phone, after we ask them to turn Bluetooth on to get the internet working or enable network sharing. Then we monitor the list for new devices, then on the next click we try to connect to them using Bluetooth so they click on allow without intending to, and then hack the device using such hacks and proceed to extract the wanted info.

19- A WPA2 karma attack (saved network handshaker)
as karma attacks work on saved open networks only and not secured ones, we will need to have the password first to get it to work, although this seems a bit hard... the number of saved networks guarantees that there is one with a weak password... so we will need to make the karma attack start two networks of the targeted probe, one open and the second secured, and the victim will auto-connect to the one with the correct configuration with the saved, obviously correct, password, and we save that handshake with the other handshakes captured from the same device to brute force and break the ones with weak passwords.

2) also we can take advantage of weak default WiFi passwords and the poor habits of users with saved networks, and the fact that some manufacturers use that password for the admin panel too, which will definitely make the CSRF much easier. 3) it can be useful in case of forcing them to reset the router using DDoS, as you can make it stop automatically when detecting that the network SSID changed to the default one.

20- HTTPS hack by faking responses to NTP so the computer time changes to one far away in the future or in the past, and all the sites show an error message, so you are able to downgrade them to HTTP
mostly the attack probably won't work against Windows, but time skimming will, so when the user gets an error message to change the time, like this
when he tries to change it using "update now" in the time option (the manual auto time update) we will be able to change his time without limits, just like the macOS attack
[image: the attack idea]

the demo against macOS
Time skimming against Windows OS
The manual auto time update that changes time with no limit (the best)
NTP Man-in-the-Middle tool

21- todo ideas.txt

22- the same as 14 and 17 but more advanced and kinda doesn't require user interaction.
todo ideas#2.txt

23- karma attack in evil twin on multiple devices on the same target network with different saved network lists, by creating multiple SSIDs
http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd

24- router model detector using the multi-SSID feature to probe for networks based on the MAC vendor of the target, using a list of default SSIDs; if the victim auto-connects to one of them, that's the right SSID for his router model.... also if the target still has the default SSID unchanged, then the check can be performed without affecting the target

25- double click trick number @4

26- Reset Detection Attack
1) we DDoS the router so the victim resets the router, with two options: without a rogue AP, or with a rogue AP, but the captive portal page will ask the user to reset the router to fix the internet problems and get it working
2) the script detects whether the user has factory reset the router or not by monitoring the network SSID and security properties like WPS, and we can detect if the SSID is the default one or not by generating it using the MAC address and comparing the results
3) the user will get asked to enter the router's default WPS PIN or the default WPA password if he knows it.. and will be asked if he wants to capture a handshake of the network with the default password when the reset happens or not.. he can already capture it without the need of a reset using idea 19 point 2, and the script should mention that when selecting this attack
4) when the script detects that the reset has been made, it has three options based on the router's default security options and the user's selections. First, if the network is open, it alerts the user and then auto-connects to the network to check if the router's pages use HTTPS or not; if they don't, the script disconnects and then monitors the network packets from outside using airodump, and if they do, it stays connected to the network and uses sslstrip to sniff the packets. Second, if the network security is WPA and has WPS enabled and the user didn't enter the password, the script attacks the WPS automatically, prints the password if it succeeds and alerts the user, then just like the first point connects to/monitors the network packets and decrypts them using the WPA key. Third, if the network security is just WPA without WPS and he has chosen "I have the handshake" and entered the password, the script will do the same monitoring process from the first step and alert him, and if he selected that he doesn't have the handshake and doesn't know the password, then the script automatically tries to capture the handshake after the reset happens
NOTE: the script can be set to automatically make changes to the router after connecting only if the router model is known and he has the commands
the user can choose whatever he wants from all the above options, so the script doesn't need to do the auto attack method selection part and only performs what he selected

27- todo ideas.txt number @5, similar to idea 4 but better.

28- A very cool default password generator, point 6

29- taking advantage of ideas 17 & 20 to exfiltrate more data, todoideas.txt number 7, to achieve a double-click-like attack but without user interaction.

30- add an original AP checker and print whether it's online or not to a network status tab.

31- Client Saved AP Tracking for a better deauthing success rate
it should have two modes: the first is, if any of the probe requests from the clients connected to the target network matches the name of other nearby networks, we mark it as a possible saved network (but this method's accuracy is somewhat low); the second mode would be deauthing the clients and seeing if they connect to any other network, and if they do, it marks it as a saved network.

32- WPS unlock detection attack
Similar to number 26 but more dedicated to WPS.... it's a mix of DDoS and monitoring the network's WPS info.. which you can use in case the WPS is locked, and when the user restarts the router because of the DDoS, the router's WPS lock should be unlocked, then the script automatically uses Pixie Dust on it to get the PIN, then grabs the password ... this attack is meant only to be used in case the WPS configuration is PBC, not PIN ...... and it can even be used with a hotspot + captive portal page that asks the user to restart the router to fix the connection issues (to speed up the attack for us).
#note: if after the router restart is detected the WPS is still locked, then the router has settings that need WPS to be manually unlocked (which mostly won't happen) or a reset to get WPS open, which would be the job of idea number 26... so the script should print "router isn't vulnerable to WPS unlock by restart, please use the reset detection attack instead".

33- the WPS scan should show the WPS config type, PBC or PIN .... and if it's PBC and not ZTE or Livebox (the ones that are vulnerable to the null PIN), then it marks them as not vulnerable to the WPS attack... with an option to filter them out of the results, as they won't be useful, and show the vulnerable ones only.

34- WiFi hacking scripts and tutorials that you may like

35- enjooooyyy and make the best script ever :)

good ideas but less time. I will try my best

thanks

<script> ;)

I know that you don't have time, but migrating those ideas is gonna make your script powerful
1: Add Hashcat besides Aircrack-ng and put some rules to make the probes generated and capitalized
(Just so you understand what I mean: sometimes the password is lowercase, and it happened to me twice that I found the password in two separate probes, like messi2010 and another probe containing messi2010, and the password was messi2010messi2010; the other time it was cve4a9wyc2 and the password was CVE4A9WYC2)
2: Save the probes into a file or onto the desktop (tmp.txt)
3: Add a direct attack using aireplay-ng MAC targeting for better handshake capturing
4: That's it. Thanks for your script, I really appreciate it

You are welcome mate .. keep it up .. and after a year, if we are still alive, I will try to catch up with you :) and maybe come up with more new ideas 😊

@Abdssamadh thank you too for your ideas. I will try to improve it soon ;)