solstice.sh Pentesting, Offensive Security Research & Development

EAPHammer Version 1.8.0 - EAP downgrade attacks


EAPHammer version 0.9.0 was released back in June 2019, and introduced the ability to execute both GTC and generic EAP downgrade attacks. Due to issues that were uncovered during field testing (see Controlling EAP negotiation with EAPHammer), the implementation of these attacks has been almost completely overhauled in version 1.8.0.

EAPHammer Version 0.7.0 - Certificate Handling


The latest version of EAPHammer greatly expands its ability to generate, import, and manage private keys and x509 certificates. This post describes these new features in detail and provides the necessary background information to understand why these new features were needed.

EAPHammer Version 0.5.0 - Legacy Crypto Support


A couple of days ago, EAPHammer version 0.5.0 was released. This update introduces a very subtle, yet very important capability to the project: SSLv2/3 support.

EAPHammer Version 0.4.0 - Password Spraying Attacks


As a version 0.4.0, EAPHammer supports the ability to perform password spraying attacks against WPA2-EAP wireless networks. Password spraying is a type of bruteforce attack in which multiple successive login attempts are made using a single password and a large number of accounts. A recent study published in May 2018 by GCHQ’s National Cyber Security Centre (NCSC) revealed that 75% of participating organizations had accounts with passwords featured in top-1000 password lists. With this in min...

Reflected XSS Through iFrame


Imagine we are targeting an instance of Damn Vulnerable Web App on an enterprise network. In this totally realistic scenario, there is also an instance of Web Cal running on the same network. The Web Cal instance is vulnerable to clickjacking. To gain access to DVWA, we can create a malicious web page that masquerades as the Web Cal instance using an iframe. We then could place a second iframe into the page that executes a reflected XSS attack against the target DVWA instance on page load. We...

XSS Session Hijacking Part II


In Part I of this series, we learned how to create two modern cookie stealers for stealthily carrying out session hijacking attacks. Although highly effective in many cases, both cookie stealers were useless against websites that employ HttpOnly session cookies.

XSS Session Hijacking Part I