As a version 0.4.0, EAPHammer supports the ability to perform password spraying attacks against WPA2-EAP wireless networks.
Leave a Comments0lst1c3 Posts
At DEF CON 26 I introduced an attack that can be used to bypass 802.1x-2010 and MACsec when weak EAP methods are used. The attack, known as a Rogue Gateway, forces the supplicant to authenticate with a rogue radius server by mechanically diverting ethernet traffic to the attacker’s rogue device. The attack can be performed remotely with the assistance of a side channel interface, and can also be implemented completely in software to attack 802.1x-2004. I also introduced several improvements to the classical bridge-based 802.1x bypass, along with EAP-MD5 Forced Reauthentication attack.
Leave a CommentThe is the first of a two part series about our attempts to make rogue AP attacks against 802.11n and 802.11ac networks a bit easier. Up until this point, we haven’t really seen any serious attempts to provide out-of-the-box support for rogue AP attacks against 802.11ac and 802.11n. Considering that most modern wireless networks use these versions of the 802.11 standard, we decided to find out why and attempt to do something about the problem ourselves.
Leave a CommentBack in November 2017, Tenable Network Security released a Nessus plugin that was capable of identifying the HTTP Listeners used by the Empire post-exploitation framework [1]. Since Empire is a tool that I often use during pentests and red team engagements, I felt inspired to develop a patch for Empire’s HTTP Listeners (both HTTP and HTTP_Com) that renders this plugin ineffective.
Leave a CommentAt DEF CON 25 and Hackfest 0x9 I introduced a novel attack that can be used to bypass port-based access controls in WPA2-EAP networks.
Leave a CommentThis blog post will cover the development of sentrygun, from the algorithms used to detect rogue APs to the design patterns used to leverage those algorithms by network administrators.
Leave a CommentIn Part I of this series, we learned how to create two modern cookie stealers for stealthily carrying out session hijacking attacks. Although highly effective in many cases, both cookie stealers were useless against websites that employ HttpOnly session cookies. In this tutorial, we’re not going to be focusing on stealing sessions. Instead, we’re going to learn how to log keystrokes in realtime using WebSockets, as well as map keystrokes to specific DOM elements.
Leave a CommentImagine we are targeting an instance of Damn Vulnerable Web App on an enterprise network. In this totally realistic scenario, there is also an instance of Web Cal running on the same network. The Web Cal instance is vulnerable to clickjacking. To gain access to DVWA, we can create a malicious web page that masquerades as the Web Cal instance using an iframe. We then could place a second iframe into the page that executes a reflected XSS attack against the target DVWA instance on page load. We could then use social engineering to trick a user into navigating to our fake Web Cal page, and by doing so steal the user’s DVWA session.
Leave a CommentIn this tutorial we will be develop three different cookie stealers of increasing complexity and effectiveness. We will also demonstrate how to use these cookie stealers to perform session hijacking attacks using a web page vulnerable to XSS.
Leave a CommentIn many cases, developers faced with patching a SQL injection will attempt to be clever by turning off error output instead of trying to fix their broken code. This results in a situation in which the target web page is vulnerable to SQLi, but no messages from the database are shown except for the intended output onto the page. This forces us to get creative when attempting to extract information from the target database.
Leave a Comment