by javawizard
566 days ago
For anyone asking what this has to do with NCSI, have a look at the README of the parent repo: https://github.com/stryngs/edgedressing/tree/main

It turns out that (modulo some details) it's possible to trick a Windows computer connected to a network you control into opening a browser that points to a URL of your choosing. That's because NCSI initiates probes using plain HTTP rather than HTTPS, so the usual injection attacks can be carried out without the user having to take any action of their own. (The directory OP linked to appears to be a payload they just added to the repo that fingerprints users who are presumably on the receiving end of such an attack; the actual code to carry out the attack in the first place is outside of that directory.)

---

The interesting part about that is that that's more or less what captive portals are supposed to do. One imagines that where this gets interesting is when one couples it with one of those attacks where you convince someone's computer to disconnect from a public WiFi hotspot and connect to your computer instead; then you can force a page to pop up without them realizing you're not the owner of the WiFi hotspot.

I wonder how easy it would be to carry out a phishing attack via such a mechanism? Force a captive portal prompt to launch on an unsuspecting user and have it render UI that looks like Windows and tells them they need to re-enter their Microsoft account credentials or credit card number or something.
|
The only thing you need are credentials of the network if it is not an Open Access Point. If you have the credentials you then pop those into airtun-ng and now you'll have a NIC you can sniff on and inject to the network in question at the Monitor Mode level.
No arp-spoofing, DNS poisoning, etc, just straight up good old-fashioned Layer 2 hacking and there is nothing the Access Point can do to stop you sans an IDS/IPS.
So yes, you could absolutely do what you described and deauth and hope they join your network, but no need in most cases.
As well, the real beauty is that NCSI probing happens every single time the computer connects to wifi; if edgeDressing catches the probe sequence and wins the race, that computer's browser is opening. Broadbrush deauthing and poof, now you have a whole bunch of computers all opening up random pages. Not good.