It turns out that (modulo some details) it's possible to trick a Windows computer connected to a network you control into opening a browser that points to a URL of your choosing. That's because NCSI initiates probes using plain HTTP rather than HTTPS, so the usual injection attacks can be carried out without the user having to take any action of their own.
(The directory OP linked to appears to be a payload they just added to the repo that fingerprints users who are presumably on the receiving end of such an attack; the actual code to carry out the attack in the first place is outside of that directory.)
---
The interesting part about that is that that's more or less what captive portals are supposed to do. One imagines that where this gets interesting is when one couples it with one of those attacks where you convince someone's computer to disconnect from a public WiFi hotspot and connect to your computer instead; then you can force a page to pop up without them realizing you're not the owner of the WiFi hotspot.
I wonder how easy it would be to carry out a phishing attack via such a mechanism? Force a captive portal prompt to launch on an unsuspecting user and have it render UI that looks like Windows and tells them they need to re-enter their Microsoft account credentials or credit card number or something.
It is worth noting that you do not need to have "control" of the access point in question for this tool to work.
The only thing you need is credentials for the network if it is not an Open Access Point. If you have the credentials you then pop those into airtun-ng and now you'll have a NIC you can sniff on and inject to the network in question at the Monitor Mode level.
No ARP spoofing, DNS poisoning, etc., just straight up good old fashioned Layer 2 hacking and there is nothing the Access Point can do to stop you sans an IDS/IPS.
So yes, you could absolutely do what you described and deauth and hope they join your network, but no need in most cases.
As well the real beauty is that NCSI probing happens every single time the computer connects to wifi; if edgeDressing catches the probe sequence and wins the race, that computer's browser is opening. Broadbrush deauthing and poof, now you have a whole bunch of computers all opening up random pages. Not good.
> Force a captive portal prompt to launch on an unsuspecting user and have it render UI that looks like Windows and tells them they need to re-enter their Microsoft account credentials
I created the payload to create a stronger case for Microsoft stopping the nonsense that is NCSI probing. There is no reason to use HTTP in 2024 and doing so as a core feature of the Operating System is begging for bad things to happen.
If you're running edgeDressing and use it as the payload whenever a user connects to any wifi that you have credentials for to include open wifi as well, that user's browser will open and then you have full control to send their browser to whatever URL you want. In this case we fingerprint to gain insight.
Take action to remove HTTP from the workflow. There is 0 reason to use HTTP in 2024 for a core OS functionality, let alone one that can knowingly be abused just like edgeDressing does.
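The thread's point is that Windows decides whether it has Internet access by fetching a known plain-HTTP URL, so anyone who can answer that request on the local segment can steer the machine into its captive-portal flow. From the defender's side the same property makes tampering visible: a sensor that sees the probe and its answer can compare the answer against what Windows expects. The script below is an added example, not code from the thread or from the edgeDressing project. It relies on the documented NCSI probe targets (http://www.msftconnecttest.com/connecttest.txt, expected body "Microsoft Connect Test", and the older http://www.msftncsi.com/ncsi.txt, expected body "Microsoft NCSI"); the tab-separated log format and the sample transactions are constructed for the example.

```python
"""Flag NCSI connectivity-probe responses that do not match what Windows expects.

Added example; not part of the original thread or the edgeDressing project.
Assumes a network sensor exports HTTP transactions as tab-separated lines:
    client_ip  host  path  status  location  body
where location is "-" when the response carried no Location header.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented NCSI probe targets and the exact body Windows expects back.
NCSI_EXPECTED = {
    ("www.msftconnecttest.com", "/connecttest.txt"): "Microsoft Connect Test",
    ("www.msftncsi.com", "/ncsi.txt"): "Microsoft NCSI",
}


@dataclass
class HttpTxn:
    client: str
    host: str
    path: str
    status: int
    location: str  # empty string when no Location header was present
    body: str


def parse_log(text: str) -> List[HttpTxn]:
    """Parse the constructed tab-separated sensor format into transactions."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, path, status, location, body = line.split("\t", 5)
        txns.append(HttpTxn(
            client=client,
            host=host,
            path=path,
            status=int(status),
            location="" if location == "-" else location,
            body=body,
        ))
    return txns


def classify_ncsi(txn: HttpTxn) -> Optional[str]:
    """Return a verdict for an NCSI probe transaction, or None if it is not one.

    'ok'              - the genuine answer Windows expects
    'redirect->URL'   - a 3xx answer; Windows treats this as a captive portal
                        and opens a browser at the Location target
    'unexpected-body' - a 200 whose body is not the expected string
    """
    expected = NCSI_EXPECTED.get((txn.host, txn.path))
    if expected is None:
        return None
    if txn.status == 200 and txn.body.strip() == expected:
        return "ok"
    if 300 <= txn.status < 400:
        return f"redirect->{txn.location or '?'}"
    return "unexpected-body"


def find_tampered(txns: List[HttpTxn]) -> List[Tuple[str, str]]:
    """Return (client, verdict) for every NCSI probe that got a non-genuine answer."""
    return [(t.client, v) for t in txns
            for v in [classify_ncsi(t)] if v is not None and v != "ok"]


# Constructed sample log: one genuine answer, one redirect, one spoofed body,
# and one unrelated request that must be ignored.
SAMPLE_LOG = (
    "10.0.0.12\twww.msftconnecttest.com\t/connecttest.txt\t200\t-\tMicrosoft Connect Test\n"
    "10.0.0.13\twww.msftconnecttest.com\t/connecttest.txt\t302\thttp://portal.example/login\t\n"
    "10.0.0.14\twww.msftncsi.com\t/ncsi.txt\t200\t-\t<html>not the real answer</html>\n"
    "10.0.0.15\twww.example.com\t/index.html\t200\t-\thello\n"
)

if __name__ == "__main__":
    for client, verdict in find_tampered(parse_log(SAMPLE_LOG)):
        print(f"{client}: NCSI probe answered with {verdict}")
```

On a network that has no sanctioned captive portal, any verdict other than "ok" is worth investigating, since the only legitimate sources of a redirect or an odd body are the portal operator and Microsoft's own servers. The check is only as good as the sensor's vantage point: it has to see the same Layer 2 segment the client is on, which is exactly where the injection described above takes place.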