I don’t know, if you’ve already have full control over routing and have some form of local presence, seems to me you could do something interesting with a proxy, maybe even route the traffic back to the tunnel adapter.
I can’t see routing traffic to some kind of local presence and then routing back to the target machine to route out through the tunnel adapter without a successful compromise of at least one other vulnerability.
That’s not to say there’s nothing you could do… I could see some kind of social engineering attack maybe… leaked traffic redirects to a local web server that presents a fake authentication screen that phishes credentials , or something like that. I could only see that working in a very targeted situation… would have to be something more than just a some rouge public wi-fi. They’d have to have some prior knowledge of the private network the target was connecting to.
I don’t know, if you’ve already have full control over routing and have some form of local presence, seems to me you could do something interesting with a proxy, maybe even route the traffic back to the tunnel adapter.
I can’t see routing traffic to some kind of local presence and then routing back to the target machine to route out through the tunnel adapter without a successful compromise of at least one other vulnerability.
That’s not to say there’s nothing you could do… I could see some kind of social engineering attack maybe… leaked traffic redirects to a local web server that presents a fake authentication screen that phishes credentials , or something like that. I could only see that working in a very targeted situation… would have to be something more than just a some rouge public wi-fi. They’d have to have some prior knowledge of the private network the target was connecting to.
We’re already assuming you have something that can compromise DHCP. Once you make that assumption who’s to say you don’t have a VM hanging out.