From 5baec46e103e9711f7cf38b2a1c3212137ae57d7 Mon Sep 17 00:00:00 2001 From: Greg Revelle <31642433+grevelle@users.noreply.github.com> Date: Wed, 30 Dec 2020 16:01:14 -0600 Subject: [PATCH] Update README.md --- README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 77476e4..d0ad451 100644 --- a/README.md +++ b/README.md @@ -47,13 +47,13 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup. ## Install -1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. In my environment, it's: +1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. ```shell ONT_IF='xx0' # NIC -> ONT / Outside RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway ``` -2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory): +2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory) and make executable: ``` ssh root@pfsense mkdir /root/bin scp bin/pfatt.sh root@pfsense:/root/bin/ 
@@ -92,6 +92,15 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup. If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP. +## Extracting Certificates +Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here is a good way to do it using windows: https://github.com/iwleonards/extract-mfg + +References + +https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html +https://www.nomotion.net/blog/sharknatto/ +https://github.com/MakiseKurisu/NVG589/wiki + # IPv6 Setup Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
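Review bot: in the first hunk (@@ -47,13 +47,13 @@) step 2 now promises to "make executable", but the commands visible after it (`ssh root@pfsense mkdir /root/bin`, `scp bin/pfatt.sh root@pfsense:/root/bin/`) still only create the directory and copy the file; unless a `chmod +x /root/bin/pfatt.sh` line sits in the part of this hunk cut off here, add it so the step does what its heading says. Dropping "In my environment, it's:" before the `ONT_IF`/`RG_ETHER_ADDR` block is fine, since the values shown there are already placeholders.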
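Review bot: in the second hunk (@@ -92,6 +92,15 @@) the new "Extracting Certificates" section never says what the certificates are for or how they relate to the netgraph bypass described in the context line just above it (netgraph bridges the EAP traffic between the ONT and RG, so the RG keeps authenticating); the first reference is titled as an EAP-TLS credentials decoder, so state that these are the RG's EAP-TLS credentials for a bypass that does not keep the RG in the path, and say whether a netgraph user needs them at all, otherwise readers will take root-shelling the gateway as a required step. Wording: "by the exploitation of the residential gateway" reads better as "by exploiting the residential gateway", and "windows" should be "Windows". Formatting: "References" is a bare line with no heading marker, and the three URLs follow on consecutive lines with no list markers or blank lines between them, so Markdown will render them as one run-together paragraph; use a `###` heading (matching the `##`/`#` style of the surrounding sections) and put each URL in its own list item.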