tx

Posts posted by tx

  1. Off the top of my head, think I have:

    Laptop,

    Laptop backup battery (also powers AP)

    Linksys WRT54G wifi router

    Pens, paper

    Leatherman

    screwdrivers

    Two USB NICs

    Few cat5e cables

    Crossover jack

    Battery powered hub

    Cat5s with croc clips on the end (Think of these... and a hub... and a cat5 cable running along a corridor... suddenly you see :).. (*oh and some snips*)

    Snips.. < see ;P

    Gaffa tape

    PVC tape

    PCMCIA wifi card

    +9dB antenna for wifi card

    case of CDs

    lockpick kit

    LED torch

    multimeter

    USB pendisk

    Swedish FireSteel! < That stuff rocks!

    Body spray (Can't have a smelly techie can we lol)

    and I think that's it :P

  2. I'm not saying change the NAT gateway, I'm saying insert two interfaces into the router's conf just before the final 'OUT' and modify routing tables to pass through those first.

    Depends on the routers in question. If you can create pretty much a virtual interface or two, use GRE (or VPN tunneling, whatever) to get two endpoints to YOUR sniffing router, and then modify the routing tables on your router and their router to pass through that tunnel and back again; should work fine... Obviously there's bandwidth implications.

    Also, what VPN software were you trying to use? My VPN success rate sucked soo much until I started to use OpenVPN.

  3. If I remember something that I found years ago, on a Win2k Active Directory network.. (and seems to work across all of them, 2k/XP based).. and doesn't seem to have a Group Policy object to control..

    Just try triple clicking (I know... sounds strange!) on the word 'Programs' or 'All Programs' in 2k/XP's start menu...

    That should open up the start menu folder in whatever profile you are logged in as (C:\documents and settings\blah\start menu)... it's amazing how far pressing the up (updir) button will now get you!

    Also, you may want to try in a program that has user-visible filesystem access, which doesn't seem to listen to other system policies... like Word 2000 / 200whatever

    Open Word... go to File > Save As...

    In filename type * and press enter to see all files

    and then try just entering paths in the filename box, pressing enter, and see what happens.

    (file://C:/windows or C:/windows) may work (WINNT on 2000)

    Just some pointers anyway, dunno if it will get you anywhere... Why the C drive anyway? Local PC contents won't have anything special. And yes... you will still be bound in some places to NTFS restrictions... but if they have hidden C, it's the best you're gonna get if you don't want to boot from a live OS.

    (*Btw... don't do it without permission.. it's illegal.. naughty boy.. etc etc etc*)

  4. Don't get me wrong, I would never use any of the information I gained from login portals, ccards etc etc.. it all just gets piped to /dev/null.... but it's something to do on the train on the way home... and allows you to laugh at people's stupidity...

    Hmm... now entering someone's box on 'MY' WIFI......

    Guessing that would have different implications?

  5. I've been thinking about the legalities of this for a while, and the 'what's in your backpack' thread told me that at least one other person carries a wifi AP and a battery to power it...

    So.. If say, I found myself on a train... with lots of people using laptops on the way home from work... and in all the stations there's big posters saying 'Wifi on trains is here... blah blah'. However not on the one I'm on...

    So I cash in on this by setting up my AP as 'TrainCompanyNameWIFI' and don't set a WEP key, setting DHCP up and setting gateway and DNS to my laptop.. where I have a 3G connection to the internet for aaaalll to use.. if they really want..

    Now comes my question.

    They're on MY network, using MY connection to the web. I haven't told them to connect, nor given them permission.... and if I have set up a portal in which they click accept to get onto the wifi... which has in very small print that by accepting they accept that administrators of the network they are joining may monitor or log the traffic they send....

    Am I legally doing anything wrong by watching their traffic?

    *expecting at least one reply of 'who cares, it's doable, no1's any the wiser..' but I'm bored and rambling is all good fun.. hi people :)*

  6. If you end up using aireplay, you may want to download BackTrack v1 (newer live CD based on Auditor) that features a newer version of airodump (which to me seems more sensible in its wanting of parameters :P)

  7. I find BackTrack pretty good, GUI mode gets a bit messy (slow due to CD boot) but everything's pretty easy to access through the shell; before that was Auditor (which BackTrack is now derived from)

    both at www.remote-exploit.org

    That and the NT password offline editor :)

    And Vako, is it worrying I have a Cat5 Etherkiller :P? .. only with a 3 pin UK plug on... Long live power over ethernet lol!

  8. If you gained remote access to a gateway router on your victim's LAN (across the internet), then you could pretty much do the same to that LAN as a local ARP poison using GRE tunnels, providing you have enough bandwidth at your end to act as their LAN gateway for a short time ;) but for the reasons these chaps have explained, that's about as near to 'poisoning the internet' as you're gonna come.

    Just my 10p :)

    -Tx

  9. Yes, that's what I'm saying, level 7 filtering to block on an application level instead of port levels (stateful packet filtering wouldn't be any use unless used to block against an L7 packet match) (I'm sure you know the principles behind L7 filtering, just trying to make the thread readable to everyone!) But on ALL the public hotspots I've found there is NEVER anything of the sort; I'm guessing it's not financially viable to put that technology on the APs for a company that's buying and installing thousands of them!

    So for now anyway (and has been for a considerable time) it works well.

    And also, since it's usually one company with lots of IPs... (big ones are T-Mobile or BT Openzone, or The Cloud in the UK) you don't have to worry about different settings between places, as you know all the APs for one particular company's wifi implementation will be the same.

    Have fun ppl :)

  10. There's always DBAN.

    I'm sure many of you have it, but for those that haven't, it's a small bootable Linux distro that basically copies randomness from /dev/urandom (I think) to your HDD multiple times.

    Failing that, I find that a HDD, a small pile of thermite, a piece of magnesium ribbon, and a lighter, works very very well ;)

    Night people.

    TX
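The operation the post attributes to DBAN, written out as an added example (this is not DBAN's code): random data from os.urandom written over the whole target several times, with fsync after each pass and a read-back check afterwards. `target` may be a regular file or, run as root, a block device such as /dev/sdX; the demo function uses a temporary file it creates itself with constructed marker data, so it is safe to run. Two caveats a practitioner should keep in mind: on SSDs and other flash media an overwrite does not reach remapped or wear-levelled blocks (use the drive's built-in secure erase instead), and a file-level overwrite does not touch copies held in a filesystem journal or snapshot.

```python
"""Multi-pass random overwrite with a read-back check (added example, not DBAN's code)."""
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB writes


def _device_size(f):
    """Size of a file or block device: seek to the end rather than stat it,
    because os.path.getsize() reports 0 for a block device."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_random(target, passes=3):
    """Overwrite every byte of `target` with os.urandom data, `passes` times,
    calling fsync after each pass so the data is actually handed to the device.
    Returns the number of bytes written per pass."""
    with open(target, "r+b", buffering=0) as f:      # unbuffered: no stale copies in Python
        size = _device_size(f)
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                view = memoryview(os.urandom(n))
                while view:                          # FileIO.write may be partial
                    view = view[f.write(view):]
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_demo(marker=b"TOP SECRET PAYROLL ", copies=5000, passes=3):
    """Fill a temp file with a recognisable marker (constructed data), wipe it,
    and report whether the marker survived and whether the size is unchanged."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(marker * copies)
        original = os.path.getsize(path)
        with open(path, "rb") as f:
            found_before = marker in f.read()
        written = overwrite_random(path, passes)
        with open(path, "rb") as f:
            data = f.read()
        return {
            "found_before": found_before,
            "found_after": marker in data,
            "size_unchanged": len(data) == original == written,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(wipe_demo())
```

The read-back check only shows that the original bytes are gone from the logical view of the file or device; it says nothing about sectors the drive has remapped, which is exactly why a whole-disk tool still cannot vouch for flash storage.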

  11. There's also 'port stealing' (is what I think ettercap calls it) which is a different way of getting the same effect as ARP poisoning, just without needing to send ARP packets to the client. (As some client firewall software (although not many... Sygate PFP is the only one I have actively tested up to now) actually stop ARP attacks at the client side.) Therefore this allows pretty much the same attack to take place by only affecting the switch. (The downside is it's slower, and I should imagine from the way it works it would fall down under heavy load.)

    You could of course always beat the resident DHCP server to its job... ooor if you have physical access to the switch, there's nothing wrong with creating a bridge across two NICs on your lappy and sitting literally in between the connection.

    Other than that, I'm all out of ideas, so take this, and the other advice in this thread... and get yourself ettercap! (to start with... but you really should learn what ettercap does to make things easier on your brain if you can't get it to work ;))

    Cheers,

    TX

    PS,

    Just another thought... maybe sniffing SNMP communities, to see if you could enable port repeating/listening through a management MIB for that switch. (Ethereal will help you here too.. just remember access to SNMP can be restricted down to lists of IPs etc.)
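Why port stealing works without any ARP traffic, and why it is slower than ARP poisoning, is easiest to see against a model of what a switch actually does. The block below is an added example, not code from the post or from ettercap: a toy learning switch that records source MAC to port on every frame and forwards by destination MAC (flooding unknown destinations). The attacker "steals" the victim's port by transmitting frames whose source MAC is the victim's. It also shows the defender's side, the "MAC move" events a managed switch logs, which is how the attack is usually noticed. The MAC addresses and port numbers are made up for the demonstration.

```python
"""Toy learning switch: port stealing and its detection (added example, not ettercap code)."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst payload")

# Hypothetical addresses for the demo
VICTIM = "aa:aa:aa:aa:aa:01"    # victim on switch port 1
GATEWAY = "aa:aa:aa:aa:aa:02"   # gateway on switch port 2
ATTACKER = "aa:aa:aa:aa:aa:03"  # attacker on switch port 3


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}      # MAC -> port (the CAM / MAC address table)
        self.moves = []    # (mac, old_port, new_port): what a switch logs as a "MAC move"

    def receive(self, in_port, frame):
        """Learn the source, then return the list of ports the frame goes out of."""
        old = self.cam.get(frame.src)
        if old is not None and old != in_port:
            self.moves.append((frame.src, old, in_port))
        self.cam[frame.src] = in_port
        out = self.cam.get(frame.dst)
        if out is None:
            return [p for p in self.ports if p != in_port]   # unknown dst: flood
        return [out]


def flapping_macs(switch, threshold=1):
    """MACs that moved between ports more than `threshold` times: the tell-tale
    of port stealing (or of a genuine loop), which managed switches can alarm on."""
    counts = {}
    for mac, _, _ in switch.moves:
        counts[mac] = counts.get(mac, 0) + 1
    return {mac for mac, n in counts.items() if n > threshold}


def port_stealing_demo():
    sw = LearningSwitch(ports=[1, 2, 3])

    # Normal traffic populates the CAM: victim on port 1, gateway on port 2.
    sw.receive(1, Frame(VICTIM, GATEWAY, "hello"))
    sw.receive(2, Frame(GATEWAY, VICTIM, "reply"))
    before = sw.cam[VICTIM]

    # Step 1: the attacker on port 3 sends a frame with src=VICTIM. Destination is
    # the attacker's own MAC so the frame itself goes nowhere useful. No ARP involved.
    sw.receive(3, Frame(VICTIM, ATTACKER, "forged"))
    stolen = sw.cam[VICTIM]

    # A frame from the gateway to the victim is now delivered to the attacker's port.
    during = sw.receive(2, Frame(GATEWAY, VICTIM, "secret"))

    # Step 2: to hand the frame on, the attacker needs the victim to transmit
    # (ettercap provokes this with an ARP request), which re-learns the victim's
    # MAC on port 1; only then can the captured frame be replayed to the victim.
    # The replay re-learns the gateway's MAC on port 3 as a side effect, and the
    # whole cycle repeats for every frame: that race is why the technique is
    # slower than ARP poisoning and breaks down under load.
    sw.receive(1, Frame(VICTIM, GATEWAY, "arp-reply"))
    after = sw.receive(3, Frame(GATEWAY, VICTIM, "secret"))

    # Steal again so the victim's MAC has now moved more than once.
    sw.receive(3, Frame(VICTIM, ATTACKER, "forged"))

    return {"before": before, "stolen": stolen, "during": during,
            "after": after, "flapping": flapping_macs(sw)}


if __name__ == "__main__":
    print(port_stealing_demo())
```

The `flapping` result is the defender's view: a host MAC that keeps moving between two ports is what port-security and MAC-move notification features on managed switches are built to catch, and the same event pattern is absent from a classic ARP poison, which never changes the CAM table at all.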

  12. It's worrying how many people in here want to change SOMETHING, just because they're in: files, URLs, etc etc. The whole point is getting in, and understanding how you got in, and learning from that understanding.

    And yes, you should tell your admin (although do it anonymously for definite! no matter how well you get on with them!). I got suspended for a number of months, and then wasn't allowed to touch a computer in my college, or even bring an MP3 player / mobile with wifi / bluetooth into the building for the rest of the term (when I was allowed back).

    And all this was for gaining access to a few servers, the webserver mainly, and the financials package DB. (Didn't change anything, didn't even install the EXE for looking at the financials DB files.) And yet the admin who I got on v well with took a turn for the evil! No-one at that college understood 'hacker'; the only opinion was 'dangerous, trying to do as much evil as they can!'... ahh well.

    But yes, be happy you got in, tell someone, search for something else :P

    (Oh, and the question about setting the desktop background waaay back on page 1... I'm pretty sure mspaint > File > Set as Desktop BG still works. And from what I remember there's no GPO to disable it :P)

    Just my 10p... (wooow, that's 20p already today!)

    TX

  13. Hey,

    Decided to sign up to the forums purely for this thread (tho the shows are great ;P)

    First place I have stumbled across that also realised the wonders of port 53 in this situation.

    To expand on what aardwolf said, port 53 is indeed open; I suppose it's kinda needed to allow the first few pages of the captive portal where you can login or pay for minutes to be resolved to IP.

    Now there is 'tunneling over DNS' software out there, that allows you to set up a fake DNS server at home, and actually use DNS queries to this server to transmit/receive data. However, the software I have found is quite old and seems to be coded around getting approx 64kbps... which is crap.

    However (and here's the useful bit boys and girls) all of these captive 'pay-for' wifi portals don't seem to do any level 7 checking on port 53 (if at all) (i.e. nothing checks that what is flowing through port 53 IS actually DNS requests)

    so therefore, start SSH or a web proxy or a SOCKS proxy (even through SSH for security + encryption)... on port 53 at home (guessing you're not going to be hosting your own DNS server, therefore 53 should be free!) and then simply connect by editing your proxy settings from wherever you are to use your new proxy (be it Starbucks, Hilton's etc etc)

    No logins, no paying, no capturing passwords.. simple!

    (And if you need anonymity, you could always SSH through the wifi.. to your home box on 53... and then from there tunnel through Tor.. (It's not as complicated a setup as it sounds!))

    Anyway, just my 10p, for anyone that's bothered.

    Cheers,

    TX
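Posts 9 and 13 both turn on the same point: the hotspots let port 53 through but never check that what flows on it is DNS, so an SSH server or HTTP proxy listening on 53 at home walks straight past the captive portal. The block below is an added example of the level 7 check those posts say is missing; it is not code from the posts or from any hotspot vendor. It parses one message the way a gateway would (TCP DNS carries a 2-byte length prefix, UDP does not), validates the header fields and walks the question section, then classifies the payload. The sample payloads are constructed here, not captured: one UDP and one TCP lookup, an SSH banner and an HTTP CONNECT request, which is what "SSH or a web proxy on port 53" looks like on the wire, plus a truncated message.

```python
"""Is the traffic on port 53 actually DNS?  (added example, not a vendor's code)"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")          # id, flags, qdcount, ancount, nscount, arcount
VALID_OPCODES = {0, 1, 2, 4, 5}                 # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}            # IN, CH, HS, NONE, ANY


def _skip_name(msg, off):
    """Return the offset just past the name at msg[off:], or None if malformed."""
    while True:
        if off >= len(msg):
            return None
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # compression pointer (2 bytes)
            return off + 2 if off + 1 < len(msg) else None
        if length > 63:                          # labels are at most 63 octets
            return None
        off += 1 + length


def looks_like_dns(payload, over_tcp):
    """True if `payload` parses as a single well-formed DNS message."""
    msg = payload
    if over_tcp:
        if len(payload) < 2:
            return False
        (mlen,) = struct.unpack("!H", payload[:2])
        # Assumes the whole message is in this payload; a real inspector
        # reassembles the TCP stream first.
        if mlen < DNS_HEADER.size or mlen > len(payload) - 2:
            return False
        msg = payload[2:2 + mlen]
    if len(msg) < DNS_HEADER.size:
        return False
    _txid, flags, qd, _an, _ns, _ar = DNS_HEADER.unpack_from(msg)
    if (flags >> 11) & 0xF not in VALID_OPCODES:
        return False
    if flags & 0x0040:                           # reserved Z bit must be zero
        return False
    off = DNS_HEADER.size
    for _ in range(qd):                          # walk every question entry
        off = _skip_name(msg, off)
        if off is None or off + 4 > len(msg):
            return False
        _qtype, qclass = struct.unpack_from("!HH", msg, off)
        if qclass not in VALID_QCLASSES:
            return False
        off += 4
    return True


def classify_port53(payload, over_tcp):
    return "dns" if looks_like_dns(payload, over_tcp) else "not-dns"


def build_query(qname, qtype=1, txid=0x1234, over_tcp=False):
    """Build a plain one-question DNS query with RD=1 (constructed sample input)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg if over_tcp else msg


# Constructed samples (hostnames are placeholders, not real hosts).
SAMPLES = {
    "udp-query": (build_query("portal.example.net"), False),
    "tcp-query": (build_query("portal.example.net", qtype=28, over_tcp=True), True),
    "ssh-banner": (b"SSH-2.0-OpenSSH_9.6\r\n", True),
    "http-connect": (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com\r\n\r\n", True),
    "truncated": (build_query("portal.example.net")[:15], False),
}


def classify_samples():
    return {name: classify_port53(p, tcp) for name, (p, tcp) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} {verdict}")
```

A syntactic check like this stops the raw SSH-on-53 and proxy-on-53 trick, because neither an SSH banner nor an HTTP request survives the length prefix and header parse. It does not stop the "tunneling over DNS" software the post mentions, which deliberately emits well-formed queries; catching that needs volume, query-rate and name-length heuristics, or, simpler, forcing unauthenticated clients to the portal's own resolver and blocking direct port 53 egress altogether.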
