Everything posted by billyblaxsta

  1. AIUI in theory two duplicate MAC addresses on the same network will cause problems. Imagine, for example, that for a pay wireless service, a user spoofs his MAC address to appear the same as that of a paying user to get free service (with the client MAC information obtained from airodump-ng). What might happen in reality (rather than in theory) considering there are now two IPs that share one MAC? Thanks.
  2. Here is an interesting article from 2005: http://www.wired.com/politics/security/news/2005/07/68370 "It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it." Does anyone still read e-mail through the TV (in hotels)? Does this facility even exist?
  3. Hi, I have a couple of questions about Firesheep. AIUI, it works when - although the logon is HTTPS - the cookie sent by the server immediately after the logon is finished is sent through HTTP. Therefore, Firesheep is defeated by constant HTTPS (as can happen in Gmail and Facebook for example). What I do not understand having read (http://codebutler.com/firesheep) is whether the Firesheep user is operating as a MITM in order to obtain the session cookie. In the episode (http://hak5.org/episodes/episode-906) it looks as if Shannon is using Cain to ARPspoof Darren before using Firesheep. However, there is no mention of ARPspoofing on the coder's site and instead he says "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy." Is this really the situation? Why would a cookie be sent to anyone on the wireless network rather than to the actual client who has just logged in? And, therefore, how exactly does Firesheep obtain the session cookie? Thanks.
  4. OK. Thanks. So for point a) you are saying the ARP cache lists both spoofed and non-spoofed machines? Because obviously the gateway is not being spoofed but is included in the table. I am not quite sure what you mean in point c). I don't think there is any filtering going on. It's just that some machines in that list are wireless clients while others have very similar MAC addresses to the MAC of the AP to which I was connected. Maybe they are other APs? Would that be a viable interpretation?
  5. It was done on my friend's office network with his permission. So it's not hypothetical in one sense but it's hypothetical inasmuch as it's not an actual attack. I would still like to know the answers.
  6. Is there a rough number of computers one can arpspoof by broadcasting your MAC as the router before the whole network collapses? I realise this depends on the attacker's computer so let's just say an average laptop - nothing special. Any personal experiences of arpspoofing multiple computers would be appreciated.
  7. Hello, Let's assume that someone was arpspoofing a network and ran (using Ubuntu) arp -a. The network is a large open wireless and many clients have joined it. An edited version of the results is:

        ? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
        ? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
        ? (192.168.3.239) at <incomplete> on wlan0
        ? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
        nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0   #this is the gateway
        ? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
        ? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
        ? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0

     Three questions. a) I assume these are the IPs and MAC addresses of the people going through the arpspoofer (as he is the MITM)? Correct? b) What does <incomplete> signify - why is there no MAC? c) You will notice that 192.168.4.29, 192.168.4.25, and 192.168.4.39 have very similar MAC addresses and all begin 192.168.4.x. The AP the hypothetical arpspoofer was connected to was 00:14:0d:22:18:05. Obviously these three IPs are on the same subnet as the gateway device (192.168.4.1). I assume these are clients that are quite possibly permanently connected. Could they be wired machines? Thanks.
  8. If someone was arpspoofing a network and someone else came along and also started arpspoofing the very same network would both parties be competing for the traffic or would something else weird happen?
  9. Thanks - that worked great. I just had to add an '{' before the $xxx. I'm just wondering how to add to the hello.txt file each time a new xxx and yyy variable is entered in the text boxes. At the moment hello.txt overwrites the previous entry with the newer ones.
  10. I am on the sixth floor and I note that clients looking for networks (which are not in my building) sometimes connect to the Fon. Presumably - the reason I am the strongest signal - is because the AP they are looking for is not in the vicinity hence I am the strongest.
  11. This is something I have been confused about for some time. Take a major company. Its employees have john_smith@company.com (for example). But what I don't really understand is where the employees login to access their e-mails. How would a person who doesn't work for the company find out? I know you can try exchange, mail, webmail (etc) .company.com but if they do not work then what? Of course, the company may use a third party service. I am just wondering how you would find out where people login to for example the BBC, or NBC, or CNN, or any major company?
  12. There are lots of public hotspots which charge a fee. One UK example is BT Openzone (http://www.btopenzone.com/) They must cover most of the country. What I would be interested to know is how can these hotspots prevent ARPspoofing? They must surely be an attractive target especially at places like airports and train stations. Or do the owners of such commercial companies not care? Perhaps nothing can be done?
  13. Thank you - that was a most illuminating response.
  14. My knowledge of PHP is basically nonexistent (yes I am embarrassed about this) which is why this script does not work. I want to take two variables (variable1 and variable2) submitted by a client and then have the file (hello.txt) saved on the host. But nothing saves. If I add some HTML redirect script then it will redirect to that page - but, as mentioned, nothing saves onto the host.

        <?php
        // Read the two values submitted by the form (empty if either is missing).
        $xxx = isset($_POST['variable1']) ? $_POST['variable1'] : '';
        $yyy = isset($_POST['variable2']) ? $_POST['variable2'] : '';
        $stuff = $xxx . " -- " . $yyy;

        // Open hello.txt for appending so earlier entries are kept. Without the
        // '@' suppressors, a failure (e.g. the web server cannot write to this
        // directory) is reported instead of silently ignored.
        $filed = fopen("hello.txt", "a+");
        if ($filed !== false) {
            fwrite($filed, $stuff . "\n");  // one entry per line
            fclose($filed);
        }
        ?>
        [some HTML redirect code here]

     (The original had a stray closing brace after fclose, which is a parse error, so the script never ran.)
  15. I need to be more clear. I didn't mean an internet cafe just a regular cafe or restaurant where you can pay with a credit or debit card via a terminal. I'm just wondering what else a WPA2 could be for if not the point of sale terminal.
  16. We know that the Jasager pretends to be the unencrypted SSID that the client is trying to connect to. But - what I am wondering - is why would the client connect to the Jasager when the client will no doubt receive a response from the genuine AP. In other words: what factors are important in ensuring that the client connects to the Jasager rather than its real AP? (I am assuming we have an unencrypted network). Would not the power of the Jasager be less than a (perhaps nearer) real AP for example?
  17. Quite often when I am in a cafe or restaurant and I look at the available wireless networks on my BlackBerry there will be something like: NAME_OF_CAFE which will be a WPA(2) Personal. Since I doubt this is for the cafe staff to have fun with am I correct to assume that it will be the Point Of Sale credit-card system? Thanks.
  18. Hello, I am wondering how computer security is different to say 10 or 5 years ago. I am not talking about the days of X.25 networks but a bit more recently. Obviously the popularity of wifi is new. But - for the people who have been around for a few years - what are the big differences to say 2000 or 2005? Thanks.
  19. Thanks for the information. So let's say that the sysadmin says: "I see that 192.168.1.100 at MAC address 00:21:34:8C:7A:DD is pretending to be the router. I know he is somewhere in the building but I can see 50 people using their laptops." How could the sysadmin find the person?
  20. Anyone who has ever used Kismet will know that there are a lot of "cloaked" or <ssid 0> networks out there. Some are open, some have WEP, and some WPA. Using a tool like Kismon (http://www.salecker.org/software/kismon/en) one can put the MACs in order so it becomes obvious that <ssid 0> is actually affiliated with nameofcompany_guest since the MACs are so similar. Is it possible to find out what the name of the <ssid 0> is since (I assume) it is impossible to even think about connecting without the name? Thanks.
  21. Thanks for the links - the searchsecurity looks most interesting. However, it seems to be referring to "rogue APs". If you were using Jasager or similar then indeed you would be a rogue AP. But what if you were a client just sending out arpspoofing packets and not trying to be an AP?
  22. Imagine that Alex is sitting in a cafe or library or train and is ARPspoofing or transmitting any kind of "negative" packets (such as deauthentication packets). If the network administrator noticed that the MAC of the router has changed or that clients were being deauthenticated from the AP then could he successfully trace the source of the packets? And, if so, how? Thanks - I have been curious about this for a while!
  23. Hello, It is clear there are a number of limitations to Jasager (such as clients that require encryption will never receive an IP from the Pineapple). Even with clients that are searching for "open" networks it seems that a number of factors need to work in order to have any success. I have a very simple question: Is the Jasager a Proof Of Concept or is it something that people reading this have actually had real-world success with? For example: clients connect to the Jasager (assuming they are connected to their desired network) and people enter their webmail login details? Thanks.
  24. Thanks guys - I understand a bit more now. I see the point about how distance is not relevant since - as long as you are on the LAN - you are broadcasting the message that you are the router to all clients. Let's take a "hypothetical". Alex is the ARPspoofer and is in a cafe where he can see Bob and Carly surfing the Net. He has already Arpspoofed and is using SSL Strip. He can see both logging in to various webmails and suchlike but for some reason he is only getting the SSL login details for Bob. He knows there is only one router IP in that building so it cannot be that Carly is on a different subnet. What could be happening? The only thing that I can think of is that this is not an ARPspoofing issue but a SSL Strip issue and for some reason SSL Strip does not properly work (perhaps because too much traffic is going through Alex's machine considering he is broadcasting the ARPspoof). Might there be other causes why Carly's logins are not recorded?
  25. http://forums.hak5.org/index.php?showtopic=20750&pid=183290&st=0entry183290 Check the second post for a good link.
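Added example (not from the thread or any poster): the defender's side of posts 7, 19 and 22. It parses the arp -a lines quoted in post 7, reports <incomplete> entries (an ARP request that got no reply), and flags the two symptoms an admin would look for: the gateway IP resolving to a different MAC than before, and one MAC answering for several IPs. The second snapshot is constructed, reusing the MAC from post 19 as the new "gateway".

```python
import re
from collections import defaultdict

# Constructed sample: the arp -a output quoted in post 7 (192.168.4.1 is the gateway).
BASELINE = """\
? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0
"""
# Constructed later snapshot: the gateway now resolves to the MAC from post 19, which also appears on that host's own IP.
LATER = BASELINE.replace("00:12:11:44:13:f1", "00:21:34:8C:7A:DD") + \
    "? (192.168.1.100) at 00:21:34:8C:7A:DD [ether] on wlan0\n"
ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}|<incomplete>)")

def parse_arp(text):
    """Return (ip -> mac) for resolved entries, plus the IPs shown as <incomplete>:
    the kernel sent an ARP request for that IP and got no reply, so no MAC is known."""
    table, unresolved = {}, []
    for m in filter(None, map(ARP_LINE.match, text.splitlines())):
        ip, mac = m.group("ip"), m.group("mac").lower()  # normalise case for comparison
        if mac == "<incomplete>":
            unresolved.append(ip)
        else:
            table[ip] = mac
    return table, unresolved

def shared_macs(table):
    """MACs claimed by more than one IP: a host answering ARP for addresses it does not own."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def analyse(baseline_text, later_text, gateway_ip):
    """Diff two snapshots: report a gateway MAC change and any MAC shared by several IPs."""
    base, _ = parse_arp(baseline_text)
    cur, unresolved = parse_arp(later_text)
    findings = []
    old, new = base.get(gateway_ip), cur.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} moved from {old} to {new}")
    for mac, ips in shared_macs(cur).items():
        findings.append(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    return findings, unresolved
```

The MAC that shows up under the gateway's IP is the spoofer's real hardware address, which is what the admin in post 19 would then look up in the AP's or switch's client table to find the machine.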