beakmyn Posted March 19, 2009

Well if Renderman can make Teddy Net. No reason I couldn't dress up my picture frame with a corporate logo and leave it at the front desk of some Fortune 500 company. http://www.flickr.com/photos/9762454@N04/3363046870/

However there is one caveat that I see. Many corporations are now running software/hardware/IDS that will shut down the port when it sees an "unauthorized" MAC address. So, you may want to take that into consideration. It would be great if you use the LED covertly to indicate when the MAC is cloned. I.E.: unplug the existing device. Plug it into Interceptor. Interceptor detects connection and runs a script to clone the MAC of the device then turns on LED or say LED is replaced with a small pager motor (kind with the offset weight so it vibrates). Then plug the interceptor into the wall and you're set. The IDS system doesn't see a new device and everyone is happy.

digininja Posted March 19, 2009

I think you might have the theory a bit wrong for the Interceptor. The idea is that it goes inline, between say a printer and a switch not just into a spare network port. It then bridges the traffic and clones it out over the wireless. Because it is bridging the traffic the fon itself never actually sends traffic.

If we wanted to move from passive to active then we may need to clone a MAC address but as we've already sniffed all the traffic going over the bridge we can just use a MAC address of one of the devices we've seen. If we went for the printer attack then we could take down the bridge and become the printer. No worries about duplicate MAC addresses on the network then.

beakmyn Posted March 19, 2009

> I think you might have the theory a bit wrong for the Interceptor. The idea is that it goes inline, between say a printer and a switch not just into a spare network port. It then bridges the traffic and clones it out over the wireless. Because it is bridging the traffic the fon itself never actually sends traffic. If we wanted to move from passive to active then we may need to clone a MAC address but as we've already sniffed all the traffic going over the bridge we can just use a MAC address of one of the devices we've seen. If we went for the printer attack then we could take down the bridge and become the printer. No worries about duplicate MAC addresses on the network then.

I see. I was thinking that it might be seen as a new device on the network. Missed the bridging part. It wasn't the duplicate I was worried about; it was the IDS seeing a MAC on the port. One client I've done work for has it set up that if the MAC address changes on the port then it detects it as an intrusion and shuts down the port. I.E. you unplug say a printer and plug in your laptop. Took us an hour to get the port turned back on.

lawn dart Posted March 19, 2009

It is possible to detect passive devices, but difficult (TDR 'n' stuff). I work on corporate systems a great deal and it is almost never done. Wireless IPS however, is becoming much more common. The ability to detect the presence of a WiFi signal, encoded or not might get sniffed. The drones do sometimes look for this stuff, even find it sometimes. Some Wireless IPS can triangulate the device's location, even flood the channel with noise. There is always a way.

Seshan Posted March 19, 2009

It's a monkey in the middle attack! :D

digininja Posted March 19, 2009

> I see. I was thinking that it might be seen as a new device on the network. Missed the bridging part. It wasn't the duplicate I was worried about; it was the IDS seeing a MAC on the port. One client I've done work for has it set up that if the MAC address changes on the port then it detects it as an intrusion and shuts down the port. I.E. you unplug say a printer and plug in your laptop. Took us an hour to get the port turned back on.

No, it isn't really on the network so it shouldn't get detected. The bit about cloning the MAC is that if you are between a printer and switch and want to start using the network rather than just sniffing you can get the MAC of the printer and then put it onto the Fon then stop routing traffic through to the printer. That way you don't introduce a new MAC to the network and you don't have the problem with duplicate MACs which you would have if you just cloned a random one you found in some other way. The MAC also doesn't move switch port which is another way the Fon may be given away if a MAC suddenly jumps from one port to another.

The detection of the wireless is possibly the easiest way to spot something is going on but that will only really be useful to larger companies. Smaller ones aren't going to be able to afford the kit to triangulate a rogue AP so would just know that some wireless traffic is there. In a shared office there is no way to know if it is from your office or from next door.

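The two switch-side checks discussed in this thread (a port whose MAC changes, and a MAC that jumps to another port), shown as monitoring logic in an added example that is not part of any post. The event format, port names and MAC addresses are constructed, and flagging a link drop followed by the same MAC is an assumption of this sketch: it is the only one of the three alerts that fires when MAC and port both stay the same, as in the inline case described above.

```python
from collections import namedtuple

# kind is "link_down" or "mac_seen"; mac is None for link events.
Event = namedtuple("Event", "ts kind port mac")

# Constructed sample events (ports and MACs are made up for this example).
SAMPLE = [
    Event(0, "mac_seen", "Gi0/1", "00:11:22:33:44:55"),    # printer
    Event(1, "mac_seen", "Gi0/2", "66:77:88:99:aa:bb"),    # desktop
    Event(100, "link_down", "Gi0/1", None),                # cable pulled...
    Event(131, "mac_seen", "Gi0/1", "00:11:22:33:44:55"),  # ...same MAC returns
    Event(200, "link_down", "Gi0/2", None),
    Event(206, "mac_seen", "Gi0/2", "de:ad:be:ef:00:01"),  # different device
    Event(300, "mac_seen", "Gi0/3", "66:77:88:99:aa:bb"),  # desktop MAC elsewhere
]

def analyze(events):
    """Return (ts, port, reason) alerts in time order."""
    baseline = {}     # port -> first MAC learned there (sticky-MAC style)
    last_port = {}    # MAC -> port it was last seen on
    relinked = set()  # ports whose link dropped since their last MAC sighting
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "link_down":
            relinked.add(ev.port)
            continue
        if ev.kind != "mac_seen":
            continue
        if last_port.get(ev.mac, ev.port) != ev.port:
            alerts.append((ev.ts, ev.port, "mac_moved"))
        known = baseline.setdefault(ev.port, ev.mac)
        if known != ev.mac:
            alerts.append((ev.ts, ev.port, "mac_changed"))
        elif ev.port in relinked:
            alerts.append((ev.ts, ev.port, "relink_same_mac"))
        relinked.discard(ev.port)
        last_port[ev.mac] = ev.port
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```
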
digip Posted March 19, 2009

So the Interceptor is kind of like a dumb hub that just repeats the signal on a network segment, only it's smart enough for you to log on wirelessly to see the traffic?

digininja Posted March 19, 2009

Kind of. The current setup just clones traffic off onto the wireless and that is in what we are calling "passive mode" i.e. you aren't interacting with the fon, the network or the traffic. In "active mode" you can ssh to the fon and then you are on the network so you can do whatever you want, add iptables rules to affect traffic or just act like you would on any network. You can even set up a port relay so you can proxy through it.