
Other containers


beakmyn

Well if Renderman can make Teddy Net. No reason I couldn't dress up my picture frame with a corporate logo and leave it at the front desk of some Fortune 500 company.

http://www.flickr.com/photos/9762454@N04/3363046870/

However, there is one caveat that I see. Many corporations are now running software/hardware/IDS that will shut down the port when it sees an "unauthorized" MAC address. So, you may want to take that into consideration. It would be great if you use the LED covertly to indicate when the MAC is cloned. I.e.:

Unplug the existing device. Plug it into Interceptor. Interceptor detects connection and runs a script to clone the MAC of the device, then turns on the LED, or say the LED is replaced with a small pager motor (the kind with the offset weight so it vibrates). Then plug the Interceptor into the wall and you're set. The IDS system doesn't see a new device and everyone is happy.

Link to comment

I think you might have the theory a bit wrong for the Interceptor. The idea is that it goes inline, between say a printer and a switch not just into a spare network port. It then bridges the traffic and clones it out over the wireless. Because it is bridging the traffic the fon itself never actually sends traffic.

If we wanted to move from passive to active then we may need to clone a MAC address but as we've already sniffed all the traffic going over the bridge we can just use a MAC address of one of the devices we've seen. If we went for the printer attack then we could take down the bridge and become the printer. No worries about duplicate MAC addresses on the network then.

Link to comment

> I think you might have the theory a bit wrong for the Interceptor. The idea is that it goes inline, between say a printer and a switch not just into a spare network port. It then bridges the traffic and clones it out over the wireless. Because it is bridging the traffic the fon itself never actually sends traffic.
>
> If we wanted to move from passive to active then we may need to clone a MAC address but as we've already sniffed all the traffic going over the bridge we can just use a MAC address of one of the devices we've seen. If we went for the printer attack then we could take down the bridge and become the printer. No worries about duplicate MAC addresses on the network then.

I see. I was thinking that it might be seen as a new device on the network. Missed the bridging part. It wasn't the duplicate I was worried about; it was the IDS seeing a MAC on the port. One client I've done work for has it set up so that if the MAC address changes on the port then it detects it as an intrusion and shuts down the port. I.e., you unplug, say, a printer and plug in your laptop. Took us an hour to get the port turned back on.

Link to comment

It is possible to detect passive devices, but difficult (TDR 'n' stuff). I work on corporate systems a great deal and it is almost never done. Wireless IPS, however, is becoming much more common. The ability to detect the presence of a WiFi signal, encoded or not, might get sniffed. The drones do sometimes look for this stuff, even find it sometimes.

Some Wireless IPS can triangulate the device's location, even flood the channel with noise. There is always a way.

Link to comment

> I see. I was thinking that it might be seen as a new device on the network. Missed the bridging part. It wasn't the duplicate I was worried about; it was the IDS seeing a MAC on the port. One client I've done work for has it set up so that if the MAC address changes on the port then it detects it as an intrusion and shuts down the port. I.e., you unplug, say, a printer and plug in your laptop. Took us an hour to get the port turned back on.

No, it isn't really on the network so it shouldn't get detected.

The bit about cloning the MAC is that if you are between a printer and switch and want to start using the network rather than just sniffing, you can get the MAC of the printer and then put it onto the Fon, then stop routing traffic through to the printer. That way you don't introduce a new MAC to the network and you don't have the problem with duplicate MACs which you would have if you just cloned a random one you found in some other way. The MAC also doesn't move switch port, which is another way the Fon may be given away if a MAC suddenly jumps from one port to another.

The detection of the wireless is possibly the easiest way to spot something is going on but that will only really be useful to larger companies. Smaller ones aren't going to be able to afford the kit to triangulate a rogue AP so would just know that some wireless traffic is there. In a shared office there is no way to know if it is from your office or from next door.

Link to comment
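
An added example, not written by anyone in the thread: a small sketch of the switch-side checks the posts above mention (a new MAC on a port, a duplicate MAC, a MAC jumping from one port to another), run over constructed MAC-table snapshots. Port names, MAC addresses and the snapshot format are assumptions.

```python
from dataclasses import dataclass

# Constructed snapshots (assumed format): switch port -> MACs learned on it.
BASELINE = {
    "Gi0/1": {"00:11:22:33:44:01"},  # printer
    "Gi0/2": {"00:11:22:33:44:02"},  # desk PC
    "Gi0/3": {"00:11:22:33:44:03"},  # phone
}
CURRENT = {
    "Gi0/1": {"00:11:22:33:44:01"},  # unchanged
    "Gi0/2": {"66:77:88:99:aa:bb"},  # a different device was plugged in
    "Gi0/3": set(),                  # phone unplugged here...
    "Gi0/4": {"00:11:22:33:44:03"},  # ...and its MAC appears on another port
    "Gi0/5": {"00:11:22:33:44:01"},  # printer MAC also live on Gi0/1
}


@dataclass(frozen=True)
class Alert:
    kind: str    # mac_unknown | mac_moved | mac_duplicate
    port: str
    mac: str
    detail: str = ""


def compare(baseline, current):
    """Return alerts for MACs that are new to a port in `current`."""
    home = {mac: port for port, macs in baseline.items() for mac in macs}
    alerts = []
    for port in sorted(current):
        for mac in sorted(current[port] - baseline.get(port, set())):
            if mac not in home:
                # Never seen before: the "unauthorized MAC" case.
                alerts.append(Alert("mac_unknown", port, mac))
            elif mac in current.get(home[mac], set()):
                # Same MAC learned on two ports at once.
                alerts.append(Alert("mac_duplicate", port, mac, f"also on {home[mac]}"))
            else:
                # Known MAC left its baseline port and showed up here.
                alerts.append(Alert("mac_moved", port, mac, f"was on {home[mac]}"))
    return alerts


def ports_to_review(alerts):
    """Ports where a policy like the one described would act."""
    return sorted({a.port for a in alerts})


if __name__ == "__main__":
    for alert in compare(BASELINE, CURRENT):
        print(alert)
```

Gi0/1 raises no alert because the MAC learned there is unchanged; a check of this kind only sees what the switch learns, so it says nothing about a device that sends no frames of its own, which is why the thread also discusses wireless detection.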

So the Interceptor is kind of like a dumb hub that just repeats the signal on a network segment, only it's smart enough for you to log on wirelessly to see the traffic?

Link to comment

Kind of.

The current setup just clones traffic off onto the wireless and that is in what we are calling "passive mode", i.e. you aren't interacting with the fon, the network or the traffic. In "active mode" you can ssh to the fon and then you are on the network so you can do whatever you want, add iptables rules to affect traffic or just act like you would on any network. You can even set up a port relay so you can proxy through it.

Link to comment