
Finding your target


iNFERNoN


I recently went through an awesome article in hakin9 magazine that uses a MITM attack to sniff SSL traffic...

At any rate, it got me thinking about how you would go about ID'ing your victim. Assuming that you don't have access to the DHCP server and the host names on the network don't resolve to anything worthwhile, how would you figure out which machine belonged to your target? I'm assuming that you can poison the ARP cache so that all traffic on the network is routed through your machine and use deductive reasoning to ID the box, but I'm thinking that there are less detectable and easier ways to accomplish this.

Any ideas?


Depends. In the context of (say) a classroom, computers are often named numerically and laid out physically in order.


I got the issue yesterday, looking forward to reading that article. If you are pen testing a network you are "unfamiliar" with, the location of the machines may be irrelevant, but during your pen testing you may "discover" more information that will help you deduce the machine's location.


Gotcha. I was thinking more from a pentesting perspective. If you didn't know anything about your target's network, but were looking for a specific host, how would you go about identifying that box?

Wired or Wireless? Because there are different tools for each that will get you different results. Wireless is the easiest of the two when trying to finger a target system's info. Wired may be harder if they are on a switched network; you shouldn't be able to see any other devices unless they were broadcasting their info across the LAN. Routers will just forward the packets to each node on the LAN checking to see if you are the endpoint the sender is looking for, making it easier to see what is on the wire.

If you already did a MITM attack on someone, and that is the target you want to continue going after again and again at a later date, the IP address of the machine will most likely change next time they get an address from the DHCP server or router on the LAN, but unless they are actively spoofing their MAC address on a regular basis, the MAC address for the target will always be the same. So I would say the MAC address is the first easy thing to identify and record for later use. Logical and physical topology play a role in identification, as well as the type of LAN you are on (switched, bridged, routed, wifi, token ring, etc).

Watching packets with wireshark you will also be able to see things most people do not think about your computer broadcasting to the world. If the system is a windows machine and they left Netbios and ICS/Firewall services on (which are on by default on windows xp machines) then when they connect to the network, they will often broadcast the name of their machine or netbios share name over the LAN. (Block the netbios ports with your firewall and turn off both Netbios and ICS to stop this from happening.)

You can also try things like nmap or any of the tools on the BT3 disc for further network testing.

If you are in a room of machines, being able to tell the one on the left of you from the one on the right of you is about impossible without physical access or some way to identify the machine in some logical manner, like each machine numbered with an asset tag or identifier that set them up around the room, and you can verify it against your findings on the network. If you know the person sitting at a machine, and say, intercept an email or IM that can identify the user, then you can obviously identify the target machine.

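Since the posts above lean on ARP cache poisoning and on the MAC address as the one stable identifier on a LAN, here is the defender's side of that picture: a small detector, added as an example that is not code from this thread or from any poster, which parses raw ARP reply frames from a capture and flags the two symptoms a poisoned LAN shows (an IP whose MAC suddenly changes, and one MAC answering for several IPs). Every frame, address and timestamp below is constructed sample input, and the function, class and constant names are this example's own assumptions, not any tool's API.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2          # ARP "oper" field value for a reply


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply seen on the wire: who claims which IP, and when."""
    ts: float
    sender_ip: str
    sender_mac: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_reply(ts: float, frame: bytes):
    """Parse one Ethernet frame; return an ArpReply for IPv4 ARP replies, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    # Only Ethernet/IPv4 replies matter here; requests carry no claim about a MAC.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return ArpReply(ts, _ip(spa), _mac(sha))


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return alert strings for IP->MAC flips and for MACs claiming too many IPs.

    max_ips_per_mac exists because a host with IP aliases or a router with
    several addresses legitimately answers for more than one IP; raise it to
    match your network's baseline instead of treating every case as an attack.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={r.ts}: {r.sender_ip} changed from {prev} to {mac}")
        ip_to_mac[r.sender_ip] = mac
        mac_to_ips[mac].add(r.sender_ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={r.ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


def scan_capture(capture, max_ips_per_mac=1):
    """capture is a list of (timestamp, raw_frame_bytes) pairs, as a sniffer would hand over."""
    replies = [p for p in (parse_arp_reply(ts, f) for ts, f in capture) if p is not None]
    return detect_arp_poisoning(replies, max_ips_per_mac)


def _reply_frame(sender_mac: str, sender_ip: str) -> bytes:
    """Build a constructed ARP reply frame purely as sample input for the parser."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tha = bytes.fromhex("aabbcc000042")       # constructed: the listening host's MAC
    tpa = bytes([10, 0, 0, 42])               # constructed: the listening host's IP
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)
    return eth + arp


# Constructed capture: 10.0.0.1 (the gateway) and 10.0.0.23 answer normally, then
# at t=3.0 a third MAC starts answering for both of them, which is what a
# poisoned cache looks like from the wire. The 60 zero bytes are a non-ARP frame
# that the parser must ignore.
SAMPLE_CAPTURE = [
    (1.0, _reply_frame("aa:bb:cc:00:00:01", "10.0.0.1")),
    (2.0, _reply_frame("aa:bb:cc:00:00:23", "10.0.0.23")),
    (2.5, b"\x00" * 60),
    (3.0, _reply_frame("de:ad:be:ef:00:99", "10.0.0.1")),
    (3.5, _reply_frame("de:ad:be:ef:00:99", "10.0.0.23")),
    (4.0, _reply_frame("aa:bb:cc:00:00:42", "10.0.0.42")),
]

if __name__ == "__main__":
    for line in scan_capture(SAMPLE_CAPTURE):
        print(line)
```

The detector keeps only the IP-to-MAC table it has built from replies, so it raises nothing on a quiet LAN and fires within one frame of a flip; running it over a live capture is a matter of feeding `scan_capture` the frames a sniffing library hands back instead of `SAMPLE_CAPTURE`.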

Generally, you can do a port scan to figure out what services and OS the machine is running, and from that you can (usually) derive its purpose, but for actually being able to ID exactly which machine belongs to which IP/MAC, you don't know.


The name of the PC might give some hint, but I don't like your chances. i.e.: Front counter, etc.

Poor choice, I know, except I've seen it done. Possibly named after employees too. Give them a call, ask for "x", ask what department they are in and where in the building you can find them for a "meeting".

I <3 social engineering.


Someday I'm going to run a massive company, just so I can fk with my employees by social engineering the company to the ground lol


You can bet most employees will be easily fooled. The locals here are incredibly susceptible. I often have to social engineer to get information I am entitled to have, but the person on the other end is dumb as dog shit, so I have to lie as to who I am to get it.
