Penetration Testing mailing list archives

RE: Lan access via wifi


From: "John Forristel (SunGard-Chico)" <John.Forristel () sungardbi-tech com>
Date: Mon, 6 Jun 2005 11:19:24 -0700

I would do a few things:

I would fire up a good sniffer (tcpdump, etc) and see what kind of
traffic is coming across.  Is it Windows only?  Novell?

I would run NMAP against the whole subnet and see what is really open.
There must be something to talk to, otherwise there is no point of
having the DMZ.  

Depending on the machines I found, I would enumerate them and see if
they were routers, PCs, etc.  I would check for null or same-as-login
passwords.

Using just \\ipaddress\ probably wouldn't work very well; I'd be trying
to create a null session with "net use \\ipaddress\ipc$ " and see if
that gets you a response.  If I got there, I would use a variety of
tools to discover other information about the machines.  I'd make sure I
documented all of these tests; that is a major issue.

John

-----Original Message-----
From: Sherwyn Williams [mailto:sherwill22 () tmail com] 
Sent: Monday, June 06, 2005 3:47 AM
To: pen-test () securityfocus com
Subject: Lan access via wifi

Scenario:

Doing a pentest, the client has a wifi router that is not encrypted and 
is giving out DHCP addresses to any wifi client with a compatible card. 
Now my question is, once I received an IP address and pinged a few 
internal clients, what would be a good way for me to gain access to 
this internal network?

I tried //ipaddress/ because there is no machine name in the DHCP 
routing table. Could not connect that way. I even tried to open up 
certain ports by putting the machine on the router DMZ and did a scan 
with the security features disabled, but still there are no open ports.

Thanks in advance.



Sherwyn Williams
Technical Consultant
(917) 650-5139
Sherwill22 () tmail com
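Seen from the network owner's side, the sequence John describes (an nmap run over the whole subnet, then null-session attempts at \\ipaddress\ipc$) is easy to pick out of a sniffer trace: one freshly leased wireless client sending SYNs to many hosts, a good share of them on 139/445. The script below is an added example for readers of the thread, not code from either poster; it parses constructed tcpdump-style lines (no real capture) and flags sources that behave that way. The DHCP pool range (192.168.1.100-199) and the two thresholds are assumptions.

```python
"""Flag wireless clients sweeping the LAN from tcpdump-style text (added example).

Keeps only TCP SYNs (Flags [S]), i.e. new connection attempts, and reports any
source that touches many distinct hosts, or many hosts on SMB ports, which is
what a subnet scan followed by IPC$ null-session probing looks like on the wire.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumed address range the open access point hands out via DHCP.
WIFI_POOL = (ip_address("192.168.1.100"), ip_address("192.168.1.199"))
SMB_PORTS = {139, 445}
HOST_THRESHOLD = 5  # distinct hosts contacted before it counts as a sweep (assumed)
SMB_THRESHOLD = 3   # distinct hosts probed on SMB ports (assumed)

# Constructed sample in tcpdump's default TCP line format; not from any real network.
SAMPLE_CAPTURE = """\
11:19:01.000101 IP 192.168.1.105.51000 > 192.168.1.1.80: Flags [S], seq 1, win 64240, length 0
11:19:01.000202 IP 192.168.1.105.51001 > 192.168.1.2.445: Flags [S], seq 1, win 64240, length 0
11:19:01.000303 IP 192.168.1.105.51002 > 192.168.1.3.445: Flags [S], seq 1, win 64240, length 0
11:19:01.000404 IP 192.168.1.105.51003 > 192.168.1.4.445: Flags [S], seq 1, win 64240, length 0
11:19:01.000505 IP 192.168.1.105.51004 > 192.168.1.5.139: Flags [S], seq 1, win 64240, length 0
11:19:01.000606 IP 192.168.1.105.51005 > 192.168.1.6.22: Flags [S], seq 1, win 64240, length 0
11:19:01.000707 IP 192.168.1.105.51006 > 192.168.1.7.3389: Flags [S], seq 1, win 64240, length 0
11:19:01.000808 IP 192.168.1.105.51007 > 192.168.1.8.445: Flags [S], seq 1, win 64240, length 0
11:19:02.000101 IP 192.168.1.20.49152 > 192.168.1.2.445: Flags [S], seq 1, win 64240, length 0
11:19:02.000202 IP 192.168.1.20.49152 > 192.168.1.2.445: Flags [.], ack 1, win 64240, length 0
11:19:03.000101 IP 192.168.1.2.445 > 192.168.1.20.49152: Flags [S.], seq 0, ack 2, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return one record per pure SYN line; ACKs, SYN-ACKs and non-matching lines are dropped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue
        attempts.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
        })
    return attempts


def in_wifi_pool(ip):
    """True if the address falls inside the assumed wireless DHCP pool."""
    lo, hi = WIFI_POOL
    return lo <= ip_address(ip) <= hi


def find_sweeps(text, host_threshold=HOST_THRESHOLD, smb_threshold=SMB_THRESHOLD):
    """Group SYNs by source and report subnet sweeps and SMB enumeration."""
    hosts = defaultdict(set)      # src -> distinct destination hosts
    smb_hosts = defaultdict(set)  # src -> distinct hosts probed on 139/445
    for a in parse_capture(text):
        hosts[a["src"]].add(a["dst"])
        if a["dport"] in SMB_PORTS:
            smb_hosts[a["src"]].add(a["dst"])

    findings = []
    for src in sorted(hosts):
        if len(hosts[src]) >= host_threshold:
            findings.append({"src": src, "kind": "subnet_sweep",
                             "count": len(hosts[src]), "in_wifi_pool": in_wifi_pool(src)})
        if len(smb_hosts[src]) >= smb_threshold:
            findings.append({"src": src, "kind": "smb_enumeration",
                             "count": len(smb_hosts[src]), "in_wifi_pool": in_wifi_pool(src)})
    return findings


if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_CAPTURE):
        origin = "wifi-pool" if f["in_wifi_pool"] else "wired"
        print(f"{f['src']} ({origin}): {f['kind']} across {f['count']} hosts")
```

Run against a live sniffer with something like tcpdump -l -nn tcp | python3 sweep.py (reading stdin instead of SAMPLE_CAPTURE); the in_wifi_pool flag is what separates an ordinary workstation opening a few shares from an unknown client that just got a lease from the open access point.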

