Penetration Testing mailing list archives

Re: tunneling through hotspot firewall


From: Paul Melson <pmelson () gmail com>
Date: Sun, 26 Apr 2009 18:16:53 -0400

On Fri, Apr 24, 2009 at 3:01 PM, Daniel Gultsch <daniel () gultsch de> wrote:
> I read a paper that the sequence numbers could be checked but usually
> aren't. I could google it again but it was something with "mac spoofing
> detection sequence numbers"

I've read the Stony Brook paper, too.  But this is about fidelity not
stealth.  The client and AP will be mid-sequence when you attack.  If
you don't compensate by adjusting your sequence numbers, you won't
reliably pass traffic through the AP because they'll be dropped as
out-of-sequence.  Or could be, at least - different APs will handle
out-of-sequence packets differently.


> However I'm not entirely sure about this. I'm kinda worried about the
> flow control on Layer 1 and 2. You know which client can start
> transmitting - it's a shared medium and such. As I said before: my
> understanding of the above layers 3,4 is good enough that I can tell
> it's working but I don't know....

Right, you end up with a race condition that you can't reliably win.


>> But why bother impersonating a whitelisted client address when you can
>> hijack it altogether with ARP poisoning?

> Because I want the original client to still be able to use the hotspot
> without knowing there is an attacker.

ARP poisoning, done right, will be undetectable to the user.  Their
traffic will flow, albeit through you, to the AP and then on to the
Internet and back just fine.  Unless you want to stop it.  Or change
it. No race condition.  And the AP can't lock it down like a wired
switch, so the only way to defeat it - Wireless IDS notwithstanding -
is a static ARP entry on the client.  And there isn't one.

PaulM
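As an added illustration of the sequence-number point (this is not code from Paul's or Daniel's messages), here is a small wireless-IDS style check: it tracks the 12-bit 802.11 sequence counter per source MAC and flags frames whose counter jumps backward or far ahead, which is the pattern a second transmitter using a whitelisted client's MAC leaves behind. The threshold and the sample frames are assumptions constructed for the demo.

```python
# Added example: per-MAC 802.11 sequence-number anomaly check (defender side).
# Frames are (src_mac, seq) tuples; seq is the 12-bit sequence counter from
# the 802.11 header, so gaps are computed modulo 4096.

SEQ_MOD = 4096
# Assumption: a legitimate station rarely advances more than this between two
# frames the monitor sees; missed frames create small gaps, not large ones.
FWD_THRESHOLD = 64


def detect_spoofed_macs(frames, fwd_threshold=FWD_THRESHOLD):
    """Return one alert per frame whose sequence number is inconsistent with
    the last frame seen from the same source MAC.

    gap == 0            -> retransmission of the same frame, normal
    1 <= gap <= thresh  -> normal forward progress (wrap at 4096 handled)
    otherwise           -> large forward jump, or a backward step (which the
                           modulo turns into a gap near 4096): two senders
                           are interleaving frames under one MAC.
    """
    last_seq = {}
    alerts = []
    for index, (mac, seq) in enumerate(frames):
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MOD
            if gap != 0 and gap > fwd_threshold:
                alerts.append({"frame": index, "mac": mac,
                               "last": last_seq[mac], "seq": seq, "gap": gap})
        last_seq[mac] = seq
    return alerts


def flagged_macs(frames):
    """Set of source MACs that produced at least one alert."""
    return {alert["mac"] for alert in detect_spoofed_macs(frames)}


# Constructed capture: the real client (00:11:...) is at seq 100-104 while a
# second sender using the same MAC is at 3000-3001; 00:bb:... retransmits one
# frame; 00:cc:... legitimately wraps from 4095 to 0.
CONSTRUCTED_FRAMES = [
    ("00:11:22:33:44:55", 100), ("00:11:22:33:44:55", 101),
    ("00:bb:00:00:00:01", 7), ("00:bb:00:00:00:01", 8), ("00:bb:00:00:00:01", 8),
    ("00:11:22:33:44:55", 102), ("00:11:22:33:44:55", 3000),
    ("00:11:22:33:44:55", 103), ("00:11:22:33:44:55", 3001),
    ("00:cc:00:00:00:02", 4094), ("00:cc:00:00:00:02", 4095),
    ("00:cc:00:00:00:02", 0), ("00:cc:00:00:00:02", 1),
    ("00:11:22:33:44:55", 104), ("00:bb:00:00:00:01", 9),
]

if __name__ == "__main__":
    for alert in detect_spoofed_macs(CONSTRUCTED_FRAMES):
        print(alert)
```

Each interleaved frame from the second sender, and the real client's next frame after it, produces an alert, so the spoofed MAC is flagged four times while the retransmitting and wrapping stations stay quiet.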
