Penetration Testing mailing list archives
Re: tunneling through hotspot firewall
From: Paul Melson <pmelson () gmail com>
Date: Sun, 26 Apr 2009 18:16:53 -0400
On Fri, Apr 24, 2009 at 3:01 PM, Daniel Gultsch <daniel () gultsch de> wrote:
I read a paper that the sequence numbers could be checked but usually aren't. I could google it again but it was something with "mac spoofing detection sequence numbers"
I've read the Stony Brook paper, too. But this is about fidelity, not stealth. The client and AP will be mid-sequence when you attack. If you don't compensate by adjusting your sequence numbers, you won't reliably pass traffic through the AP because they'll be dropped as out-of-sequence. Or could be, at least - different APs will handle out-of-sequence packets differently.
However, I'm not entirely sure about this. I'm kinda worried about the flow control on Layer 1 and 2. You know, which client can start transmitting - it's a shared medium and such. As I said before: my understanding of the above layers 3 and 4 is good enough that I can tell it's working, but I don't know....
Right, you end up with a race condition that you can't reliably win.
But why bother impersonating a whitelisted client address when you can hijack it altogether with ARP poisoning?

Because I want the original client to still be able to use the hotspot without knowing there is an attacker.
ARP poisoning, done right, will be undetectable to the user. Their traffic will flow, albeit through you, to the AP and then on to the Internet and back just fine. Unless you want to stop it. Or change it. No race condition. And the AP can't lock it down like a wired switch, so the only way to defeat it - Wireless IDS notwithstanding - is a static ARP entry on the client. And there isn't one.

PaulM
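The thread mentions two things a wireless IDS could look for: the sequence-number check from the Stony Brook paper (a second radio transmitting under a client's MAC interleaves its own 802.11 sequence counter with the real client's) and the ARP rebinding that poisoning on the hotspot segment necessarily produces. The following is an added illustration, not code from anyone in the thread or from the paper; the frame and ARP records are constructed, and the gap threshold and the "protected IPs" idea are assumptions of this example rather than anything the thread specifies.

```python
"""Defender-side checks for the two monitoring points raised in the thread.

Constructed example: FRAMES and ARP_REPLIES are made-up records, and
MAX_SEQ_GAP is an assumed tolerance, not a value from the thread or the
Stony Brook paper.
"""

SEQ_MODULUS = 4096   # 802.11 sequence numbers are 12 bits wide and wrap
MAX_SEQ_GAP = 300    # assumption: larger jumps are not explained by frame loss


def seq_anomalies(frames, max_gap=MAX_SEQ_GAP):
    """Flag frames whose 802.11 sequence number jumps too far for one sender.

    frames: iterable of (source_mac, sequence_number) as seen in monitor mode.
    One radio increments its counter by one per new frame, so two radios
    sharing a MAC (the real client plus a second transmitter) produce large
    forward jumps and, because the gap is taken modulo 4096, large positive
    values for backward jumps as well. A gap of 0 is a retransmission.
    """
    last_seq = {}
    alerts = []
    for index, (mac, seq) in enumerate(frames):
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            if gap != 0 and gap > max_gap:
                alerts.append((index, mac, last_seq[mac], seq))
        last_seq[mac] = seq
    return alerts


def arp_conflicts(replies, protected_ips=()):
    """Flag ARP replies that announce a different MAC for an already-seen IP.

    replies: iterable of (sender_ip, sender_mac) from ARP replies on the
    segment. The first-seen binding is kept as the reference, so every later
    reply that contradicts it is reported. protected_ips (assumed: the
    gateway and similar) escalates the severity; the mitigation the thread
    names, a static ARP entry on the client, is exactly pinning that binding.
    """
    bindings = {}
    alerts = []
    for index, (ip, mac) in enumerate(replies):
        known = bindings.get(ip)
        if known is not None and known != mac:
            severity = "high" if ip in protected_ips else "low"
            alerts.append((index, ip, known, mac, severity))
        bindings.setdefault(ip, mac)
    return alerts


# Constructed capture: client ...:01 counts 100, 101, 102, 103 while a second
# transmitter using the same MAC counts 2000, 2001; client ...:02 wraps 4095 -> 0.
FRAMES = [
    ("aa:bb:cc:00:00:01", 100), ("aa:bb:cc:00:00:01", 101),
    ("aa:bb:cc:00:00:01", 2000), ("aa:bb:cc:00:00:01", 102),
    ("aa:bb:cc:00:00:01", 2001), ("aa:bb:cc:00:00:01", 103),
    ("aa:bb:cc:00:00:02", 4095), ("aa:bb:cc:00:00:02", 0),
]

# Constructed ARP replies: the gateway 10.0.0.1 is later re-announced by a
# different MAC; 10.0.0.20 keeps a consistent binding.
ARP_REPLIES = [
    ("10.0.0.1", "02:00:00:00:00:01"), ("10.0.0.20", "02:00:00:00:00:14"),
    ("10.0.0.1", "02:00:00:00:00:99"), ("10.0.0.20", "02:00:00:00:00:14"),
    ("10.0.0.1", "02:00:00:00:00:99"),
]

if __name__ == "__main__":
    for index, mac, prev, cur in seq_anomalies(FRAMES):
        print(f"frame {index}: {mac} jumped from seq {prev} to {cur}")
    for index, ip, known, mac, sev in arp_conflicts(ARP_REPLIES, {"10.0.0.1"}):
        print(f"arp {index}: {ip} was {known}, now claimed by {mac} [{sev}]")
```

Both checks are stateless beyond a small per-address table, which is what makes them cheap to run on a monitor-mode interface; the trade-off is that the sequence check depends on seeing most of a client's frames, so on a lossy channel the gap threshold has to be loosened and the signal comes from repeated alternation rather than any single jump.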
Current thread:
- tunneling through hotspot firewall Daniel Gultsch (Apr 23)
- Re: tunneling through hotspot firewall Paul Melson (Apr 23)
- Re: tunneling through hotspot firewall Daniel Gultsch (Apr 26)
- Re: tunneling through hotspot firewall Paul Melson (Apr 26)
- Re: tunneling through hotspot firewall mason lee (Apr 27)
- Re: tunneling through hotspot firewall Daniel Gultsch (Apr 26)
- Re: tunneling through hotspot firewall Paul Melson (Apr 23)
- Re: tunneling through hotspot firewall Aarón Mizrachi (Apr 26)
- Re: tunneling through hotspot firewall Daniel Gultsch (Apr 26)