Re: Rogue AP Placement: evil + 1

[Rob Fuller <jd.mubix () gmail com>]

Or just make it easy: http://theplugbot.com/

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Wed, Aug 25, 2010 at 6:57 PM, Bacon Zombie <baconzombie () gmail com> wrote:

> A few good idea:
>
> #Use UTF 8 characters to set the SSID to something that look like the
> Company standard one.
>
> #If you are going to leave port 80 open on the AP, put a reverse-binding
> trojan on the homepage of the AP's GUI since they will probably want a
> screenshot of the web GUI.
>
> #Open a few fake ports open that just replay a Telnet banned with one of
> the follow - { "Never Gonna Give You Up" lyrics, ASCII Goatse, shell code
> [rm -rf *], SQL injection,etc }
>
> #Hide the AP like this
>
> [image: the image] <http://i.imgur.com/i4Sm9.jpg>
>
> *
> BaconZombie
>
> ☣ ☣ ☣ ☣ ☠ ☠ ☠ ☠ ☢ ☢ ☢ ☢
>
> ….all text in this mail is double-rot13 encrypted. ...*
>
> ☣ ☣ ☣ ☣ ☠ ☠ ☠ ☠ ☢ ☢ ☢ ☢
>
> ****
> On 25 August 2010 22:40, Chris Merkel <cmerkel () gmail com> wrote:
>
> > Yeah, that does just about everything I need. I'm still going to drop a
> > big ugly pix and ghetto AP for the fun of it.
> >
> > Aside from this all-in-wonderful pwnage device, anyone else have tips for
> > stealthy AP usage?
> >
> > - Chris
> >
> >
> > On Wed, Aug 25, 2010 at 2:19 PM, Andrew Johnson <email () andrewcjohnson com
> > > wrote:
> >
> > > Have you seen this?
> > > http://grep8000.blogspot.com/2010/07/introducing-pwn-plug.html
> > >
> > > <http://grep8000.blogspot.com/2010/07/introducing-pwn-plug.html>-A
> > >
> > > On Wed, Aug 25, 2010 at 10:54 AM, Chris Merkel <cmerkel () gmail com>wrote:
> > >
> > > > Question directed to fellow pen-test / red-teaming ninjas:
> > > >
> > > > Have a test coming up, and want to place a rogue AP. I fully expect that
> > > > a vanilla AP/router will be detected. I'm thinking about dropping a Cisco
> > > > PIX 501 with the rogue AP sitting on the other side of the NAT gateway, and
> > > > turning off all remote PIX management as well (if possible, it's been awhile
> > > > since I admin'ed these.), maybe even turn off ICMP echo replies.
> > > >
> > > > My guess is that this isn't going to be detected... My question is:
> > > > anyone gone to that level of evil to evade detection on a network? If so,
> > > > could you share any tips or gotchas you encountered along the way?
> > > >
> > > > (BTW, you can get a PIX 501 on ebay for under 100 bucks... so well
> > > > within the reach of an attacker...)
> > > >
> > > > --
> > > > - Chris Merkel
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > - Chris Merkel
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com