Re: Lan access via wifi

["DokFLeed" <dokfleed () dokfleed net>]

Just a quick thought
if you can't hack any of the boxes, sniff them
try winARP if you are on windows, it will list all the clients logged in the 
network
check if you can poison them and sniff the data.
on linux you can try ettercap , poison them , DNS poison again, direct them 
to a page you control , make them download a keylogger (its better to code 
your own logger so it won't get detected) , finally 0wn the network :)
or search for a domain controller and grab is Admin password.

i am not sure , if you are authorized to do so , but its always fun to try.
is it a simple star network of workstations connected to a single wireless 
router?

good luck
DokFLeed

----- Original Message ----- 
From: "Sherwyn Williams" <sherwill22 () tmail com>
To: "Brian W Baker" <panadero () gmail com>
Cc: <pen-test () securityfocus com>
Sent: Monday, June 06, 2005 10:05 PM
Subject: Re: Lan access via wifi


> The thing is that is did that already, I stated that in my first post. I 
> did a nmap and noticed that all the internal host are filtered by some 
> firewall. I have access to the wireless router and I open up the internal 
> host by pointing them to the dmz side of the router. I did a nessus scan 
> and also and got no usefull info. So
> Is why my next step was to try a unc shared access by doing \\.\x:\ but 
> that did not gave me any useful info.
>
> That is why I email the list.
>
>
>
> On Mon, 6 Jun 2005 13:37, Brian W Baker wrote:
> > Not that I'm against learning, as we've all been there, and learned from
> > some of the best.  What gets me, is that you're on a
> > "pentest"...enumeration should be your next step, nmap at least, then
> > nessus, at least...once you get in the network via wireless, it would be
> > the same as what I presume you've already done on the rest of the
> > pentest (wired side).  Are you working with someone else on this pentest?
> >
> > I'm not trying to be "ugly", I'm just saying what I'm sure a lot of the
> > rest of the list didn't say...
> >
> >
> >
> > Sherwyn Williams wrote:
> > >  Kidding with what my question, what is this the
> > >  Professional corner of the list, ok professors if you are tired of
> > >  teaching you can go back to solving world peace I totally get it. I
> > >  should try www.google right thanks a lot to everyone who did took timr
> > >  to answer  my quetion
> > >
> > >  On Mon, 6 Jun 2005 12:49, Brian W Baker wrote:
> > >
> > > >  You're kiddin, right?
> > > >
> > > >
> > > >
> > > >  Sherwyn Williams wrote:
> > > >
> > > > >   Senerio:
> > > > >
> > > > >   Doing a pentest, the client has a wifi router that is not encrypted 
> > > > > and
> > > > >   is gaving out dhcp address to any wifi client with a compatible 
> > > > > card.
> > > > >   Now my question is once I received a ip address, and I pinged a few
> > > > >   internal clients , how would be a good way for me to gain access to
> > > > >   these internal network.
> > > > >
> > > > >   I tried  //ipaddress/ because there is no machine name in the dhcp
> > > > >   routing table. Could not connect that way, I even tried to open up
> > > > >   certain ports via putting the machine on the router dmz and did a 
> > > > > scan
> > > > >   with the secuirty features disable, but still there is no open 
> > > > > ports.
> > > > >
> > > > >   Thanks in advance.
> > > > >
> > > > >
> > > > >
> > > > >   Sherwyn Williams
> > > > >   Technical Consultant
> > > > >   (917) 650-5139
> > > > >   Sherwill22 () tmail com
> > >  Sherwyn Williams
> > >  Technical Consultant
> > >  (917) 650-5139
> > >  Sherwill22 () tmail com
> Sherwyn Williams
> Technical Consultant
> (917) 650-5139
> Sherwill22 () tmail com