Penetration Testing mailing list archives
Re: Anonymizing Packets yet ensuring 0 % packet loss
From: Dotzero <dotzero () gmail com>
Date: Mon, 17 Sep 2007 14:14:04 -0400
Note, I have dropped the cross-post to Security basics as I got a ton of bounces which appear to be related. On 9/16/07, Vivek P <iamherevivek () gmail com> wrote:
hi DotZero,
I'll give you a few ideas that may or may not work, depending. You will still have to do some homework. Seeing as you say you are on internal network and have permission then I have less concern than from your original post. Under the circumstances you describe, the first thing I would do is see who else (or what else) is on your local network (as in network mask). Are they using port lockdown on the switches? If not then you have a chance to do an ARP poisoning attack. Even if they do have lockdown enabled on the ports you should be able to attack local hosts (That is, get their outbound traffic). This would be one line of attack to explore. You might be able to capture some credentials. Assuming you can do this sort of attack successfully you could masquerade (or do a MITM) attack that would abuse the other hosts IP address and MAC address. I'm going to assume that the network is using DHCP. That doesn't mean that you can't come up with your own IP address in the subnet you are on. Find out what is free and see if you can use it. Don't forget to pick a MAC address other than your real one. You might craft an attack against the admin network by using DNS. Send a complaint to abuse@ about a domain that you control. What's the first thing that most sysadmins do when getting a complaint? Do a lookup of the domain. You can put all sorts of things in DNS......including an attack crafted against the host likely to be used by the sysadmin. Much faster than some of what you are describing. How about a website with attacks embedded in the page? Sucker the admin into hitting it.Use a trick like phishers do.....put an encoded iframe to inject malware or do driveby downloads using exploits. Are there live exposed network jacks that you can get access to? How about printers? Can you get access to wiring closets with patch panels? How about patch panels that the admins are connected through? Shove a hub in and sniff their traffic. You mention FTP.....great way to collect credentials and accounts if you can sniff the traffic. So, if the people whose credentials you capture have accounts on UNIX (or Windows) hosts you could try privilage escalation attacks or do attacks from the hosts they have access to. What network protocols are they using for routing (for example BGP) can you attack there? Can you do VLAN hopping? Just a few thoughts. Go beyond simple enumeration of services type approaches. If you have physical access on the inside, some knowledge of the setup and written permission to engage in attacks you should be like a kid in a candy store. Again, I emphasize the permission aspect. Some (many) of the approaches I would look at could get a person a room with a view (through bars) in many jurisdictions if the person does not have proper authorization. You are looking for a straight forward approach to gaining control. As an attacker, you are not playing by their rules even if you must take them into account. Get creative! You have significant advantages over the defenders. How bad do you want success? Sounds like you wish to prove a point. If you truly do have authorization then it sounds like the only consequences are that someone tells you "We caught you". I could go on but I think you get the point. Again, I'm making assumptions based on what information you provided us. This is about as much as I'd care to publicly discuss (and no, I'm not interested in pursuing the conversation privately either.) Happy hunting. Dotzero ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Anonymizing Packets yet ensuring 0 % packet loss, (continued)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 13)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Utmost Bastard (Sep 13)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 13)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Brett Cunningham (Sep 14)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 13)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Dotzero (Sep 14)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 16)
- RE: Anonymizing Packets yet ensuring 0 % packet loss Strykar (Sep 16)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 16)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Brett Cunningham (Sep 17)
- RE: Anonymizing Packets yet ensuring 0 % packet loss Strykar (Sep 17)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Dotzero (Sep 17)
- Re: Anonymizing Packets yet ensuring 0 % packet loss Vivek P (Sep 17)