Re: Anonymizing Packets yet ensuring 0 % packet loss

["Vivek P" <iamherevivek () gmail com>]

Thanks!

I wil give it a go!
By the way, by setting up Tor i was able to bruteforce the admin
passwords for the session mgmt servers (they give each user on the
intranet session {dunno y :-( }) I was able to pull out some social
engineering stuff on admins! {they downloaded my troj.} now i am in
their machine, so i m able to get admin credentials! i have changed my
IP adress but due to some weird reasons i am not able to pull it out!!

I m working out on these lines! Thank you for the support &
assistance! by th way hw much can DNS spoofing help for rerouting
traffic through my machine !!

Vivek

On 9/17/07, Dotzero <dotzero () gmail com> wrote:
> Note, I have dropped the cross-post to Security basics as I got a ton
> of bounces which appear to be related.
>
> On 9/16/07, Vivek P <iamherevivek () gmail com> wrote:
> > hi DotZero,
>
> I'll give you a few ideas that may or may not work, depending. You
> will still have to do some homework.
>
> Seeing as you say you are on internal network and have permission then
> I have less concern than from your original post.
>
> Under the circumstances you describe, the first thing I would do is
> see who else (or what else) is on your local network (as in network
> mask). Are they using port lockdown on the switches? If not then you
> have a chance to do an ARP poisoning attack. Even if they do have
> lockdown enabled on the ports you should be able to attack local hosts
> (That is, get their outbound traffic). This would be one line of
> attack to explore. You might be able to capture some credentials.
> Assuming you can do this sort of attack successfully you could
> masquerade (or do a MITM) attack that would abuse the other hosts IP
> address and MAC address.
>
> I'm going to assume that the network is using DHCP. That doesn't mean
> that you can't come up with your own IP address in the subnet you are
> on. Find out what is free and see if you can use it. Don't forget to
> pick a MAC address other than your real one.
>
> You might craft an attack against the admin network by using DNS. Send
> a complaint to abuse@ about a domain that you control. What's the
> first thing that most sysadmins do when getting a complaint? Do a
> lookup of the domain. You can put all sorts of things in
> DNS......including an attack crafted against the host likely to be
> used by the sysadmin. Much faster than some of what you are
> describing.
>
> How about a website with attacks embedded in the page? Sucker the
> admin into hitting it.Use a trick like phishers do.....put an encoded
> iframe to inject malware or do driveby downloads using exploits.
>
> Are there live exposed network jacks that you can get access to? How
> about printers? Can you get access to wiring closets with patch
> panels? How about patch panels that the admins are connected through?
> Shove a hub in and sniff their traffic.
>
> You mention FTP.....great way to collect credentials and accounts if
> you can sniff the traffic. So, if the people whose credentials you
> capture have accounts on UNIX (or Windows) hosts you could try
> privilage escalation attacks or do attacks from the hosts they have
> access to.
>
> What network protocols are they using for routing (for example BGP)
> can you attack there? Can you do VLAN hopping?
>
> Just a few thoughts. Go beyond simple enumeration of services type
> approaches. If you have physical access on the inside, some knowledge
> of the setup and written permission to engage in attacks you should be
> like a kid in a candy store. Again, I emphasize the permission aspect.
> Some (many) of the approaches I would look at could get a person a
> room with a view (through bars) in many jurisdictions if the person
> does not have proper authorization.
>
> You are looking for a straight forward approach to gaining control. As
> an attacker, you are not playing by their rules even if you must take
> them into account.
>
> Get creative! You have significant advantages over the defenders. How
> bad do you want success? Sounds like you wish to prove a point. If you
> truly do have authorization then it sounds like the only consequences
> are that someone tells you "We caught you".
>
> I could go on but I think you get the point. Again, I'm making
> assumptions based on what information you provided us. This is about
> as much as I'd care to publicly discuss (and no, I'm not interested in
> pursuing the conversation privately either.)
>
> Happy hunting.
>
> Dotzero
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


-- 
-------------------------------------------
Vivek P Nair
Vice President Technology
Appin Group Of Companies
Appin Security Group
Module III TBIU
IIT DELHI
Hauz Khaus
New delhi
India
www.appinlabs.com
vivek.p () appinlabs com
+919910924675

We explore... and you call us criminals.
We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious
bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to
us and try to make us believe it's for our own good, yet we're the
criminals.

Yes, I am a criminal. My crime is that of curiosity.
My crime is that of judging people by what they say and think, not
what they look like.
I am a hacker, and this is my manifesto.
You may stop this individual, but you can't stop us all!

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------