Re: Wired captive portal pen-test

[Roman Medina-Heigl Hernandez <roman () rs-labs com>]

Sergio Castro escribió:
> I've done similar voipsec audits at hotels. The hotel is very likely using a
> switch-router (and very likely VLANs) so you will not be able to see any
> other IPs on the network. What is your sniffer showing?

I saw ARP requests coming from the router and asking for the MAC of several 
other IPs of the same segment where my laptop was connected (in my case, 
192.168.9.x). I didn't catch any ARP responses...

Another probe I did was walking to a "public computer" in the hotel (some 
kind of internet-kiosk) and get the IP. The IP was in the same 192.168.9.x 
range. I didn't have time to get its MAC and try to configure my laptop's 
NIC with that MAC (although the switch should probably stop that... 
shouldn't it?).

> Another possible attack vector you may use is their IP phones. If the room
> has an IP phone, try connecting your laptop to the phone's RJ45 and do a
> packet sniff. I've been able to access entire corporate LANs doing this.

I didn't have a look at this... although I'd guess it was rj-11... Next 
time I'll check it! :)

--

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------