Penetration Testing mailing list archives

Re: tunneling through hotspot firewall

From: Paul Melson <pmelson () gmail com>
Date: Fri, 24 Apr 2009 00:17:13 -0400

On Wed, Apr 22, 2009 at 7:35 AM, Daniel Gultsch <daniel () gultsch de> wrote:

Ok, lets further suppose I'd have on succesfully logged in (and
whitelisted) client). An evil attackers joins the notework as well -
not beeing able to connect to the outside world (because of the
firewall) but beeing able to sniff all the traffic (it's an unencrypted
wlan which means hub, basicly). Suppose the attacker would sniff the
mac address and the ip address of the whitelisted, logged in client and
give hiself the very same mac address and ip address (both easily can
be assigned with a simple ifconfig). Suppose the attacker would go on
and set up a firewall on his computer preventing all packages TCP, IP,
UDP and everything else from being both recieved or send. (Simple
iptables rules). He then opens a very tiny whole in his own firewall
(some strange udp port, which is definitly not used by the other (real)
client) and uses this udp port to tunnel to an external server

Would this work? Or if not on which layer would it fail. This is
basicly about Layer 1 and 2. What happens if two clients with the same
MAC address share a shared medium like wireless lan. The rest starting
of Layer 4 should definitly work (I'm familar enough with these layers
to say this. I'm just not sure about the underlaying layers.


You will run into issues with sequence numbers in the 802.11 frames.
But why bother impersonating a whitelisted client address when you can
hijack it altogether with ARP poisoning?

http://ettercap.sourceforge.net/forum/viewforum.php?f=8

PaulM

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? 
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well. 

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------

Current thread:

tunneling through hotspot firewall Daniel Gultsch (Apr 23)
- Re: tunneling through hotspot firewall Paul Melson (Apr 23)
  - Re: tunneling through hotspot firewall Daniel Gultsch (Apr 26)
    - Re: tunneling through hotspot firewall Paul Melson (Apr 26)
    - Re: tunneling through hotspot firewall mason lee (Apr 27)
- Re: tunneling through hotspot firewall Aarón Mizrachi (Apr 26)
  - Re: tunneling through hotspot firewall Daniel Gultsch (Apr 26)