Re: Anonymizing Packets yet ensuring 0 % packet loss

From: Vivek P (iamherevivek@gmail.com)
Date: Mon Sep 17 2007 - 23:40:21 EDT


Thanks!

I will give it a go!
By the way, by setting up Tor I was able to bruteforce the admin
passwords for the session management servers (they give each user on the
intranet a session {dunno why :-( }). I was able to pull off some social
engineering stuff on the admins! {They downloaded my trojan.} Now I am in
their machine, so I am able to get admin credentials! I have changed my
IP address, but due to some weird reasons I am not able to pull it out!!

I am working along these lines! Thank you for the support &
assistance! By the way, how much can DNS spoofing help for rerouting
traffic through my machine!!

Vivek

On 9/17/07, Dotzero <dotzero@gmail.com> wrote:
> Note, I have dropped the cross-post to Security basics as I got a ton
> of bounces which appear to be related.
>
> On 9/16/07, Vivek P <iamherevivek@gmail.com> wrote:
> > hi DotZero,
>
> I'll give you a few ideas that may or may not work, depending. You
> will still have to do some homework.
>
> Seeing as you say you are on internal network and have permission then
> I have less concern than from your original post.
>
> Under the circumstances you describe, the first thing I would do is
> see who else (or what else) is on your local network (as in network
> mask). Are they using port lockdown on the switches? If not then you
> have a chance to do an ARP poisoning attack. Even if they do have
> lockdown enabled on the ports you should be able to attack local hosts
> (That is, get their outbound traffic). This would be one line of
> attack to explore. You might be able to capture some credentials.
> Assuming you can do this sort of attack successfully you could do a
> masquerade (or MITM) attack that would abuse the other host's IP
> address and MAC address.
>
> I'm going to assume that the network is using DHCP. That doesn't mean
> that you can't come up with your own IP address in the subnet you are
> on. Find out what is free and see if you can use it. Don't forget to
> pick a MAC address other than your real one.
>
> You might craft an attack against the admin network by using DNS. Send
> a complaint to abuse@ about a domain that you control. What's the
> first thing that most sysadmins do when getting a complaint? Do a
> lookup of the domain. You can put all sorts of things in
> DNS......including an attack crafted against the host likely to be
> used by the sysadmin. Much faster than some of what you are
> describing.
>
> How about a website with attacks embedded in the page? Sucker the
> admin into hitting it. Use a trick like phishers do: put an encoded
> iframe to inject malware or do drive-by downloads using exploits.
>
> Are there live exposed network jacks that you can get access to? How
> about printers? Can you get access to wiring closets with patch
> panels? How about patch panels that the admins are connected through?
> Shove a hub in and sniff their traffic.
>
> You mention FTP.....great way to collect credentials and accounts if
> you can sniff the traffic. So, if the people whose credentials you
> capture have accounts on UNIX (or Windows) hosts you could try
> privilege escalation attacks or do attacks from the hosts they have
> access to.
>
> What network protocols are they using for routing (for example BGP)?
> Can you attack there? Can you do VLAN hopping?
>
> Just a few thoughts. Go beyond simple enumeration of services type
> approaches. If you have physical access on the inside, some knowledge
> of the setup and written permission to engage in attacks you should be
> like a kid in a candy store. Again, I emphasize the permission aspect.
> Some (many) of the approaches I would look at could get a person a
> room with a view (through bars) in many jurisdictions if the person
> does not have proper authorization.
>
> You are looking for a straightforward approach to gaining control. As
> an attacker, you are not playing by their rules even if you must take
> them into account.
>
> Get creative! You have significant advantages over the defenders. How
> bad do you want success? Sounds like you wish to prove a point. If you
> truly do have authorization then it sounds like the only consequences
> are that someone tells you "We caught you".
>
> I could go on but I think you get the point. Again, I'm making
> assumptions based on what information you provided us. This is about
> as much as I'd care to publicly discuss (and no, I'm not interested in
> pursuing the conversation privately either.)
>
> Happy hunting.
>
> Dotzero
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
-------------------------------------------
Vivek P Nair
Vice President Technology
Appin Group Of Companies
Appin Security Group
Module III TBIU
IIT DELHI
Hauz Khaus
New delhi
India
www.appinlabs.com
vivek.p@appinlabs.com
+919910924675
We explore... and you call us criminals.
We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious
bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to
us and try to make us believe it's for our own good, yet we're the
criminals.
Yes, I am a criminal. My crime is that of curiosity.
My crime is that of judging people by what they say and think, not
what they look like.
I am a hacker, and this is my manifesto.
You may stop this individual, but you can't stop us all!
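The ARP poisoning line of attack in the quoted reply is also the one that is easiest to see from the defender's side, because the attacker has to keep answering ARP for the gateway (or for the victims) on the local segment. The following is an added example and is not code from either poster: a small passive detector in Python, in the spirit of arpwatch, run over a constructed list of ARP "is-at" replies. The gateway address 10.0.0.1, the MAC addresses and the trusted static binding are all assumed for the illustration.

```python
"""Passive ARP-poisoning detector over constructed ARP reply records.

Added example, not from the original thread.  It models the attack the
quoted reply describes first: a host on the same broadcast domain
answering ARP for the gateway (and for other hosts) so that their
outbound traffic is sent to the attacker's MAC instead.

All addresses below are assumed; the replies are constructed, not captured.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP "is-at" replies as seen on the wire:
# (seconds since capture start, sender IP, sender MAC).
SAMPLE_ARP_REPLIES: List[Tuple[float, str, str]] = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),  # workstation
    (1.0, "10.0.0.21", "00:11:22:33:44:21"),  # workstation
    (5.0, "10.0.0.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by another MAC
    (5.1, "10.0.0.20", "de:ad:be:ef:00:01"),  # same MAC also claims a workstation
    (5.2, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again: flapping
]

# Assumed static entry for the gateway, the one binding we know up front.
TRUSTED_BINDINGS: Dict[str, str] = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return (timestamp, kind, detail) alerts for replies that look like poisoning.

    Three signals are checked:
      trusted_mismatch  a reply contradicts a static/trusted binding
      binding_change    an IP previously bound to one MAC now claims another
      multi_ip          one MAC claims a second (third, ...) IP address,
                        which is what a MITM of several hosts looks like
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen: Dict[str, str] = {}                      # IP -> last MAC that claimed it
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[float, str, str]] = []

    for ts, ip, mac in replies:
        mac = mac.lower()                          # normalise case before comparing

        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted_mismatch",
                           f"{ip} claimed by {mac}, trusted binding is {trusted[ip]}"))

        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "binding_change", f"{ip}: {prev} -> {mac}"))
        seen[ip] = mac

        # Alert only when this MAC picks up a *new* IP, so a chatty host does
        # not re-trigger the same alert on every reply.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "multi_ip",
                               f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(f"{ts:5.1f}s  {kind:17s} {detail}")
```

On the constructed input the first three replies are quiet; the reply at 5.0s raises both a trusted-binding mismatch and a binding change for the gateway, the one at 5.1s raises a binding change for the workstation plus a multi-IP alert for the spoofing MAC, and the real gateway's reply at 5.2s shows up as a second binding change (the flapping that is typical while a poisoner and the real host both answer). Two caveats a practitioner would want: ARP does not cross routers, so the detector has to sit on the segment itself or on a mirror port of its switch, and the multi-IP signal will fire on legitimate hosts that own several addresses (routers doing proxy ARP, HA pairs with floating IPs), so those need a whitelist. Switch-side features such as port security with a per-port MAC limit and dynamic ARP inspection are the preventive counterpart to this detective check.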


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT