RE: device connection hijacking

From: Andy Dockerty (andy.techo@paradise.net.nz)
Date: Wed Sep 03 2003 - 05:05:49 EDT


My five cents,

I have been considering such an attack for a while; it requires good social
engineering skills, and a bit of nerve to carry out the insertion of the
device, but thence a lot can be achieved, in both passive and active mode.

First, my arguments precluding certain options:

It is understandable that you would want to power the device without utilizing
target environment power; however, running an 802.11x device from a PDA-size
machine does not really make sense, purely because of the battery life,
storage capacity and the difficulty of having both a wireless and Ethernet
connection on such a device.

I like the idea of using a device that can take advantage of PoE, but again,
considerable time and effort needs to be taken to customize a standard WAP
to fit the requirements - then of course you need to be able to store your
take and retrieve it. It would be most inconvenient to have to remain
connected via wireless whilst collecting traffic, not to mention being
questionable from the perspective that you would be relying on WEP to
protect the traffic being received and collected at your laptop. Not a
desirable side effect if a passing war-driver should pick up raw internal
network traffic with plaintext passwords, SMB traffic etc.

My preferred method would be approximately thus:

Consider your average environment; there is nearly always a comms cupboard,
riser or under-floor access for cabling. Take a small form factor device such as
the Cappuccino series from Thinkgeek.com. This has storage space aplenty and
can be installed with a full OS or Linux distribution. Add a USB wireless
adapter and you have a wireless snooping device. By using, say, FreeS/WAN or
SSH you can afford a degree of protection to the data you capture from the
client's network. You can choose your OS and toolset as long as it is
compatible with a standard x86 architecture. Given the circumstances you
have described, I would be looking at figuring out how to conceal a
marginally larger sniffing platform within the target environment.

-----Original Message-----
From: Bryan [mailto:slack3r@boy-genius.net]
Sent: 31 August 2003 13:16
To: pen-test@securityfocus.com

Hello all.

I saw something today that got the wheels turning as a potential
vulnerability in network deployment. Let's say a client company has some
sort of proprietary device out in the open for anybody to use, and it is
connected to the internal network through a regular 100BaseT connection.
But that cable is easily unplugged... and plugged into whatever you
want. Should one want to connect to the network through that connection,
wouldn't it be possible to attach a wired/wireless converter to the
line, and connect to the network via a wireless adapter on your machine
from some distance away without anyone being any the wiser?

I did some googling for such a device, and found a few products, but
none that would suit the needs for this application. It should be small
enough to hide, needing only one RJ45 port, and maybe a wireless
antenna. And it should also be battery powered, as you most likely
wouldn't have a power outlet nearby, much less one that could be
stealthily utilized. Then just a little wireless sniffing should help
you out from there, right?

Any ideas? Thanks

Bryan

---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
technology powered by the award-winning FoundScan engine. Try it free for
21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------
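The scenario both posters describe (a public-area cable unplugged from its intended device and plugged into something else) leaves a trace on the access switch: a link-down/link-up on the port followed by a MAC address that does not belong there. The following is an added, defender-side example, not code from either poster; it assumes a hypothetical generic switch syslog format, constructed sample lines, and a per-port inventory of the expected MAC (here a plain dict) and flags ports whose post-flap MAC differs from the inventory.

```python
import re

# Constructed sample syslog lines in a hypothetical generic switch format.
# Gi0/7 flaps and comes back with its expected MAC; Gi0/12 flaps and a
# different device appears on the port.
SAMPLE_LOG = """\
Sep 03 04:58:01 sw-lobby LINK: port Gi0/7 changed state to down
Sep 03 04:58:40 sw-lobby LINK: port Gi0/7 changed state to up
Sep 03 04:58:42 sw-lobby MAC: learned 00:0c:29:aa:bb:cc on port Gi0/7 vlan 10
Sep 03 05:10:13 sw-lobby LINK: port Gi0/12 changed state to down
Sep 03 05:10:20 sw-lobby LINK: port Gi0/12 changed state to up
Sep 03 05:10:22 sw-lobby MAC: learned 00:1e:c2:de:ad:01 on port Gi0/12 vlan 10
"""

# Hypothetical inventory: the single MAC each public-area port should carry.
EXPECTED_MAC = {"Gi0/7": "00:0c:29:aa:bb:cc", "Gi0/12": "00:11:22:33:44:55"}

LINK_RE = re.compile(r"port (\S+) changed state to (down|up)")
MAC_RE = re.compile(r"learned ([0-9a-f:]{17}) on port (\S+)", re.I)


def find_swapped_devices(log_text, expected):
    """Return [(port, mac)] for ports where a link-down was followed by a
    learned MAC that differs from the inventory entry for that port.

    A MAC learned on a port that never went down (e.g. after a switch reboot)
    is not flagged; that case is left to a full inventory reconciliation."""
    flapped = set()   # ports that have gone down and not yet been re-checked
    alerts = []
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if m:
            port, state = m.groups()
            if state == "down":
                flapped.add(port)
            continue
        m = MAC_RE.search(line)
        if m:
            mac, port = m.group(1).lower(), m.group(2)
            if port in flapped and expected.get(port, "").lower() != mac:
                alerts.append((port, mac))
            flapped.discard(port)  # port re-checked after the flap
    return alerts


if __name__ == "__main__":
    for port, mac in find_swapped_devices(SAMPLE_LOG, EXPECTED_MAC):
        print(f"ALERT: unexpected device {mac} on {port} after link flap")
```

On a real network the same check is better enforced than detected: port security (one sticky MAC per port) or 802.1X on any publicly reachable jack shuts the port or moves it to a quarantine VLAN when the cable is re-used by an unknown device.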

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT