flounder Posted October 5, 2009
So today, I was doing some pen testing at home and may have accidentally poisoned the company ARP table during a man in the middle attack session. I was doing some man in the middle attack, DNS spoof and session hijacking testing between some virtual machines, another laptop, and my router at home and sniffing the traffic at the same time to validate the session, and all of a sudden I noticed company IPs coming across my sniffer. That's when I realized I was VPN'd into work. <Insert O-Shit scream here> No idea how the ARP poisoning attack and DNS spoof broke out of my local network. Big woops. I called and put in a ticket just to make sure in case it caused problems and they actually think I was doing something. Try explaining that one to tech support. So note to self for everyone: make sure VPN is not connected when doing pen testing on your home network. Better yet.. make damn sure you know exactly where your network traffic can go, because Murphy's law says it's going to go all the places you don't want it to. For the non computer geeks: I was practicing breaking into stuff and intercepting network traffic for in-transit changes and may have caused issues with the company network. Big no-no.
Likwid Posted October 5, 2009
lol! Your work doesn't just flat out filter that! I thought for sure you were going to say you went and downloaded a bunch of porn while VPN'ed.
that dude Posted October 5, 2009
huh
shittygsxr Posted October 5, 2009
ohhhhh. No wait, still don't get it.
flounder (Author) Posted October 5, 2009
> lol! Your work doesn't just flat out filter that! I thought for sure you were going to say you went and downloaded a bunch of porn while VPN'ed.

It scared the hell out of me as soon as I saw the company VPN IPs coming through. I killed everything so quick my head was spinning, and then I ran straight to the fridge for a beer. In hindsight, I should have at least saved the session so I could determine exactly what traversed. After I started thinking about it, I was thinking the same thing of why the hell would that have gone through, but then again I was VPN'd as a trusted internal host so who knows. I'm hoping now it was just the DNS traffic trying to resolve through the MITM attack. Like I said, I wish I would have saved the traffic for review.
flounder (Author) Posted October 5, 2009
Ok.. so here it is again for the non computer people.
So imagine you try to get to your email account. So you type email.com into your browser and your traffic goes out your router and goes to email.com and you log in. The attack I was doing basically means that instead of your traffic going out your router and to your email, it comes to me first and my computer then directs you wherever I want you to go. It has the option of doing it silently and I would just intercept everything you do and everywhere you go. I could also set it up to redirect you to somewhere completely different, so you type google.com and instead, I route you to www.shittygixxerisgay.com. It would also allow me to mirror pages and intercept your usernames and passwords for where you're trying to go, or automatically trigger your computer to download files even though you type in google.com.
Does that make more sense?
Likwid Posted October 5, 2009
> It scared the hell out of me as soon as I saw the company VPN IPs coming through. I killed everything so quick my head was spinning, and then I ran straight to the fridge for a beer. In hindsight, I should have at least saved the session so I could determine exactly what traversed. After I started thinking about it, I was thinking the same thing of why the hell would that have gone through, but then again I was VPN'd as a trusted internal host so who knows. I'm hoping now it was just the DNS traffic trying to resolve through the MITM attack. Like I said, I wish I would have saved the traffic for review.

So long as you didn't successfully poison any internal servers you probably didn't do any damage... now if you happened to deposit anything on the backbone then I'd lawl. When I worked for a LARGE company I inadvertently found a GIANT security bug that let me edit any file on the production servers with NO restrictions... told security, they said "meh, just don't tell anyone".
shittygsxr Posted October 5, 2009
> Ok.. so here it is again for the non computer people.
> So imagine you try to get to your email account. So you type email.com into your browser and your traffic goes out your router and goes to email.com and you log in. The attack I was doing basically means that instead of your traffic going out your router and to your email, it comes to me first and my computer then directs you wherever I want you to go. It has the option of doing it silently and I would just intercept everything you do and everywhere you go. I could also set it up to redirect you to somewhere completely different, so you type google.com and instead, I route you to www.shittygixxerisgay.com. It would also allow me to mirror pages and intercept your usernames and passwords for where you're trying to go. Does that make more sense?

It must have worked because www.shittygsxrisgay.com is experiencing a surge in traffic.
Likwid Posted October 5, 2009
> Ok.. so here it is again for the non computer people.
> So imagine you try to get to your email account. So you type email.com into your browser and your traffic goes out your router and goes to email.com and you log in. The attack I was doing basically means that instead of your traffic going out your router and to your email, it comes to me first and my computer then directs you wherever I want you to go. It has the option of doing it silently and I would just intercept everything you do and everywhere you go. I could also set it up to redirect you to somewhere completely different, so you type google.com and instead, I route you to www.shittygixxerisgay.com. It would also allow me to mirror pages and intercept your usernames and passwords for where you're trying to go. Does that make more sense?

And even more powerful is you just run the traffic through a parallel proxy and intercept all the unencrypted traffic. Easier said than done, since you need it to be client-side, pre-server traffic.
shittygsxr Posted October 5, 2009
I steal my neighbors' internet.
flounder (Author) Posted October 5, 2009
> So long as you didn't successfully poison any internal servers you probably didn't do any damage... now if you happened to deposit anything on the backbone then I'd lawl. When I worked for a LARGE company I inadvertently found a GIANT security bug that let me edit any file on the production servers with NO restrictions... told security, they said "meh, just don't tell anyone".

As soon as I killed it, it should have reversed what I did within 5 minutes (average refresh time). Either way, big woops, and I will make sure I don't do that again.
ReconRat Posted October 5, 2009
Interesting... to say the least. How about the traffic list in the router? Wouldn't that still be there? No firewall box logging all traffic?
flounder (Author) Posted October 5, 2009
> And even more powerful is you just run the traffic through a parallel proxy and intercept all the unencrypted traffic. Easier said than done, since you need it to be client-side, pre-server traffic.

Actually, what I was doing was just that. I was already man in the middle, so all the traffic was coming to me anyway.
flounder (Author) Posted October 5, 2009
> Interesting... to say the least. How about the traffic list in the router? Wouldn't that still be there? No firewall box logging all traffic?

Not for my home router. Nothing special there. I haven't had the Linux box running as a router/proxy for quite some time.
flounder (Author) Posted October 5, 2009
> I steal my neighbors' internet.

You would.. I had neighbors that did that for a while until I renamed my AP "Wireless Thieves" and started re-routing their traffic and flipping all their pages upside down.
ReconRat Posted October 5, 2009
> You would.. I had neighbors that did that for a while until I renamed my AP "Wireless Thieves" and started re-routing their traffic and flipping all their pages upside down.

Nice... or rename it to "click here to reformat your hard drive".
flounder (Author) Posted October 5, 2009
> Nice... or rename it to "click here to reformat your hard drive".

I used to leave it wide open just to see what kind of traffic I would get come across. It still has the same name but is secured now.
Likwid Posted October 5, 2009
> You would.. I had neighbors that did that for a while until I renamed my AP "Wireless Thieves" and started re-routing their traffic and flipping all their pages upside down.

LOL. I used to log into my neighbors' wifi and route all traffic to gay porn. This was at my apartment complex.... 50 unsecured networks to play with.
SWing'R Posted October 5, 2009
You guys are all a bunch of nerds! (says the guy with the Star Trek ringtone)
EagleCock Posted October 5, 2009
My mom walked in one time when I was jerking off... is it kinda like that?
Kosmo Posted October 5, 2009
Fellas.... that means...... keep your credit card transactions limited to only when flounder is..... drinking, track riding, or shooting in a range............
ReconRat Posted October 5, 2009
Why even show the SSID? Most people won't be able to deal with that.
Makes it more interesting, seeing who does...
Made me think, just edited the hosts file to kill the redirects on my test machine.
Was getting tired of that...
chrisknight Posted October 5, 2009
> So today, I was doing some pen testing at home and may have accidentally poisoned the company ARP table during a man in the middle attack session. I was doing some man in the middle attack, DNS spoof and session hijacking testing between some virtual machines, another laptop, and my router at home and sniffing the traffic at the same time to validate the session, and all of a sudden I noticed company IPs coming across my sniffer. That's when I realized I was VPN'd into work. <Insert O-Shit scream here> No idea how the ARP poisoning attack and DNS spoof broke out of my local network. Big woops. I called and put in a ticket just to make sure in case it caused problems and they actually think I was doing something. Try explaining that one to tech support. So note to self for everyone: make sure VPN is not connected when doing pen testing on your home network. Better yet.. make damn sure you know exactly where your network traffic can go, because Murphy's law says it's going to go all the places you don't want it to. For the non computer geeks: I was practicing breaking into stuff and intercepting network traffic for in-transit changes and may have caused issues with the company network. Big no-no.

Was your sniffer set to listen on all interfaces? More than likely, you just saw some broadcast traffic from your PPTP (or whatever you're using) VPN tunnel you had to work.
If you specifically directed your attacks to a specific subnet, they stayed on that subnet. Of course, I don't know exactly what you're using. (BackTrack?)
You're probably cool @ work. If not, flush your ARP table & move on. I wouldn't even tell anyone. Or, just wait. Once the ARP poisoning is over the clients will sort themselves out in time.
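An added example, written for this thread and not posted by anyone in it: a small audit over a constructed capture export that does the two checks the thread circles around, flagging an IP that answers ARP from more than one MAC (how a poisoned table looks from the wire) and listing records whose endpoints fall outside the home lab range, which is how anything that slipped into the VPN tunnel would show up if the session had been saved. The one-record-per-line format, the 192.168.1.0/24 lab range and the 10.20.0.0/16 "company" range are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture (hypothetical export format, not from the thread).
# Columns: ts src_ip src_mac dst_ip kind. The lab is 192.168.1.0/24; 10.20.x.x
# stands in for a company range reached over a VPN (placeholder value).
SAMPLE = """\
1 192.168.1.1   aa:aa:aa:aa:aa:01 192.168.1.50  arp-reply
2 192.168.1.1   aa:aa:aa:aa:aa:99 192.168.1.50  arp-reply
3 192.168.1.50  aa:aa:aa:aa:aa:50 192.168.1.1   dns
4 192.168.1.50  aa:aa:aa:aa:aa:50 10.20.3.7     dns
5 192.168.1.60  aa:aa:aa:aa:aa:60 192.168.1.1   http
"""

LAB = ipaddress.ip_network("192.168.1.0/24")


def parse(text):
    """Turn the export into a list of dicts, one per record."""
    rows = []
    for line in text.splitlines():
        ts, src, mac, dst, kind = line.split()
        rows.append({"ts": int(ts), "src": src, "mac": mac.lower(),
                     "dst": dst, "kind": kind})
    return rows


def arp_conflicts(rows):
    """IPs that were answered for by more than one MAC in ARP replies.

    A single IP flipping between two hardware addresses is the classic
    symptom of a poisoned ARP table (whether deliberate or accidental)."""
    seen = defaultdict(set)
    for r in rows:
        if r["kind"] == "arp-reply":
            seen[r["src"]].add(r["mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def out_of_scope(rows, scope=LAB):
    """Timestamps of records with either endpoint outside the lab range.

    Anything listed here left the home network, e.g. over an open VPN."""
    return [r["ts"] for r in rows
            if ipaddress.ip_address(r["src"]) not in scope
            or ipaddress.ip_address(r["dst"]) not in scope]


def audit(text):
    rows = parse(text)
    return {"conflicts": arp_conflicts(rows), "out_of_scope": out_of_scope(rows)}
```

Run `audit(SAMPLE)` on a real export after a test session to answer the "what traversed?" question the thread raises; an empty result for both keys is what a contained lab session should look like.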