
For the computer nerds...


flounder


So today, I was doing some pen testing at home and may have accidentally poisoned the company ARP table during a man in the middle attack session. I was doing some man in the middle attack, DNS spoof and session hijacking testing between some virtual machines, another laptop, and my router at home and sniffing the traffic at the same time to validate the session, and all of a sudden I noticed company IPs coming across my sniffer. That's when I realized I was VPN'd into work. <Insert O-Shit scream here> No idea how the ARP poisoning attack and DNS spoof broke out of my local network. Big whoops. I called and put in a ticket just to make sure in case it caused problems and they actually think I was doing something. Try explaining that one to tech support. So note to self for everyone: make sure the VPN is not connected when doing pen testing on your home network. Better yet.. make damn sure you know exactly where your network traffic can go, because Murphy's law says it's going to go all the places you don't want it to.

For the non computer geeks. I was practicing breaking into stuff and intercepting network traffic for in transit changes and may have caused issues with the company network. Big no-no.


lol!

your work doesn't just flat out filter that!

I thought for sure you were going to say you went and downloaded a bunch of porn while vpn'ed

It scared the hell out of me as soon as I saw the company VPN IPs coming through. I killed everything so quick my head was spinning, and then I ran straight to the fridge for a beer. In hindsight, I should have at least saved the session so I could determine exactly what traversed. After I started thinking about it, I was thinking the same thing of why the hell would that have gone through, but then again I was VPN'd as a trusted internal host so who knows. I'm hoping now it was just the DNS traffic trying to resolve through the MITM attack. Like I said, I wish I would have saved the traffic for review.


Ok.. so here it is again for the non computer people

So imagine you try to get to your email account. So you type email.com into your browser and your traffic goes out your router and goes to email.com and you log in. The attack I was doing basically means that instead of your traffic going out your router and to your email, it comes to me first and my computer then directs you wherever I want you to go. It has the option of doing it silently, and I would just intercept everything you do and everywhere you go. I could also set it up to redirect you to somewhere completely different, so you type google.com and instead, I route you to www.shittygixxerisgay.com.

It would also allow me to mirror pages and intercept your usernames and passwords for where you're trying to go, or automatically trigger your computer to download files even though you typed in google.com.

Does that make more sense?



So long as you didn't successfully poison any internal servers you probably didn't do any damage... now if you happened to deposit anything on the backbone then I'd lawl. When I worked for a LARGE company I inadvertently found a GIANT security bug that let me edit any file on the production servers with NO restrictions... told security, they said "meh, just don't tell anyone"




It must have worked because www.shittygsxrisgay.com is experiencing a surge in traffic :cool:



And even more powerful is you just run the traffic through a parallel proxy and intercept all the unencrypted traffic; easier said than done, since you need it to be client-side, pre-server traffic.



As soon as I killed it, it should have reversed what I did within 5 minutes (average refresh time). Either way, big whoops, and I will make sure I don't do that again.



Actually what I was doing was just that. I was already man in the middle so all the traffic was coming to me anyway.


interesting... to say the least. How about the traffic list in the router? Wouldn't that still be there? No firewall box logging all traffic?

Not for my home router. Nothing special there. I haven't had the Linux box running as a router/proxy for quite some time.


You would.. I had neighbors that did that for awhile until I renamed my AP "Wireless Thieves" and started re-routing their traffic and flipping all their pages upside down.

nice... or rename it to "click here to reformat your hard drive"



LOL I used to log into my neighbors' wifi and route all traffic to gay porn. This was at my apartment complex.... 50 unsecured networks to play with.


Why even show the SSID? Most people won't be able to deal with that.

Makes it more interesting, seeing who does...

Made me think, just edited hosts file to kill the redirects on my test machine.

Was getting tired of that...



Was your sniffer set to listen on all interfaces? More than likely, you just saw some broadcast traffic from your PPTP (or whatever you're using) VPN tunnel you had to work.

If you specifically directed your attacks to a specific subnet, they stayed on that subnet. Of course, I don't know exactly what you're using. (BackTrack?)

You're probably cool @ work. If not, flush your ARP table, & move on. I wouldn't even tell anyone. Or, just wait. Once the ARP poisoning is over the clients will sort themselves out in time.
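The two practical points in this thread are the sniffer bound to every interface (including the VPN tunnel) and the question of whether the ARP poisoning stayed on the home subnet. The following is an added example, not code from anyone in the thread: a small Python pre-flight and post-mortem helper that (a) picks only the capture interfaces that sit on the lab subnet, (b) refuses any test target outside the lab subnet or inside a range reserved for the work VPN, and (c) scans a list of ARP replies for IPs claimed by more than one MAC, which is what a poisoned ARP cache looks like in a saved capture. The interface list, subnets and ARP records are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample interface table: (interface name, IPv4 address).
# "tun0" stands in for the work VPN tunnel the original poster forgot about.
SAMPLE_INTERFACES = [
    ("lo", "127.0.0.1"),
    ("eth0", "192.168.1.10"),
    ("tun0", "10.8.0.5"),
]

# Constructed ARP-reply records: (seconds since capture start, sender IP, sender MAC).
# Not a real capture; the last two rows model the two-sided poisoning the thread describes.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # router answering for its own IP
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # lab VM answering for its own IP
    (1.0, "192.168.1.1", "AA:BB:CC:00:00:01"),    # same router, MAC just in upper case
    (1.2, "192.168.1.1", "de:ad:be:ef:00:99"),    # a third host now claims the router's IP
    (1.3, "192.168.1.20", "de:ad:be:ef:00:99"),   # ...and the VM's IP as well
]


def select_capture_interfaces(interfaces, lab_subnet):
    """Return the names of interfaces whose address lies inside the lab subnet.

    Binding a sniffer to "all interfaces" is how VPN tunnel traffic ends up in a
    home-lab capture; this keeps the capture on the lab segment only.
    """
    lab = ipaddress.ip_network(lab_subnet)
    return [name for name, addr in interfaces if ipaddress.ip_address(addr) in lab]


def check_test_scope(targets, lab_subnet, forbidden_subnets):
    """Return {target: reason} for every target that must not be touched.

    A target is rejected if it is outside the lab subnet or inside any
    forbidden range (e.g. the address space the work VPN hands out).
    """
    lab = ipaddress.ip_network(lab_subnet)
    forbidden = [ipaddress.ip_network(n) for n in forbidden_subnets]
    problems = {}
    for target in targets:
        addr = ipaddress.ip_address(target)
        if addr not in lab:
            problems[target] = "outside lab subnet"
        for net in forbidden:
            if addr in net:
                problems[target] = f"inside forbidden range {net}"
    return problems


def detect_arp_conflicts(replies):
    """Return {ip: sorted MACs} for every IP that more than one MAC claimed.

    MACs are normalised to lower case so a case difference is not a conflict.
    In a clean network each IP maps to exactly one MAC for the life of the
    capture; two or more is the signature of ARP poisoning.
    """
    claimed = defaultdict(set)
    for _, ip, mac in replies:
        claimed[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claimed.items() if len(macs) > 1}


if __name__ == "__main__":
    # Pre-flight: what would we capture on, and is every target in scope?
    print("capture on:", select_capture_interfaces(SAMPLE_INTERFACES, "192.168.1.0/24"))
    print("scope problems:", check_test_scope(
        ["192.168.1.20", "10.8.0.5", "192.168.2.7"], "192.168.1.0/24", ["10.0.0.0/8"]))
    # Post-mortem: which IPs in the saved ARP traffic were claimed by several MACs?
    print("arp conflicts:", detect_arp_conflicts(SAMPLE_ARP_REPLIES))
```

The scope check deliberately reports the forbidden-range reason last so that an address which is both outside the lab and inside the VPN range is flagged with the more specific message. Running the same conflict detector over a capture taken after the tools were stopped would show whether the caches had actually sorted themselves out, which is the review the poster wished he could have done.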
