PaulDotCom mailing list archives

Re: Rogue AP Placement: evil + 1


From: Robin Wood <robin () digininja org>
Date: Thu, 26 Aug 2010 14:48:15 +0100

On 26 August 2010 04:17, Chris Merkel <cmerkel () gmail com> wrote:
Had not seen that - looks like fun, I'll definitely check it out. Could
something like this be used in conjunction with an ARP cache poison to route
all traffic through the device, rather than just getting inline between a
device and the switch?

You could do arp poisoning from it but the specific design of this is
that traffic is bridged between the two wired interfaces and then
copied out to a waiting listener. I see it being used just in front of
either a single machine/printer or a very low usage switch. Imagine if
you could get it in front of the secretary for the CEOs machine, or
that printer. You capture all the traffic during office hours then
after hours you break the bridge, change the MAC on the network side
to match that of the machine you were intercepting and you are now on
the network as a legitimate machine.

Robin
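A defender-side check for the hand-off Robin describes (the intercepted host goes quiet, then its MAC is active out of hours as a "legitimate machine"): this is an added example, not code from the thread or from the Interceptor project. It assumes constructed flow records of the form "timestamp src_mac dst_port" (as a NetFlow or switch-side export might provide), learns each MAC's usual hours and destination ports from a baseline window, and flags records that fall outside that profile.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the thread): "timestamp src_mac dst_port".
# The first MAC is an office workstation; the second is a server that also works nights.
BASELINE = """
2010-08-23T09:05:00 00:1a:2b:3c:4d:5e 445
2010-08-23T11:20:00 00:1a:2b:3c:4d:5e 80
2010-08-23T16:45:00 00:1a:2b:3c:4d:5e 443
2010-08-24T08:55:00 00:1a:2b:3c:4d:5e 445
2010-08-24T17:10:00 00:1a:2b:3c:4d:5e 80
2010-08-24T02:00:00 00:aa:bb:cc:dd:ee 22
2010-08-24T14:00:00 00:aa:bb:cc:dd:ee 22
"""
TODAY = """
2010-08-25T10:00:00 00:1a:2b:3c:4d:5e 443
2010-08-25T16:20:00 00:1a:2b:3c:4d:5e 3389
2010-08-25T23:10:00 00:1a:2b:3c:4d:5e 22
2010-08-25T14:30:00 00:aa:bb:cc:dd:ee 22
"""

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, mac, port = line.split()
        rows.append((datetime.fromisoformat(ts), mac.lower(), int(port)))
    return rows

def learn_baseline(text, slack=1):
    """Per MAC: hours of day it was seen active, widened by `slack` hours either
    side so a host that normally stops at 17:xx is not flagged at 18:05, plus the
    set of destination ports it normally talks to."""
    hours, ports = defaultdict(set), defaultdict(set)
    for ts, mac, port in parse(text):
        for h in range(ts.hour - slack, ts.hour + slack + 1):
            hours[mac].add(h % 24)
        ports[mac].add(port)
    return hours, ports

def flag_out_of_profile(baseline_text, new_text):
    """Return (mac, timestamp, reason) for records outside the learned profile.
    Unknown MACs and activity at never-seen hours are the strong signals; a
    known host at a known hour but to a new port is reported as a softer one."""
    hours, ports = learn_baseline(baseline_text)
    alerts = []
    for ts, mac, port in parse(new_text):
        if mac not in hours:
            alerts.append((mac, ts.isoformat(), "unknown-mac"))
        elif ts.hour not in hours[mac]:
            alerts.append((mac, ts.isoformat(), "outside-baseline-hours"))
        elif port not in ports[mac]:
            alerts.append((mac, ts.isoformat(), f"new-dst-port-{port}"))
    return alerts
```

Since the tap's switch-facing interface stays physically connected when the bridge is broken, port link state alone will not show the hand-off; the change in when and how the MAC talks is the observable.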


- Chris
On Wed, Aug 25, 2010 at 5:06 PM, Robin Wood <robin () digininja org> wrote:

On 25 August 2010 22:40, Chris Merkel <cmerkel () gmail com> wrote:
Yeah, that does just about everything I need. I'm still going to drop a big
ugly pix and ghetto AP for the fun of it.
Aside from this all-in-wonderful pwnage device, anyone else have tips for
stealthy AP usage?
- Chris

Have you seen my Interceptor project?
http://www.digininja.org/interceptor/ If you build one of these you
can drop it on the network and use it to tap all the traffic during
the day then take over one of the devices that's been turned off
overnight or just become it and don't let legit traffic flow through
to it then you can do whatever you want out of hours.

Robin



On Wed, Aug 25, 2010 at 2:19 PM, Andrew Johnson <email () andrewcjohnson com> wrote:

Have you seen this? http://grep8000.blogspot.com/2010/07/introducing-pwn-plug.html
-A

On Wed, Aug 25, 2010 at 10:54 AM, Chris Merkel <cmerkel () gmail com> wrote:

Question directed to fellow pen-test / red-teaming ninjas:
Have a test coming up, and want to place a rogue AP. I fully expect that
a vanilla AP/router will be detected. I'm thinking about dropping a Cisco
PIX 501 with the rogue AP sitting on the other side of the NAT gateway, and
turning off all remote PIX management as well (if possible, it's been a while
since I admin'ed these.), maybe even turn off ICMP echo replies.
My guess is that this isn't going to be detected... My question is:
anyone gone to that level of evil to evade detection on a network? If so,
could you share any tips or gotchas you encountered along the way?
(BTW, you can get a PIX 501 on ebay for under 100 bucks... so well within
the reach of an attacker...)

--
- Chris Merkel

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
