Hacking Modems.


11 replies to this topic

#1 Powermaniac7 (mad 1337, Members, 138 posts)

Posted 28 March 2012 - 01:29 AM

Hi all,

Take this as a theoretical situation.

Okay, well, you are connected to a network that is connected to the internet; this is a wired connection. You can get the IP address of the gateway/modem that you are connected to. You do not know the modem username and password, and you need that to be able to get the network's connection password so other computers can be connected. You need that to connect to the network.

You can also work out what brand the modem is (but not the model) by going to its gateway page, which then prompts you with the username/password to mess around with the settings.

You don't have access to the modem, so there is no prospect of resetting it. You cannot install software on the computer you have network access with, but you can onto a USB or HDD or CD etc. You can also run a live distro of any form off a USB or CD. You also can't download anything to use. You can only bring programs installed on your USB/HDD/CD the next day if needed.

Now how do you get the modem username and password?

I recently came across a problem like this and wasn't able to get in via the defaults, so I was wondering if there is a password cracker of some sort that would actually work...

Thanks for any replies, Powermaniac.

Edited by Powermaniac7, 28 March 2012 - 01:34 AM.


#2 wwwd40 (DDP Fan club member, Members, 53 posts)

Posted 28 March 2012 - 03:23 AM

You have a couple of options: sniff traffic, either straight if it's a "flat" LAN or via MITM to flow the traffic via your own PC as if you are associated and authenticated with the network; then you can capture the traffic when an admin is connecting to the web GUI of the router. Or secondly you could use something like THC Hydra (http://www.thc.org/thc-hydra/) to attempt a (noisy) brute force. Depends on how stealthy you need to be :ninja:

/wd

#3 nyphonejacks (Dangerous free thinker, Members, 793 posts, Location: 718)

Posted 28 March 2012 - 04:13 PM


If the router/modem has no other DHCP addresses to assign, and your purpose is just to increase the number of DHCP addresses that it provides, why not just static-IP the additional PCs? You can ping around to figure out where the DHCP addresses are located, then go from there... If DHCP provides IP addresses in the 192.168.1.100 range, then you can try to start adding static IPs after 192.168.1.200. Just ping the IP addresses you want to use first to make sure they are not in use on the network...

#4 serrath (SUP3R 31337, Members, 181 posts)

Posted 28 March 2012 - 11:17 PM


I'm just going to assume you're attempting to get internet access on a network where you're only allowed limited or local access. They might have it subnetted so that only a certain list of IP addresses are allowed online. You'll want to do a quick scan of nearby hosts and note their IP and MAC addresses. By whatever means you choose, knock one off. Apply its MAC address (if you don't have the privileges in the native OS you'll need to use your LiveCD for this), and static yourself to its IP (if you don't automatically grab the same one).

This makes several assumptions as to how their network is set up, but since a DoS to crash whatever machine or disable it is much easier to pull off than actually breaking into the router, this should be what you go for. If you wind up having to clone the MAC address as well, you'll need to crash the machine since other DoS attacks won't be a viable option. (And in either case you're limited with your options there.)

I'm assuming you're doing this in a lab environment where you're not going to disrupt any services you do not provide, and that you own all machines involved or otherwise have explicit written permission to perform the described actions. :wink: (Or that this actually is a theoretical situation, but it sounds all too familiar.)

If they're using some Cisco equipment and have port security enabled, it'll stop taking traffic from the physical port on the router connected to your computer's Ethernet as soon as it notices two devices with the same MAC address on the network. So really: crash the machine you want to impersonate.

Edited by serrath, 28 March 2012 - 11:23 PM.


#5 serrath (SUP3R 31337, Members, 181 posts)

Posted 28 March 2012 - 11:30 PM

The above isn't exactly a stealthy approach, since you're crashing a machine. If you can make the crash look innocuous I guess it'd beat APR. Just keep in mind it addresses a very limited situation whereas APR is a pretty good approach in general to beat the situation you described.

You might try using a tool like NMap to do a more thorough scan of the device you're trying to connect to, and attempt connections on any open ports; sometimes a device will helpfully identify itself when you attempt to connect (especially if you attempt to connect improperly.)

Assuming you can't just grab the router's password and connect (i.e. SecureID card needed to access the router), you might try scanning the router or devices with full network access using Nessus to find a security hole.

Generally it's easier to find a security flaw in the way a network's been set up than in software/devices (i.e. it's easier to pull the subnetting workaround trick I mentioned in the previous post than to find an exploit to get root on the router). Try to figure out how the network is managed and work from there. Breaking in is more about finding design flaws than bugs.

Edited by serrath, 28 March 2012 - 11:31 PM.


#6 digitalchameleon (Will I break 10 posts?, Members, 9 posts)

Posted 30 March 2012 - 10:25 AM

Wireshark and arpspoof might be a good combo here, with the possible need for sslstrip. You can find all three on BT5rc2 (probably all BackTrack distros). Another approach might be to go for XSS or the like. Saw this not too long ago; might be good to read.

www.ngssecure.com/Libraries/White_Papers/ExploitingSecurityGatewaysViaWebInterfacesWhitepaper.sflb.ashx

Another tool to look into is routerpwn, but it's pretty basic. Generally, if all you want is access to the internet, there may be an easier way.

#7 Powermaniac7 (mad 1337, Members, 138 posts)

Posted 31 March 2012 - 04:19 AM

I do not wish to be a pain, but could you guys explain the steps in more detail? Some of what is being said is going over my head and I would appreciate it if they were explained a bit more...

Say, with the software you can download to do it, what are the steps to set up and perform to do this particular task?

Just curious is all, although this is something I could test. It wouldn't really achieve anything exactly, seeing as it says it is connected to the network but the browser doesn't connect to the internet for whatever reason -.-... Something odd, though: it didn't prompt me for a username and password to log onto the network... Hmm.

Thanks guys for the replies so far.

#8 serrath (SUP3R 31337, Members, 181 posts)

Posted 31 March 2012 - 04:27 AM

You might not want to try what you're thinking about trying until this makes more sense to you. Try some research on Wikipedia about networking, ARP, MITM attacks, and whatnot.

#9 Powermaniac7 (mad 1337, Members, 138 posts)

Posted 31 March 2012 - 04:29 AM

True... I tried setting up NMap recently and I swear it looks different compared to what it once looked like when I had it set up and open... Now I have no idea how to set it up...

And I don't really have the time to be reading through the entire setup =\

#10 SynFinAck (Will I break 10 posts?, Members, 9 posts, Location: Ugandanasiatown)

Posted 02 April 2012 - 09:17 AM

I would first of all try Zenmap, which is just a GUI for nmap.
insecure.org will help you out.

#11 Powermaniac7 (mad 1337, Members, 138 posts)

Posted 06 April 2012 - 03:26 AM

Interesting, maybe that was what I downloaded the first time...

Although I remember the site where I downloaded this program had a mention of movies that actually used their program, usually involving hacking of some sort.

...People seem to like down-repping me without supplying a reason why. I should add a tag line asking to be down-repped so it reverses and gets me up-reps hahahaa. I like explanations as to why so I can then explain myself...

#12 TheFunk (SUP3R 31337, Binrev Financier, 186 posts)

Posted 03 May 2012 - 06:58 PM


I'm going to go out on a limb and say that the reason this was down-repped is because you were asking for a tool to use, and a set of step-by-step instructions, rather than just a point in the right direction. It's cool though, I've done the same thing before. People tend to freak out about it. Of course I could be dead wrong :p

What I would do, personally, is impersonate one of the hosts (as was said earlier, this would involve crashing the host, and then changing your MAC and IP addresses to match the crashed host's), and then run Hydra for a bit.

Another option that was mentioned as well is a MITM (Man In The Middle) attack. ARP poisoning is a simple and effective way to perform such an attack.

ARP Poisoning

The concept of ARP Poisoning is simple. Your router keeps a table of IP addresses and their corresponding MAC addresses. ARP is the protocol that is used to resolve the two to one another. When you perform a MITM attack, specifically ARP poisoning, you are convincing the router that you are Computer A and you are convincing Computer A that you are the router, thereby poisoning the two, and placing yourself in the middle, thanks to your friend the Address Resolution Protocol.

Hopefully this was helpful!
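The flip side of the ARP poisoning TheFunk describes is how a network owner notices it: the gateway IP suddenly answering from a new MAC, and one MAC claiming both the router's IP and a host's. The following is an added example, not code from any poster, that runs that check over a constructed list of observed ARP replies (the sample data and the line format are assumptions, not a real capture):

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN, one per line:
# "<time> <sender IP> <sender MAC>". Not a real capture; the last three
# lines model the poisoning described in the thread (one MAC answering
# for both the gateway and Computer A).
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1 00:11:22:33:44:55
10:00:02 192.168.1.100 aa:bb:cc:dd:ee:01
10:00:03 192.168.1.101 aa:bb:cc:dd:ee:02
10:05:10 192.168.1.1 aa:bb:cc:dd:ee:09
10:05:11 192.168.1.100 aa:bb:cc:dd:ee:09
10:05:12 192.168.1.1 aa:bb:cc:dd:ee:09
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)


def parse_replies(text):
    """Yield (time, ip, mac) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoof(text, gateway_ip):
    """Return alert strings for two signals of ARP poisoning:
    (1) an IP (especially the gateway) starts answering from a MAC other
        than the one first learned for it;
    (2) one MAC claims more than one IP, i.e. it is impersonating both
        the router and a host at once."""
    first_mac = {}                  # ip -> MAC first seen for that IP
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in parse_replies(text):
        new_ip_for_mac = ip not in ips_per_mac[mac]
        ips_per_mac[mac].add(ip)
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            tag = " (gateway!)" if ip == gateway_ip else ""
            alerts.append(f"{ts} {ip} moved from {first_mac[ip]} to {mac}{tag}")
        if new_ip_for_mac and len(ips_per_mac[mac]) > 1:
            alerts.append(f"{ts} {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts
```

Running `detect_arp_spoof(SAMPLE_ARP_REPLIES, "192.168.1.1")` flags the gateway moving to the new MAC and that MAC claiming two IPs; a static ARP entry for the gateway or switch-side dynamic ARP inspection is the usual mitigation.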