Network Security Pen-Test
Re: Anonymizing Packets yet ensuring 0 % packet loss

Subject: Re: Anonymizing Packets yet ensuring 0 % packet loss
Date: Mon, 17 Sep 2007 14:14:04 -0400
Note, I have dropped the cross-post to Security basics as I got a ton
of bounces which appear to be related.

On 9/16/07, Vivek P <iamherevivek@gmail.com> wrote:
hi DotZero,

I'll give you a few ideas that may or may not work, depending. You
will still have to do some homework.

Seeing as you say you are on an internal network and have permission, then
I have less concern than from your original post.

Under the circumstances you describe, the first thing I would do is
see who else (or what else) is on your local network (as in network
mask). Are they using port lockdown on the switches? If not then you
have a chance to do an ARP poisoning attack. Even if they do have
lockdown enabled on the ports you should be able to attack local hosts
(That is, get their outbound traffic). This would be one line of
attack to explore. You might be able to capture some credentials.
Assuming you can do this sort of attack successfully you could
masquerade (or do a MITM attack) that would abuse the other host's IP
address and MAC address.

I'm going to assume that the network is using DHCP. That doesn't mean
that you can't come up with your own IP address in the subnet you are
on. Find out what is free and see if you can use it. Don't forget to
pick a MAC address other than your real one.

You might craft an attack against the admin network by using DNS. Send
a complaint to abuse@ about a domain that you control. What's the
first thing that most sysadmins do when getting a complaint? Do a
lookup of the domain. You can put all sorts of things in
DNS......including an attack crafted against the host likely to be
used by the sysadmin. Much faster than some of what you are
describing.

How about a website with attacks embedded in the page? Sucker the
admin into hitting it. Use a trick like phishers do.....put an encoded
iframe to inject malware or do driveby downloads using exploits.

Are there live exposed network jacks that you can get access to? How
about printers? Can you get access to wiring closets with patch
panels? How about patch panels that the admins are connected through?
Shove a hub in and sniff their traffic.

You mention FTP.....great way to collect credentials and accounts if
you can sniff the traffic. So, if the people whose credentials you
capture have accounts on UNIX (or Windows) hosts you could try
privilege escalation attacks or do attacks from the hosts they have
access to.

What network protocols are they using for routing (for example BGP)?
Can you attack there? Can you do VLAN hopping?

Just a few thoughts. Go beyond simple enumeration of services type
approaches. If you have physical access on the inside, some knowledge
of the setup and written permission to engage in attacks you should be
like a kid in a candy store. Again, I emphasize the permission aspect.
Some (many) of the approaches I would look at could get a person a
room with a view (through bars) in many jurisdictions if the person
does not have proper authorization.

You are looking for a straightforward approach to gaining control. As
an attacker, you are not playing by their rules even if you must take
them into account.

Get creative! You have significant advantages over the defenders. How
bad do you want success? Sounds like you wish to prove a point. If you
truly do have authorization then it sounds like the only consequences
are that someone tells you "We caught you".

I could go on but I think you get the point. Again, I'm making
assumptions based on what information you provided us. This is about
as much as I'd care to publicly discuss (and no, I'm not interested in
pursuing the conversation privately either.)

Happy hunting.

Dotzero
