Thanks for your input...Here is some more info:
The server uses dynamic DNS to update the DNS records. The domain
name(s) registrar provides the DNS services. The servers have one IP
address and they use virtual hosting to host multiple sites. We don't
like the idea of using the DMZ. We port forward the correct traffic to
the intended machines. No, the router's WAN admin feature is NOT
enabled! Also, the router/firewall's NAT feature is disabled. So
spoofing a local IP shouldn't matter...Example:
Using NAT - from a local machine (192.168.3.12) I tried to access the website
via domain name (www.mydomain.com) and as expected I was greeted with
the router's login prompt. This will keep local users from accessing the
server via its domain name but opens the router up for spoofed IP
attacks. If an attacker sent a request to www.domain.com and spoofed his
IP as a local IP he would most likely be greeted with the password
prompt 'cause the router thinks a local user is trying to access the
site via domain name.
NOT using NAT - from a local machine I try to access www.mydomain.com and
I am correctly routed to the *local* server. So just spoofing your IP
as local wouldn't help the attacker...he still has to access the router
via its local IP.
In order to log into the router's config page...you must be local AND
call the router via its local IP (192.168.3.3). So just spoofing his IP
wouldn't help much...I think anyway! We are going to switch to using a
Linux box as our outer perimeter firewall...but that is then and this is
now ;) Smoothwall looks promising...thanks
At any rate...the router has been reset and all firmware updated. But the
fact remains...The router's WAN admin feature is OFF. It is set up so
local IP spoofing attacks shouldn't work. But nonetheless...when I (from
WAN or LAN) tried to access one of the sites on the server I was greeted
with the router's password prompt! As far as I can tell not all of the hosted
sites' domain names, when requested, would serve up the login prompt.
This was temporary so we could only test the situation from when we
learned of it until it stopped (roughly 30 minutes)...but hey, when all
is said and done, it's not supposed to do that! And since it never has
before and hasn't since I believe there is a way to exploit this router
to force this behaviour.
Any help / comments / flames appreciated...
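A LAN-side check for the symptom described in the post, added here as an example and not part of the original thread: it requests each hosted site by its domain name and again by connecting straight to the web server's LAN address with the same Host header, then reports whether the by-name path was answered by a Basic-auth challenge (what a browser renders as the "password prompt") while the direct path was not. The site list and the server's LAN IP (192.168.3.10) are assumptions, since the post gives neither.

```python
"""Does a request for a hosted site by domain name reach the web server, or
is it answered by the router's admin interface? A browser shows a password
box for an HTTP 401 with a Basic challenge, so that is the fingerprint."""
import http.client

# Assumptions (not given in the post): the hosted sites, and the web
# server's LAN address (192.168.3.12 in the post is a client, not the server).
SITES = ["www.mydomain.com"]
LOCAL_SERVER_IP = "192.168.3.10"


def fingerprint(status, headers):
    """Reduce a response to the fields that tell a router admin page apart
    from the hosted site: status code, Server banner and any auth challenge."""
    h = {k.lower(): v for k, v in headers}
    return (status, h.get("server", ""), h.get("www-authenticate", ""))


def looks_like_login_prompt(fp):
    """True when the response is what a browser renders as a password box."""
    status, _server, challenge = fp
    return status == 401 and challenge.lower().startswith("basic")


def diagnose(by_name, direct):
    """Compare the response obtained via the domain name with the one obtained
    by connecting straight to the LAN server using the same Host header."""
    if looks_like_login_prompt(by_name) and not looks_like_login_prompt(direct):
        return "router-answered"      # the symptom from the post
    if by_name == direct:
        return "ok"                   # the name reaches the real vhost
    return "mismatch"                 # some other device or vhost answered


def fetch(host_header, connect_to, path="/"):
    """One GET with an explicit Host header, so virtual hosting is exercised
    the same way whether we connect by name or by LAN IP."""
    conn = http.client.HTTPConnection(connect_to, 80, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return fingerprint(resp.status, resp.getheaders())
    finally:
        conn.close()


def check_site(site, server_ip=LOCAL_SERVER_IP):
    return diagnose(fetch(site, site), fetch(site, server_ip))


if __name__ == "__main__":
    for site in SITES:
        print(site, check_site(site))
```

Run it from a LAN host while the symptom is occurring and again afterwards; a router that uses a form-based login instead of Basic auth will show up as "mismatch" rather than "router-answered", which is still worth investigating.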