Jim's
Tutorials

Spring 2016

Dylan - Fri Feb 26

pen testing

Jim says : Nothing here as of 1:50pm Fri Feb 26. You told me that you've been setting up a private network, with some advice from one of the John/Jons (Baker? Hill?). Time to document what you've been doing.

Dylan

Sorry about the delay in this write-up. Whenever I have a test in another class I usually end up dedicating time to that. Plus, I had a lot of interview calls and potential internship opportunities to negotiate. (I'm excited to fill you in when we meet.) All that being said, a lot of work was done over the last two weeks, utilizing a myriad of tools.
EDIT: Dang, the power went out hard tonight. csmarlboro is down, and so is my pen testing network. It may affect how much hands-on stuff I get to; either way, I'm at the dining hall translating my notes into a write-up.

Penetration Testing Network

Setting up a network is a vital part of a security test lab. There was a whole host of things I wasn't able to do in network security last semester due to, well... security concerns. First, Logan told me there was an extra computer in the gadgets room to use. The plan was to install a router OS on it. However, neither Logan nor I could get it to boot immediately, so I moved on. I probably could get it to work, but it didn't seem worth the 8 hours of debugging. There are some old computers upstairs in sci217 I've used before, but it is kind of painful to work with them. I would like to eventually work on one of the older computers, or get the one Logan has, to run a router OS like DD-WRT X86, zeroshell, or routerOS. The benefit of running one of these operating systems is that even the oldest computers are still usually more powerful than the hardware in routers-- plus I want to get experience with everything.
I did get a network set up. I think I mentioned early last week I was negotiating with Jon Baker about how to go about it in a safe way. He gave me an IP to assign to the router I would eventually set up, so we could also have Internet access. So, with none of the do-it-yourself methods working out for me, I ended up buying the cheapest router I could find on Amazon.
I got a TP-Link TL-WR841N (the Wireless N300) http://amzn.com/B001FWYGJS
Now, I was actually depressed at how plug-and-play setting up a router can be. It auto-detected DHCP settings, and took about 10 minutes start to finish. I've dealt with the admin panels of routers before, but this time I actually knew what all the options would do. I chose this router because it had the ability to implement WEP, WPA, and WPA2. This is important because I will soon be cracking wifi passwords at different security levels with aircrack. http://www.aircrack-ng.org/
Because of how quick set-up was, I followed Jon's advice of installing DD-WRT on my router. DD-WRT is free Linux-based firmware for routers. A good majority of the school's Cisco routers are flashed with DD-WRT.
A quick Google search, and I was surprised to find that my $15 router was compatible with DD-WRT. I found some guy's walkthrough on my exact router here: http://greggborodaty.com/installing-dd-wrt-tp-link-tl-wr841n/ although some of the steps he takes are a little outdated.
Basically, you just search DD-WRT's database of routers, which will tell you the specific DD-WRT build to flash with. In the 2014 DD-WRT version, my TP-Link router requires the tl-wr841ndv8 build. I had problems trying to flash with this-- I got warnings that it wasn't the right version for my hardware.
Eventually, I tried the 2015 beta versions and got it to work. Here is where I eventually got to: http://dd-wrt.com/site/support/other-downloads?path=betas%2F2015%2F04-01-2015-r26635%2Ftplink_tl-wr841ndv9%2F
Immediately, there isn't a huge difference between the admin panel for the TP-Link router and the DD-WRT version, but upon inspection I found a lot of great features. DD-WRT's main goal is to allow you to unlock your router's "potential" to broadcast a stronger signal, manage network traffic, and remotely access all your home computers. It gives me more control over the security suites, and even allows me to not broadcast the SSID!
The network
SSID: Penetration Testing
password: biscuits
admin panel: http://192.168.1.1 admin user: admin
admin password: biscuits

ARP spoofing

https://github.com/dylanmm/ARPy
We spent last tutorial talking about ARP spoofing, and stepping through some of my code-- also, in one of my programming workshop assignments, there is already a step-by-step write-up on it. The github repo is a tool I wrote in C to implement ARP spoofing. I'm revisiting this because now I have control over a router and I'm not navigating through a ton of switches (which may or may not be checking ARP packets and MAC addresses for validity).
So in testing ARPy, my control is using Ettercap-- and Ettercap worked like a charm, so on to testing my ARPy. First, find hosts with nmap -sn 192.168.1.1/24. The -sn flag is for a ping scan. During the ping scan, ARP will cache the MAC addresses needed. To get the router's IP and MAC, run netstat -nr to display the default gateway information. Then run arp -a to show the other IP and MAC addresses (which were populated by the ping scan). Then, run arpy!
sudo arpy -d wlan1 -t 192.168.1.110 -T 44:2a:60:f6:7c:1e -r 192.168.1.1 -R f4:f2:6d:a2:5c:ca
I got this to work using:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -F
This enables forwarding. I'm still deciphering how Ubuntu's firewall, iptables, handles prerouting. Prerouting would allow us to manipulate packets before they are forwarded. This can also be used to skew the packet data, called fuzzing, to test an application's behavior with bad data.
I'm still in research mode here on firewalls, but the basic flow should be a prerouting rule to a listening process, which outputs to a postrouting port.
This week I also spent some time installing ferret and hamster.
ferret https://github.com/robertdavidgraham/ferret
hamster https://github.com/robertdavidgraham/hamster
Ferret takes cookies from intercepted traffic, and hamster is a browser capable of using stolen cookies. I haven't gotten farther than installing these tools, and will continue to research session hijacking.

BASH Scripting

I've learned a ton about Linux while coding in C, and installing deprecated/unsupported tools that come installed on Kali Linux. Bash scripting appears everywhere, and is a good thing to know. I feel studying anything about it in depth is a little below where I am at, but I just wanted to show you a cool use of netcat and piping.
On virtualhacker.net, anything sent to port 9999 will be pasted and a shortened URL returned-- like a command line pastebin.
frosty@deathstar:~$ echo this is a test | nc virtualhacker.net 9999
http://virtualhacker.net/code/x22e13gg6s0f
frosty@deathstar:~$ fortune | cowsay | nc virtualhacker.net 9999
http://virtualhacker.net/code/4h0x9zdgjz5p
This is me piping fortune to cowsay to virtualhacker.
I will be looking into actual bash scripting and researching netcat more this week.

Metasploit

https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

Hackthiswebsite.org

Talking points.

Resources to talk about

(I'll go through these with you when we meet)
http://robertheaton.com/2014/03/27/how-does-https-actually-work/
https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
http://greggborodaty.com/installing-dd-wrt-tp-link-tl-wr841n/
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
http://www.devdungeon.com/content/using-libpcap-c
https://mitmproxy.org/
http://yuba.stanford.edu/~casado/pcap/section1.html
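From the defender's side of the ARP spoofing section above, here is an added example (not ARPy and not code from the write-up) of the symptom a run like the arpy command leaves on the wire: the gateway's IP being claimed by a second MAC, and one MAC claiming both the gateway and a host. The gateway and host MACs are the ones in the arpy command; the impostor MAC 02:00:00:00:be:ef and the sample reply stream are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ArpReply(NamedTuple):
    ts: float          # seconds since capture start
    sender_ip: str     # IP the "is-at" reply claims to own
    sender_mac: str    # MAC it claims owns that IP


GATEWAY_IP = "192.168.1.1"   # default gateway from the netstat -nr step above


def find_conflicts(replies: List[ArpReply]) -> List[str]:
    """Return one alert per (IP, new MAC) pair where an IP changes owner.

    A spoofer must keep re-sending replies to stay in the victims' caches,
    so both the real owner and the impostor show up in the same stream.
    """
    seen: Dict[str, Dict[str, float]] = defaultdict(dict)  # ip -> {mac: first_ts}
    alerts: List[str] = []
    for r in replies:
        mac = r.sender_mac.lower()            # normalise case before comparing
        owners = seen[r.sender_ip]
        if mac not in owners:
            if owners:                        # a second MAC now claims this IP
                prev = ", ".join(sorted(owners))
                tag = "GATEWAY" if r.sender_ip == GATEWAY_IP else "host"
                alerts.append(f"t={r.ts:.1f}s {tag} {r.sender_ip} moved from {prev} to {mac}")
            owners[mac] = r.ts
    return alerts


def macs_claiming_multiple_ips(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """MACs that claim more than one IP: a single host impersonating both
    the gateway and a victim, which is what a two-sided arpy run does."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        ips[r.sender_mac.lower()].add(r.sender_ip)
    return {m: s for m, s in ips.items() if len(s) > 1}


# Constructed sample stream: legitimate owners first, then an impostor
# (made-up MAC 02:00:00:00:be:ef) answering for both the gateway and .110.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1",   "f4:f2:6d:a2:5c:ca"),
    ArpReply(0.5, "192.168.1.110", "44:2a:60:f6:7c:1e"),
    ArpReply(3.0, "192.168.1.1",   "02:00:00:00:BE:EF"),   # impostor, upper-case
    ArpReply(3.0, "192.168.1.110", "02:00:00:00:be:ef"),   # impostor for the host
    ArpReply(5.0, "192.168.1.1",   "02:00:00:00:be:ef"),   # repeat, already known
]

if __name__ == "__main__":
    for line in find_conflicts(SAMPLE):
        print("ALERT", line)
    print(macs_claiming_multiple_ips(SAMPLE))
```

Feeding it the sender fields of real ARP replies (for example from a pcap of the lab network) is the only change needed to run it against a capture.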

Jim: similar resources

https://exploit-exercises.com/
http://www.counterhack.net/Counter_Hack/Challenges.html
last modified Wednesday March 2 2016 11:33 am EST

attachments

name: sslhandshake.pcapng, last modified: Mar 2 2016 4:50 am, size: 7.44kB