
Thread: Investigate connection to the internet

  1. #1
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Investigate connection to the internet

    On a particular network, I need to test for the presence of a connection to the internet. This connection might consist of just a router that leads to the internet (such as in a home network), or it might be something special like a proxy server with a built-in firewall (such as in a college or university).

    At home, my broadband router has an address of 192.168.1.254. To gain access to the internet, all I have to do is set 192.168.1.254 as my default gateway and then I'm ready to go.

    Back when I was in college, there was a strict firewall in place. The only traffic that was allowed to the internet had to have a TCP destination port of either 80 or 443. UDP was blocked altogether. Also, port 80 could not be used for SSL, you could only have SSL over port 443. (I tested all of this out myself as part of a project I was doing for college). The college also had a proxy server, and you had to go through the proxy server to gain access to the internet.

    So anyway, here's the situation: You're hired to pentest a network. The administrator says to you: "I'm giving you no information whatsoever about this network, just take your laptop, come within range of an access point and see what you can do". This, in my opinion, is the best way of going about pentesting. Later on, if the pentester has no success, you can give him more information to help him along, just to see how much info you need to give him before he can wreak havoc.

    OK so let's say first and foremost you get around the wireless encryption (WEP, WPA, whatever). Next you try to do a DHCP request, but you get no response, so it looks like there's no DHCP server on the network.
    Next you open Wireshark to see what kind of packets are bouncing around. You see that many machines have addresses like 192.168.1.*, so you figure the network might be 192.168.1.0/24.

    Next thing you do is run up netdiscover and it finds the following hosts:
    192.168.1.1
    192.168.1.100
    192.168.1.102
    192.168.1.254

    So you give yourself an IP address:
    ifconfig wlan0 192.168.1.137 netmask 255.255.255.0

    Next you want to see if there's a connection to the internet. Normally, you could just open up Wireshark and see if there's any packets with public IP addresses. If you see any, just take a look at what MAC address they're coming from and you know that that's the router that leads to the internet.

    However you might not see public IP packets if:
    1) It's a switched network (as opposed to hubbed)
    2) You're working outside of hours when there's no internet traffic.

    So how do you poke around to see if there's a connection to the internet?

    Well here's one method: Given the list of IP addresses we got from netdiscover, we could set each of them as our default gateway and then try to ping google.com. For instance:
    route add default gateway 192.168.1.1
    ping 64.233.161.104 (see if we get a response...)
    route add default gateway 192.168.1.100
    ping 64.233.161.104 (see if we get a response...)
    route add default gateway 192.168.1.102
    ping 64.233.161.104 (see if we get a response...)
    route add default gateway 192.168.1.254
    ping 64.233.161.104 (see if we get a response...)

    If we get a ping response then we know we've got an internet connection.

    What I'd like people's advice on, however, is what's the most "firewall friendly" way of checking for a connection to the internet? Here are a few possible methods:
    1) Ping google.com and see if you get a response.
    2) Do a DNS look-up of google.com using a public DNS server and see if you get a response.
    3) Try to load the Google webpage and see if you get a response.

    The first option will result in the sending of an ICMP packet, while the second will result in the sending of a UDP packet to port 53. If the network has a very strict firewall, both these packets might not make it to the internet (they would have been blocked by my college firewall). The third option will result in a TCP packet to port 80, which is quite likely to make it through a firewall.

    Can anyone think of an even better way of checking for an internet connection, or is a TCP request to port 80 the best bet? (I want advice on this because I'm currently writing a pentesting program and I want to use the best method possible).

    If this method fails to find a connection to the internet, then the next step would be to check whether any of the hosts act as a proxy server to the internet, and again I think loading the Google webpage via the suspected proxy server would be a good way of testing.

    Has anyone ever encountered a firewall that blocked http access to google.com?

    I have a friend of mine who's the administrator of a network of about 40 computers in the local school. There's also a wireless access point so that teachers can bring their own laptops in. There about a week ago, I joked with him about pentesting the school network, and he seemed quite open to the idea, so he permitted me to do so but only after 5pm on weekdays. It works out good for the both of us, I get experience plus he gets to see whether his network security is good enough. Last Friday I dropped by the school to take a quick look but I only had half an hour or so before I had to head off again. I said to my friend that the best way to go about pentesting the network was for him to give me no information whatsoever. So I sat down in the staff area, powered up my laptop and ran Airodump. First and foremost, the wireless access point was protected with WEP instead of WPA. I rang him up straight away and was like "Are you for real? The school network is secured with WEP". He responded saying that they had to use WEP because the teachers were having trouble connecting to WPA. Anyway moving on...

    So I got by the WEP in a couple of minutes and the next thing I wanted to do was check for a connection to the internet (because his greatest concern was that students would hack in to download movies and the like). To test for the presence of an internet connection, I used the method described above, I set each and every machine as my default gateway and then I used the following three methods to check for an internet connection:
    1) Ping google.com
    2) Do a DNS-lookup of google.com using a known public DNS server
    3) Try to load the google.com webpage

    For each and every machine on the network, all of these tests failed to show a connection to the internet. So next I had a hunch. On all the firewalled networks I've ever worked on, even with the most strict of firewalls, there's always been a private DNS server. So I opened up my "resolv.conf" file and set the DNS server to 192.168.1.1, then I did a DNS look-up of google.com... and it succeeded! So I thought to myself hmm, just to make sure this isn't a cached hit, I'm going to try a more exotic website, so I tried "nslookup monkeydog.com". That too succeeded with the correct IP address. So now I was confident that 192.168.1.1 had a connection to the internet.

    So I sat back for a second. I knew there was a connection to the internet, and I knew that 192.168.1.1 was probably some sort of gateway to the internet. My next hunch was that 192.168.1.1 might be a proxy server, so I went into Mozilla, set 192.168.1.1:8080 as my proxy server, but then when I tried to load the Google webpage it said the proxy server was refusing connections.

    Hmm, so I sat back again. I decided to do a port scan on 192.168.1.1, and I found that it had three ports open: TCP 80, TCP 23, and UDP 53. Of course the next thing I did was try to load 192.168.1.1 as a webpage in my browser, and immediately a dialog box popped up asking me for the password for "Room 3c Router". I tried "User: admin, Password: password" and stuff like that but no dice. Next I tried to telnet the router, but that too asked for a password.

    So at this point I was fairly certain that 192.168.1.1 was a router that had a DNS daemon that forwarded DNS requests on to the internet. I wanted to snoop around a bit more but I had somewhere to be so I'll have to go back one of the days next week.

    Has anyone got a hunch about how 192.168.1.1 might provide a connection to the internet? I've tried setting it as my default gateway and I've also tried setting it as my proxy server, but both methods fail. I'm certain it has an internet connection though because it succeeds on every DNS request I give it.

    But anyway back to the main question: What's the most non-invasive way of testing for an internet connection, a method that will make it through any firewall? Should I go with a TCP to port 80 of google.com?
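The three checks this post runs against each candidate host (default gateway plus TCP/80, HTTP proxy on 8080, and a direct DNS query), as an added example that is not the poster's own program. It assumes Linux with iproute2 (`ip route`) and root for the route change; the candidate addresses and the 8080 proxy port are the ones used in the post, the 64.233.161.104 probe address is the one pinged above, and SAMPLE_RESPONSE is a constructed DNS reply (not captured traffic) so the parser can be exercised offline. The DNS query is built and parsed by hand so the check does not depend on whatever resolver the laptop is currently configured with.

```python
# Candidate-host probes for the question above: added example for this thread,
# not the poster's program. Assumes Linux with iproute2 (`ip route`) and root
# for the route change; candidate addresses and the 8080 proxy port are the
# thread's, and SAMPLE_RESPONSE is a constructed DNS reply, not captured data.
from __future__ import annotations

import socket
import struct
import subprocess
import sys
from dataclasses import dataclass

PROBE_HOST = "www.google.com"   # name used for the HTTP and DNS checks
PROBE_IP = "64.233.161.104"     # the public address pinged in the first post
TIMEOUT = 3.0
TXID = 0x1234                   # fixed transaction id is fine for a one-shot probe


def build_dns_query(name: str, txid: int = TXID) -> bytes:
    """Minimal RFC 1035 A query for `name`: RD=1, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past a DNS name at `pos`, including a two-byte compression pointer."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_dns_answer(resp: bytes, txid: int = TXID) -> list[str]:
    """IPv4 addresses in the answer section; [] on a short reply or wrong txid."""
    if len(resp) < 12 or struct.unpack("!H", resp[:2])[0] != txid:
        return []
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):            # step over the echoed question
        pos = _skip_name(resp, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


# Constructed reply (not captured): google.com A 64.233.161.104, name compressed to 0x0c
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                   + b"\x06google\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + socket.inet_aton("64.233.161.104"))


def dns_lookup_via(resolver_ip: str, name: str = PROBE_HOST) -> list[str]:
    """Check 3: ask `resolver_ip` directly on UDP/53 and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        try:
            s.sendto(build_dns_query(name), (resolver_ip, 53))
            resp, _ = s.recvfrom(512)
        except OSError:
            return []
    return parse_dns_answer(resp)


def http_reachable(proxy: str | None = None) -> bool:
    """Checks 1 and 2: HEAD to PROBE_IP on TCP/80, or an absolute-URI HEAD via proxy host:port."""
    host, port = proxy.rsplit(":", 1) if proxy else (PROBE_IP, "80")
    target = f"http://{PROBE_HOST}/" if proxy else "/"
    req = f"HEAD {target} HTTP/1.1\r\nHost: {PROBE_HOST}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, int(port)), timeout=TIMEOUT) as s:
            s.sendall(req.encode())
            return s.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


@dataclass
class ProbeResult:
    candidate: str
    as_gateway: bool    # public TCP/80 works with candidate as the default route
    as_proxy: bool      # candidate:8080 relays an HTTP request
    as_resolver: bool   # candidate answers a DNS query for a public name

    def verdict(self) -> str:
        if self.as_gateway:
            return "routes to the internet (usable as default gateway)"
        if self.as_proxy:
            return "HTTP proxy to the internet"
        if self.as_resolver:
            return "forwards DNS only: has upstream reachability but offers no route or proxy"
        return "no evidence of internet access"


def probe(candidate: str, iface: str) -> ProbeResult:
    """All three checks against one host; replaces the default route, so needs root."""
    subprocess.run(["ip", "route", "replace", "default", "via", candidate, "dev", iface], check=True)
    return ProbeResult(candidate, as_gateway=http_reachable(),
                       as_proxy=http_reachable(proxy=f"{candidate}:8080"),
                       as_resolver=bool(dns_lookup_via(candidate)))


if __name__ == "__main__":   # usage: sudo python3 probe.py wlan0 192.168.1.1 192.168.1.254 ...
    for host in sys.argv[2:]:
        r = probe(host, sys.argv[1])
        print(f"{r.candidate}: {r.verdict()}")
```

The "forwards DNS only" verdict is the situation the post ends on: a box that answers recursive queries for public names has upstream reachability of its own, but that says nothing about whether it will route or proxy for you, which is exactly why the gateway and proxy checks are kept separate from the resolver check.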

  2. #2
    Member
    Join Date
    Apr 2007
    Posts
    155

    Default

    Wow thats quite a story!

    I would say that TCP to google would be the least invasive and least noticeable for network protection suites.

    I think something that might help is if you did a MAC address lookup, get the MAC of the 192.168.1.1 and then http://www.coffer.com/mac_find/ and that could help as far as identifying what kind of hardware it is.
    This is a hackers forum :P
    root ~# aircrack-ng pwnd-01.cap
    Lenovo Thinkpad R500, OS: Ubuntu 8.10, BackTrack3, Windows XP (VirtualBox), Windows Vista, Windows 7 beta

  3. #3
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Can people help me out in constructing a list of things which indicate that a particular machine might provide a way to the internet, and also ways of testing that machine to see if it provides a way to the internet. (I'm trying to use the word "way" instead of "route" because I'm referring to proxy servers as well as routers, and also other technology I don't know about!). Firstly, here's the most obvious method:

    1) Set the machine as your default gateway and see if you can load the Google webpage.

    Next thing I'd try would be:

    2) Set the machine as your proxy server and see if you can load the Google webpage.

    Next:

    3) Set the machine as your DNS server, and see if you can perform a DNS look-up.

    Of course, you can jump the gun and just port scan the machine in question and that will reveal if ports TCP 80, TCP 8080 or UDP 53 are open, but you'd be just as quick actually sending out these requests, and you'd also find out definitively whether you'll get a reply from the internet. What other things are there to test for? What dead giveaways are there that a particular machine provides a way to the internet?

    So far, the program I'm writing does the following:
    - Passively listens to traffic and makes a list of what IP addresses are associated with what MAC addresses (sort of like netdiscover). Where it differs from netdiscover though, is that instead of having several listings for one MAC address, all IP addresses are lumped together under the MAC address they originated from. Also, it will tell you whether any of the machines has ever sent or received a "public" packet.
    - Optionally, you can send out ARP requests to a network range of your liking (e.g. 192.168.1.0/24)
    - Next, you can send a "public" packet to each of the machines to see if any of the machines will forward it on to the internet.

    Future functionality planned is:
    - Send a proxy server packet to each of the machines to see if any of them are a proxy to the internet.
    - Send a DNS look-up to each of the local machines to see if any of them can retrieve an IP address.

    It would be a pentesting tool aimed at administrators whose main concern is to stop people from hacking in to download from the internet.
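The passive listener described in this post (one record per MAC with all its IPs lumped together, plus a flag for whether that MAC has ever carried a "public" packet), as an added example that is not the poster's program. It parses raw Ethernet frames, so it could be fed from a pcap or a raw socket; everything in demo() is constructed traffic, and the MAC addresses, 8.8.8.8 and the VLAN id are assumptions. It goes one step beyond the post by separating "sent or received a public packet" from "was the layer-2 endpoint for a public address", because on a switched LAN the second is what singles out the router.

```python
# Passive MAC/IP inventory with "has this MAC handled a public address" flags.
# Added example for this thread, not the poster's program; it parses raw frame
# bytes, so it can be fed from a pcap or a raw socket. All traffic in demo() is
# constructed for illustration, not captured.
from __future__ import annotations

import ipaddress
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass, field

ETH_IPV4, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_public(ip: str) -> bool:
    """Routable internet address: RFC 1918, loopback, link-local, multicast,
    reserved and 0.0.0.0 all count as non-public."""
    a = ipaddress.IPv4Address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


@dataclass
class Host:
    ips: set = field(default_factory=set)  # addresses this MAC has used as source (IP or ARP)
    public_frames: int = 0                 # frames to/from this MAC that carry a public IP
    forwarded_frames: int = 0              # frames where the IP on this MAC's side is public


class Inventory:
    """One record per MAC with all its IPs lumped together, as the post describes."""

    def __init__(self) -> None:
        self.hosts: dict[str, Host] = defaultdict(Host)

    def feed(self, frame: bytes) -> None:
        if len(frame) < 14:
            return
        dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
        etype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if etype == ETH_VLAN and len(payload) >= 4:            # 802.1Q: skip the tag
            etype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
        if etype == ETH_IPV4 and len(payload) >= 20:
            src_ip, dst_ip = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
            self.hosts[src].ips.add(src_ip)
            crosses = is_public(src_ip) or is_public(dst_ip)
            for mac, ip in ((src, src_ip), (dst, dst_ip)):
                if crosses:
                    self.hosts[mac].public_frames += 1
                if is_public(ip):      # a LAN MAC speaking for an address it cannot own
                    self.hosts[mac].forwarded_frames += 1
        elif etype == ETH_ARP and len(payload) >= 28:           # sender MAC/IP pair
            self.hosts[mac_str(payload[8:14])].ips.add(socket.inet_ntoa(payload[14:18]))

    def gateway_candidates(self) -> list[str]:
        """MACs that relay public traffic while also holding a private address:
        the look of a NAT router on a switched LAN, found without any active scan."""
        return sorted(mac for mac, h in self.hosts.items()
                      if h.forwarded_frames and any(not is_public(ip) for ip in h.ips))


def ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               vlan: int | None = None) -> bytes:
    """Constructed Ethernet + IPv4 header (zero checksum, no payload) for testing."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip


def arp_frame(src_mac: str, src_ip: str) -> bytes:
    """Constructed broadcast ARP request announcing src_mac/src_ip."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, sha, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(src_ip))
    return b"\xff" * 6 + sha + struct.pack("!H", ETH_ARP) + arp


def demo() -> Inventory:
    """Constructed sample: a client exchanging packets with 8.8.8.8 through the
    router's MAC, the router's ARP, a local mDNS frame and a VLAN-tagged local flow."""
    router, client, other = "00:11:22:33:44:01", "aa:bb:cc:dd:ee:64", "aa:bb:cc:dd:ee:66"
    inv = Inventory()
    inv.feed(ipv4_frame(client, router, "192.168.1.100", "8.8.8.8"))
    inv.feed(arp_frame(router, "192.168.1.1"))
    inv.feed(ipv4_frame(router, client, "8.8.8.8", "192.168.1.100"))
    inv.feed(ipv4_frame(other, "01:00:5e:00:00:fb", "192.168.1.102", "224.0.0.251"))
    inv.feed(ipv4_frame(client, other, "192.168.1.100", "192.168.1.102", vlan=10))
    return inv


if __name__ == "__main__":
    inv = demo()
    for mac, h in sorted(inv.hosts.items()):
        print(f"{mac}  ips={sorted(h.ips)}  public={h.public_frames}  forwarded={h.forwarded_frames}")
    print("gateway candidates:", inv.gateway_candidates())
```

In the constructed sample the client and the router both "touch" public packets, but only the router is ever the Ethernet endpoint for the public address itself, so only the router comes out of gateway_candidates(); that distinction is what makes the passive listing useful on a switched network where you only ever see your own frames and broadcasts.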

  4. #4
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Lightbulb

    You sound a bit like a professional Virchanza, so excuse me if this idea is useless :b. But what about, as step 4, performing an ARP poisoning if there are any hosts on the network, sniffing with Wireshark to gather some information about whether or not there actually is an internet connection? It is a bit of an offensive approach but what do you think about that (: ?
    - Poul Wittig

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Virchanza, I think 192.168.1.1 is the AP, try to send a request for its routing table, and look for a router or server it's connected to or another subnet. I think it just forwards it, so try sending packets to another subnet like nemesis tcp -x80 -y 80 -D 192.168.2.1 -S 192.168.1.137 -H mac of 192.168.1.1 -M your mac, just keep adding +1 to 192.168.*.1 and see if you get a reply packet. I don't think the AP is connected straight to a BB router, if you can get it to forward traffic, probably by spoofing your MAC to that of a teacher at 5:01pm, then it should forward it. Try using nmap to only scan port 80 with the -O option, if it reports a router, look for another subnet, if it's a server that will probably be the internet connection

  6. #6
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by Deathray View Post
    You sound a bit like a professional Virchanza, so excuse me if this idea is useless
    Not at all Deathray, I'm not that well up on pentesting at all. I only started learning about Ethernet and networking in general about two years ago, and any knowledge I have of pentesting is pretty much based on my knowledge of Ethernet.

    So anyway feel free to throw suggestions out there. I'll look up ARP poisoning coz I don't know much about it.

  7. #7
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by compaq View Post
    Virchanza, I think 192.168.1.1 is the AP, try to send a request for its routing table, and look for a router or server it's connected to or another subnet.
    Do you mean something like the RIP protocol? I'll have to look that up.

    Quote Originally Posted by compaq View Post
    I think it just forwards it, so try sending packets to another subnet like nemesis tcp -x80 -y 80 -D 192.168.2.1 -S 192.168.1.137 -H mac of 192.168.1.1 -M your mac, just keep adding +1 to 192.168.*.1 and see if you get a reply packet. I don't think the AP is connected straight to a BB router, if you can get it to forward traffic, probably by spoofing your MAC to that of a teacher at 5:01pm, then it should forward it.
    OK so let's say I create an Ethernet frame like as follows:
    Dest MAC = MAC of 192.168.1.1
    Src MAC = My MAC
    Src IP = My IP (i.e. 192.168.1.137)
    Dst IP = 192.168.2.1

    If I send this out and get a reply, then that means that 192.168.1.1 acts as a router into the network 192.168.2.0/24. But still 192.168.1.1 doesn't provide a route to the internet.

    Are you suggesting that maybe 192.168.2.0/24 will contain a proxy server that will lead to the internet? (because I can't think of any other way). Your post suggests that if I use a teacher's MAC address, that the packet might get forwarded on, but I've never heard of a router that had MAC filtering.

    Quote Originally Posted by compaq View Post
    Try using nmap to only scan port 80 with the -O option, if it reports a router, look for another subnet, if it's a server that will probably be the internet connection
    First things first I'll try look for that other network.

  8. #8
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by Virchanza View Post
    Do you mean something like the RIP protocol? I'll have to look that up.
    [...]
    If I send this out and get a reply, then that means that 192.168.1.1 acts as a router into the network 192.168.2.0/24. But still 192.168.1.1 doesn't provide a route to the internet.

    Are you suggesting that maybe 192.168.2.0/24 will contain a proxy server that will lead to the internet? (because I can't think of any other way). Your post suggests that if I use a teacher's MAC address, that the packet might get forwarded on, but I've never heard of a router that had MAC filtering.
    [...]
    Wow, you have some serious reading to do my friend! Am I to assume you know what MAC filtering is but aren't keen on its application?

    I can see that you are trying to help yourself, which is more than a lot of our visitors can say for themselves (see Idiot's Corner) so I'm going to give you a freebie. Mind you, this is just one of several directions you can take, but you may want to look up Hydra and what that can do for you as it applies to your 192.168.1.1 authentication issue. Also, have you tried running a traceroute on the traffic running across the network? The hops should point you towards whatever box is providing intertube-webz access....



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  9. #9
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by ShadowKill View Post

    I can see that you are trying to help yourself, which is more than a lot of our visitors can say for themselves (see Idiot's Corner) so I'm going to give you a freebie. Mind you, this is just one of several directions you can take, but you may want to look up Hydra and what that can do for you as it applies to your 192.168.1.1 authentication issue. Also, have you tried running a traceroute on the traffic running across the network? The hops should point you towards whatever box is providing intertube-webz access....
    I believe a traceroute also bypasses most proxy servers does it not? Since most proxy servers don't deal with ICMP traffic. Of course, if you have a true BoFH for an admin, they might just have all ICMP traffic turned off on all devices, so a traceroute might be a little more difficult.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  10. #10
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by streaker69 View Post
    I believe a traceroute also bypasses most proxy servers does it not? Since most proxy servers don't deal with ICMP traffic. Of course, if you have a true BoFH for an admin, they might just have all ICMP traffic turned off on all devices, so a traceroute might be a little more difficult.
    Yes my brother it does. And yeah, ICMP denial would be a bit of a pain but in my experience with educational institutions admins are notorious for slack security. I remember back in the day hiding my code in printer spools at USC so that the professor couldn't spy on my work (security labs). He loooved me


