
Thread: MITM PPP, tapping into broadband connections

  1. #1
    Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    MITM PPP, tapping into broadband connections

    Hi, I've been thinking for a while of a situation where you are trying to access a network, and you connect a device to the telephone lines and act as a MITM.
    In my area most people have ADSL2 and use PPPoA or PPPoE, and you can get broadband PCI cards, which you should be able to bridge. If I remember correctly Wireshark has the ability to read the packets.

    Q1) Has anyone got a PCI broadband card, and what does it allow you to do?

    Q2) What type of attack vectors will it open up (same as LAN or more)?

    Q3) With the authentication of PPP, does that allow you to decode packets? (Looked on Google, but apart from the make-up it doesn't tell much about the type of packets on the wire.)

    Q4) Would it allow injection? Would you need it to authenticate with you, and then you with the ISP?

    Q5) Can you use a network card RJ45 if you connect the two phone wires (2 middle in this country (default)) to 2 and 5 on an RJ45 socket?



    If it's possible, some three clamps connected to the two wires should allow quick connection of data out of the network, minus encrypted traffic.

    Would this be a powerful attack? You don't need to guess DNS numbers, web traffic is clean. Downsides would probably be VPNs.


    Any thoughts or ideas?
    Cheers

  2. #2
    streaker69, Senior Member (Join Date: Jan 2010, Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts: 3,535)

    Quote Originally Posted by compaq:
        Q5) Can you use a network card RJ45 if you connect the two phone wires (2 middle in this country (default)) to 2 and 5 on an RJ45 socket?

    You most certainly can do this, if you don't like your network card very much. Since it is ADSL, it would be assumed that the line could still possibly be used as a phone line. So when the phone would ring, it would smoke your card.

    Not only that, but you also wouldn't capture anything by this method. There are devices out there that are able to read the DSL data stream, but I believe they're rather expensive.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Gitsnik, Very good friend of the forum (Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851)

    Alcatel sell PCI based DSL modems (PPPoA but not PPPoE IIRC).

    Basically anything you can do with MITM tools you could do here. More, because it would look even more legitimate for the DSL line, as you don't need to actively inject things like ARP.

    One would set up a PPP server that was patched to just permit anything; I'd be forwarding the packets up the wire immediately (effectively bridging the PPP connection). To be honest I haven't thought about this aspect all that much; it might be a hell of a lot easier (and testing would be... fun).

    See the above.

    Like the streaker said.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    I don't believe PPP performs any encryption, and I can't find any reference at all in the RFC about checksums or integrity checks, so I would think that if you can get direct access to the data stream (after solving the obvious technical challenges there) it should be possible to MITM to your heart's content.

    The authentication used for PPP is usually CHAP, which is a fairly simple protocol, which involves the server sending a challenge and the client responding by hashing the password and the challenge together using something like MD5. After authentication is performed initially, I think the server requests re-authentication at random intervals, using a different challenge. This means replaying won't work, but if you pass these authentication requests through your MITM connection unchanged, you should be fine.

    The RFC on PPP is here if you want to read more:
    RFC 1661 (rfc1661) - The Point-to-Point Protocol (PPP)
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
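As an added illustration of the CHAP exchange lupin describes (example code written for this page, not from the thread or any poster): the response is MD5 over the identifier, the shared secret and the challenge, as in RFC 1994, so a captured response is useless against the next challenge, while a relay that forwards both messages untouched does not disturb authentication. The secret, challenge length and identifiers are constructed sample values.

```python
import hashlib
import os

# Constructed example for this page: CHAP with the MD5 algorithm (RFC 1994).
# Response = MD5(identifier || secret || challenge); the secret never crosses the wire.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the client's CHAP Response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute the expected value and compare."""
    return response == chap_response(identifier, secret, challenge)


def new_challenge(length: int = 16) -> bytes:
    """Fresh random challenge; the server issues a new one on every (re)authentication."""
    return os.urandom(length)


def replay_fails() -> bool:
    """Why replaying a captured response does not work: re-auth uses a new challenge."""
    secret = b"constructed-ppp-secret"  # constructed sample value
    c1 = new_challenge()
    r1 = chap_response(1, secret, c1)  # response observed on the wire during the first auth
    assert chap_verify(1, secret, c1, r1)
    c2 = new_challenge()  # periodic re-authentication: new identifier and challenge
    return not chap_verify(2, secret, c2, r1)  # the old response no longer matches


def passthrough_succeeds() -> bool:
    """CHAP proves the secret, not the path: messages relayed unchanged still verify."""
    secret = b"constructed-ppp-secret"
    c = new_challenge()
    relayed_challenge = c  # forwarded untouched to the real client
    r = chap_response(7, secret, relayed_challenge)
    relayed_response = r  # forwarded untouched to the server
    return chap_verify(7, secret, c, relayed_response)
```

The point for a defender is the caveat in the post: CHAP authenticates the peer without exposing the secret, but gives the PPP payload neither confidentiality nor integrity, so only end-to-end protection such as a VPN or TLS helps against a line-level tap.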

  5. #5
    Junior Member (Join Date: Jan 2010, Location: Canada, Posts: 84)

    I've actually been working on this, well not this exactly, but close enough. It's a tool I call LProxy, and what it does is grab anything on one interface and inject it out the next after applying filtering and/or any other modifying; however, I'm not ready to release it as it still has a few bugs to work out.

    It's currently loaded onto a hacked Fonera router and logs it all to an internal flash drive, awesome if you can get physical access.

    Anyway, point is, once you can get physical access, you can do whatever you want.

  6. #6
    Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Quote:
        It's currently loaded onto a hacked Fonera router and logs it all to an internal flash drive, awesome if you can get physical access.
    Nice, hope you release the firmware. How did you manage to write it?

    I'm trying to get all the information before I try to test it. Thanks lupin for the link, going to see if oA or oE applies encryption.
    Will try and see if I can pick up two cheap DSL modems.

    cheers

    Just want to run something past you. I've got a broadband router that allows bridging; if I take the Ethernet port output from it, and connect wires 2 and 5 to another broadband router after that (RJ45 to RJ11, I think), so you have internet-----BBR1-------BBR2----switch, and use the second router to do the connection etc., will that work?
    Just working out a tap device between ----BBR1------^-BBR2-- that plugs into my laptop.

    thanks

  7. #7
    Junior Member (Join Date: Jan 2010, Location: Canada, Posts: 84)

    Quote Originally Posted by compaq:
        Nice, hope you release the firmware. How did you manage to write it?
    I wrote it in C and ported the parts of libnet / libpcap that I needed into the code (Ethernet sniffing + injection). It's not actually a firmware upgrade really; actually a stand-alone program which I happened to have made, called from a kernel module.

    It basically follows this:

    parse_args()        // Parses the arguments from a conf file on the only exterior flash drive
    set_interfaces()    // Sets the interfaces in promiscuous mode
    split()             // becomes a dual-threaded operation here btw
    ---First thread---
    read(interface 1)   // self-explanatory
    filter()            // Apply user-set filters if need be (like don't pass on certain packets or w/e)
    write(interface 2)  // and the pcap file, but that goes without saying
    ---Second thread---
    vice versa of thread 1
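The filter() stage in the outline above, as an added example that is not LProxy's code: it parses a PPPoE session frame (Ethernet header, RFC 2516 PPPoE header, PPP protocol field) and names the PPP protocol, which is also what answers Q3 about what is visible on the wire: LCP, the authentication protocols, IPCP and plain IPv4, none of it encrypted by PPP itself. The MAC addresses, session id and payloads are constructed sample values.

```python
import struct

# Constructed example for this page, not the LProxy code from the post.
# Frame layout: Ethernet (14 bytes) + PPPoE session header (6 bytes, RFC 2516)
# + PPP protocol field (2 bytes) + PPP payload.

ETH_PPPOE_SESSION = 0x8864
PPP_PROTOCOLS = {
    0xC021: "LCP",   # link control
    0xC023: "PAP",   # password auth, password sent in the clear
    0xC223: "CHAP",  # challenge/response auth
    0x8021: "IPCP",  # IP control (address assignment)
    0x0021: "IPv4",  # user traffic, carried as-is (PPP adds no encryption)
}


def classify_frame(frame: bytes):
    """Return (ppp_protocol_name, ppp_payload) for a PPPoE session frame, else None."""
    if len(frame) < 22:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_PPPOE_SESSION:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:  # PPPoE v1, type 1, session-stage data
        return None
    payload = frame[20:20 + length]
    if len(payload) < 2:
        return None
    ppp_proto = struct.unpack("!H", payload[:2])[0]
    return PPP_PROTOCOLS.get(ppp_proto, f"0x{ppp_proto:04x}"), payload[2:]


def build_frame(ppp_proto: int, ppp_payload: bytes, session_id: int = 0x0001) -> bytes:
    """Construct a sample PPPoE session frame (constructed test input, fake MACs)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETH_PPPOE_SESSION)
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return eth + pppoe + ppp


def should_forward(frame: bytes, drop: set) -> bool:
    """Filter policy for the bridge: pass everything except the PPP protocols named in drop.
    Frames that are not PPPoE session data are passed through unchanged."""
    info = classify_frame(frame)
    if info is None:
        return True
    return info[0] not in drop
```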

  8. #8
    Barry, My life is this forum (Join Date: Jan 2010, Posts: 3,817)

    Quote Originally Posted by compaq: (the opening post, #1, quoted in full)
    One other down side is you're now breaking wiretapping laws.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  9. #9
    Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Quote:
        One other down side is you're now breaking wiretapping laws.
    Would be along the same lines as any other pentest (documents), if tapped into the building wiring, not the lines outside.
