Thread: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

  1. #1
    Just burned his ISO | Join Date: Jun 2011 | Posts: 3

    "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Hello,

    let me introduce myself first:
    Even though I was always interested in networking, security, encryption and the like, I never really got to dive too deep into those matters.
    So I downloaded BackTrack 5 and first used it as a boot disk; shortly after that I installed it on a VMware machine.

    So here is my problem:
    For starters I wanted to do something easy and decided that WEP cracking sounds fun.
    I built up the following setup:
    Netgear router with WEP40 and a MAC filter, and my netbook connected to this router.
    I put a USB WLAN stick (able to do promiscuous mode) into my desktop PC and started BackTrack.

    After some trial and error I really managed to find out which MAC address is allowed (without cheating) and crack my WEP password. Pretty simple when you get the hang of it.

    So I told a friend of mine, who is at more or less the same knowledge level as me, and he was impressed but had a valid question:

    What if there is no DHCP mode but a fixed subnet, or even fixed IPs bound to a certain MAC address?

    I decided to try the easier version first: disabled DHCP and set the subnet mask to 255.255.255.0, the router IP to 10.100.100.6 and my netbook's IP to 10.100.100.12.

    But here is where I don't get any further... How can I see which subnet mask is used and which IPs are present on the network from outside, having only the MAC addresses and the WEP key?


    Hope somebody can help me with this.

    Regards,
    DesuStrike

  2. #2
    Member | Join Date: May 2011 | Location: Israel | Posts: 74

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    If you have a valid WEP key you can use Wireshark with this key in order to dissect WEP-encrypted data packets, and by analyzing the 802.11 frames' payload (layer 3, 4 and 7 protocols) you will obtain all the information regarding the network cracked by you.
    Scientia ac Labore

  3. #3
    Just burned his ISO | Join Date: Jun 2011 | Posts: 3

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Hmmm... I'm not entirely sure I know how to do it. I figured that Wireshark would be useful, but not exactly how. But I'll try first before I come back to you.

    Thanks so far!

  4. #4
    Member | Join Date: May 2011 | Location: Israel | Posts: 74

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    As far as I remember, in the protocols drop-down menu choose 802.11 and enter your passphrase.
    Scientia ac Labore

  5. #5
    Junior Member | Join Date: Aug 2007 | Location: Aussie | Posts: 25

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    This is right: capture some traffic, enter the key in Wireshark and you will find the info you need with regards to the network.

    This will not necessarily tell you all the clients on the network. I'm sure there is a way to get this info once you are connected, as there are Windows apps which do this like look@lan, however I have never needed this in BT and would like to know how to do it.

    To capture all the clients' IPs from the outside would be unreliable at best and will only tell you the wireless clients with airodump-ng.

  6. #6
    Member | Join Date: May 2011 | Location: Israel | Posts: 74

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Kismet can differentiate between wireless and wired clients.
    Scientia ac Labore

  7. #7
    Junior Member | Join Date: Aug 2007 | Location: Aussie | Posts: 25

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Wireless clients send management frames to keep the connection live, so with those clients it doesn't take long to capture traffic from all wireless clients.

    Wired clients who are dormant don't put a lot of traffic on the network and onto wireless, thus capturing wireless traffic will not necessarily tell you all the clients on the network. So if DHCP is disabled and you set the IPs and subnet, you cannot guarantee another client does not already have that IP on the wired network.

    I have connected to networks where there did not seem to be any clients, and a scan of the network after connection has shown multiple clients.

    The more traffic in general on a network and the longer the time taken, the more likely you will see wired clients from a passive wireless scan in Kismet or another app.

  8. #8
    maverik35 (Very good friend of the forum) | Join Date: Sep 2009 | Location: Debian land | Posts: 734

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Ok, first thing: you have to be connected to the router and have a valid IP (using the WEP key and MAC to get connected). Check if you did get a connection:
    iwconfig "my interface"
    You should get:
    IEEE 802.11g ESSID:"AP NAME"
    Mode:Managed Frequency:2.4xx GHz Access Point: "AP Mac"
    Bit Rate:xx Mb/s Tx-Power=20 dBm Sensitivity=8/0
    Retry limit:7 RTS thr:off Fragment thr:off
    Encryption key:xxxx-xxxx-xx Security mode:open
    bla, bla, bla......

    Then:

    Use nmap:
    xx@xxx:/ nmap -sC -sS -sV -T4 -PN --traceroute -O --osscan-guess 10.100.100.0/24
    This way you will get, for every machine connected, including the gateway of course:
    the IP, MAC, script output, the hops to each PC and the gateway, operating system, port info (services listening on each port, status i.e. open, closed, filtered).
    With all this info, well, the subnet mask is obvious, just work it out from the IP ranges and the gateway IP, that is pretty easy...
    There are also other tools like Nessus and hping, but I prefer nmap.

    best of luck..

  9. #9
    Just burned his ISO | Join Date: Jun 2011 | Posts: 3

    Re: "Sniff" subnet mask and IP "from outside" when you only got 2 MAC addresses

    Wow thanks for all the replies.
    I had exams so I had no time to try it out again, but today I did.

    I actually found my IP via the wireshark method.

    But there is still information that I could not find with this method:
    - Subnet mask
    - Default gateway

    And something else is strange: I use the WICD Network Manager, select my network, enter the IP and the WEP key (just to try if I can enter the network at all).
    Then it authenticates and everything, but when "Verifying access point association" comes up it takes some time until the message "Connection failed: Could not contact the wireless access point" appears.

    EDIT: GF brought her notebook. Tried to connect to the network with her Windows XP standard Wi-Fi manager. Works like a charm. But same problem: How can I sniff the subnet mask and default gateway of the network?

    What's going on?!
    Last edited by DesuStrike; 07-18-2011 at 07:57 PM.
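The question left open in post #9 (subnet mask and default gateway) and the caveat in posts #5 and #7 (a capture only shows hosts that actually transmit) come down to what a passive observer of decrypted frames can and cannot infer. The following is an added example, not code from the thread or from BackTrack, and is equally useful to a network owner auditing how much their own traffic gives away. All MACs, IPs and frames are constructed to match the 10.100.100.0/24 setup described in the thread; ARP sender fields identify on-link hosts, the MAC that forwards traffic for off-link addresses is the gateway, and a directed broadcast pins the mask exactly while unicast addresses alone only bound it.

```python
# Added example, not code from the thread: what a passive observer (or the
# network's owner auditing their own capture) can infer from decrypted 802.11
# frames. Every MAC, IP and frame below is constructed; the addressing follows
# the 10.100.100.0/24 setup described in the thread.
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ROUTER = "00:11:22:aa:bb:01"   # constructed router MAC
NETBOOK = "00:11:22:aa:bb:12"  # constructed client MAC
LAPTOP = "00:11:22:aa:bb:21"   # constructed second client MAC
BCAST = "ff:ff:ff:ff:ff:ff"

# (src_mac, dst_mac, proto, src_ip, dst_ip); for ARP the IPs are the
# sender and target protocol addresses.
FRAMES = [
    (NETBOOK, BCAST, "arp", "10.100.100.12", "10.100.100.6"),
    (ROUTER, NETBOOK, "arp", "10.100.100.6", "10.100.100.12"),
    (NETBOOK, ROUTER, "ip", "10.100.100.12", "93.184.216.34"),
    (ROUTER, NETBOOK, "ip", "93.184.216.34", "10.100.100.12"),
    (NETBOOK, ROUTER, "ip", "10.100.100.12", "8.8.8.8"),
    (ROUTER, NETBOOK, "ip", "8.8.8.8", "10.100.100.12"),
    (LAPTOP, BCAST, "arp", "10.100.100.21", "10.100.100.6"),
    (LAPTOP, BCAST, "ip", "10.100.100.21", "10.100.100.255"),
]


def on_link_hosts(frames):
    """Map IP -> MAC for hosts that sent ARP. A host only ARPs for itself,
    so ARP sender fields name on-link hosts without guessing. Hosts that
    never transmit (the dormant wired clients from post #7) stay invisible."""
    hosts = {}
    for src_mac, _, proto, src_ip, _ in frames:
        if proto == "arp":
            hosts[src_ip] = src_mac
    return hosts


def find_gateway(frames, hosts):
    """The gateway is the MAC that carries IP traffic for addresses that are
    not on-link; its own IP is whatever that MAC claimed in ARP."""
    foreign = defaultdict(set)  # MAC -> off-link IPs seen behind it
    for src_mac, dst_mac, proto, src_ip, dst_ip in frames:
        if proto != "ip":
            continue
        if src_ip not in hosts:
            foreign[src_mac].add(src_ip)
        if (dst_ip not in hosts and dst_mac != BCAST
                and not IPv4Address(dst_ip).is_multicast):
            foreign[dst_mac].add(dst_ip)
    if not foreign:
        return None, None
    gw_mac = max(foreign, key=lambda m: len(foreign[m]))
    gw_ip = next((ip for ip, mac in hosts.items() if mac == gw_mac), None)
    return gw_ip, gw_mac


def estimate_subnet(frames, hosts):
    """Return (network, exact). A directed broadcast destination such as
    10.100.100.255 pins the mask exactly. Unicast addresses alone only give
    the smallest prefix containing every on-link host, which is a lower
    bound on the real network size, so exact is False in that case."""
    for _, dst_mac, proto, _, dst_ip in frames:
        if proto == "ip" and dst_mac == BCAST:
            addr = int(IPv4Address(dst_ip))
            if addr == 0xFFFFFFFF:      # limited broadcast carries no mask
                continue
            ones = 0                    # count trailing one bits = host bits
            while addr & 1:
                addr >>= 1
                ones += 1
            return IPv4Network((dst_ip, 32 - ones), strict=False), True
    if not hosts:
        return None, False
    addrs = [int(IPv4Address(ip)) for ip in hosts]
    prefix = 32
    while prefix > 0 and len({a >> (32 - prefix) for a in addrs}) > 1:
        prefix -= 1
    base = min(hosts, key=IPv4Address)
    return IPv4Network((base, prefix), strict=False), False


def summarize(frames=FRAMES):
    hosts = on_link_hosts(frames)
    gw_ip, gw_mac = find_gateway(frames, hosts)
    net, exact = estimate_subnet(frames, hosts)
    return {"hosts": hosts, "gateway_ip": gw_ip, "gateway_mac": gw_mac,
            "network": str(net), "mask_exact": exact}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the constructed frames this reports the router as the gateway and the network as 10.100.100.0/24 because the second client sent a directed broadcast; drop that one frame and the unicast addresses only support 10.100.100.0/27, which is the point raised in post #7: a passive capture tells you what transmitted, not what the network is configured to be. The same logic, run over a real decrypted capture, is a quick way for an administrator to see which hosts and addressing details the network leaks to anyone holding the key.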
