Serious Offshore Attacks from China

**streaker69** · 01-18-2008, 09:07 PM

Originally Posted by The_Denv

Im coming across to be a bit of a nusscence I think lol. This is what I got when I clicked on the link:

Code:

You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

Technical Information (for support personnel)

    * Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    * Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.

Ahh, you're in the forbidden zone.

PM me an email address.

**imported_wyze** · 01-18-2008, 09:41 PM

Originally Posted by The_Denv

That sounds like an excellent setup streaker69! I would highly appreciate if you could throw together a quick diagram. I have an old Pentium II 500MHz 128MB Ram.

I had a passive tap box running with similar specs (with old and new 3Com nics) and it proved to be inefficient. I would strongly urge you to run @ least 512MB of RAM, otherwise you run the risk of having a machine that is not able to capture all of the traffic. Streaker had pointed that out to me when I originally set it up on the lower end machine, and in the end a RAM upgrade got it up to speed (literally).

Also the cool thing about the setup in Streaker's diagram is that you can put the tap part on any part of your LAN (doesn't necessarily have to be outside the red nic @ all times. For example, if you suspect your router / firewall / primary IDS is letting some rogue traffic through to a machine, you can isolate it by placing the tap 1 hop away from the subnet or suspected machine to analyze the traffic.

**The_Denv** · 01-18-2008, 11:34 PM

Originally Posted by swc666

I had a passive tap box running with similar specs (with old and new 3Com nics) and it proved to be inefficient. I would strongly urge you to run @ least 512MB of RAM, otherwise you run the risk of having a machine that is not able to capture all of the traffic. Streaker had pointed that out to me when I originally set it up on the lower end machine, and in the end a RAM upgrade got it up to speed (literally).

Also the cool thing about the setup in Streaker's diagram is that you can put the tap part on any part of your LAN (doesn't necessarily have to be outside the red nic @ all times. For example, if you suspect your router / firewall / primary IDS is letting some rogue traffic through to a machine, you can isolate it by placing the tap 1 hop away from the subnet or suspected machine to analyze the traffic.

Will do, infact at my old workplace I think they sell old ram [256MB_sd] for as little as £3.00 each as they are in the dust bundle and have been for ages! lol I have received the diagram via email from streaker, looks like a sleek and tidy setup and I 'will' accomplish this. I even got my brother searching in his attic for the Cisco 800series///Cisco FastHub 400 series cables as I have the boxes here but no leads at all...so Ive been just reading the users manual until I get the cables. Aswell as that, this USB install is next on my list.

Yeh, isolation and nulling are the key points [apart from obvious customization that Cisco allows you] of my goal. The packets from 121.18.13.107 are still flying into my network.

**imported_anubis2k7** · 01-19-2008, 12:01 AM

You can also setup snort on windows, however, it looses some of its functionality. This website has a windows snort/apache/mysql/BASE package plus tutorial on setup and configuration:

http://www.winids.com/

It's good start if you have never worked with snort before, and are not fluent in linux, but I definitely recommend using snort on a linux box in the long run.

Here as a tutorial on how to setup snort/.../BASE on fedora box:

http://www.infosecwriters.com/text_r...t_base_fc3.pdf

It is a bit out of date, but it should point you in the right direction.

In regards to your packet dropping/firewall issue, I have two recomendations. One is snort inline, which basically drops all packets that are suspect. The best way I can explain it is this: an intrusion dection system logs and alerts you to potential scans and attacks, snort inline is more of an intrusion prevention system, not allowing the packets to pass. So in essence, it functions as a firewall. The down side to this is you will have to do a lot of rule modification to prevent false positives.

Another suggestion I have is microsoft internet security and acceleration server (ISA). You'll have to do some research on this one...but I have read articles on how a box running MS ISA can be used as a NAT, firewall, proxy server, etc.

With both of these products, you would need a pretty powerful CPU configured as a bastion host, which would sit between your network and the internet (basically, all network traffic would pass through this machine). This may or may not be in your budget range....

**imported_spankdidly** · 01-19-2008, 12:05 AM

Here's one for slackware 12

http://www.cochiselinux.org/files/sl...-snort-0.2.txt

not sure how good it is.

**imported_wyze** · 01-19-2008, 12:18 AM

Originally Posted by spankdidly

Here's one for slackware 12

http://www.cochiselinux.org/files/sl...-snort-0.2.txt

not sure how good it is.

I had attempted that extremely long and in depth tut, but in the end couldn't get it set up properly in BT3 (Barnyard and Acid didn't want to play).

**imported_spankdidly** · 01-19-2008, 12:31 AM

Originally Posted by swc666

(Barnyard and Acid didn't want to play).

Are those some of your friends? Lol.

**The_Denv** · 01-19-2008, 12:47 AM

Originally Posted by anubis2k7

You can also setup snort on windows, however, it looses some of its functionality. This website has a windows snort/apache/mysql/BASE package plus tutorial on setup and configuration:

http://www.winids.com/

It's good start if you have never worked with snort before, and are not fluent in linux, but I definitely recommend using snort on a linux box in the long run.

Here as a tutorial on how to setup snort/.../BASE on fedora box:

http://www.infosecwriters.com/text_r...t_base_fc3.pdf

It is a bit out of date, but it should point you in the right direction.

In regards to your packet dropping/firewall issue, I have two recomendations. One is snort inline, which basically drops all packets that are suspect. The best way I can explain it is this: an intrusion dection system logs and alerts you to potential scans and attacks, snort inline is more of an intrusion prevention system, not allowing the packets to pass. So in essence, it functions as a firewall. The down side to this is you will have to do a lot of rule modification to prevent false positives.

Another suggestion I have is microsoft internet security and acceleration server (ISA). You'll have to do some research on this one...but I have read articles on how a box running MS ISA can be used as a NAT, firewall, proxy server, etc.

With both of these products, you would need a pretty powerful CPU configured as a bastion host, which would sit between your network and the internet (basically, all network traffic would pass through this machine). This may or may not be in your budget range....

Thank you very much anubis2k7, your post is highly appreciated. I downloaded the PDF file and the above TXT file [Cheers spankdidly]. I cant find my bloody serial leads and power lead for both the Cisco router and switch, going to head to Maplin Electronics to see if they have something, even something I can brew up myself. Alternatively I can wait on my brother to see if he can find the leads in his attic.

Now onto my USB install, lol..still havent started!

**imported_BaconZombie** · 01-19-2008, 04:15 PM

Originally Posted by streaker69

I threw that together in Visio, only took about 10 minutes.

Streaker69:
Thanks for posting the layout, I've been meaning to do something like in setting up my lab.

Also for other, using Visio or SmartDraw 2008 to map out your own network or a network you are pentesting is great to get a visual layout where you may see possible vulnerability or bad design. It also great it give the client a better and more detailed map of their network that they understand then their own IT Dept can.

**streaker69** · 01-19-2008, 04:44 PM

Originally Posted by BOFH139

Streaker69:
Thanks for posting the layout, I've been meaning to do something like in setting up my lab.

Also for other, using Visio or SmartDraw 2008 to map out your own network or a network you are pentesting is great to get a visual layout where you may see possible vulnerability or bad design. It also great it give the client a better and more detailed map of their network that they understand then their own IT Dept can.

I have a 42"x42" plot of my entire network hanging in my office. Instead of using the standard Visio Icons for the objects, I took pictures of each device, edited out the background and turned them into Visio Icons. That way, someone else looking at the map and seeing the devices knows exactly what they're looking at. I have it detailed to the point that the lines connecting equipment actually show exactly which port they're connected to on the switches.

BackTrack Linux - Penetration Testing Distribution

Thread: Serious Offshore Attacks from China

Thread Tools

Search Thread

Display

Posting Permissions