Thursday, April 24, 2014
    forensics 8
    10-09-2010 11:57 AM forensics 8
    Alrighty, this is perhaps mainly just a (in)sanity check but I would like if someone clarified for me:

    When an attacker commits ARP cache poisoning its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no no!). I'm right so far (sanity check)?

    If so then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. That or the TARGET IP would, like the MAC, be the victim?

    I'm pretty sure I've identified the players in this lil challenge and just having trouble plugging in exactly what it's asking for. That or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope I have just flawed reasoning)
    10-09-2010 12:55 PM RE: forensics 8 | Edited by auditorsec 10-09-2010 12:55 PM
    madf0x wrote:
    Alrighty, this is perhaps mainly just a (in)sanity check but I would like if someone clarified for me:

    When an attacker commits ARP cache poisoning its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no no!). I'm right so far (sanity check)?

    If so then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. That or the TARGET IP would, like the MAC, be the victim?

    I'm pretty sure I've identified the players in this lil challenge and just having trouble plugging in exactly what it's asking for. That or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope I have just flawed reasoning)

    Hi MadF0x,
    The objective of this challenge is to have a build to real-time forensics where, analyzing the packets, we can do audit trails and tell what exactly happened for a specific incident.

    Regarding the ARP poisoning, the objective of the attacker is to sniff the packets (communication between 2 machines), which normally is not possible on a switched network.

    The poisoning is both ways rather than just poisoning the gateway. The extra ARP poison is there to make things a bit complex in the challenge........
    Smile....Even IMPOSSIBLE says I m possible.... Smile

    And with knowledge comes responsibility.
    10-09-2010 01:21 PM RE: forensics 8
    Well, there's still the question about the vagueness of what the challenge is asking for. Cause Target IP and Target MAC are both fields of data Wireshark can provide for a given ARP reply, so is it like asking for details of a specific packet or is it asking about the victim?
    10-09-2010 01:39 PM RE: forensics 8 | Edited by TurboBorland 10-09-2010 01:39 PM
    You've got to look at multiple targets to find the attacker who's spoofing his mac. One packet will not be enough as you won't know if it's before or after the attack. Not sure if that helps, hope so.
    11-06-2010 02:37 PM RE: forensics 8
    I'm lost in this as well. I can perform an attack like this no problem, but reading the traffic I'm not following. I've tried every combination I can think of... and nothing...
    11-06-2010 05:31 PM RE: forensics 8
    the traffic is confusing because a script kiddie is blindly doing an arp spoof rather than a person who really understands.....

    therefore u need to understand which part actually is successful arp spoof and post it......

    Hope this helps...........
    Smile....Even IMPOSSIBLE says I m possible.... Smile

    And with knowledge comes responsibility.
    11-07-2010 12:07 PM RE: forensics 8
    madf0x wrote:
    Alrighty, this is perhaps mainly just a (in)sanity check but I would like if someone clarified for me:

    When an attacker commits ARP cache poisoning its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no no!). I'm right so far (sanity check)?


    When an attacker poisons the ARP cache he's basically trying to clear out the victim's ARP cache and replace it with arbitrary values (like spoofing the gateway) so the attacker can redirect traffic. He or she would do this by sending ARP replies to both the gateway and the victim, fooling the gateway into thinking he/she's the victim and fooling the victim into thinking he/she's the gateway.


    madf0x wrote:
    If so then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. That or the TARGET IP would, like the MAC, be the victim?

    I'm pretty sure I've identified the players in this lil challenge and just having trouble plugging in exactly what it's asking for. That or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope I have just flawed reasoning)


    An ARP request is basically going to look like this: who has xx:xx:xx:xx:xx:xx
    An ARP reply will look like this: ipaddress has xx:xx:xx:xx:xx

    Basically arp just associates an IP address for the Mac address so it can communicate. For forensics 8 you need to trace the traffic of each IP to find out who the culprit is. Just follow the TCP streams and read the reassembled packets and the answer shouldn't be hard to find.
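
    The sender/target fields discussed in this thread, and the point that a single packet is not enough, can be seen in a short added example (not part of the original thread and not a solution to the challenge). It decodes ARP reply bodies and reports IP-to-MAC changes plus any MAC that claims more than one IP; the addresses, the capture and the helper names are constructed for illustration.

```python
import struct
from collections import defaultdict

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP body into sender/target fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op,
            "sender_mac": _mac(payload[8:14]), "sender_ip": _ip(payload[14:18]),
            "target_mac": _mac(payload[18:24]), "target_ip": _ip(payload[24:28])}

def sample_reply(smac, sip, tmac, tip):
    """Build a constructed ARP reply body (opcode 2) for the sample capture."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + raw(smac) + addr(sip) + raw(tmac) + addr(tip))

def find_conflicts(payloads):
    """Return (changes, suspects) for a time-ordered list of ARP bodies."""
    first_mac = {}             # IP -> first MAC seen claiming it (baseline only:
                               # a capture that starts mid-attack inverts it)
    claims = defaultdict(set)  # MAC -> every IP it has claimed (order-independent)
    changes = []
    for n, body in enumerate(payloads):
        a = parse_arp(body)
        if a["op"] != 2:       # only replies carry an "IP is at MAC" claim here
            continue
        claims[a["sender_mac"]].add(a["sender_ip"])
        prev = first_mac.setdefault(a["sender_ip"], a["sender_mac"])
        if prev != a["sender_mac"]:
            changes.append((n, a["sender_ip"], prev, a["sender_mac"], a["target_ip"]))
    return changes, sorted(m for m, ips in claims.items() if len(ips) > 1)

# Constructed capture: gateway, one host, and a third machine on 192.0.2.0/24.
GW, HOST, THIRD = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
CAPTURE = [
    sample_reply(GW, "192.0.2.1", HOST, "192.0.2.10"),     # genuine
    sample_reply(HOST, "192.0.2.10", GW, "192.0.2.1"),     # genuine
    sample_reply(THIRD, "192.0.2.66", GW, "192.0.2.1"),    # genuine
    sample_reply(THIRD, "192.0.2.1", HOST, "192.0.2.10"),  # gateway IP, wrong MAC
    sample_reply(THIRD, "192.0.2.10", GW, "192.0.2.1"),    # host IP, wrong MAC
]
```

    Each entry in the first return value names the packet index, the IP whose mapping changed, the old and new MAC, and the target IP the reply was addressed to, which is what separates the two directions of the poisoning.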
    11-07-2010 05:03 PM RE: forensics 8
    You're right, it shouldn't be hard.... Are they looking for the originating attacker's MAC or the spoofed MAC? I've tried both... no dice!
    12-06-2010 12:40 PM RE: forensics 8
    My question is: in what format should the answers be submitted? I have the values, but I need to know what format will complete the challenge.
    12-06-2010 01:10 PM RE: forensics 8 | Edited by prophet32j 12-06-2010 01:18 PM
    Never mind, I answered the question right. For reference:
    MAC addresses must be submitted with colons between the hexadecimal values
    ex 00:11:22:33:44:55
    IP addresses must be submitted as normal octet values with decimal points
    ex 111.222.333.444
    02-08-2014 03:36 PM RE: forensics 8
    And as a kriptskiddie I completed the challenge Smile I was born with talent