Thread subject: Security Override :: forensics 8

Posted by madf0x on 10/09/2010 11:57:38
#1

Alrighty, this is perhaps mainly just an (in)sanity check, but I would like it if someone clarified this for me:

When an attacker commits ARP cache poisoning, its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no-no!). I'm right so far (sanity check)?

If so, then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. Or would the TARGET IP, like the MAC, be the victim?

I'm pretty sure I've identified the players in this little challenge and am just having trouble plugging in exactly what it's asking for. That, or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope is just flawed reasoning on my part).

Posted by auditorsec on 10/09/2010 12:55:06
#2

madf0x wrote:
Alrighty, this is perhaps mainly just an (in)sanity check, but I would like it if someone clarified this for me:

When an attacker commits ARP cache poisoning, its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no-no!). I'm right so far (sanity check)?

If so, then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. Or would the TARGET IP, like the MAC, be the victim?

I'm pretty sure I've identified the players in this little challenge and am just having trouble plugging in exactly what it's asking for. That, or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope is just flawed reasoning on my part).

Hi MadF0x,
the objective of this challenge is to build up to real-time forensics, where by analyzing the packets we can do audit trails and tell exactly what happened in a specific incident.

Regarding the ARP poisoning, the objective of the attacker is to sniff the packets (communication between 2 machines), which normally is not possible on a switched network.

The poisoning goes both ways rather than just poisoning the gateway. The extra ARP poison is there to make things a bit more complex in the challenge...

Edited by auditorsec on 10/09/2010 12:55:52

Posted by madf0x on 10/09/2010 13:21:28
#3

Well, there's still the question about the vagueness of what the challenge is asking for. Because Target IP and Target MAC are both fields of data Wireshark can provide for a given ARP reply, so is it asking for details of a specific packet, or is it asking about the victim?

Posted by TurboBorland on 10/09/2010 13:39:17
#4

You've got to look at multiple targets to find the attacker who's spoofing his MAC. One packet will not be enough, as you won't know if it's before or after the attack. Not sure if that helps, hope so.

Edited by TurboBorland on 10/09/2010 13:39:29

Posted by sLiPpErYh4x0r on 11/06/2010 14:37:59
#5

I'm lost in this as well. I can perform an attack like this no problem, but reading the traffic I'm not following. I've tried every combination I can think of... and nothing...

Posted by auditorsec on 11/06/2010 17:31:24
#6

The traffic is confusing because a script kiddie is blindly doing an ARP spoof rather than a person who really understands...

Therefore you need to understand which part actually is the successful ARP spoof and post it...

Hope this helps...

Posted by nullbyt3 on 11/07/2010 12:07:05
#7

madf0x wrote:
Alrighty, this is perhaps mainly just an (in)sanity check, but I would like it if someone clarified this for me:

When an attacker commits ARP cache poisoning, its goal is to redirect traffic from the victim to the listener. So it sends out ARP reply packets to the gateway IP saying its MAC address is the designated IP address (ergo duplicate assignments showing up is a no-no!). I'm right so far (sanity check)?


When an attacker poisons the ARP cache, he's basically trying to clear out the victim's ARP cache and replace it with arbitrary values (like spoofing the gateway) so the attacker can redirect traffic. He or she would do this by sending ARP replies to both the gateway and the victim, fooling the gateway into thinking he/she's the victim and fooling the victim into thinking he/she's the gateway.


If so, then the TARGET MAC would be the victim's MAC address, while the TARGET IP would be the router that the replies are being sent to. Or would the TARGET IP, like the MAC, be the victim?

I'm pretty sure I've identified the players in this little challenge and am just having trouble plugging in exactly what it's asking for. That, or the phantom slew of bugs assaulting me relentlessly lately is striking again (which honestly at this point I hope is just flawed reasoning on my part).


An ARP request is basically going to look like this: who has xx:xx:xx:xx:xx:xx
An ARP reply will look like this: ipaddress has xx:xx:xx:xx:xx:xx

Basically ARP just associates an IP address with a MAC address so it can communicate. For forensics 8 you need to trace the traffic of each IP to find out who the culprit is. Just follow the TCP streams and read the reassembled packets, and the answer shouldn't be hard to find.
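
Added example (not part of the original thread or of the Security Override challenge files): a Python script that builds a small constructed ARP trace, parses each frame's sender/target fields as post #7 lays them out, and flags the two-way poisoning post #2 describes by looking across several replies rather than at one, as post #4 advises. All addresses below are made up; the helper names (build_arp, parse_arp, detect_poisoning) are this example's own, not Wireshark's or the challenge's.

```python
"""Constructed ARP trace + poisoning detector (added example, not from the thread)."""
import struct
from collections import defaultdict

# Constructed sample addresses; none of these come from the challenge pcap.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields Wireshark shows (sender/target MAC and IP), or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "opcode": opcode,                   # 1 = request, 2 = reply
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_poisoning(frames):
    """Walk the whole trace; one reply alone cannot tell spoof from legit.

    Returns (conflicts, suspects): conflicts maps each IP announced by more
    than one MAC to the MACs in order of first appearance; suspects lists
    MACs that announced more than one IP (the two-way poison of post #2).
    Caveat: a multi-homed host or a router with secondary addresses also
    claims several IPs, so confirm against the rest of the capture.
    """
    ip_to_macs = defaultdict(list)
    mac_to_ips = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != 2:   # only look at replies
            continue
        if arp["sender_mac"] not in ip_to_macs[arp["sender_ip"]]:
            ip_to_macs[arp["sender_ip"]].append(arp["sender_mac"])
        mac_to_ips[arp["sender_mac"]].add(arp["sender_ip"])
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    suspects = sorted(mac for mac, ips in mac_to_ips.items() if len(ips) > 1)
    return conflicts, suspects


# Constructed trace: the real bindings first, then both halves of the spoof.
TRACE = [
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # real gateway -> victim
    build_arp(2, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # real victim -> gateway
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "gateway is me" -> victim
    build_arp(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "victim is me" -> gateway
]

if __name__ == "__main__":
    conflicts, suspects = detect_poisoning(TRACE)
    for ip, macs in conflicts.items():
        print(f"{ip} announced by {macs}; first seen (assumed legit): {macs[0]}")
    print("suspected spoofer(s):", suspects)
```

The "first seen is legitimate" assumption only holds if the capture started before the attack, which is the point post #4 makes. In the third frame the sender IP is the gateway's while the target MAC and target IP are the victim's; that is the field layout behind the TARGET MAC / TARGET IP question in post #1.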

Posted by sLiPpErYh4x0r on 11/07/2010 17:03:09
#8

You're right, it shouldn't be hard.... Are they looking for the originating attacker's MAC or the spoofed MAC? I've tried both... no dice!

Posted by prophet32j on 12/06/2010 12:40:17
#9

My question is: what format should the answers be submitted in? I have the values, but I need to know what format will complete the challenge.

Posted by prophet32j on 12/06/2010 13:10:18
#10

Never mind, I answered the question right. For reference:
MAC addresses must be submitted with colons between the hexadecimal values
e.g. 00:11:22:33:44:55
IP addresses must be submitted as normal octet values with decimal points
e.g. 111.222.333.444

Edited by prophet32j on 12/06/2010 13:18:19

Posted by MnX1337 on 02/08/2014 15:36:39
#11

And as a script kiddie I completed the challenge :) I was born with talent