Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Rogue AP Placement: evil + 1
From: Rob Fuller <jd.mubix () gmail com>
Date: Wed, 25 Aug 2010 22:43:17 -0400

Or just make it easy: http://theplugbot.com/

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Wed, Aug 25, 2010 at 6:57 PM, Bacon Zombie <baconzombie () gmail com> wrote:

A few good idea:

#Use UTF 8 characters to set the SSID to something that look like the
Company standard one.

#If you are going to leave port 80 open on the AP, put a reverse-binding
trojan on the homepage of the AP's GUI since they will probably want a
screenshot of the web GUI.

#Open a few fake ports open that just replay a Telnet banned with one of
the follow - { "Never Gonna Give You Up" lyrics, ASCII Goatse, shell code
[rm -rf *], SQL injection,etc }

#Hide the AP like this

[image: the image] <http://i.imgur.com/i4Sm9.jpg>

*
BaconZombie

☣ ☣ ☣ ☣ ☠ ☠ ☠ ☠ ☢ ☢ ☢ ☢

….all text in this mail is double-rot13 encrypted. ...*

☣ ☣ ☣ ☣ ☠ ☠ ☠ ☠ ☢ ☢ ☢ ☢

****
On 25 August 2010 22:40, Chris Merkel <cmerkel () gmail com> wrote:

Yeah, that does just about everything I need. I'm still going to drop a
big ugly pix and ghetto AP for the fun of it.

Aside from this all-in-wonderful pwnage device, anyone else have tips for
stealthy AP usage?

- Chris


On Wed, Aug 25, 2010 at 2:19 PM, Andrew Johnson <email () andrewcjohnson com
wrote:

Have you seen this?
http://grep8000.blogspot.com/2010/07/introducing-pwn-plug.html

<http://grep8000.blogspot.com/2010/07/introducing-pwn-plug.html>-A

On Wed, Aug 25, 2010 at 10:54 AM, Chris Merkel <cmerkel () gmail com>wrote:

Question directed to fellow pen-test / red-teaming ninjas:

Have a test coming up, and want to place a rogue AP. I fully expect that
a vanilla AP/router will be detected. I'm thinking about dropping a Cisco
PIX 501 with the rogue AP sitting on the other side of the NAT gateway, and
turning off all remote PIX management as well (if possible, it's been awhile
since I admin'ed these.), maybe even turn off ICMP echo replies.

My guess is that this isn't going to be detected... My question is:
anyone gone to that level of evil to evade detection on a network? If so,
could you share any tips or gotchas you encountered along the way?

(BTW, you can get a PIX 501 on ebay for under 100 bucks... so well
within the reach of an attacker...)

--
- Chris Merkel

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
- Chris Merkel

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault