EH-Net Forums
Show Posts
1  Ethical Hacking Discussions and Related Certifications / Wireless / Pyrit. on: August 03, 2012, 05:25:41 PM
Pyrit says there are 9,000,000 million passwords available (based on the dictionaries I have imported).

Yet, when I test it against the .cap file (with the WPA handshake) it only tests for 6,000,000 passwords.

Any idea why there is a difference?

Thanks.
2  Ethical Hacking Discussions and Related Certifications / Other / Re: What are these weird IP addresses? on: June 29, 2012, 02:23:18 PM
The VPN provider finally replied.

"I guess without VPN you are on a private IP so you don't see such traffic as it
hits your NAT router. With VPN you are on a public IP so any connection attempt hits your interface."

That just about makes sense to me.

If anyone is interested I've included a small (200 entry) wireshark file.

I am 109.205.169.5.  The wireshark file shows:

ICMP (my VPN IP to many other IPs) - always "destination unreachable - port unreachable".

WHOIS shows my ICMP traffic to:

Oriental Cable Network Co (China)
Charter Communications (USA)
MarocTelecom (Morocco)
Telenor Norge (Norway)
RCS & RDS (Romania)

TCP (their IPs to my VPN IP and my VPN IP then responds to their IPs).

WHOIS shows TCP traffic to and from:

Hetzner Online (Germany)
BVNET (Argentina)

UDP (their IPs to my VPN IP).

WHOIS shows their UDP traffic to me from:

Oriental Cable Network Co (China)
TurkTelekom (Turkey)
Bulgarian Telecommunications Company (Bulgaria)
103.2.208.5 (an IP with no WHOIS record)
Cablevision AR (Argentina)

Hopefully it will be interesting to someone...
3  Ethical Hacking Discussions and Related Certifications / Wireless / Wireless network that prevents ARPspoofing - what are the settings? on: June 23, 2012, 05:10:32 PM
What is the technical term for an open wireless network that prevents clients from using arpspoof and SSL Strip?

The Wireshark wlan0 display shows that the fake router is broadcasting ARP packets and that HTTP / TCP traffic is going through the MITM.

However, none of the traffic is stored by SSL Strip.

What are the settings that prevent logging by SSL Strip?

Many thanks.
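Added example, not part of the original post: the defender-side counterpart of the question above is to notice when an IP address's MAC mapping changes, which is what a fake router broadcasting ARP replies produces. (Many access points also offer a "client isolation" or "AP isolation" setting that blocks client-to-client forwarding; the post does not say whether that was in play, so the code below makes no assumption about the network and only looks at ARP frames.) The frames, the addresses and the `detect_arp_spoofing` function are constructed for this example.

```python
from collections import namedtuple

# One ARP frame as it appears in a capture: op 1 = request, 2 = reply.
ArpFrame = namedtuple("ArpFrame", "ts op sender_ip sender_mac target_ip")

# Constructed frames (all addresses made up). The gateway 192.168.1.1 is first
# announced by one MAC, then a second MAC starts claiming it, and that second
# MAC also claims a client address: the pattern a fake-router MITM produces.
CONSTRUCTED_FRAMES = [
    ArpFrame(0.0, 2, "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.20"),
    ArpFrame(1.0, 1, "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.1"),
    ArpFrame(5.0, 2, "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.20"),
    ArpFrame(5.5, 2, "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.20"),
    ArpFrame(6.0, 2, "192.168.1.20", "de:ad:be:ef:00:99", "192.168.1.1"),
]


def detect_arp_spoofing(frames, trusted=None):
    """Replay ARP frames against an IP->MAC table and return (alerts, multi_claims).

    alerts lists every frame whose sender MAC contradicts the mapping already
    held for that IP (as (timestamp, ip, expected_mac, seen_mac)); multi_claims
    maps any MAC that claimed more than one IP to the set of IPs it claimed.
    """
    table = dict(trusted or {})   # optionally pre-seeded with the known gateway MAC
    alerts = []
    claims = {}
    for f in frames:
        # Hosts update their caches from requests as well as replies, so check both.
        claims.setdefault(f.sender_mac, set()).add(f.sender_ip)
        known = table.get(f.sender_ip)
        if known is None:
            table[f.sender_ip] = f.sender_mac          # first sighting: learn it
        elif known != f.sender_mac:
            # Conflict: record it, but keep the first (or trusted) mapping rather
            # than overwriting it with the new claim.
            alerts.append((f.ts, f.sender_ip, known, f.sender_mac))
    multi_claims = {mac: ips for mac, ips in claims.items() if len(ips) > 1}
    return alerts, multi_claims


if __name__ == "__main__":
    alerts, multi = detect_arp_spoofing(CONSTRUCTED_FRAMES)
    for ts, ip, expected, seen in alerts:
        print(f"t={ts:>4}: {ip} expected {expected}, saw {seen}")
    for mac, ips in multi.items():
        print(f"{mac} claims {sorted(ips)}")
```

Seeding `trusted` with the real gateway MAC (taken from the AP's own configuration rather than learned off the wire) makes the first frame from a spoofer an alert instead of a learned fact.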
4  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Enumerating the 'hidden' IP addresses using port 0? on: June 23, 2012, 01:48:56 PM

The Nessus reports says:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates MAC addresses."

Two questions:

First, as this scan is done on the "port" 0 presumably it can only be done when the scanned machine and the scanning machine are on the same LAN?

Second, I don't understand what the "supplied credentials" means. I did not supply any such credentials, but the SSH tool obtained my internal IP address and MAC addresses. How?

Thanks as always.
5  Ethical Hacking Discussions and Related Certifications / Other / What are these weird IP addresses? on: June 14, 2012, 04:49:56 PM
I was looking at my Ipredator VPN traffic in Wireshark using ppp0 and I am confused.

There were many connections to and from my machine using different protocols even when I am not using any Internet-based programs.

Here are some examples:

ICMP (my IP connects to their IPs but their IPs do not connect to my IP) - all "destination unreachable".

Whois shows I am connecting to (for example):

Comcast Cable Communications
Hungarian Telecom
Telefonica de Espana
UCOM Corp (Japan)
TENET (Ukraine)

TCP  (my IP contacts their IPs and their IPs contact my IP).

Whois shows the connections are between (for example).

NC Numericable S.A. (France)
Charter Communications (USA)
Saudi Telecoms

UDP (their IPs connect to my IP but my IP does not connect to their IPs).

Whois shows their connections are from (for example):

Verizon Internet
HINET (Taiwan)
Arrowhead (Denmark)

Do you know what these IPs might represent?  I am not manually (e.g. via HTTP) connecting to any of these networks.

Thanks!
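Added example, not part of either "What are these weird IP addresses?" post: a small Python triage of the pattern those two posts describe. A public VPN address receives the unsolicited probes that a NAT router would otherwise absorb; grouping the packets by remote peer, noting who spoke first, and checking whether every reply we sent was a rejection (an ICMP port unreachable or a TCP RST) separates that background noise from sessions we actually started. `MY_VPN_IP` is the address given in the post; the peer addresses, the packet summaries and the `classify_peers`, `verdict` and `report` functions are constructed for this example and are not from the poster's capture.

```python
from collections import Counter

# Address of the VPN interface named in the post; the peer addresses below are
# constructed documentation-range examples, not addresses from the real capture.
MY_VPN_IP = "109.205.169.5"

# Constructed packet summaries in the shape of Wireshark's
# Protocol / Source / Destination / Info columns.
CONSTRUCTED_PACKETS = [
    ("UDP",  "203.0.113.7",   MY_VPN_IP,       "Source port: 6881  Destination port: 51413"),
    ("ICMP", MY_VPN_IP,       "203.0.113.7",   "Destination unreachable (Port unreachable)"),
    ("TCP",  "198.51.100.23", MY_VPN_IP,       "54321 > 22 [SYN]"),
    ("TCP",  MY_VPN_IP,       "198.51.100.23", "22 > 54321 [RST, ACK]"),
    ("TCP",  "198.51.100.23", MY_VPN_IP,       "54322 > 23 [SYN]"),
    ("TCP",  MY_VPN_IP,       "198.51.100.23", "23 > 54322 [RST, ACK]"),
    ("TCP",  MY_VPN_IP,       "192.0.2.1",     "44444 > 443 [SYN]"),
    ("TCP",  "192.0.2.1",     MY_VPN_IP,       "443 > 44444 [SYN, ACK]"),
    ("TCP",  MY_VPN_IP,       "192.0.2.1",     "44444 > 443 [ACK]"),
]


def classify_peers(packets, my_ip):
    """Group packets by remote peer, recording who spoke first and how many of
    our outbound packets were plain rejections (ICMP unreachable or TCP RST)."""
    peers = {}
    for proto, src, dst, info in packets:
        if dst == my_ip:
            peer, direction = src, "in"
        elif src == my_ip:
            peer, direction = dst, "out"
        else:
            continue  # not our traffic at all
        p = peers.setdefault(peer, {"first": direction, "in": Counter(),
                                    "out": Counter(), "rejections": 0})
        p[direction][proto] += 1
        if direction == "out" and ("unreachable" in info.lower() or "RST" in info):
            p["rejections"] += 1
    return peers


def verdict(peer_stats):
    """Label one peer. A peer that spoke first and only ever got rejections back
    is scanning noise, the normal fate of any address reachable from the Internet."""
    if peer_stats["first"] == "out":
        return "initiated by us"
    if sum(peer_stats["out"].values()) == peer_stats["rejections"]:
        return "unsolicited probe"
    return "inbound session we accepted"


def report(packets, my_ip):
    """Map each remote peer to its verdict."""
    return {peer: verdict(stats)
            for peer, stats in classify_peers(packets, my_ip).items()}


if __name__ == "__main__":
    for peer, label in report(CONSTRUCTED_PACKETS, MY_VPN_IP).items():
        print(f"{peer:16} {label}")
```

Real input would come from `tshark -T fields` output or a pcap parser; the Info-string heuristic is deliberately simple, so a peer to whom we sent anything other than a rejection is treated as an accepted session and deserves a closer look.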
6  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Enumerating the 'hidden' IP addresses using port 0? on: June 13, 2012, 04:17:14 PM
Quote: "Nessus reports local information as port 0. Are you scanning this machine remotely or are you running Nessus from the target machine?"

I think this answers my question.

I am running Nessus from the target machine.

Hence, if I understand correctly, your point is that the information collected is "local".

And therefore if I was scanning the same machine remotely I would not be able to obtain such "local" information.

Correct?
7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Enumerating the 'hidden' IP addresses using port 0? on: June 13, 2012, 02:37:03 PM
I recently ran a Nessus scan against my outward-facing IP. 

Its information gathering tools discovered a lot of pertinent data.

It correctly identified:

my eth0 MAC.
my wlan0 MAC.
my firewall rules (using iptables -L -n -v -t filter).
my operating system (using uname -a).
the name of my computer (but not the user name).
my programs listed as ESTABLISHED or LISTENING (using netstat)

For example:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses."

- 127.0.0.1 (on interface lo)
- 93.xxx.xxx.xxx (on interface ppp0)
- 128.xxx.xxx.xxx (on interface wlan0)

Nessus gathers this information by sending the queries mentioned earlier (like uname -a) to port 0.

I first assumed that this would be an excellent tool to identify a person as it reveals their real IP (if they are 'hiding' behind a VPN), assuming that wlan0 is not a 192.168.x.x address.

However, I then thought that the 'real' IP address can only be gathered as I was scanning myself.

I need to test this but am I correct to think that if one outward-facing IP uses Nessus to scan a different outward-facing IP then they would not get the 'real' IP addresses like I did when I scanned myself. 

I don't see, for example, how commands like uname and iptables can be run on remote machines across the Internet because, if so, the whole idea of VPNs is rendered pointless.

Thanks!
8  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / How to best enumerate defined IP range? on: June 10, 2012, 04:45:33 AM
How it is possible (if this is the case) to find all outward-facing IP addresses associated with one organization?

I want to route all my traffic through a VPN (Ipredator).  I plan to use ufw under Ubuntu.

I have e-mailed Ipredator but they have not responded as yet and I understand that their customer service is not the best.

My impression is that IPREDator are served by ViaEuropa Routingregistry (viaeuropa.net).  Their CIDR is 93.182.128.0/18

However, there are IPs in this range which do not resolve to Ipredator.

For example:

1.137.182.93.in-addr.arpa domain name pointer anon-137-1.relakks.com

Is there a professional way of removing such IPs or would it be easier to just use 93.182.128.0-93.182.191.255 (based on 93.182.128.0/18) as the only IP addresses to which I am permitted to connect?

I guess another way to ask this question is: what are the tools you would use to define the specific IP addresses to target?

Thanks!
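Added example, not part of the original post: the arithmetic behind the question above in Python's standard `ipaddress` module. It expands the /18 the post names into its first and last address, drops hosts whose reverse DNS points outside the expected provider domain, carves those hosts out of the block into the minimal set of CIDR prefixes a firewall can take, and renders them as ufw egress rules (ufw is the firewall the post plans to use). The /18 and the `anon-137-1.relakks.com` PTR record come from the post; `EXPECTED_PTR_SUFFIX`, the other PTR entries and every function name are constructed placeholders. Finding which prefixes belong to an organisation in the first place is a WHOIS and routing-registry lookup that this offline example does not perform.

```python
import ipaddress

# The /18 named in the post and the one PTR record it quotes; the suffix and
# the remaining PTR entries are constructed placeholders.
VPN_CIDR = ipaddress.ip_network("93.182.128.0/18")
EXPECTED_PTR_SUFFIX = ".vpn-provider.example"   # placeholder for the provider's real rDNS domain
CONSTRUCTED_PTR = {
    "93.182.137.1": "anon-137-1.relakks.com",            # quoted in the post
    "93.182.130.7": "node-130-7.vpn-provider.example",   # constructed
    "93.182.190.9": "node-190-9.vpn-provider.example",   # constructed
    "93.182.150.3": None,                                # constructed: no PTR record
}


def range_bounds(net):
    """First address, last address and size of a CIDR block."""
    return str(net[0]), str(net[-1]), net.num_addresses


def foreign_hosts(ptr_map, suffix):
    """IPs whose reverse DNS points outside the expected domain. A missing PTR
    is kept: absence of a record is not evidence of a different owner."""
    return sorted(ip for ip, name in ptr_map.items()
                  if name is not None and not name.endswith(suffix))


def allowed_blocks(net, excluded_ips):
    """Carve single hosts out of a block and return the minimal list of CIDRs
    covering what is left (firewall rules take prefixes, not ranges)."""
    nets = [net]
    for ip in excluded_ips:
        host = ipaddress.ip_network(ip + "/32")
        carved = []
        for n in nets:
            carved.extend(n.address_exclude(host) if host.subnet_of(n) else [n])
        nets = carved
    return sorted(ipaddress.collapse_addresses(nets))


def covers(blocks, ip):
    """True if any block contains the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in b for b in blocks)


def ufw_rules(blocks):
    """ufw commands for a deny-by-default egress policy that only permits the blocks."""
    return ["ufw default deny outgoing"] + [f"ufw allow out to {b}" for b in blocks]


if __name__ == "__main__":
    print("range:", range_bounds(VPN_CIDR))
    drop = foreign_hosts(CONSTRUCTED_PTR, EXPECTED_PTR_SUFFIX)
    print("excluded:", drop)
    for rule in ufw_rules(allowed_blocks(VPN_CIDR, drop)):
        print(rule)
```

Excluding a single /32 from a /18 necessarily splits it into fourteen prefixes (one for each bit between /19 and /32), so each host removed adds rules; whether that is worth it, versus allowing the whole /18 as the post considers, is a judgement about how much the stray hosts matter.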
9  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Why won't this HTML load in Firefox??? on: June 10, 2012, 04:20:02 AM
Thank you for your advice.

I use Firefox 13.0 without NoScript or HTTPS-Everywhere or any other blocker to load www.hotmail.com (which redirects to https://login.live.com) and it still has the URL=https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033" link.

However, it does not matter because I am able to load the page.

The problem with the SET Credential Harvester (https://www.secmaniac.com/movies/ - scroll down for the video) is that it changes the <base href="https://login.live.com/pp1300/" into <base href="" which prevents the page from loading.

The Credential Harvester requires POSTs which the Hotmail login no longer contains.  Therefore the Harvester is incompatible with Hotmail.

Here is the Pastebin for the 'standard' login screen (from my browser not Credential Harvester) - http://pastebin.com/jEDwYF6E

I don't think it's interesting though. Like I said: the JS disabled doesn't prevent the page from loading (for me at least).
10  Resources / Tools / Nmap and DNS - a suggestion. on: June 10, 2012, 04:08:36 AM
I wanted to detail an interesting experience (to me at least) I recently had using nmap 6.00.

I was using Nmap through a VPN and so I expected that all traffic would flow through the VPN.

I was using Wireshark to monitor ppp0 (the connection between my VPN IP address and the remote host).

I was using - among other commands - nmap -sL which very quickly resolves IPs into hostnames for remote hosts (should, of course, the remote hosts have been named).

My /etc/resolv.conf file showed my VPN's two DNS servers, then my ISP's three DNS servers.

The command (for example) nmap -sL 150.150.1.1-150.150.5.255 would mean that thousands of scans are done very quickly.

ppp0 showed that nmap was using all five DNS servers. This was not necessarily leakage as such because it was my VPN IP which was calling my ISP's DNSes (rather than my 'real' IP calling them) but, even so, this was not behavior I expected.

There are two solutions.  First, specifically with nmap, use its --dns-servers command to allocate specific DNS servers.

The other more general option is to comment out all non-VPN DNS servers in /etc/resolv.conf.  I assume that nmap (and, for that matter, any other program) can call from that file to select their DNSes.

Any comments or questions would be appreciated.
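Added example, not part of the original post: a Python check for the situation described above. It parses a resolv.conf, reports every nameserver that is not one of the VPN's, produces the post's general fix (the non-VPN lines commented out) and the post's nmap-specific fix (a list scan with `--dns-servers` pinned to the VPN resolvers). The resolv.conf text and all addresses are constructed; `VPN_DNS` is an assumed pair of VPN-pushed resolvers, and the function names are this example's own. The target range is the one given in the post.

```python
import shlex

# Constructed resolv.conf: two VPN-pushed resolvers followed by three ISP ones,
# the ordering the post describes. All addresses are made up.
CONSTRUCTED_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 10.8.0.1
nameserver 10.8.0.2
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 192.0.2.55
search example.net
"""

VPN_DNS = ["10.8.0.1", "10.8.0.2"]   # assumed: the resolvers the VPN pushed


def parse_nameservers(text):
    """Nameserver addresses in file order, ignoring comments and other keywords."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def leaking_servers(text, allowed):
    """Resolvers a program reading this file could use that are not the VPN's."""
    allowed = set(allowed)
    return [s for s in parse_nameservers(text) if s not in allowed]


def comment_out_foreign(text, allowed):
    """The post's general fix: comment out every nameserver line not in `allowed`."""
    allowed = set(allowed)
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in allowed:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def nmap_list_scan(targets, allowed):
    """The post's nmap-specific fix: an argv for a list scan whose reverse
    lookups are pinned to the given resolvers."""
    return ["nmap", "-sL", "--dns-servers", ",".join(allowed), targets]


if __name__ == "__main__":
    print("leaking:", leaking_servers(CONSTRUCTED_RESOLV_CONF, VPN_DNS))
    print(comment_out_foreign(CONSTRUCTED_RESOLV_CONF, VPN_DNS))
    print(shlex.join(nmap_list_scan("150.150.1.1-150.150.5.255", VPN_DNS)))
```

One caveat worth checking on your own setup: `--dns-servers` steers nmap's own reverse lookups, while a hostname typed on the command line may still be resolved through the system resolver, which is why the resolv.conf change is the broader of the two fixes.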
11  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Why won't this HTML load in Firefox??? on: June 06, 2012, 04:40:48 PM
I don't know why the links show http://https:// but in the source that I downloaded they render as normal https://

For example this does work: Https://secure.shared.live.com/~Live.SiteContent.ID/~16.3.16/~/~/~/~/images/favicon.ico

I don't know if the http://https:// was what you meant?

I think that the problem is shown here: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033

The page reads:

JavaScript required to sign in

Windows Live ID requires JavaScript to sign in. This web browser either does not support JavaScript, or scripts are being blocked.

To find out whether your browser supports JavaScript, or to allow scripts, see the browser's online help.

What I do not understand is why it claims this even though I have JavaScript enabled and have disabled anything that might in any way interfere with JavaScript.

I don't know if this is a problem with the Social Engineer Toolkit or something else.
12  Ethical Hacking Discussions and Related Certifications / Web Applications / Why won't this HTML load in Firefox??? on: June 06, 2012, 02:07:36 PM
Hello!

Are any of you guys familiar with the Social Engineer Toolkit?

I am attempting to use its Credential Harvester program but I ran into a slight problem.

The Credential Harvester clones a website which has POST login forms.  All POST information is transmitted to the attacker once the target connects to his IP and enters details.

I am having problems with Hotmail.  The only site seems to be login.live.com.  Everything redirects to this site so I have no alternatives to clone.

I clone the site in the Harvester which seems to work.  This process creates an index.html file.  I then go to my IP address which loads the index.html but all I see is a blank page.  The source reveals that the page has, in fact, loaded but nothing is displayed.

I believed that the problem was the base href="" (empty) so I set it to https://login.live.com/pp1300 which (should you enter this) will take you to login.live.com.  However, this did not change anything as the page still refused to load.

The source of the index.html (from Firefox) claims that JavaScript is disabled.  This is not the case.  And I also unloaded NoScript and HTTPS-Everywhere to simulate a 'normal' browser.

Does anyone know why the page will not load? Thanks!

Initial source below (I can provide more should you wish).

<html dir="ltr" lang="EN-US"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=5"/><script type="text/javascript">var g_dtFirstByte=new Date();</script><base href=""/><noscript><meta http-equiv="Refresh" content="0; URL=https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033"/>Windows Live ID requires JavaScript to sign in. This web browser either does not support JavaScript, or scripts are being blocked.<br /><br />To find out whether your browser supports JavaScript, or to allow scripts, see the browser's online help.</noscript><title>Sign In</title><meta name="description" content="Powerful free e-mail with security from Microsoft - Windows Live Hotmail is a best in class e-mail service that helps you organize and manage all your online stuff in one place"/><meta name="PageID" content="i5030"/><meta name="SiteID" content="64855"/><meta name="ReqLC" content="1033"/><meta name="LocLC" content="1033"/><script type="text/javascript"></script><link rel="shortcut icon" href="http://Https://secure.shared.live.com/~Live.SiteContent.ID/~16.3.16/~/~/~/~/images/favicon.ico" />
<link rel="image_src" href="http://Https://secure.shared.live.com/~Live.SiteContent.ID/~16.3.16/~/~/~/~/images/Windows_Live_v_thumb.jpg" / >
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What Security Precautions Do You Use When Connecting To The Target Network? on: June 04, 2012, 04:48:24 AM
Everything is remote.
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / What Security Precautions Do You Use When Connecting To The Target Network? on: June 03, 2012, 03:44:47 PM
What (if any) measures do people here take to prevent their IP addresses from being recorded when scanning (using nmap or Nessus or equivalents) or making connections to the target machines (via Metasploit)?

The obvious option is to use a VPN. My traffic in Wireshark with a PPTP VPN on wlan0 and ppp0 looks secure (there are no connections between my actual IP and the target machine).

What other suggestions do you have?
© 2013 The Ethical Hacker Network