|
EH-Net
|
|
May 24, 2013, 08:31:12 AM
|
|
1248
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Router and Firewall questions
|
on: May 01, 2010, 03:29:48 PM
|
|
OK, again, if your router ports aren't being forwarded through (as I'd mentioned in my previous response) you won't be able to 'see into the internal network, behind the router,' via an nmap scan or the like. All you can do is work with ports that DO get through (aren't being filtered) or you're going to have to try to be manipulative and accomplish some sort of client-side exploit, via webpage / email / whatever, and gain reverse shell access to a machine that IS behind the firewall.
Basically, if NO ports and services are being allowed past the router / firewall, then there ARE no exploits that'll gain you access (which seems to be the direction you're WANTING to go,) further than the public interface of the router or firewall, unless you gain access via a client-side exploit. You could TRY to firewalk past the firewall / router (manipulate packets' time-to-live to try to enumerate hosts behind it,) but if all of the ports are being filtered AT the router, then you won't get any further via that method, either.
|
|
|
|
|
1249
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Router and Firewall questions
|
on: May 01, 2010, 01:46:39 PM
|
|
Depends... if you're coming from the outside (public internet) to your internal network, then you'll need to find a port or service forwarded through the router, to an internal machine, to attack, or find some way to get access through a host on the inside. Malicious email / website to push code down, or deceive user into running some shellcode or something with a reverse shell, etc. ARP redirection will only be applicable on the same network / subnet, not to fully bypass a router from the outside, in.
|
|
|
|
|
1250
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Router and Firewall questions
|
on: May 01, 2010, 09:23:50 AM
|
|
It depends on what the data is, that you sniff. You can read the ASCII text in packets, so if you happen to be sniffing, for example, traffic going to an HTML login page that isn't SSL encrypted, you might see plaintext passwords, and the like. You might also see, as Ketchup noted, a relevant filename, XSS vulnerabilities, or exploitable PHP script being accessed, etc. Consequently, you might see other ports and services show up in the trace, that you weren't aware of, that are open on the server being queried, so you can then banner grab or research and target attacks that are relevant to the services running on those ports. This is all a learning process, and there are often times, when I'm scanning in this fashion, that I spot new services and ports that I wasn't previously aware of (new stuff, yay!) and I can learn what those services are, and how to exploit them.
It's a process, but one worth learning, as, even if you DON'T pursue security, in the end, you will have a much better knowledge of what goes on within the network in question.
|
|
|
|
|
1253
|
Columns / Haddix / Re: [Article]-Review: eLearnSecurity’s Penetration Testing Pro (PTP)
|
on: April 29, 2010, 10:52:27 AM
|
@hayabusa You can sign up for a demo of our course, that is an (almost) full module on SQL Injection including 20 minutes of video training. Just enter your email on our home page and you will get a user and pass within 1 hour.
Wanted to say that the introductory price ($485) will expire tomorrow April 30th at 12pm GMT. Regular price will be 449€ ($599)
We really gifted this course that is worth at least three times the current price, but yeah! We will respect our first goal to make great training affordable! Even after the great reviews we are getting
Thanks Armando. Will register for the demo. Appreciate the fact that your company is working to keep it real / affordable for everyone. I won't be able to register for the class at this time (budgetary issues), and won't, until I'm done with PWB, so I'll miss out on this discount, but I appreciate the concern and mention of expiration date. 
|
|
|
|
|
1254
|
Columns / Haddix / Re: [Article]-Review: eLearnSecurity’s Penetration Testing Pro (PTP)
|
on: April 29, 2010, 10:08:44 AM
|
|
Hey Jason.
Great review! I'm pumped to look at this one now, too! Question for you. Dunno if you've done PWB yet, from Offensive... If you HAVE, how does this compare to what muts and company have there?
Obviously, PWB is pretty intensive (I'm preparing to start taking v3, in a couple of weeks), and I know from reading, the eLearnSecurity stuff is all online (no downloadable courseware, etc - assumably to keep it from being distributed, etc) But wondering, as a comparison, how the two stack up.
Like I said, this looks promising, so I'll likely go for this, when I am done with PWB. Just looking for a feel on it, so I can gauge my time AFTER PWB, for what and how I want to be doing.
Thanks.
Tim
|
|
|
|
|
1258
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hacking Contest by OffSec
|
on: April 23, 2010, 07:08:31 AM
|
Actually it's a quote by Abraham Lincoln.
OK, geek time for the scholars - And, as Lincoln was quite the scholar himself, I personally think he spoke with reference to the Bible, specifically Ecclesiastes 10:9-10, where it says: "Whoso removeth stones shall be hurt therewith; and he that cleaveth wood shall be endangered thereby. If the iron be blunt, and he do not whet the edge, then must he put to more strength: but wisdom is profitable to direct."
|
|
|
|
|