EH-Net
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hacking Dojo - New Year resolution offer on: January 31, 2013, 06:22:52 PM
Great.
According to the wiki I'll have a lot of fun
2  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hacking Dojo - New Year resolution offer on: January 31, 2013, 03:07:22 PM
in :)
3  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hacking Dojo - New Year resolution offer on: January 31, 2013, 06:35:39 AM
Hi Grendel,

Why is the price for the shodan course for Google Wallet users $850 and for PayPal users $425?
4  Ethical Hacking Discussions and Related Certifications / Web Applications / Hack.me - "Hackme Launch": root? on: January 25, 2013, 07:24:59 AM
Hello,

I wonder if someone here did the hack.me "Hackme Launch" (https://hack.me/101052/vulnerable-webapp.html) too and managed to gain root access or revealed the administrator password.
Via SQL injection I could read out the database with all its user entries.
I haven't seen an admin account and I was not able to load the ".htaccess" file.
Has any of you found a way and could give me a hint?

Thanks
5  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: ARP-Spoofing and general understanding of osi layer on: January 12, 2013, 02:38:43 PM
Thanks for your input.

6  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: ARP-Spoofing and general understanding of osi layer on: January 10, 2013, 09:33:12 AM
Hi,

thanks for your answers.
My lab consists of 3 PCs and 1 router: 1 running an SSH and HTTP server, 1 client and 1 attacker. The goal was to redirect the client to the attacker's server when he tried to connect to the real server. While experimenting I could answer the OSI layer questions for myself.

I poisoned ARP for the server and for the client, so I was in the middle. After enabling IP forwarding and writing an iptables NAT PREROUTING redirect chain, the client would join my server if he tried to connect to the real server on a specific port.

Now I will run a DNS on the attacker's machine, ARP-spoofing the router and the victim, and redirect all outgoing traffic to the attacker's DNS, which resolves every domain to the attacker's IP.

My question is: How could the client prevent such attacks at home and in public networks, how could the admin prevent such attacks at home and in public networks, and how could the server prevent such attacks? (In the case of SSH I think the server is doing it by signatures, so the client should be wondering if the signatures don't match.)
My goal is: Harden the lab, step by step, trying to find a workaround for every step for the attacker, then harden it again.
The important thing is that I go step by step.

I think the key for preventing those attacks is to make ARP spoofing as hard as possible, as for redirecting you have to be in the middle if you don't have access to other machines in the network (like the DNS). So an admin could make static IP addresses and static ARP tables. At least the client PCs should have one static entry for the gateway. If the attacker is changing his MAC to the gateway's MAC there could be a vulnerability though (haven't tried this one yet). But that's not a solution for a public network for everyone.
The step for public networks could be a firewall, checking for ARP flooding and blacklisting the spammer, so the attacker would have to find a more quiet solution.
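
As an added example (not part of the original posts), the two defensive ideas in the post above, a static gateway entry and a check for ARP flooding, can be written as detection logic over observed ARP replies. The record format, the addresses and the thresholds are constructed assumptions, and the "one MAC claiming several IPs" check goes slightly beyond what the post names.

```python
from collections import defaultdict, deque

# Pinned IP-to-MAC bindings, i.e. the "static entry for the gateway"
# (constructed lab values, not taken from the posts).
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}

# Constructed ARP reply observations: "<seconds> <sender IP> <sender MAC>"
SAMPLE = """\
100.0 192.168.1.1 00:11:22:33:44:01
100.5 192.168.1.20 00:11:22:33:44:20
101.0 192.168.1.1 de:ad:be:ef:00:66
101.2 192.168.1.20 de:ad:be:ef:00:66
102.0 192.168.1.1 de:ad:be:ef:00:66
103.0 192.168.1.1 de:ad:be:ef:00:66
104.0 192.168.1.1 de:ad:be:ef:00:66
110.0 192.168.1.30 00:11:22:33:44:30
"""

def analyse(lines, pinned=PINNED, window=5.0, max_replies=4):
    """Return de-duplicated (time, kind, mac, detail) alerts for ARP replies."""
    alerts, seen = [], set()
    ips_by_mac = defaultdict(set)   # every IP a MAC has claimed so far
    recent = defaultdict(deque)     # reply timestamps per MAC inside the window

    def alert(t, kind, mac, detail):
        if (kind, mac, detail) not in seen:
            seen.add((kind, mac, detail))
            alerts.append((t, kind, mac, detail))

    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        t, mac = float(ts), mac.lower()
        # 1. A reply for a pinned IP from any other MAC contradicts the static table.
        if ip in pinned and pinned[ip] != mac:
            alert(t, "pinned-mismatch", mac, ip)
        # 2. One MAC answering for several IPs (proxy ARP also looks like this).
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alert(t, "multi-ip", mac, ",".join(sorted(ips_by_mac[mac])))
        # 3. More than max_replies replies from one MAC within the sliding window.
        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_replies:
            alert(t, "reply-flood", mac, "")
    return alerts

if __name__ == "__main__":
    for a in analyse(SAMPLE):
        print(a)
```

The pinned-mismatch check fires on the first forged reply, while the flood check needs the sender to exceed the rate threshold, so a slow poisoner is only caught by the binding checks.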
7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / ARP-Spoofing and general understanding of osi layer on: January 08, 2013, 09:04:53 PM
Hello,

I read the http://www.ethicalhacker.net/content/view/66/24/ article and wanted to experiment with this, as I recognized that I might have a lack in understanding the OSI layer concept.

Experiment: ARP-poison my machine and redirect it to a simple test page.
I used arpspoof for the ARP poisoning, enabled IP forwarding and everything worked, as traceroute, ping, arp -a and Wireshark told me.
Because I didn't want to sniff, I disabled ip_forwarding on the attacker's VM.

Now the questions:
With IP forwarding, the Ethernet frame, with the IP packet containing the ICMP message, was sent to the attacker and then redirected/forwarded to the gateway. Wireshark also gave a message, like ICMP redirect, between the two machines.
Without IP forwarding, the Ethernet frame arrives at the attacker, but as the IP packet is not for him, he doesn't answer and the victim gets an ICMP unreachable.
Same with DNS, HTTP and other traffic going over the gateway.
First question: Why doesn't Wireshark recognize that an Ethernet frame was sent to the attacker (does it only show layer 3+ protocols)?
Second question: The Ethernet frames are arriving at the attacker, so if he wanted to stay unrecognized or redirect the victim to his own site/server, he would write a program which reads the IP packets and redirects them to himself, plus he would IP-spoof the answer, leaving the victim unaware.
E.g.: An ICMP is sent from the victim to the gateway. The Ethernet frame arrives at the attacker, the attacker reads the IP packet of the frame, recognizes that it's an ICMP and answers?

Which means with a bit of iptables NAT, IP forwarding and maybe a bit of extra coding it would be possible not only to sniff, but "to become the gateway" without actually being the gateway, or am I totally wrong?
So if one uses a more quiet route of ARP poisoning, like ARP tabling or something else, it would be hard to detect intrusion of a MITM.
How would you protect your network from that?