EH-Net
Topic: Help Needed -- How to Takeover LAN IP Address from a Live Host?  (Read 2938 times)
C0de_X
Newbie
Posts: 1
« on: May 05, 2012, 11:32:33 AM »

Hey experts out there,

I need some urgent help & advice for my Pentest... here is the situation:

In my security testing lab environment, I have A SIP Gateway Server (let me just name it SRVA) and a SIP Client (CLTA) in the same switched LAN (same subnet). SRVA IP address is 192.168.1.100 and CLTA IP address is 192.168.1.200. All IP addresses are statically configured, no DHCP is involved.

SRVA and CLTA are communicating using SIP Protocol and they are using Digest Authentication between the two hosts. On top of the Digest Authentication, the server is also using IP Address as another security measure to authenticate the client side -- which means, on the Server it is configured to only Allow any SIP connection request originated from CLTA's IP Address (192.168.1.200), even after the Digest Authentication is successfully made -- no other source IP Address is allowed by the Server.

My task is to find a way to compromise the LAN security and successfully make VoIP calls from another computer (not CLTA). So I am almost there... as I have already cracked the SIP username and Digest Authentication Password using the Man-in-the-Middle attack. So now I have the SIP Username and the working SIP Password, as well as a free VoIP Softphone installed on my computer (IP Address 192.168.1.210). I am very close to my final objective!

However, now I am facing a challenge on how to physically take over the IP address of CLTA (192.168.1.200)... as the SIP Server (SRVA) will deny my SIP connection from any IP address other than 192.168.1.200 even with the correct username/password. I tried to configure my IP address manually to 192.168.1.200, but as expected, after I do so, I receive an "IP Address Conflict" error and am not able to use the network -- I am sure the CLTA side will also have that error pop up.

-- How shall I go about successfully taking over 192.168.1.200 on the LAN, while I am not allowed to shut down CLTA or disconnect it from the network?

Need some ideas... thank you!

Regards
unicityd
Full Member
Posts: 156
Bored IT Manager, Crypto Nerd
« Reply #1 on: May 05, 2012, 02:02:17 PM »

"ARP Spoofing" is the technique you need.

The Wikipedia article explains the basics and lists some tools:

http://en.wikipedia.org/wiki/ARP_spoofing

The short explanation is that each computer on the LAN has a MAC address and an IP address. Each Ethernet frame has to be addressed to the target computer's MAC address. As you've discovered, you can't just change the IP on your computer, since the OS will check to see if anyone else is using the IP and refuse if it is in use. Instead of completely taking over the IP address (in which case you need to crash/flood/disconnect the client), you can just convince the server that your computer's MAC address is associated with 192.168.1.200. Using ARP spoofing software, you can pretend to own the client's IP address knowing full well that it is in use.

ARP spoofing is a targeted attack so you can convince the server that you own the client IP address without affecting other computers.  For example, the client could still browse the web and the return traffic would reach him and not you.

Good luck with your lab.

BS in IT, CISSP, MS in IS Management (in progress)
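The reply above describes the mechanism the server falls for: it trusts whichever MAC address most recently claimed 192.168.1.200 in an ARP message. The flip side for whoever runs SRVA is that the same property makes the attack detectable, because a poisoned binding shows up on the wire as the same IP being claimed by two different MAC addresses. The following is an added example, not code from the thread or from any tool it mentions: a small ARP frame parser plus an arpwatch-style monitor that pins the known CLTA binding and alerts when any ARP request or reply claims that IP from another MAC. All MAC addresses and the sample frames are constructed for the demo; a real deployment would feed it frames from a raw socket or a pcap.

```python
import socket
import struct

# Ethernet header: dst MAC, src MAC, EtherType.  ARP body per RFC 826.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not a well-formed Ethernet/IPv4 ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa)


class ArpWatcher:
    """Tracks IP -> MAC bindings seen in ARP sender fields and flags changes.
    Both requests and replies carry the sender binding, so poisoning through
    either kind of message is caught."""

    def __init__(self):
        self.table = {}      # ip -> mac (first seen, or pinned)
        self.alerts = []

    def pin(self, ip: str, mac: str) -> None:
        """Pre-seed a binding you know to be correct (e.g. from the static IP plan)."""
        self.table[ip] = mac.lower()

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, _tha, _tpa = parsed
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha       # learn first binding
            return None
        if known != sha:
            alert = f"ARP binding change: {spa} known as {known}, now claimed by {sha} (op={op})"
            self.alerts.append(alert)
            return alert
        return None


def build_arp(op, sha, spa, tha, tpa, dst=b"\xff" * 6) -> bytes:
    """Constructed sample traffic for the detector (not a capture)."""
    eth = ETH_HDR.pack(dst, sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def run_demo():
    """Feed three constructed frames through the watcher; returns the alert list."""
    clta_mac = bytes.fromhex("00112233aa01")     # constructed: the real client NIC
    srva_mac = bytes.fromhex("00112233aa02")     # constructed: the server NIC
    other_mac = bytes.fromhex("00112233bb03")    # constructed: a different host on the LAN
    watcher = ArpWatcher()
    watcher.pin("192.168.1.200", mac_str(clta_mac))
    frames = [
        # legitimate request from the server and the client's legitimate reply
        build_arp(ARP_REQUEST, srva_mac, "192.168.1.100", b"\x00" * 6, "192.168.1.200"),
        build_arp(ARP_REPLY, clta_mac, "192.168.1.200", srva_mac, "192.168.1.100", dst=srva_mac),
        # a reply in which another MAC claims the client's IP toward the server
        build_arp(ARP_REPLY, other_mac, "192.168.1.200", srva_mac, "192.168.1.100", dst=srva_mac),
    ]
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a network like the one in the question, where every address is static, the `pin()` step is the useful part: the expected IP-to-MAC plan is known in advance, so any ARP message that disagrees with it is a finding rather than a guess. The same idea is what static ARP entries on SRVA, or Dynamic ARP Inspection with an ARP ACL on a managed switch, enforce in-line instead of merely reporting.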
unicityd
Full Member
Posts: 156
Bored IT Manager, Crypto Nerd
« Reply #2 on: May 05, 2012, 02:23:30 PM »

BTW: If you're on Windows, try Cain & Abel. 

BS in IT, CISSP, MS in IS Management (in progress)
impelse
Hero Member
Posts: 565
« Reply #3 on: May 06, 2012, 08:23:20 AM »

Use the same Man-in-the-Middle that you used for getting the username and password to pose as the IP address with the MAC.....

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/