Learning Phase on Pentest – De-ICE

    • #6600
      vp75
      Participant

      Hi Guys,

      Hope you can help me,

      I got a lab set up with BT5 & installed De-Ice.net 192.168.1.100 (first series).

      It seems by default it is set up with 192.168.100.1; my router as usual has 192.168.0.x. I’m not able to ping the De-Ice distro….

      My question is: without logging into De-Ice I cannot change the IP address…. Similarly, I tried changing the IP address in my router to the 192.168.1.x series to enable it to connect accordingly….. Seems I’m missing something & not sure how to overcome the situation….
      Your help is much appreciated…

      Cheers
      Vp

    • #40886
      hayabusa
      Participant

      Perhaps boot it in a VM with a network configured for that subnet.  For that matter, if you’re on a hub (your router), just put your workstation on the same subnet.  They can hit each other that way, so long as both are on the same side of your router.  (i.e. you’re not trying to go PAST the router.)

    • #40887
      lorddicranius
      Participant

      I would think that changing the subnet on your router to 192.168.1.x would work, that’s exactly what I had to do…hmm.  Make sure you’re not testing connectivity to the .1.100 De-ICE disc via ping – it won’t reply.  You can test by trying to FTP or SSH to it (should get a login prompt).

    • #40888
      hayabusa
      Participant

      Heh…  Been so long since I played with De-ice, forgot he won’t be able to ping it.  Didn’t it even mention that in one of the readme’s?

    • #40889
      vp75
      Participant

      Hi Hayabusa

      I got my lab set up on a Mac….. I believe the Mac version of VM (VM Fusion) is available only as a trial version…. (else got to buy it)….

      Any other option…..?

      Cheers
      Vp

    • #40890
      hayabusa
      Participant

      Yeah…  See lorddicranius’ post, above.  You WON’T be able to ping.  Apologies, as I’d forgotten about that with DE-Ice.  It won’t respond to icmp.  Try ssh, or ftp, or run nmap with common ports, and see if it replies.

      But again, make sure your attack machine is set up with an IP on the same subnet as De-ICE.
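The advice in the last two posts (don’t trust ping; try FTP or SSH, or a port scan, and see if the box answers) boils down to one idea: a completed TCP handshake, or even a RST on a closed port, proves a host is alive no matter how it treats ICMP. The script below is an added example written for this thread, not code from the De-ICE project or from any poster. It classifies each probed port as open, closed or no-answer and spins up a constructed local listener so it can be run offline; the hostname and port list are assumptions for the demo, not values from the thread.

```python
import socket
import threading

# Ports the thread suggests checking instead of ping: ftp (21) and ssh (22).
DEFAULT_PORTS = (21, 22)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    'open'      - handshake completed: the host is up and something listens here
    'closed'    - the host answered with a RST: it is up, the port just isn't listening
    'no-answer' - nothing came back (dropped by a firewall, or no route at all)
    An ICMP-silent host like the De-ICE disc still yields 'open' or 'closed'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (TimeoutError, OSError):
        return "no-answer"


def probe_host(host: str, ports=DEFAULT_PORTS, timeout: float = 2.0) -> dict:
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def host_is_up(results: dict) -> bool:
    """A host is alive if any port answered at all (SYN-ACK or RST)."""
    return any(state in ("open", "closed") for state in results.values())


def start_fake_service(bind_ip: str = "127.0.0.1"):
    """Constructed stand-in for a listening service (think the disc's sshd),
    so the demo runs offline. Returns (server_socket, port); close the socket
    to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # server socket closed: shut down quietly
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(bind_ip: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on, to demonstrate the 'closed' verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((bind_ip, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed local listener; swap in the disc's address
    # and DEFAULT_PORTS when using this in the lab.
    srv, live_port = start_fake_service()
    results = probe_host("127.0.0.1", ports=(live_port, unused_port()))
    print(results, "host up:", host_is_up(results))
    srv.close()
```

The useful part is the three-way verdict: against a box that silently drops ICMP, “closed” is still good news (the host is there), while “no-answer” on every port usually means a routing problem rather than a dead host, which is exactly the distinction the rest of this thread turns on.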

    • #40891
      nicklauscombs
      Participant

      @hayabusa wrote:

      Heh…  Been so long since I played with De-ice, forgot he won’t be able to ping it.  Didn’t it even mention that in one of the readme’s?

      ha this just happened to me the other day as well… probably a good year since I’ve played with it (forgetting of course it can’t be pinged)…. 5 minutes later…. OH YEAH CRAP

    • #40892
      lorddicranius
      Participant

      @hayabusa wrote:

      Heh…  Been so long since I played with De-ice, forgot he won’t be able to ping it.  Didn’t it even mention that in one of the readme’s?

      I’m not sure honestly.  I don’t think I’ve ever seen a readme for the de-ice discs.  The discs I got were .iso’s (not tarballed or anything).  I know the heorot.net forums contains downloads and scenario info, but there isn’t anything there about the discs other than the disc IP.  I remember seeing a wiki with all the info too, but I’m having a helluva time finding it haha.  I don’t recall the wiki saying too much more about them either though.

    • #40893
      nicklauscombs
      Participant

      @lorddicranius wrote:

      I remember seeing a wiki with all the info too, but I’m having a helluva time finding it haha.  I don’t recall the wiki saying too much more about them either though.

      I remember there being a wiki or forum entry about it not being pingable though you are right in saying that it is extremely difficult to find.

    • #40894
      vp75
      Participant

      Hi Lord/Nick/hayabusa,

      I will try it again as per your suggestions….

      It was around early morning 2am (GMT); I went to bed after banging my head on it. I remember I did try nmap with the De-Ice IP address (I was getting it as host down), but not sure, as I have been playing around with the network adapter with NAT/Bridged/Host etc….

      I will give it a try again with bridged, which is how I have set up all my other distros, & let you know….

      Thanks guys, though we haven’t met each other…..sharing knowledge through the forum is brilliant….
      Cheers
      Vp

    • #40895
      Grendel
      Participant

      I designed the De-ICE disks to imitate the real world, and one thing I always did as a sysadmin was turn off things like ping… So, I did the same with the 1.100 disk. The educational purpose behind turning it off was to teach people to use multiple tools to validate everything they do. As my students hear me say (too frequently), “always be cynical and use more than one tool for each task.”

    • #40896
      vp75
      Participant

      Hi Grendel,

      good to see your reply (The Designer of De-Ice).

      I checked again. In BT5, I’m able to see the IP address 192.168.1.100 while using netdiscover, but nmap says “Host is down”. My network setup is Bridged….is that where I’m making a mistake….? (I believe nmap should show the open ports / services….)

      Cheers
      VP

    • #40897
      lorddicranius
      Participant

      Just to make sure we’re all on the same page:

      • The router is configured to use the 192.168.1.x subnet
      • The BackTrack VM is configured for bridged networking
      • The BackTrack VM has an IP address in the 192.168.1.x subnet (a DHCP address leased from the router?)
      • The De-ICE 1.100 disc is configured for bridged networking
      • You can see the De-ICE .1.100 disc from the BackTrack VM using netdiscover
      • You can’t get a list of open ports when you scan the De-ICE .1.100 disc using nmap

      What’s the nmap command you are using?

    • #40898
      vp75
      Participant

      Hi Lord

      (The router is configured to use the 192.168.1.x subnet – I hope you are referring to the IP address on the router, as “subnet” slightly confused me)
      1. Router is configured on default 192.168.0.1
      2. BT VM is configured on Bridged net
      3. BT VM has IP address 192.168.0.x (a DHCP address leased from the router? not sure of this part). I can see there is an option for DHCP Client if required, with no value, on my Mac laptop (I didn’t provide any value)
      4. The De-ICE 1.100 disc is configured for bridged net
      5. I can see the De-ICE .1.100 disc from the BackTrack VM using netdiscover
      netdiscover shows IP, MAC Addr, Count, Len, MAC vendor as some xxxxxxx

      I used nmap -sS -O 192.168.1.100
      “Host seems down” is the message I received

      Cheers
      Vp

    • #40899
      lorddicranius
      Participant

      I’m slightly confused as to the router configuration.  What kind of router is it – wireless router?  A DHCP server is functionality found on most consumer routers nowadays.  The service will lease IP addresses to other devices that connect to it.  Usually the IP address you configure for the router will reside on the same subnet that it leases IP addresses for.  For example, if you configure the router to have an IP address of 192.168.1.1, the DHCP service will lease addresses on the 192.168.1.x subnet (e.g. 192.168.1.10, 192.168.1.11, etc).  Here’s a screenshot of the configuration page for my router (Linksys WRT54G2) where I define the local router IP.  You can see that it auto-filled the 3rd octet with “1” so that the IP addresses it leases are on the same network as the router itself.

      It looks like your router is still configured for the default 192.168.0.x subnet and the BT VM is getting a DHCP IP address from the router for that same 192.168.0.x subnet.  Since the De-ICE disc has a static IP address of 192.168.1.100 while the BT VM and router are on the 192.168.0.x subnet, there’s no route from the BT VM to the router to the De-ICE VM.  I think as soon as you get the router configured for the 192.168.1.x subnet and make it so that the DHCP server on the router leases IP’s on the same 192.168.1.x subnet, you should be good to go.

      As for why your BT VM is finding the De-ICE disc using netdiscover…since netdiscover uses ARP to discover devices, my guess is that the BT VM is picking up the ARP traffic that’s being broadcast by the De-ICE disc.
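The post above is the crux of the thread: ARP works across the wire regardless of what IP addresses the two ends hold, so netdiscover lists the disc, while an IP packet from a 192.168.0.x machine to 192.168.1.100 has to go through a gateway that has no route there. The script below is an added example written for this thread, not code from the De-ICE project or from any poster. It models that reasoning with the addresses the thread gives, and also spells out the three fixes proposed later in the thread (move the attacker onto the disc’s subnet, move the disc onto the attacker’s subnet, or re-address the router’s LAN) as concrete address changes. The /24 mask and the router’s route table are assumptions; the thread never states them.

```python
import ipaddress

# Constructed lab values from the thread: the router leases 192.168.0.x, the
# BackTrack VM gets such an address, and the De-ICE 1.100 disc sits at the
# fixed address 192.168.1.100. A /24 mask is ASSUMED (the usual consumer-router
# default); the router is ASSUMED to know only its own LAN.
ROUTER_IP = "192.168.0.1"
ROUTER_LAN = ["192.168.0.0/24"]      # networks the router can reach directly
DEICE_IP = "192.168.1.100"


def on_link(local_ip: str, target_ip: str, prefixlen: int = 24) -> bool:
    """True when target_ip lies inside the directly connected network of local_ip.

    On-link traffic is delivered by ARP and never touches the router. This is
    why an ARP-only tool like netdiscover can list a host that IP-level tools
    cannot reach: ARP discovery keys on the shared Ethernet segment, not on
    whether the two IP addresses happen to share a subnet.
    """
    network = ipaddress.ip_interface(f"{local_ip}/{prefixlen}").network
    return ipaddress.ip_address(target_ip) in network


def diagnose(attacker_ip: str, target_ip: str,
             gateway_routes=ROUTER_LAN, prefixlen: int = 24) -> str:
    """Explain how an IP packet from attacker_ip would (or would not) reach target_ip."""
    if on_link(attacker_ip, target_ip, prefixlen):
        return "direct"        # same subnet: ARP resolves the target, no routing needed
    # Off-link: the attacker hands the packet to its default gateway, which
    # must itself have a route to the target's network.
    target = ipaddress.ip_address(target_ip)
    if any(target in ipaddress.ip_network(net) for net in gateway_routes):
        return "via-gateway"
    return "no-route"          # the thread's situation: nmap reports "host seems down"


def candidate_fixes(attacker_ip: str, target_ip: str, prefixlen: int = 24) -> dict:
    """The three remedies proposed in the thread, as concrete address changes.

    Host octets 10 and 20 follow the examples given in the thread
    (192.168.1.10 and 192.168.0.20); any free host address would do.
    """
    target_net = ipaddress.ip_interface(f"{target_ip}/{prefixlen}").network
    attacker_net = ipaddress.ip_interface(f"{attacker_ip}/{prefixlen}").network
    return {
        # Grendel / hayabusa: put the attacker on the disc's subnet (NAT or host-only VM net)
        "move_attacker": str(target_net.network_address + 10),
        # vp75's eventual workaround: put the disc on the attacker's subnet
        "move_target": str(attacker_net.network_address + 20),
        # lorddicranius: re-address the router's LAN so DHCP leases land in the disc's subnet
        "router_lan": str(target_net),
    }


if __name__ == "__main__":
    bt_ip = "192.168.0.5"      # constructed: any DHCP lease from the router
    print("BT -> De-ICE:", diagnose(bt_ip, DEICE_IP))                 # no-route
    print("fixes:", candidate_fixes(bt_ip, DEICE_IP))
    print("after moving BT:", diagnose("192.168.1.10", DEICE_IP))     # direct
```

Run as-is it reproduces the thread’s symptom (no-route) and then shows that any one of the three address changes turns the verdict into direct, which is the check worth doing before touching any scanner.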

    • #40900
      vp75
      Participant

      hi lorddicranius

      I remember checking this DHCP in the router (it’s wireless, and the Virgin Media product uses Netgear as far as I know), but I don’t remember if I can change or provide DHCP settings in the router admin page (I may be wrong). But I did try changing it from the Mac network preferences to use DHCP and it totally disconnected from the router. (could be a crazy thought  ;D)

      So I will try it again at the router end and give a shout…By the way, some of my other queries have been answered by themselves in your reply…( :)). thanks mate…..

      Cheers
      Vp

    • #40901
      Grendel
      Participant

      Another option is to put both the BT VM and the De-ICE VM images on NAT, and manually change the BT IP address to something like 192.168.1.10… They will talk to each other, assuming both VMs are on the same computer.

    • #40902
      Grendel
      Participant

      Oh, and you can leave the router alone.

    • #40903
      vp75
      Participant

      @Lord, based on your suggestion, I checked and it seems only the last octet I can enter…..seems Virgin has done it on purpose…..(some forums do show that by clearing the DHCP cache I can change it; after all that effort it didn’t work on my router). By the way, when I changed the LAN IP address, I get an error message: “Status: Invalid Lan IP address. The same as Wireless guest ip range”
      it’s strange….

      I will try Grendel’s suggestion. By the way, grendel, did you mean both BT & De-Ice on the same virtual rather than separate?

      Cheers
      Vp

    • #40904
      hayabusa
      Participant

      Grendel means that, in your VM solution (VMware or whatever) you can put both VMs on the same virtual network, which will route between them, independently of your physical router.  (Like NAT or HOST ONLY configurations.)  You’ll just have to configure the VM network to be on the 192.168.1.x subnet.

    • #40905
      vp75
      Participant

      What on earth is holding them (BT & De-Ice) back from at least winking at each other when put on NAT? ??? ??? ???

      Both images are in VirtualBox; changed their network config to NAT, changed the BT IP address to 192.168.1.10….it doesn’t even wink …(I hope that I haven’t missed anything)…

      I spoke to my network provider; so pathetic that I can’t change my IP address as I wanted…… :'(

    • #40906
      hayabusa
      Participant

      So you ARE doing this on your internal network, right?  Your provider won’t let you choose your internal scheme???  That’s messed up…  Either way, though, if your machines are local to each other, this shouldn’t be giving you so much grief.

    • #40907
      vp75
      Participant

      hi guys,
      Thanks for all your suggestions; got more useful information in this process…
      though the option I have chosen to overcome it may / may not sound good ;), I have sorted the issue. 😀

      I came across a blog which gave information about the De-Ice pentesting practice…and thought of using it to my lab’s advantage; used it to log in as root & changed the IP address of De-Ice to my range, 192.168.0.20, and since my BT is also in the 192.168.0.x range, now I’m able to work through it.
      But the main objective of finding the root password has been used up already; I’m learning to find other vulnerabilities in it ….
      I will keep updating about my progress & findings (hope it will be ok with you guys & grendel); if not, will just provide my understanding as hints…..

      [Currently running medusa to find the passwords for a couple of users in De-Ice] The password list is too big; seems I have to wait for 20 mins/user….I believe using information through (blog) social engineering is also part of a pentest, right…… 8)

      Cheers
      Vp


Copyright ©2020 Caendra, Inc.
