
Pentesting question: Disabled DHCP


mantraisms

Newbie

Posts: 1

Joined: Sun Jul 19, 2009 8:26 pm

Post Mon Jul 20, 2009 10:45 pm

Pentesting question: Disabled DHCP

I have 2 computers in my room and for about 3 months I used my router without encryption; then these past few weeks I noticed my internet connection became slower even if I'm just surfing the net. I presumed that somebody was leeching from my connection, so I put on WEP encryption (I know it's weak), enabled MAC filtering, disabled DHCP and put only 2 static IPs for my 2 computers, changed my gateway from 192.168.0.1 to 192.168.5.100 and changed the IP range to 192.168.5.104-105. My connection became normal again.

I tried to crack my connection from my 2nd computer: I used aircrack from BackTrack 3 and cracked the password with just about 25k IVs :o . But I can't connect to the internet because there is no DHCP to give me an IP address.
Now my question is: how can I sniff for the IP range I put on my D-Link router? I tried using Wireshark, NetStumbler, Cain & Abel, but none of these sniffers gave me the IP address. Maybe because I'm not really connected to the network; it says "limited or no connectivity". ???

Does this mean I am now secured just by disabling DHCP? I'm doing this because if I want my network to be safe, I should think like a hacker. Does anybody here know how to "really" connect to the network under these circumstances? What programs should I use and what do I need to do? Thanks in advance :D

Laz3r

Post Mon Jul 20, 2009 11:54 pm

Re: Pentesting question: Disabled DHCP

I'm no expert, far from it. So I could be very, very wrong. If so, I'm sure somebody will correct me. But I don't believe disabling DHCP makes you too much more secure. It probably just adds a couple more steps for an intruder to get a full connection. The IP range, I think, only relates to the DHCP. You could apply a static address outside of that range, as long as it is within the proper subnet. Again, just a reminder, I'm probably wrong here. But I think you should be able to sniff some broadcast packets that would give an attacker a hint at the subnet, which would give them a green light to set their own IP. As long as I'm not blindingly wrong here, Wireshark should be able to do that for you. You won't get the IP range, because it's not being used.

I would "connect" like you have been then start sniffing, and leave it sniffing for a while.  Disconnect and reconnect your other machine, then go play around on the net for a little bit.  I think you should be able to sniff a broadcast ARP request packet, even if you don't have an IP.

I hope I gave enough warning that this could all be completely wrong.  It's not something I've tried or tested.  Just a theoretical, semi-educated guess.

If I find some extra time in the next day or two, I'll try to test it out on my lab and see if anything I said was true.
Last edited by Laz3r on Mon Jul 20, 2009 11:58 pm, edited 1 time in total.

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 21, 2009 7:32 am

Re: Pentesting question: Disabled DHCP

I am with Laz3r here.  It's very easy to sniff packets on a wireless LAN and determine what hosts are connected to the AP.  As a matter of fact, I am pretty sure that airodump-ng gives you the connected clients as you are going through the cracking exercise, so does Kismet.  When you were going through the exercise of cracking the WEP key, you could have just assigned the IP, routing, subnet, DNS information manually.  You would have needed to fake a MAC address that's in the allowed list as well.

I would go with WPA on your AP.  Is there a reason you chose WEP?

Did you also change the subnet mask on the LAN side of the router?
~~~~~~~~~~~~~~
Ketchup

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jul 21, 2009 7:37 am

Re: Pentesting question: Disabled DHCP

Use Kismet. With no IP address (and guessing could take a while), you're not on the same subnet, so sniffing with Wireshark won't work. You need to pick it out of the air. Put your wireless card into monitor mode, open Kismet, lock in on the channel and start sniffing. It's built into BackTrack, so that should help.

Search Google for "kismet sniff ip address"

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME

UNIX


Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 21, 2009 7:43 am

Re: Pentesting question: Disabled DHCP

I would say too that disabling the DHCP service cannot be considered a security measure. If you want to have a secure WLAN, use WPA2 if it's supported by your hardware.

As said by the others, it shouldn't be too hard to get into your current setup with the mentioned tools.

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jul 21, 2009 7:48 am

Re: Pentesting question: Disabled DHCP

Since Ketchup was a little faster than me, I'll also offer up this tidbit. Since this is passive, it will only report on IPs it hears. Therefore, it will NOT give you the range of possible IP addresses. It will only give you the IP addresses it was successfully able to pick out of the air.

Don
CISSP, MCSE, CSTA, Security+ SME
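Two points in this thread can be shown with a small piece of code: Laz3r's observation that the broadcast ARP traffic of a "hidden" network still reveals which addresses are in use, and don's caveat that passive listening only reports the hosts it actually hears, never the configured range. The Python below is an added example, not code from any poster or tool mentioned in the thread. It builds a few constructed Ethernet/ARP frames using the addresses from the original post (gateway 192.168.5.100, clients .104 and .105), parses them the way a sniffer would, infers the smallest subnet that covers the observed hosts, and flags any sender MAC that is not on the owner's allow-list. The MAC addresses and the extra 192.168.5.110 host are invented sample values.

```python
import ipaddress
import struct

ETHERTYPE_ARP = b"\x08\x06"

# Constructed sample MACs (not from the thread or any real device).
ROUTER_MAC = "00:1b:11:aa:bb:01"
PC1_MAC = "00:1e:8c:aa:bb:02"
PC2_MAC = "00:1e:8c:aa:bb:03"
STRANGER_MAC = "02:00:00:c0:ff:ee"   # a host the owner never configured


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame (constructed test data, not a capture).

    opcode 1 = request (sent to the broadcast MAC), 2 = reply (unicast).
    """
    dst = b"\xff" * 6 if opcode == 1 else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def observed_hosts(frames):
    """IP -> MAC for every ARP sender heard; ARP probes (sender 0.0.0.0) carry no address yet."""
    hosts = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":
            continue
        hosts[arp["sender_ip"]] = arp["sender_mac"]
    return hosts


def infer_subnet(ips):
    """Smallest IPv4 network containing every observed address.

    This is only a lower bound: with three hosts it yields a /28, while the
    router in the thread actually uses a /24. Passive listening never reveals
    the configured range, only the addresses that were heard on the air.
    """
    addrs = [ipaddress.IPv4Address(ip) for ip in ips]
    if not addrs:
        return None
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{addrs[0]}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            return net


def unauthorized_senders(frames, allowed_macs):
    """Sender MACs seen in ARP that are not on the allow-list (the router's MAC filter, as a check)."""
    allowed = {m.lower() for m in allowed_macs}
    return sorted({arp["sender_mac"] for arp in map(parse_arp, frames)
                   if arp and arp["sender_mac"] not in allowed})


# Constructed traffic: the two PCs resolving the gateway, the gateway replying,
# an ARP probe from PC2 before it claims its address, one uninvited host, and
# one non-ARP frame that the parser must ignore.
SAMPLE_FRAMES = [
    build_arp_frame(1, PC1_MAC, "192.168.5.104", "00:00:00:00:00:00", "192.168.5.100"),
    build_arp_frame(2, ROUTER_MAC, "192.168.5.100", PC1_MAC, "192.168.5.104"),
    build_arp_frame(1, PC2_MAC, "0.0.0.0", "00:00:00:00:00:00", "192.168.5.105"),
    build_arp_frame(1, PC2_MAC, "192.168.5.105", "00:00:00:00:00:00", "192.168.5.100"),
    build_arp_frame(1, STRANGER_MAC, "192.168.5.110", "00:00:00:00:00:00", "192.168.5.100"),
    b"\x00" * 60,
]

if __name__ == "__main__":
    hosts = observed_hosts(SAMPLE_FRAMES)
    for ip, mac in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip:16} {mac}")
    print("covering subnet (lower bound):", infer_subnet(hosts))
    print("senders not on allow-list:", unauthorized_senders(SAMPLE_FRAMES, [ROUTER_MAC, PC1_MAC, PC2_MAC]))
```

Run as a script it lists the four hosts it heard, reports 192.168.5.96/28 as the covering network (narrower than the real /24, which is don's point), and flags the stranger's MAC. The allow-list check is the same logic as the router's MAC filter and shares its weakness from Ketchup's reply: it matches whatever MAC a frame claims, so a host copying an allowed address passes it. Encryption that keeps unauthenticated stations off the link in the first place (WPA2, as UNIX suggests) is what actually closes the gap.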
