.########...######..########..########
.##.....##.##....##.##.....##.##......
.##.....##.##.......##.....##.##......
.########...######..########..######..
.##.....##.......##.##...##...##......
.##.....##.##....##.##....##..##......
.########...######..##.....##.##......

http://blacksun.box.sk
Lecturer: Mikestevens
Email: mike@unixclan.box.sk
Lecture: Cable Modem Hacking

<Mikeee> mikestevens u want to begin second lecture?
<mikestevens> 3min
<Y0Yo> COME ON WITH 2ND LECTURE
*** Joins: Shad0wWa1k
<Y0Yo> ::)
<mikestevens> ok ok
<mikestevens> I got my snackies
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> grin
<Matt> I've not finished my Weatabix :)(
*** Quits: freerider (Quit: Leaving)
*** Quits: Serial_Killer (Quit: off)
* DigitalFallout has his coochie
<mikestevens> Hacking @home cable for educational purposes only
<Guy_SJS> has anyone sewen kript0n
<DigitalFallout> Edit that out by the way :)
<Guy_SJS> the REAL one
<mikestevens> lecture notes at http://blacksun.box.sk/test/cablem.txt
*** Joins: Guest6971990
<Sup|ED-209|Craft> ofcourze :D
<Matt> Hey mikestevens, I've decided you guys over there are a little out of it: you've got Diet Weatabix in the US!
*** Guest6971990 is now known as freeque_
<mikestevens> all these things were tried out on copperd and perfectly legal revenge for all those crackers
<Matt> heh
<DigitalFallout> Only in america would you get a SuperSized Big Mac Extra Value Meal but still Get a diet coke
<Sup|ED-209|Craft> gimme food for my brain!
<mikestevens> anyways we all know cable is insecure
<mikestevens> we all hear it
<mikestevens> Is it true?
<Matt> all broadband is insecure
<mikestevens> Well at first I didn't think so.
<Sup|ED-209|Craft> yes mr.mikestevens :)
<mikestevens> When I got my cable modem I tried running a sniffer and got no one else's traffic
<mikestevens> secure eh?
<Mikeee> nope
<mikestevens> well maybe a little
<mikestevens> but there are several problems
<Matt> in fact, the only thing secure is my Casio WX500... and I can lock that too
<mikestevens> lol
* Matt shuts up
<mikestevens> First we can steal unused IPs
*** Quits: bracaman (Killed (NickServ (GHOST command used by fedasdas)))
<mikestevens> this is on BSRF already, I think
<mikestevens> you can do this by really normal means
<mikestevens> even in windows
<Edrin> well, my locker in my case is quite safe, too...
<mikestevens> you can just set your IP to some unused one and get online most of the time
<mikestevens> sometimes you may have to reboot your CM because it can only hold but X many computers
*** Quits: Shad0wWa1k (Quit: Leaving)
<mikestevens> my cablemodem the SurfBoard 3100 (external) can only hold 6 MACs
<mikestevens> and is limited to 5 IPs with DOCSIS
<mikestevens> so, there are limits
<mikestevens> the cable companies could secure this up more
<mikestevens> so that theft would be impossible, but they seem to be lazy
<mikestevens> like what else is new
<mikestevens> anyone have the link for the BSRF doc on simple IP theft?
<mikestevens> anyways onto IP hijacking
<mikestevens> This is when some bastard you don't like has alot of crackers and you want to impersonate them
<mikestevens> for you to hijack their IP they need to be on the same router, possibly the same port
<Edrin> btw:
* Edrin wonders if there is a way to takeover a satellite...
<mikestevens> first you need to be on the same subnet
<mikestevens> brb
*** Quits: Obsidian (Quit: Leaving)
<Guy_SJS> geez
<Guy_SJS> he isnt supposed to leave in the middle of a lecture
<Sup|ED-209|Craft> Edrin: still didn't find your answer?
*** Joins: K1llabee
*** Joins: Marx-AWA
<Edrin> Sup|ED-209|Craft: have we met before?
*** Quits: freeque_ (Quit: i had it all logged as well, before my computer crashed. :/ nite nite all. will look out f)
<mikestevens> sorry
<mikestevens> doggie emergency
<Sup|ED-209|Craft> Edrin: no, but i saw your questions
<mikestevens> had to go out
<mikestevens> anyways
<mikestevens> first you need a host on the same subnet
<Edrin> mikestevens: heheh :)
<mikestevens> so you can get their MAC address
<mikestevens> very important
<mikestevens> so if you aren't on their subnet do this
<mikestevens> ifconfig eth0:1 24.x.x.65 broadcast 24.x.x.255 netmask 255.255.255.0
<mikestevens> make sure the IP is unused
<mikestevens> (see above stuff)
*** Guy_SJS sets mode: +v Prophecy2K1
<Prophecy2K1> thanx
<mikestevens> then you can see them as a local LAN user, and can get their MAC addy, very important
<mikestevens> next you want to use arpredirect from the dsniff package
<mikestevens> Registering 24.x.x.69 to our MAC
<mikestevens> arpredirect 24.x.x.69&
<mikestevens> tada
*** Joins: gUeSt51
<mikestevens> we are stealing them now
<mikestevens> this sends out bogus arp packets to our yet to be IP
<mikestevens> saying we are now them
<mikestevens> now you want to stop services, etc...
<mikestevens> take down eth0
<mikestevens> and bring it up again as their IP
<mikestevens> you should have no problems
<mikestevens> go in and add your default gateway again
<mikestevens> and start up your services
<mikestevens> tada
<mikestevens> you are them
*** Mikeee sets mode: +v TracerT
<mikestevens> Q&A time
*** mikestevens sets mode: -m
<Matt> whu
<Matt> its that easy
<mikestevens> yup
<mikestevens> isn't everything
<mikestevens> any questions people?
* Matt trundles off to take down calbeinet.co.uk
<Sup|ED-209|Craft> Matt: i thought you was the big brain here :D
* Mikeee is editing the first lecture
<Ellis_D> hmm..can you set up a place where we can try this out maybe?
<Mikeee> heh
<Edrin> isn't the only way to do this with windows by using the libpcap-clone winpcap? (i mean for the arp-fake maybe win2k can do it but win9x, too?)
<Matt> Sup|ED-209|Craft, broadband has never been heard of in the UK :(
*** Quits: Guy_SJS (Quit: Oogerbay)
<Frydo> where's the point in this exercise ?
<Sup|ED-209|Craft> lol
<mikestevens> say copperd is giving out crackers
<mikestevens> and you don't like this
<mikestevens> and want him to stop
<mikestevens> and make him be nice
<TracerT> so there will be a lecture on ASCII
<TracerT> ?
<Leper> :)
<mikestevens> you would hijack copperd's IP
*** TracerT is now known as [T]racer[T]
<Matt> cheese crackers?
<mikestevens> and log onto IRC as him
<mikestevens> and start taking back all the crackers he gave out
*** Quits: SpiderMan (Ping timeout)
<mikestevens> and not impersonate an admin
*** Joins: ToRmEnThOr
<mikestevens> well anyways
<mikestevens> onto the cool part
*** Joins: MasJCrasJ
*** Joins: SpiderMan
*** ChanServ sets mode: +o SpiderMan
<mikestevens> intercepting downstream traffic
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> this is better than school lecture, why not make 'BSRF School' ? :P
<mikestevens> first thing first
<Matt> mikestevens, are there any time when you can't become the stealer?
<Matt> bobbie: node position?
<Ralph> later
*** Quits: Ralph (Quit: Leaving)
<mikestevens> Matt: when you are not on the same router
*** Quits: K1llabee (Connection reset by peer)
*** MasJCrasJ is now known as _MasjCrasj-
<mikestevens> routers cover alot of ground though
<mikestevens> usually a few mile range
<Sup|ED-209|Craft> mikestevens: so the data to the IP that is not being used, goes to the router?
<mikestevens> so people at school, neighbors, etc are all potential victims
<mikestevens> that slut next door
<mikestevens> etc...
*** mikestevens sets mode: -m
<Matt> mikestevens, I was under the impression most cable companies cluster their routers and create a mesh network?
<Sup|ED-209|Craft> later ppl
<mikestevens> Sup|ED-209|Craft: I don't really understand what you said
<Sup|ED-209|Craft> i will xplain later
*** Quits: _MasjCrasj- (Quit: )
<mikestevens> Matt: they have local routers and link them with FDDI
<Sup|ED-209|Craft> later
*** Quits: Sup|ED-209|Craft (Quit: )
<mikestevens> then the FDDI ring goes to the local datacenter
*** Joins: nebunu
*** Quits: SileNceR (Ping timeout)
<mikestevens> anyways onto intercepting traffic if no one has any more questions / comments
*** mikestevens sets mode: +m
<mikestevens> ok
<mikestevens> first we need to know a little more about the network
<Matt> afk
<mikestevens> you have the cable router, your cable modem/router, and your PC
<mikestevens> the cable modem is nothing more than a bridge
<mikestevens> meaning it sees traffic on both sides and seamlessly forwards as needed
<[T]racer[T]> there gonna be a lecture on streamz here?
<[T]racer[T]> *stringz
*** Joins: K3rNEL[PAn1C]
*** Parts: nebunu
*** Joins: Pupp3tM
*** ChanServ sets mode: +v Pupp3tM
<mikestevens> the 3100 surfboard has a webserver which you can play with from inside your network
<mikestevens> http://192.168.100.1/
<mikestevens> I found the IP by sniffing
<mikestevens> and I saw IGMP traffic coming from that IP
<mikestevens> so I browsed to it
<mikestevens> anyways, the bridge is based on MAC addresses
*** Quits: Pupp3tM (Quit: )
<mikestevens> so if it sees your MAC behind the bridge it will let in traffic that is destined to that MAC
<mikestevens> the outside has no clue what is going on with the Cable modem
<mikestevens> another issue
<mikestevens> not all cable modems will detect the MAC how mine does
<mikestevens> you may have to try arp packets to fool it into it
<mikestevens> I will provide both ways here
<mikestevens> so onto the interception
<mikestevens> first you want to find the target's MAC
<mikestevens> get onto their subnet
<mikestevens> and ping them or something
<mikestevens> then do an arp -an and write down their MAC
<mikestevens> also do an ifconfig -a and write down your MAC
<mikestevens> it is best to hard boot your cable modem at this point
*** Quits: Prophecy2K1 (Ping timeout)
<mikestevens> that way it clears the memory of MACs
<mikestevens> this is done by pressing the little reset button in the back or however your documentation says so
<mikestevens> it should take a few minutes up to 30 to get back on
<mikestevens> so in the time being
<mikestevens> you want to stop all services
<mikestevens> then bring down eth0
<mikestevens> then type this with the target's MAC in place of it
<mikestevens> ifconfig eth0 hw ether 00:00:00:00:00:00
<mikestevens> bring the interface up with your IP address and normal settings
<mikestevens> add your default gateway
<mikestevens> and ping the router a few times till it works
<mikestevens> take back down the interface
<mikestevens> and bring it up again with your settings
<mikestevens> start up your services again
<mikestevens> and ping the router again to make sure you are on
<mikestevens> you should now be getting the target's downstream traffic
*** Joins: Prophecy2K1
*** Quits: Matt (Ping timeout)
<mikestevens> you can use all your fun sniffer tools to invade their privacy,etc...
<mikestevens> I will open up a Q&A section while I get the code mods for the ARP section
*** mikestevens sets mode: -m
<mikestevens> any questions?
*** Joins: UraniumD
<[T]racer[T]> yes
<mikestevens> ok
<Ellis_D> does the person whose traffic we are stealing have a way of knowing we are doing this?
*** Parts: UraniumD
<ToRmEnThOr> i think so
*** Joins: MosdestMouse
<mikestevens> no
<[T]racer[T]> NM
<mikestevens> they can't see it
<shellfish> i havnt followed this very well, but is this secure? are the cops gonna come knocking on your door or what?
<ToRmEnThOr> no?
<mikestevens> your cable modem silently passes on the traffic to you
<Ellis_D> hm
<mikestevens> probably not
<ToRmEnThOr> cool
<mikestevens> unless someone checks on your cablemodem
<mikestevens> hijacking is a little riskier
<[T]racer[T]> and what if someone does it?
<mikestevens> they will probably just think the cable is out
<mikestevens> interception is less risky
<mikestevens> well first they have to prove you did it on purpose,etc
<[T]racer[T]> but if noone sees my cable modem?
<mikestevens> but if you don't tell anyone they probably will never know
<[T]racer[T]> hehe
<mikestevens> actually if you bring up the interface (when you are using their MAC as your MAC)
<mikestevens> with a local IP
<mikestevens> sometimes the CM will see that
<[T]racer[T]> but on some External cable modems there is a way to connect to the modem
<[T]racer[T]> from the local machine
<[T]racer[T]> and check what's up there
<mikestevens> and there will be no traffic hitting the real network (cable network)
<[T]racer[T]> *in there
<Edrin> well, in this case you are using spoofed MACs and spoofed IPs on the "same cable" so it would be extremely difficult for others to find you (well, if there are only 2 computers on the cable... anyway: police does not know what an arp table is
*** Joins: Nokio
<[T]racer[T]> LOL
<mikestevens> lol
<mikestevens> good point
<Nokio> hey guys
<mikestevens> anyways for the other method of getting your CM to see you
<mikestevens> I made a simple mod to arpspoof.c
<mikestevens> of dsniff
*** Quits: Leper (Quit: Leaving)
<mikestevens> I commented out the arp_send routine on line 193
*** Quits: gUeSt51 (Quit: Leaving)
<SpiderMan> DF: I'm going to DCC the linux networking log to you, ok?
<mikestevens> you can get the CM to see you like this with the modified arpspoof
<Nokio> hey all, is the lecture over?
*** Joins: vanished[coding[
*** Parts: vanished[coding[
<mikestevens> ./arpspoof -t victimip victimip
<mikestevens> then controlC it
<mikestevens> it will send out the needed packets saying their IP is their MAC
<mikestevens> but
<mikestevens> the important part
*** Quits: Prophecy2K1 (Ping timeout)
*** Joins: Exposed_Truth
<mikestevens> your Cable modem will think that the computer is in your lan
*** Joins: jimi
<Edrin> mikestevens: i have once done an ip+mac spoofer for windows using the winpcap. that's a nice thing but i never really found out what use there is on it?
<mikestevens> well this could be a use for it
<mikestevens> :-)
<[T]racer[T]> for what MAC stands
<[T]racer[T]> ?
<mikestevens> ?
*** Joins: zhortrox
<Ellis_D> media access..
<Ellis_D> or something
<mikestevens> something
*** zhortrox is now known as _ZhorTroX-
<mikestevens> I forget
<[T]racer[T]> yes
*** Quits: vanished (Ping timeout)
<Ellis_D> controller?
*** Joins: Prophecy2K1
*** _ZhorTroX- is now known as Esamurai
<Ellis_D> no..
<[T]racer[T]> LEMME check in the BOOX:)
*** Mikeee sets mode: +v Esamurai
<mikestevens> just call it their ethernet address
<mikestevens> now
<mikestevens> on to why you can't get the router's traffic
<mikestevens> and stay on
<Edrin> i think it comes from the BigMac... the inventor once eat a BigMac when he invented arp and MACs
*** Quits: CodE4 (Quit: )
<SpiderMan> Media Access Control
<mikestevens> well if you broadcast this stuff and make the CM think that the router is inside your network
*** Esamurai is now known as _Esamurai-
<mikestevens> it won't forward data for it out
<_Esamurai-> mikeee this are masjcrasj and zhortrox at esamurais house actually .. lol
<mikestevens> so you will then be screwed and can't get online
<Edrin> or maybe MacGyver...
<[T]racer[T]> MIKESTEEVENS: mac is not only their address, its their Unique address, and its hardware address that you cant change
<mikestevens> so don't try doing this as the router and expect to get everyone's upstream
<mikestevens> cuz you won't be online yourself
<[T]racer[T]> LOL
<mikestevens> anyways
<[T]racer[T]> my router is a backbone
<[T]racer[T]> thats KEWL!
<Edrin> [T]racer[T]: yes, you can change it by using simply another in software mode
*** Parts: Nokio
*** Joins: gUeSt51
<mikestevens> there are some other ways to hack your cable modem that I have to research more
<mikestevens> the software is updated with TFTP
*** _Esamurai- is now known as MasjZhorEsam
<Mikeee> hehe
<gUeSt51> hi everybody
<mikestevens> if you could spoof that you could reload your CM with a new image and enable yourself to sniff all traffic including upstream
<mikestevens> so that would be really cool
<mikestevens> other things could include spoofing DOCSIS commands
<shellfish> a maybe not related q: we have bought a new switch for the comp. club, and they say it "can ban my hardware address", is that MAC?
<mikestevens> so you could change your limits and the like
<[T]racer[T]> thats a nasty one
<Edrin> in addition to that only MACs of LAN-cards are fix. i know that the MAC of a modem is created by random in windows and then gets saved in the registry... dunno how it is with cablemodem
<mikestevens> shellfish: yes
<shellfish> ok tnx
<mikestevens> ok
<mikestevens> for security
<gUeSt51> i have an issue concerning paltalk : anyone have any idea how to get ip's through paltalk ?
*** mikestevens sets mode: +m
*** Joins: Matt
<Mikeee> wb
<[T]racer[T]> gest: netstat LOL
<[T]racer[T]> *gest
<mikestevens> you can use arpspoof to send out arps for your computer
<[T]racer[T]> *guest!
<Mikeee> netstat -a
*** Matt is now known as M[a]tt
<mikestevens> that way if someone tries arpspoofing against you
*** Quits: jimi (Ping timeout)
<mikestevens> your computer has counter arps going out
<mikestevens> much nicer :-)
-M[a]tt- its late, nite :)
<mikestevens> as for sniffing
<mikestevens> don't use cable
<mikestevens> or get a secure tunneled connection elsewhere
<mikestevens> and use proxies through that
<mikestevens> use SSH
<mikestevens> etc...
*** Quits: ToRmEnThOr (Quit: good users don't use colored quits)
<mikestevens> as for local arp security
<mikestevens> add static arp entries for all your computers
<mikestevens> for servers this is really important
<mikestevens> so one server can't be hijacked as easy
<mikestevens> that should really be a whole other lecture
*** Parts: Y0Yo
<mikestevens> it would also be good to know your enemy
<mikestevens> get a program to detect stealth scans
<mikestevens> or use arpwatch
*** Joins: Y0Yo
<[T]racer[T]> where are all the lectures stored, cos i am in college, so i cant be on every lecture:(
<mikestevens> that way you can see people being naughty
*** Parts: Prophecy2K1
<Mikeee> heh
<mikestevens> now that is it
<mikestevens> I will provide a few links
<mikestevens> then close up with a Q&A section
<mikestevens> just remember Cable is not secure
<mikestevens> http://www.gi.com/noflash/sb3100.html <<< page for my Cable modem
<Edrin> yes
<mikestevens> its a bitch
<mikestevens> http://www.cisco.com/univercd/cc/td/doc/product/cable/bbcwcrg/bbcmts.htm <<< wonderful page on cisco cable router commands, if you would ever need this
<[T]racer[T]> whos on linux box outa here?
<mikestevens> It was on the neworder board
<mikestevens> I'm not sure, matt might have something to do with its posting
<mikestevens> http://www.monkey.org/~dugsong/dsniff/
<mikestevens> Dsniff
<mikestevens> this sniffer set is awesome
<mikestevens> get it
<Mikeee> yup
<mikestevens> http://www.ethereal.com
<mikestevens> Ethereal
<mikestevens> great sniffer (I use tethereal)
<mikestevens> can decode aim traffic coming on the downstream
<mikestevens> one more thing
<mikestevens> if you want their aim password (naughty naughty)
<Edrin> you can find a collection of sniffers at securityfocus
<mikestevens> e-mail it to them with the password reminder
<mikestevens> and wait for them to check their e-mail
<mikestevens> it will be in their downstream for mail
<mikestevens> well thats it
<mikestevens> now for Q&A
*** mikestevens sets mode: -m
*** Parts: Y0Yo
<Edrin> mikestevens: i wish i would have a cable modem :) that would be much fun
<mikestevens> Just a question, was this too technical?
<[T]racer[T]> i am getting ADSL soon
<Edrin> do you have some firms on the same line?
<[T]racer[T]> very soon
<Mikeee> nah
<mikestevens> does anyone want anything explained better
<Mikeee> mike u going to release a tut soon on this topic right
<[T]racer[T]> mikestevens: so which cable modem to buy?
<mikestevens> I will post some source code and a better explanation later on my site, and hopefully on bsrf
*** Joins: sitech
<b0iler> mikestevens: well, I think it was too much of a guide rather than a way of teaching them about networking and cable modems
<gUeSt51> i was looking for in depth registry tutorials
<K3rNEL[PAn1C]> does anybody have the complete logs ??
<[T]racer[T]> guest: www.regedit.com
<[T]racer[T]> :)
*** Joins: PhoeniX
<[T]racer[T]> kernel
<mikestevens> try my cable modem
<gUeSt51> thnx TracerT
<mikestevens> its nice
<[T]racer[T]> I have them.
<mikestevens> if you have an external surfboard
<mikestevens> browse to http://192.168.100.1/
<[T]racer[T]> nope
<mikestevens> play around
<mikestevens> RCAs are also common
<mikestevens> I don't like them, I had one and it broke alot
*** Joins: CodE4
* Mikeee got all the logs
<mikestevens> well I have to go eat dinner
*** Parts: PhoeniX
<SpiderMan> good job mike
<mikestevens> so if you have any questions e-mail me at mike@unixclan.box.sk
<Mikeee> <--------------End of lecture------------>