Wireless networks + Digital certs


  • Wireless networks + Digital certs

    Hey...


    I work for the aussie gov, and they are just deploying wireless out...

    I will keep it short: the security guys (not really security guys) are using digital certs with 128-bit WEP on Cisco gear. They think it will be impossible for any hacker to gain access, which is where I come in... I said that nothing is impossible and they challenged me to try to gain access (test their security)...

    I was thinking of using the MITM method to try to bypass their security, but I want to know your thoughts?

    I am using a Toshiba Tecra M2 with a Prism wireless card, and using PHLAK Linux std. It's got a lot of the tools I need, like Kismet, AirSnort... etc.

    But yea... what do you think, what's the best way to show them that nothing is impossible? I wanna show them that they're wrong.

    The best thing is... I won't go to jail if I hack it...

    Thanks
    BinaryBoy
    .::Learn More Become More::.

  • #2
    Originally posted by binaryboy
    The best thing is... I won't go to jail if I hack it...

    Thanks
    BinaryBoy
    As an InfoSec professional, let me take a moment and deliver a warning. Make sure you have permission from everyone in the organization before you begin. Too many times I've seen a network admin give someone approval to hack *their* network, only to have it blow up in their faces when they are reminded that it doesn't actually belong to them. Network admin gives approval for a pen test, tester starts, next thing you know personnel in other groups and departments start noticing the strange behavior of the network (i.e. their custom apps go down, data center personnel pick it up on their IDS, etc.) and they contact their managers. Suddenly you end up in a situation where different flavors of management (and possibly legal) are involved in trying to resolve what happened. At best, someone's getting chewed out; at worst there will be disciplinary or legal action taken.

    If your government is anything like ours, it's a sea of bureaucracy and useless middle managers who have nothing to do, so they live for being able to have a problem with things. Make sure the people that can bring the hammer down on you are OK with what you are doing first; get it in writing if needed. Make sure anyone that may be affected by your hacking attempts is aware of what you are doing in case your testing begins to have issues with their stuff.

    I bring this up not because I don't think you know what you are doing, but rather because it's bitten me in the ass before. Sometimes the people that give you permission to do this stuff don't have the authority to do so, so watch your back (but you're a government employee, so that should be SOP already).

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



    • #3
      Just to back up Noid's timely warning, I don't send a single packet to a customer's box unless I have Rules of Engagement signed by my manager and the business/process owner of the target. Myself and co-workers have been on many different penetration tests, and have been accosted by building security, local PD, and state police on different occasions, and the ROE has been the true "get out of jail" card.

      In answer to your question, you don't always have to hit the primary security control head-on, i.e. trying to spoof certs, etc. I'd go for the OOB management, or check to see if you can intercept the initial communication that a client uses before full authentication or encryption kicks in.
      Aut disce aut discede



      • #4
        Yea, thanks for the tips... But I do have permission. The OOB management sounds like a good idea... How would I implement it?

        So you're sorta saying that if I hit their certs via spoofing, then crack their WEP... I may be able to bypass their security.

        I know their SSID, as I helped them set up the network.

        But yea, thanks NOID. I am Lord GrayFox; I signed up to be the DC for my city, but I have tried getting ppl to go to my meeting... but for some reason ppl don't think much about Computer/Internet/Telecommunications Security.

        From
        Binaryboy aka Lord GrayFox
        DC4118
        .::Learn More Become More::.



        • #5
          It looks like you completely misunderstood AlxRogan's statements.

          Attacking the OOB (Out-Of-Band) management means getting the credentials to access the wireless network before you ever touch the network. For example, how do people normally get the keys to access the network? Is that channel secure, and, if not, how can you attack it (social engineering through email might be one method)?

          Failing that, the Internet is not short of tools/information on cracking WEP keys. Do a little research. I'm sure you will be able to find what you are looking for.

          PS: You may already know the SSID, but I hardly think "insider" knowledge counts as a security breach. If you truly want to build a strong case, then pretend like you know only of the existence of the network and work from there.

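          The thread treats "128-bit WEP" as the main control. As an added example (not from any poster), this Python sketch of WEP-style RC4 encryption shows why the key length is beside the point: the 24-bit IV is prepended to the shared key and sent in the clear, so once an IV repeats, the keystream repeats and the XOR of two ciphertexts equals the XOR of the two plaintexts regardless of key size; the birthday-bound function estimates how few frames that takes. The key and frame contents are constructed sample values.

```python
import math


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP-style frame body: RC4 keyed with IV || shared key. Decryption is the same call."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    keystream = rc4(iv + key, len(payload))
    return bytes(p ^ k for p, k in zip(payload, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames encrypted under the same IV leak p1 XOR p2 through c1 XOR c2."""
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_frames_to_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random IVs before one repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed sample values: a 13-byte key ("128-bit" WEP = 104-bit key + 24-bit IV).
SAMPLE_KEY = bytes.fromhex("0123456789abcdef0123456789")
SAMPLE_IV = bytes.fromhex("a1b2c3")
FRAME_A = b"GET /index.html HTTP/1.0"
FRAME_B = b"password=hunter2&submit="

if __name__ == "__main__":
    print("same IV leaks plaintext XOR:", keystream_reuse_leaks(SAMPLE_KEY, SAMPLE_IV, FRAME_A, FRAME_B))
    print("frames until an IV repeats (approx):", round(expected_frames_to_iv_collision()))
```

The collision count is what makes the 24-bit IV the weak point: a busy access point sends that many frames in minutes, and a longer shared key does not change it.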


          • #6
            They are using a digital certificate... I have read up on WEP cracking, and I know social engineering... That's how I got the SSID, via phone. I work inside the government, but when I did the setup I overheard how they are going to set their security up. They are using a 801.1g...
            The network is 1 floor away from me... but I still can access it.


            But yea... I just want your ideas... so I can prove these guys wrong.

            I am going to try to find the same certificate... or social engineer the staff outta their MAC address and IP address so I can spoof my laptop to fake one of theirs... cause they are using SNMP to track ppl down.

            So I wanna try to make them think I am on the same range as them.
            .::Learn More Become More::.



            • #7
              Originally posted by binaryboy
              social engineer the staff outta their MAC address and IP address
              Don't most staff not even know what those things are? ;)



              • #8
                I doubt I'm the first to think it, but I'll be the first to say it.

                I have serious doubts that you are who you say you are. Like noid and AlxRogan, I do this professionally. Possibly unlike them (ignorance, not arrogance), I've worked for the government before. I'm willing to bet money that you are either bullshitting, or you're setting yourself up for a world of hurt.

                OOB Management is usually a secondary interface to a device. This is generally another network interface, almost always less protected, connected to a network management segment, or a modem interface, or some such. If you can determine how the device is accessed out of band, you can generally get more bang for your buck.

                luci



                • #9
                  Originally posted by lucifex
                  I doubt I'm the first to think it, but I'll be the first to say it.

                  I have serious doubts that you are who you say you are. Like noid and AlxRogan, I do this professionally. Possibly unlike them (ignorance, not arrogance), I've worked for the government before. I'm willing to bet money that you are either bullshitting, or you're setting yourself up for a world of hurt.

                  OOB Management is usually a secondary interface to a device. This is generally another network interface, almost always less protected, connected to a network management segment, or a modem interface, or some such. If you can determine how the device is accessed out of band, you can generally get more bang for your buck.

                  luci
                  My bullshit alarm went off on the first post... it revved up with each additional post. I agree with you; I am not buying what BinaryBoy is selling here.
                  perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
