Putting 192.168 addresses in public DNS - Page 2

Comments

  • rm_ said: I hope your dictionary includes Japanese words and Anime character names then?

    I hope your passwords aren't chosen on the basis that Anime characters can't be part of a "dictionary" attack.

  • rm_ said: Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

    I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

    If I use a browser exploit to attack low-hanging fruit on your LAN, I can then turn around and attack your more important machines on your LAN from within the LAN, even without root permissions on the beachhead machine (with root permissions it would be easier to do packet sniffing to discover local addresses). Exporting any NFS or Samba shares to your LAN from your shiny otherwise-firewalled Linux box? Maybe not you, but many people do, and these softwares are far from perfect. Randomization is a good idea.

  • @LordSpock said:
    Should work fine, some big router companies do it.

    yup netgear has done this for ages

  • rm_ IPv6 Advocate, Veteran

    I hope your passwords aren't chosen on the basis that Anime characters can't be part of a "dictionary" attack.

    Certainly not, but as you probably realize passwords are several orders of magnitude more valuable data than a hostname (which might resolve to a private IP, and which is most likely firewalled even if not).

  • KuJoe Member, Host Rep
    edited August 2015

    rm_ said: Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

    I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

    With the way DNS works, no external client can just "list" all the records you have and get your "map", unless AXFR is allowed (which is disabled by default in nameservers and typically allowed to specific client IPs only). So the only way they could get that is via bruteforcing, and again, that isn't anywhere near effective or feasible.

    What about the people on my network? Obviously I don't want my neighbors or guests knowing what subnet camera1.my.domain is on or what subnet I have my important NAS on. I'm not worried about people on the internet, I'm worried about people who either know one of my WIFI passwords or people who want to break into my house.

    I understand I'm a special case, and I'm not saying what others are doing is a bad idea; it's just a bad idea for me and I won't do it for security reasons.

  • rm_ IPv6 Advocate, Veteran

    KuJoe said: I don't want my neighbors or guests knowing what subnet camera1.my.domain is on or what subnet I have my important NAS on.

    Set up your network so that these are on separate VLANs/SSIDs, and that the guest ones don't have access to sensitive ones.

    Thanked by 1 netomx
  • People knowing your wifi password can probably just scan your private subnet to find out all your devices if they want to. People breaking in your house.. they are not after your IPs :)

    Thanked by 1 vedran
  • ATHK Member

    With WPS pin enabled it's not difficult to get access with Kali Linux anyway, any kid can do it nowadays.. Make sure that shiz is turned off..

  • KuJoe Member, Host Rep

    @rm_ said:
    Set up your network so that these are on separate VLANs/SSIDs, and that the guest ones don't have access to sensitive ones.

    I can't find a way to set up VLANs on wireless interfaces, especially when the guest interface is a slave to the primary interface. If I could VLAN my network off then things would be much easier, although my biggest security issue is physical and not wireless, so VLANs won't protect me from people wanting access to my security system.

    rds100 said: People knowing your wifi password can probably just scan your private subnet to find out all your devices if they want to. People breaking in your house.. they are not after your IPs :)

    People breaking into my house would probably love to disable my security system though. ;)

  • KuJoe Member, Host Rep

    I'm not sure how we got so off topic since these security concerns don't affect 99% of people. I already said my case is extremely rare and people in my situation probably don't care as much about network security as I do.

  • rm_ IPv6 Advocate, Veteran

    KuJoe said: I can't find a way to set up VLANs on wireless interfaces, especially when the guest interface is a slave to the primary interface. If I could VLAN my network off then things would be much easier, although my biggest security issue is physical and not wireless, so VLANs won't protect me from people wanting access to my security system.

    For wireless you set up two different SSIDs, and then bridge those SSIDs with trusted/guest VLANs on the wired side (if that's even required; could just give the guest SSID access to WAN only). This all is easily done with e.g. OpenWRT.

  • KuJoe Member, Host Rep

    rm_ said: For wireless you set up two different SSIDs, and then bridge those SSIDs with trusted/guest VLANs on the wired side (if that's even required; could just give the guest SSID access to WAN only). This all is easily done with e.g. OpenWRT.

    When I was researching this Mikrotik only allowed one VLAN for all wireless interfaces (since they are all the same physical interface with just virtual interfaces). I'll look into it but as of a few months ago it either wasn't possible or nobody on their forum could figure out how.

  • raza19 said: yup netgear has done this for ages

    Because Netgear own routerlogin.net

    kcaj said: Not quite.

    Hm, you're right. I didn't bother querying the domain externally.

  • ATHK said: With WPS pin enabled

    There's actually a newer WPS exploit that isn't PIN bruteforcing, called pixiedust.

    If the router's network chipset is vulnerable (I think Ralink, Realtek, and some Broadcom are.) it can calculate the WPS PIN after scripts like reaver sniff the hashes during a transaction.

    Look it up. It's quite interesting.

    Thanked by 3netomx singsing ATHK
  • perennate Member, Host Rep

    singsing said: If I use a browser exploit to attack low-hanging fruit on your LAN, I can then turn around and attack your more important machines on your LAN from within the LAN, even without root permissions on the beachhead machine (with root permissions it would be easier to do packet sniffing to discover local addresses). Exporting any NFS or Samba shares to your LAN from your shiny otherwise-firewalled Linux box? Maybe not you, but many people do, and these softwares are far from perfect. Randomization is a good idea.

    Really, randomization for IPv4??

  • @kcaj said:
    Jacks-MacBook-Air:~ jackxxx$

    You didn't get the pun my friend.

  • perennate said: Really, randomization for IPv4??

    Depends what kind of attack, against some it may help. If an attack is based on fooling the browser into making a connect() to a LAN address, but only once per page load, or you can only have one outstanding connection with a long timeout, you can see why it would be hard to scan an /8. If you also randomize the ports you put services on on your LAN, you require even more throughput for an attacker to find services.

  • NAT IPv4?

  • perennate Member, Host Rep
    edited August 2015

    singsing said: Depends what kind of attack, against some it may help. If an attack is based on fooling the browser into making a connect() to a LAN address, but only once per page load, or you can only have one outstanding connection with a long timeout, you can see why it would be hard to scan an /8. If you also randomize the ports you put services on on your LAN, you require even more throughput for an attacker to find services.

    If you're connecting from a browser attack, presumably the browser would have access to the private DNS infrastructure (otherwise it could be firewalled from whatever sensitive services are running).

    Anyway I suppose for some situations you might care, but in this case it sounds like the convenience outweighs the potential security risk.

  • Keep in mind that such things are called "DNS Rebinding" attacks. Many DNS servers filter this by default and you might run into issues if you for example use a laptop that needs to resolve a domain into an IP address inside a VPN when you're at some public WiFi.
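
A simplified model of the answer filtering described in the last comment, added here as an example and not part of the original thread or any resolver's code: it drops private-range addresses from upstream answers unless the queried name falls under an allowlisted domain. The function names, the allowlist parameter and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as "internal" by this simplified rebind-protection model.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents, ULA
)]


def is_private(addr):
    """True if addr (IPv4 or IPv6 text) falls in one of PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    # Treat IPv4-mapped IPv6 (::ffff:192.168.0.1) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETS)


def domain_allowed(name, allowlist):
    """True if name equals, or is a subdomain of, an allowlisted domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)


def filter_answers(name, answers, allowlist=()):
    """Split upstream A/AAAA answers for name into (kept, dropped)."""
    if domain_allowed(name, allowlist):
        return list(answers), []
    kept = [a for a in answers if not is_private(a)]
    dropped = [a for a in answers if is_private(a)]
    return kept, dropped


# Constructed sample answers, as a resolver might receive them from upstream.
SAMPLES = [
    ("camera1.my.domain", ["192.168.0.214"]),
    ("www.example.net", ["203.0.113.10", "192.168.9.117"]),
    ("vpn-host.corp.example", ["10.8.0.5"]),
]

if __name__ == "__main__":
    for allow in ((), ("my.domain", "corp.example")):
        print("allowlist:", allow or "(none)")
        for name, answers in SAMPLES:
            kept, dropped = filter_answers(name, answers, allow)
            status = "resolves" if kept else "fails to resolve"
            print(f"  {name}: {status}; kept={kept} dropped={dropped}")
```

With an empty allowlist the two internal-only names lose every answer, which is the resolution failure a laptop behind a filtering resolver would see for a domain that maps to VPN or LAN addresses.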
