Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment

From: B3r3n <B3r3n@xxxxxxxxxxxx>
Date: Thu, 30 Mar 2006 08:13:34 +0200

Hi Marc,

At 07:52 30/03/2006, Marc SCHAEFER wrote:

However, accessing \\192.168.1.2\c$ did go through the Ethernet
interface, and *not the tunnel*, and strangely half-using the private
addresses!

This recalls me an old behavior from Microsoft products I was using to detect Internet rogue backdoors on my company's network.

When a windows is multi-homed, it sends packets towards broadcast @IP of each of its addresses to fill his computer browser tables.
Here I am talking about this behavior:
- Internal @IP -> Internal NIC -> Internal @IP broadcast
- Internal @IP -> Internal NIC -> External @IP broadcast
- External @IP -> External NIC -> Internal @IP broadcast
- External @IP -> External NIC -> External @IP broadcast

So you can imagine how this was useful. I was routing internal networks on Internet towards a probe that was also receiving Intranet routers anti-spoofing realtime logs.
When the probe was receiving a packet from outside targetting an internal @IP broadcast, I was correlating with antispoof logs of packets coming from an @IP compatible with this external broadcast towards the broadcast of the source @IP of the packet received from the outside and gotcha.

I dont know if Windoze keeps behavior like this.
Possibly this is related?

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment
  - From: Marc SCHAEFER

Prev by Date: [Full-disclosure] Fwd: how to get johnny to encrypt (his hard drive)
Next by Date: Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment
Previous by thread: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment
Next by thread: Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment
Index(es):
- Date
- Thread

Relevant Pages

Re: Streaming Video across the IT
... for most users there won't be any satellite hops in Internet streaming. ... With Internet, packets are sent, not in a contimuous stream and not ... This is why on receiving the "packets" ... need to "sorted" and joined to give reliable video. ...
(comp.sys.mac.apps)
Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Micr
... I was routing internal networks on Internet towards a probe that was also receiving Intranet routers anti-spoofing realtime logs. ... When the probe was receiving a packet from outside targetting an internal @IP broadcast, I was correlating with antispoof logs of packets coming from an @IP compatible with this external broadcast towards the broadcast of the source @IP of the packet received from the outside and gotcha. ...
(Full-Disclosure)
Re: TV licence For Internet?
... watching TV from a PC via the internet? ... If you are receiving it at the same time (or "virtually the same ... time"), as it is generally broadcast, then yes. ...
(uk.legal)
Re: What to do if confronted by TV Licensing Authority Officers
... programme service includes a reference to receiving by any means any ... members of the public by virtue of its being broadcast or distributed ... available on the internet, you would not normally need a TV licence to ...
(uk.legal)
Local Area Connection Status.
... My computer does not show receiving any packets when the connected to ... internet in the Local Area connection status. ...
(microsoft.public.win2000.advanced_server)