Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment

Hi Marc,

At 07:52 30/03/2006, Marc SCHAEFER wrote:
However, accessing \\192.168.1.2\c$ did go through the Ethernet
interface, and *not the tunnel*, and strangely half-using the private
addresses!

This recalls me an old behavior from Microsoft products I was using to detect Internet rogue backdoors on my company's network.

When a windows is multi-homed, it sends packets towards broadcast @IP of each of its addresses to fill his computer browser tables.
Here I am talking about this behavior:
- Internal @IP -> Internal NIC -> Internal @IP broadcast
- Internal @IP -> Internal NIC -> External @IP broadcast
- External @IP -> External NIC -> Internal @IP broadcast
- External @IP -> External NIC -> External @IP broadcast

So you can imagine how this was useful. I was routing internal networks on Internet towards a probe that was also receiving Intranet routers anti-spoofing realtime logs.
When the probe was receiving a packet from outside targetting an internal @IP broadcast, I was correlating with antispoof logs of packets coming from an @IP compatible with this external broadcast towards the broadcast of the source @IP of the packet received from the outside and gotcha.

I dont know if Windoze keeps behavior like this.
Possibly this is related?

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Help! "Martian" (packet) invasion via FiOS cablemodem
    ... The wording in "TCP/IP Blueprints" suggests that broadcast packet ... interface internal to cable modem, it's a device talking _to_ it. ... from Verizon or the Internet). ... If the packets annoy you, use iptables to quietly drop (all from ...
    (comp.os.linux.networking)
  • Re: Streaming Video across the IT
    ... for most users there won't be any satellite hops in Internet streaming. ... With Internet, packets are sent, not in a contimuous stream and not ... This is why on receiving the "packets" ... need to "sorted" and joined to give reliable video. ...
    (comp.sys.mac.apps)
  • Re: Help! "Martian" (packet) invasion via FiOS cablemodem
    ... the bytes 08 00 were not incorrect: the Ethernet header ... also to analyse packets captured with the tcpdump -w option. ... from Verizon or the Internet). ... My LAN is 192.x.y.z and the packet is from 169.a.b.c, so passing the broadcast along doesn't _sound_ right. ...
    (comp.os.linux.networking)
  • Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Micr
    ... I was routing internal networks on Internet towards a probe that was also receiving Intranet routers anti-spoofing realtime logs. ... When the probe was receiving a packet from outside targetting an internal @IP broadcast, I was correlating with antispoof logs of packets coming from an @IP compatible with this external broadcast towards the broadcast of the source @IP of the packet received from the outside and gotcha. ...
    (Full-Disclosure)
  • Re: TV licence For Internet?
    ... watching TV from a PC via the internet? ... If you are receiving it at the same time (or "virtually the same ... time"), as it is generally broadcast, then yes. ...
    (uk.legal)