RE: Scan for "outsider" Pcs on network




Or spoofing a MAC address, which I find works OK even when the host
being spoofed is connected to the same port at the same time, and works
OK when the MAC is tied to a DHCP reservation (the switch has no way of
knowing there are actually two NICs attached). In fact, a DHCP
reservation is somewhat preferable if trying to go unnoticed during an
"inside" pentest - if the intruder is spoofing hostnames as well as MAC
addresses then it's not very noticeable from a log perspective;
duplicate NetBIOS name events would show up but NetBIOS can be shut off.
Dynamic DNS updates can also be disabled at the Windows client. DHCP
logs would show the lease being renewed by both hosts, but would
probably not look much different from the usual lease renewal activity.

Out of curiosity, what is the largest hard-coded ARP table
implementation that has been performed or observed by the list? Is it
something that is only done in SCIFs or have people implemented it in
general-purpose environments?

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Robert D. Holtz - Lists
Sent: Monday, September 11, 2006 4:18 PM
To: 'Lim Ming Wei'; dhamm@xxxxxxxxxxxxxxxxxx;
focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: Scan for "outsider" Pcs on network

If security is paramount then you would want to set up your
switching fabric to perform MAC-based restrictions by port.
This is one of the best ways of making sure you know what's
hooked up. Anyone just trying to hook up to a port will get nowhere.

Of course, this doesn't prevent someone from going up to a
machine that's already allowed on the 'net and doing whatever
they please.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Lim Ming Wei
Sent: Saturday, September 09, 2006 5:08 AM
To: dhamm@xxxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: Scan for "outsider" Pcs on network

I came across a program called air-snare that is able to detect
that. But you will need to have a list of all your systems'
MAC addresses. It is like an IDS program. I believe that most
IDS programs are able to do that.


-----Original Message-----
From: dhamm@xxxxxxxxxxxxxxxxxx [mailto:dhamm@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 03, 2006 7:48 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Scan for "outsider" Pcs on network

Is there a way to set up a scan and be notified of an
intruding PC that is physically plugged into the network?
When you have an environment with a large number of network
jacks, it's hard to make sure the ones no longer in use are
turned off, and that no "visitors" have sat down to use your
network connections, esp. if you have a large number of
contractors in and out. It got me to searching the net, and
so far I have found one commercial product that can do it,
but nothing else. Any suggestions?
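
Added example, not part of the original thread or any poster's code: a sketch of the MAC-inventory check discussed above, extended with a renewal-cadence heuristic for the shared-MAC case, where hostnames match and only the doubled lease renewals remain visible. The log layout, inventory, 8-hour lease time and thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (MAC -> expected hostname); a real one comes from asset records.
INVENTORY = {
    "00:11:22:aa:bb:01": "ws-acct-01",
    "00:11:22:aa:bb:02": "ws-acct-02",
}
LEASE_TIME = timedelta(hours=8)   # assumed lease length
RENEW_AT = LEASE_TIME / 2         # clients normally renew at half the lease (T1)

# Constructed log lines in a made-up "time,event,mac,hostname" layout.
SAMPLE_LOG = """\
2006-09-11T08:00:00,RENEW,00:11:22:aa:bb:01,ws-acct-01
2006-09-11T12:00:00,RENEW,00:11:22:aa:bb:01,ws-acct-01
2006-09-11T08:05:00,RENEW,00:11:22:aa:bb:02,ws-acct-02
2006-09-11T09:40:00,RENEW,00:11:22:aa:bb:02,ws-acct-02
2006-09-11T12:05:00,RENEW,00:11:22:aa:bb:02,ws-acct-02
2006-09-11T13:40:00,RENEW,00:11:22:aa:bb:02,ws-acct-02
2006-09-11T10:15:00,ASSIGN,00:de:ad:00:00:99,laptop-guest
"""

def analyze(log_text, inventory=INVENTORY, renew_at=RENEW_AT):
    """Return sorted (mac, reason) findings for one batch of lease events."""
    seen = defaultdict(list)          # mac -> [(time, hostname), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _event, mac, host = line.strip().split(",")
        seen[mac.lower()].append((datetime.fromisoformat(stamp), host.lower()))

    findings = set()
    for mac, events in seen.items():
        if mac not in inventory:
            findings.add((mac, "unknown-mac"))        # not on the list at all
            continue
        if any(host != inventory[mac] for _, host in events):
            findings.add((mac, "hostname-mismatch"))  # known MAC, wrong name
        times = sorted(t for t, _ in events)
        early = sum(1 for a, b in zip(times, times[1:]) if b - a < renew_at / 2)
        if early >= 2:   # one early renewal is often just a reboot or re-plug
            findings.add((mac, "renewal-cadence"))    # two clients on one lease?
    return sorted(findings)

if __name__ == "__main__":
    for mac, reason in analyze(SAMPLE_LOG):
        print(f"{mac}  {reason}")
```

The cadence check is only a lead for follow-up: reboots and link flaps also cause early renewals, so the threshold needs tuning against normal activity on the network being monitored.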
