RE: Unknown workgroup in Microsoft Windows Network

From: Jason Ross (JRoss@SBFL.com)
Date: 11/13/02


From: Jason Ross <JRoss@SBFL.com>
To: "'gary_palmer@attbi.com'" <gary_palmer@attbi.com>, focus-ms@securityfocus.com
Date: Wed, 13 Nov 2002 08:03:16 -0500

For domains, one way is to use "net view" and "nbtstat" from a command prompt.
I am not sure if this process works for workgroups also or not; it's been a
while since I've dealt with workgroups in my environment:

C:\>net view /domain
Domain

-------------------------------------------------------------------------------
DOMAIN1
DOMAIN2
DOMAIN3
The command completed successfully.

C:\>net view /domain:domain1
Server Name            Remark

-------------------------------------------------------------------------------
\\DOMAIN1-FS
The command completed successfully.

C:\>nbtstat -a domain1-fs

Internal:
Node IpAddress: [192.168.1.20] Scope Id: []   <= Here's where you can view the IP of the node in the particular domain

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DOMAIN1-FS     <00>  UNIQUE      Registered
    DOMAIN1-FS     <20>  UNIQUE      Registered
    DOMAIN1        <00>  GROUP       Registered
    DOMAIN1        <1C>  GROUP       Registered
    DOMAIN1        <1B>  UNIQUE      Registered
    DOMAIN1        <1E>  GROUP       Registered
    DOMAIN1-FS     <6A>  UNIQUE      Registered
    DOMAIN1-FS     <03>  UNIQUE      Registered
    DOMAIN1-FS     <BE>  UNIQUE      Registered
    SRVCACCT       <03>  UNIQUE      Conflict
    DOMAIN1        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    DOMAIN1        <01>  UNIQUE      Registered

MAC Address = 00-80-5F-C1-41-29

C:\>

-----Original Message-----
From: gary_palmer@attbi.com [mailto:gary_palmer@attbi.com]
Sent: Tuesday, November 12, 2002 4:13 PM
To: focus-ms@securityfocus.com
Subject: Unknown workgroup in Microsoft Windows Network

Recently a new workgroup name appeared in our organization's "Network Neighborhood > Microsoft Windows Network". The workgroup or domain is called "Gotcha." Not a particularly pleasing name for a workgroup.

Having verified that no staff members have plugged in new hardware recently, and verifying that there are no unauthorized logins to our wireless network, I'm somewhat at a loss to explain this. I found information on an SMB hack that, as a side-effect, causes a rogue workgroup to show up in Network Neighborhood in order to sniff cleartext passwords from Windows 95 machines, but our firewall blocks ports 137 and 139, and there's nothing unusual in the firewall logs.

My question is this--what's the best way to track down an IP address associated with a domain or workgroup listing in Network Neighborhood? Is this possible? This would at least give me an idea of where on the physical network this is coming from. Does anyone have recommendations on tracing this problem?

Thank you,

Gary

-- gpalmer@attbi.com
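
Added example (not part of either message in this thread): Python code that parses the name table and MAC address from saved "nbtstat -a" output, like the output quoted in the reply, and reports whether that host registered the master-browser name for a given workgroup or domain. The suffix meanings are the standard NetBIOS name-type assignments, not taken from the thread, and the function names are illustrative.

```python
import re

# Subset of standard NetBIOS name suffixes relevant to the browse list.
ROLES = {
    ("00", "UNIQUE"): "computer name",
    ("00", "GROUP"): "domain/workgroup member",
    ("20", "UNIQUE"): "file server service",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser election participant",
}
ROW = re.compile(r"^\s*(\S+?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address = ([0-9A-F]{2}(?:-[0-9A-F]{2}){5})")

# Sample input: rows trimmed from the nbtstat output quoted in the reply.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    DOMAIN1-FS     <00>  UNIQUE      Registered
    DOMAIN1-FS     <20>  UNIQUE      Registered
    DOMAIN1        <00>  GROUP       Registered
    DOMAIN1        <1E>  GROUP       Registered
    SRVCACCT       <03>  UNIQUE      Conflict
    DOMAIN1        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-80-5F-C1-41-29
"""

def parse_nbtstat(text):
    """Return the remote MAC and the (name, suffix, type, status) rows."""
    mac = MAC.search(text)
    rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
    return {"mac": mac.group(1) if mac else None, "rows": rows}

def roles_for(info, group):
    """Roles the host has registered under a name (case-insensitive)."""
    return [ROLES.get((sfx, typ), "other") for name, sfx, typ, status
            in info["rows"] if name.upper() == group.upper() and status == "Registered"]

def is_master_browser(info, group):
    """True if the host holds <group><1D>, so it keeps that browse list."""
    return "master browser" in roles_for(info, group)

if __name__ == "__main__":
    info = parse_nbtstat(SAMPLE)
    print(info["mac"], roles_for(info, "domain1"))
```

Run against output saved for each candidate host, the one that holds the <1D> name for the unexpected workgroup is the machine to look for, and its MAC address can be matched against switch port tables.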


