RE: Unknown workgroup in Microsoft Windows Network
From: Jason Ross (JRoss@SBFL.com)
Date: 11/13/02
From: Jason Ross <JRoss@SBFL.com>
To: "'gary_palmer@attbi.com'" <gary_palmer@attbi.com>, focus-ms@securityfocus.com
Date: Wed, 13 Nov 2002 08:03:16 -0500
For domains, one way is to use "net view" and "nbtstat" from a command prompt.
I am not sure if this process works for workgroups also or not; it's been a while since I've dealt with workgroups in my environment:
C:\>net view /domain
Domain
-------------------------------------------------------------------------------
DOMAIN1
DOMAIN2
DOMAIN3
The command completed successfully.

C:\>net view /domain:domain1
Server Name            Remark
-------------------------------------------------------------------------------
\\DOMAIN1-FS
The command completed successfully.

C:\>nbtstat -a domain1-fs

Internal:
Node IpAddress: [192.168.1.20] Scope Id: []   <= Here's where you can view the IP of the node in the particular domain

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
DOMAIN1-FS     <00>  UNIQUE      Registered
DOMAIN1-FS     <20>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1-FS     <6A>  UNIQUE      Registered
DOMAIN1-FS     <03>  UNIQUE      Registered
DOMAIN1-FS     <BE>  UNIQUE      Registered
SRVCACCT       <03>  UNIQUE      Conflict
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
DOMAIN1        <01>  UNIQUE      Registered

MAC Address = 00-80-5F-C1-41-29

C:\>
-----Original Message-----
From: gary_palmer@attbi.com [mailto:gary_palmer@attbi.com]
Sent: Tuesday, November 12, 2002 4:13 PM
To: focus-ms@securityfocus.com
Subject: Unknown workgroup in Microsoft Windows Network
Recently a new workgroup name appeared in our organization's "Network Neighborhood > Microsoft Windows Network". The workgroup or domain is called "Gotcha." Not a particularly pleasing name for a workgroup.
Having verified that no staff members have plugged in new hardware recently, and verifying that there are no unauthorized logins to our wireless network, I'm somewhat at a loss to explain this. I found information on an SMB hack that, as a side-effect, causes a rogue workgroup to show up in Network Neighborhood in order to sniff cleartext passwords from Windows 95 machines, but our firewall blocks ports 137 and 139, and there's nothing unusual in the firewall logs.
My question is this--what's the best way to track down an IP address associated with a domain or workgroup listing in Network Neighborhood? Is this possible? This would at least give me an idea of where on the physical network this is coming from. Does anyone have recommendations on tracing this problem?
Thank you,
Gary
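
Added example, not part of either message: a Python parser for the name table that "nbtstat -a" prints, reporting which browsing roles the queried host has registered for a given workgroup name, plus its MAC address for tracing on the physical network. The sample output, the host name HOST-A and the MAC are constructed; the suffix meanings are the standard NetBIOS ones.

```python
import re

# Well-known NetBIOS name suffixes (16th byte) tied to workgroup browsing.
SUFFIX_ROLES = {
    ("00", "GROUP"): "member of workgroup/domain",
    ("1E", "GROUP"): "browser election participant",
    ("1D", "UNIQUE"): "master browser",
    ("1B", "UNIQUE"): "domain master browser",
}
ROW = re.compile(r"^\s*(\S+)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_name_table(text):
    """Return (mac, rows); rows are (name, suffix, type, status) tuples."""
    mac = MAC.search(text)
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name.upper(), suffix.upper(), kind, status))
    return (mac.group(1) if mac else None), rows

def roles_for(rows, workgroup):
    """Browsing roles the queried host has registered for `workgroup`."""
    return [SUFFIX_ROLES[(suffix, kind)]
            for name, suffix, kind, status in rows
            if name == workgroup.upper() and status == "Registered"
            and (suffix, kind) in SUFFIX_ROLES]

# Constructed sample output (host name and MAC are made up for illustration).
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
HOST-A         <00>  UNIQUE      Registered
HOST-A         <20>  UNIQUE      Registered
GOTCHA         <00>  GROUP       Registered
GOTCHA         <1E>  GROUP       Registered
GOTCHA         <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-00-5E-00-53-01
"""

if __name__ == "__main__":
    mac, rows = parse_name_table(SAMPLE)
    print(mac, roles_for(rows, "Gotcha"))
```

A host that holds the <1D> name for the workgroup is the one announcing it to browse lists on that subnet, so its MAC address is the value to look up in switch tables.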