Re: Unknown workgroup in Microsoft Windows Network

From: Eric (ews@tellurian.net)
Date: 11/13/02


Date: Wed, 13 Nov 2002 10:16:40 -0600
To: gary_palmer@attbi.com, focus-ms@securityfocus.com
From: Eric <ews@tellurian.net>

I helped track down a similar incident for a customer many years ago; the
workgroup name was far less professional than "Gotcha"...

Since it appears in Network Neighborhood, it's in the browse lists, so it's
a good likelihood that the machine with this domain name or workgroup name
is still on the network. It's probably a workgroup name assigned to one
person's PC. Either intentionally created by the owner or that box was
hacked and the workgroup name changed.

Start by enumerating the membership of this workgroup. Try
'net view /domain:gotcha'
Even though the command uses the word 'domain', it will still enumerate
machines in a workgroup.

Then you can ping the resulting machine name to get an IP address.

You might have to use DHCP or WINS records to help track down who owned
what IP addresses at what point in time, but hopefully you won't need to,
assuming the box is still online.

Once you have an IP, you might be able to enumerate the owner of the
machine by doing null session user enumeration (if you don't have admin
access to it.) We can go into a separate thread on enumeration if you need
that info.

At 09:13 PM 11/12/2002 +0000, gary_palmer@attbi.com wrote:

>Recently a new workgroup name appeared in our organization's "Network
>Neighborhood > Microsoft Windows Network". The workgroup or domain is
>called "Gotcha." Not a particularly pleasing name for a workgroup.
>
>Having verified that no staff members have plugged in new hardware recently,
>and verifying that there are no unauthorized logins to our wireless network,
>I'm somewhat at a loss to explain this. I found information on an SMB hack
>that, as a side-effect, causes a rogue workgroup to show up in Network
>Neighborhood in order to sniff cleartext passwords from Windows 95 machines,
>but our firewall blocks ports 137 and 139, and there's nothing unusual in the
>firewall logs.
>
>My question is this--what's the best way to track down an IP address
>associated with a domain or workgroup listing in Network Neighborhood? Is
>this possible? This would at least give me an idea of where on the physical
>network this is coming from. Does anyone have recommendations on tracing
>this problem?
>
>Thank you,
>
>Gary
>
>--
>gpalmer@attbi.com
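
The tracing steps in the reply above (list the workgroup's members, then use DHCP records to see who held an address at a given time), as an added example that is not part of the original post. The `net view` output, host names, addresses and MACs are constructed samples, and the lease log is assumed to follow the Windows DHCP server audit log layout, in chronological order.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: output of `net view /domain:gotcha` (hypothetical host).
NET_VIEW_OUTPUT = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\LAB-PC07             spare desk
The command completed successfully.
"""

# Constructed sample, assumed layout of a Windows DHCP server audit log:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# (10 = new lease, 11 = renewal, 12 = release).
DHCP_AUDIT_LOG = """\
10,11/11/02,08:02:11,Assign,192.0.2.57,OLD-LAPTOP,00A0C9112233
12,11/11/02,17:40:03,Release,192.0.2.57,OLD-LAPTOP,00A0C9112233
10,11/12/02,09:15:42,Assign,192.0.2.57,LAB-PC07,0050DA445566
11,11/13/02,09:15:40,Renew,192.0.2.57,LAB-PC07,0050DA445566
"""


def workgroup_members(net_view_text):
    """Return the machine names listed in `net view /domain:<name>` output."""
    return re.findall(r"^\\\\(\S+)", net_view_text, flags=re.MULTILINE)


def lease_holder(log_text, ip, when):
    """Return (host, mac) holding `ip` at time `when`, or None if unleased."""
    holder = None
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # skip header or malformed lines
        event_id, date, time, _desc, addr, host, mac = row[:7]
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        if addr != ip or stamp > when:
            continue
        if event_id in ("10", "11"):      # lease granted or renewed
            holder = (host, mac)
        elif event_id == "12":            # lease released
            holder = None
    return holder
```

The MAC address returned for the time of interest can then be matched against switch port tables or an asset inventory to locate the machine physically.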


