Re: Unknown workgroup in Microsoft Windows Network
From: jmcguire@sbcs.com
Date: 11/14/02
- Previous message: Dozal, Tim: "RE: Active Directory network security"
- Maybe in reply to: gary_palmer@attbi.com: "Unknown workgroup in Microsoft Windows Network"
- Next in thread: Tony Gordon: "Re: Unknown workgroup in Microsoft Windows Network"
To: Eric <ews@tellurian.net>
From: jmcguire@sbcs.com
Date: Thu, 14 Nov 2002 11:10:48 -0500
I somehow missed the original post, but if the machine reports to a WINS
server, you should have all the info in your WINS database. There will be a
record for the workgroup with an IP. You can then sort the list by IP to
list the machine name and user logged in that matches the workgroup IP
entry. This should lead you to the culprit.
__________________________________________
JOHN MCGUIRE CISSP, MCSE2k, MCSE+I, MCT
Network Security Specialist
888.529.0401
jmcguire@sbcs.com
Strictly Business
www.sbcs.com
Eric <ews@tellurian.net>
11/13/2002 11:16 AM
To: gary_palmer@attbi.com, focus-ms@securityfocus.com
cc:
Subject: Re: Unknown workgroup in Microsoft Windows Network
I helped track down a similar incident for a customer many years ago, the
workgroup name was far less professional than "Gotcha"...
Since it appears in Network Neighborhood, it's in the browse lists, so it's
a good likelihood that the machine with this domain name or workgroup name
is still on the network. It's probably a workgroup name assigned to one
person's PC. Either intentionally created by the owner or that box was
hacked and the workgroup name changed.
Start by enumerating the membership of this workgroup. Try
'net view /domain:gotcha'
Even though the command uses the word 'domain', it will still enumerate
machines in a workgroup.
Then you can ping the resulting machine name to get an IP address.
You might have to use DHCP or WINS records to help track down who owned
what IP addresses at what point in time, but hopefully you won't need to,
assuming the box is still online.
Once you have an IP, you might be able to enumerate the owner of the
machine by doing null session user enumeration (if you don't have admin
access to it.) We can go into a separate thread on enumeration if you need
that info.
At 09:13 PM 11/12/2002 +0000, gary_palmer@attbi.com wrote:
>Recently a new workgroup name appeared in our organization's "Network
>Neighborhood > Microsoft Windows Network". The workgroup or domain is
>called "Gotcha." Not a particularly pleasing name for a workgroup.
>
>Having verified that no staff members have plugged in new hardware recently,
>and verifying that there are no unauthorized logins to our wireless network,
>I'm somewhat at a loss to explain this. I found information on an SMB hack
>that, as a side-effect causes a rogue workgroup to show up in Network
>Neighborhood in order to sniff cleartext passwords from Windows 95 machines,
>but our firewall blocks ports 137 and 139, and there's nothing unusual in the
>firewall logs.
>
>My question is this--what's the best way to track down an IP address
>associated with a domain or workgroup listing in Network Neighborhood. Is this
>possible? This would at least give me an idea of where on the physical network
>this is coming from. Does anyone have recommendations on tracing this problem?
>
>Thank you,
>
>Gary
>
>--
>gpalmer@attbi.com
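
The WINS correlation described in the reply above (find the workgroup's record, then list the other names registered from the same IP), as an added example that is not part of the original thread. It assumes the WINS records have been exported to CSV with the constructed columns name, suffix, type, ip; `trace_workgroup` and the sample rows are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: name, NetBIOS suffix (hex), record type, IP.
# The column layout is an assumption, not the output of a specific tool.
SAMPLE_EXPORT = """name,suffix,type,ip
CORP,00,GROUP,10.0.0.21
FRONTDESK,00,UNIQUE,10.0.0.21
FRONTDESK,03,UNIQUE,10.0.0.21
ALICE,03,UNIQUE,10.0.0.21
GOTCHA,00,GROUP,10.0.0.57
GOTCHA,1E,GROUP,10.0.0.57
LAB-PC7,00,UNIQUE,10.0.0.57
LAB-PC7,03,UNIQUE,10.0.0.57
LAB-PC7,20,UNIQUE,10.0.0.57
BOB,03,UNIQUE,10.0.0.57
"""

def trace_workgroup(export_text, workgroup):
    """Return {ip: {"machines": [...], "users": [...]}} for hosts that
    registered `workgroup` as a group name."""
    rows = [
        {k: v.strip().upper() for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(export_text))
    ]
    # Step 1: IPs holding a group record for the workgroup name.
    ips = {r["ip"] for r in rows
           if r["type"] == "GROUP" and r["name"] == workgroup.upper()}
    result = defaultdict(lambda: {"machines": [], "users": []})
    # Step 2: <00> unique records from those IPs are the computer names.
    for r in rows:
        if r["ip"] in ips and r["type"] == "UNIQUE" and r["suffix"] == "00":
            result[r["ip"]]["machines"].append(r["name"])
    # Step 3: <03> unique records are messenger names (computer name and
    # logged-on user); whatever is not the computer name is the user.
    for r in rows:
        if (r["ip"] in ips and r["type"] == "UNIQUE" and r["suffix"] == "03"
                and r["name"] not in result[r["ip"]]["machines"]):
            result[r["ip"]]["users"].append(r["name"])
    return dict(result)

if __name__ == "__main__":
    for ip, info in sorted(trace_workgroup(SAMPLE_EXPORT, "gotcha").items()):
        print(ip, info["machines"], info["users"])
```

The resulting IP can then be matched against DHCP lease records to place the host on the physical network.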