Re: Unknown workgroup in Microsoft Windows Network

From: Tony Gordon (tony.gordon@hewitt.com)
Date: 11/14/02


    To: gary_palmer@attbi.com
    From: "Tony Gordon" <tony.gordon@hewitt.com>
    Date: Thu, 14 Nov 2002 15:49:54 -0600
    
    

    If all previous ideas do not work, try running NetMon or any other
    "sniffer" on the Domain master browser. It will receive a browser
    announce frame sooner or later. The frame will tell you which browser
    supplied the name. Doing string searches in a large trace could be an
    issue. Some sniffers are better at it than others. Then follow the
    browser chain until you find the one that is on the same subnet as the
    "offender". That will give the IP address of the system that sent the
    browser announce frame.

    Somewhat painful process, so use it as a last resort. I had to use it
    when nothing else worked.

    Thank you, Tony.
    Tony Gordon, Windows 2000 MCSE
    tony.gordon@hewitt.com
    Windows Server Infrastructure
    Phone: 847.295.5000 x14534
    Fax: 847.295.8877
    Hewitt Associates

    gary_palmer@attbi.com
    11/12/2002 03:13 PM

     
            To: focus-ms@securityfocus.com
            cc:
            Subject: Unknown workgroup in Microsoft Windows Network

    Recently a new workgroup name appeared in our organization's "Network
    Neighborhood > Microsoft Windows Network." The workgroup or domain is
    called "Gotcha." Not a particularly pleasing name for a workgroup.

    Having verified that no staff members have plugged in new hardware
    recently, and verifying that there are no unauthorized logins to our
    wireless network, I'm somewhat at a loss to explain this. I found
    information on an SMB hack that, as a side effect, causes a rogue
    workgroup to show up in Network Neighborhood in order to sniff cleartext
    passwords from Windows 95 machines, but our firewall blocks ports 137 and
    139, and there's nothing unusual in the firewall logs.

    My question is this--what's the best way to track down an IP address
    associated with a domain or workgroup listing in Network Neighborhood? Is
    this possible? This would at least give me an idea of where on the
    physical network this is coming from. Does anyone have recommendations on
    tracing this problem?

    Thank you,

    Gary

    --
    gpalmer@attbi.com
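
The trace-searching step Tony describes, as an added example that is not part of the original messages: it decodes the RFC 1002 NetBIOS datagram header and names (the UDP port 138 payload that carries browser announcements) and lists which hosts sent datagrams addressed to a given workgroup name. The function names, addresses and host names are assumptions constructed for illustration, and pulling the UDP payloads out of a capture is left to the sniffer.

```python
import socket
import struct

def nb_encode(name, suffix):
    """First-level encode a NetBIOS name (RFC 1001): 15 chars plus a suffix byte."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    body = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + body + b"\x00"

def nb_decode(buf, off):
    """Decode the encoded name at off; return (name, suffix, next offset)."""
    enc = buf[off + 1:off + 33]
    if (len(buf) < off + 34 or buf[off] != 0x20 or buf[off + 33] != 0
            or any(not 0x41 <= b <= 0x50 for b in enc)):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], off + 34

def parse_datagram(payload):
    """Parse the RFC 1002 datagram header and both names from a UDP/138 payload."""
    msg_type, _, _, ip, _, _, _ = struct.unpack("!BBH4sHHH", payload[:14])
    if msg_type not in (0x10, 0x11, 0x12):  # direct unique, direct group, broadcast
        raise ValueError("not a NetBIOS data datagram")
    src, _, off = nb_decode(payload, 14)
    dst, dst_suffix, _ = nb_decode(payload, off)
    return {"claimed_ip": socket.inet_ntoa(ip), "source": src,
            "dest": dst, "dest_suffix": dst_suffix}

def find_senders(frames, workgroup):
    """frames: (wire IP, UDP payload). Returns (wire IP, sender, header IP differs)."""
    hits = set()
    for wire_ip, payload in frames:
        try:
            d = parse_datagram(payload)
        except (ValueError, struct.error):
            continue  # truncated or not a datagram we can read; skip it
        if d["dest"] == workgroup.upper():
            hits.add((wire_ip, d["source"], d["claimed_ip"] != wire_ip))
    return sorted(hits)

def make_frame(src_ip, src_name, group, suffix):
    """Build a constructed datagram: header and names only, no SMB body."""
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(src_ip), 138, 68, 0)
    return hdr + nb_encode(src_name, 0x00) + nb_encode(group, suffix)

# Constructed capture: every address and host name here is made up.
SAMPLE = [("10.1.4.23", make_frame("10.1.4.23", "LABPC07", "Gotcha", 0x1D)),
          ("10.1.2.10", make_frame("10.1.2.10", "FILESRV1", "CORP", 0x1D)),
          ("10.1.4.99", make_frame("10.1.4.23", "LABPC07", "Gotcha", 0x1E))]
```

The source IP field in the datagram header is filled in by the sender, so the example reports when it differs from the IP-layer source address recorded by the capture.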
    


