RE: rogue IP address

From: Trevor Cushen (Trevor.Cushen_at_sysnet.ie)
Date: 05/07/03

    Date: Wed, 7 May 2003 16:57:27 +0100
    To: <security-basics@securityfocus.com>
    
    

    Look at the server logs and see who is logging in from the rogue address.

    NT and Unix give this information.

    Are you sure it is an end user and not a real ROGUE on your network?

    -----Original Message-----
    From: Burton M. Strauss III [mailto:BStrauss@acm.org]
    Sent: 06 May 2003 22:05
    To: security-basics@securityfocus.com
    Cc: dondon@pacbell.net; Erik !; jharris@rallycentral.us
    Subject: RE: rogue IP address

    A much better link for MAC lookup is

    http://standards.ieee.org/regauth/oui/index.shtml

    since the IEEE is the body that manages the assignments, they're the
    most current.

    Be aware that you can spoof the MAC address. Values beginning 02:xx:xx
    (mask 0x02, really) are what's supposed to be used, but if the OS allows
    you to set it, you can usually set it to ANYTHING.

    This might be relevant if somebody has put up a rogue wireless
    router/access point and used the spoofing capability to try and hide it.
    If they are trying to hide it, you're going to have to look for cabinets
    and boxes which are plugged into the outlets...

    Also, the name that the database will show you isn't always the name you
    know. Sometimes it's the chipset vendor or the OEM or the name on the
    box. Those are all legal, it's just a matter of who does the paperwork
    (and who burns the bits into what).

    Still, if they've pieced the rogue together from outdated parts it will
    sometimes stand out - gee, what's the ABC Corp. box doing on the
    network, we haven't used anybody but XYZ, Corp in five years... tell you
    exactly what piece of kit to go snooping for.

    -----Burton

    -----Original Message-----
    From: Erik ! [mailto:viking0069@hotmail.com]
    Sent: Monday, May 05, 2003 7:00 PM
    To: jharris@rallycentral.us; security-basics@securityfocus.com
    Cc: dondon@pacbell.net
    Subject: Re: rogue IP address

    Yea, if you have the MAC address you're money.

    IF you have this, then you can start tracking down what type of NIC your
    rogue IP is bound to ... and by deduction MAYBE even the box's hardware.

    We used this trick once for a dup IP issue we had on a tier-one ISP's
    class B network.

    Here's how you do it:

    1. Use this link to correlate the MAC address with a manufacturer:

    http://www.coffer.com/mac_find/

    The first three sets of numbers in the MAC address represent the vendor
    code. At this site, do your search e.g. 00c095

    MAC Address prefix   Vendor
    00C095               Zynx Network Appliance box

    2. Now match the type of NICs you use to the type of boxes you put them
    in (this works best if your company hardware is running the rogue IP
    address).

    Zynx is the brand of NICs we used in our Nokia firewalls. So in this
    case I knew that issue was limited to a select number of firewall boxes
    and we eventually fixed the dup IP issue.

    You don't always get a cut and dry answer, but it does provide an extra
    step you can use to troubleshoot.

    The alternative may be to have your network guys trace the MAC address to a
    *working* switch port. We know how long of a turnaround time that can be ;)

    Of course, you need the MAC address here 8)

    Erik

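As an added example (written here, not code from any poster in this thread), this Python script automates the lookup step Erik describes together with Burton's two caveats: it resolves the OUI prefix of each MAC in an `arp -a` listing to a vendor, flags the locally-administered bit (0x02 in the first octet) that a spoofed address is supposed to carry, and flags vendors the shop has never bought from. The OUI table, the approved-vendor inventory and the ARP lines are constructed for the demo; a real lookup uses the IEEE registry linked above.

```python
import re

# Constructed OUI table for this example; 00C095 / Zynx is the entry the thread
# cites, the others are illustrative. The authoritative source is the IEEE registry.
OUI_TABLE = {"00C095": "Zynx Network Appliance", "00000C": "Cisco Systems", "0050BA": "D-Link"}
# Hypothetical inventory: vendors this organisation actually deploys.
APPROVED_VENDORS = {"Zynx Network Appliance", "Cisco Systems"}

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 upper-case hex digits, accepting ':', '-' and '.' forms."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify_mac(mac: str) -> dict:
    """OUI vendor lookup plus the two heuristics from the thread:
    the locally-administered bit (0x02 in the first octet) and an unexpected vendor."""
    digits = normalize_mac(mac)
    vendor = OUI_TABLE.get(digits[:6])
    flags = []
    if int(digits[:2], 16) & 0x02:
        flags.append("locally-administered bit set; address may be spoofed")
    if vendor is None:
        flags.append("OUI not in table")
    elif vendor not in APPROVED_VENDORS:
        flags.append(f"vendor {vendor!r} not in approved inventory")
    return {"mac": digits, "oui": digits[:6], "vendor": vendor, "flags": flags}

# Matches the Linux/BSD `arp -a` line format: "host (ip) at mac [ether] on iface".
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")

def suspicious_arp_entries(arp_output: str) -> list:
    """Return (ip, classification) for each ARP entry whose MAC raised a flag."""
    findings = []
    for line in arp_output.splitlines():
        m = ARP_RE.search(line)
        if m:
            info = classify_mac(m.group("mac"))
            if info["flags"]:
                findings.append((m.group("ip"), info))
    return findings

# Constructed sample ARP table: Zynx firewall, Cisco switch, an unknown
# locally-administered MAC, and a D-Link box from a vendor the shop never bought.
SAMPLE_ARP = """\
fw1.example.lan (10.1.0.1) at 00:c0:95:12:34:56 [ether] on eth0
sw1.example.lan (10.1.0.2) at 00:00:0c:aa:bb:cc [ether] on eth0
? (10.1.0.77) at 02:1a:2b:3c:4d:5e [ether] on eth0
? (10.1.0.78) at 00:50:ba:00:11:22 [ether] on eth0
"""
```

Running `suspicious_arp_entries(SAMPLE_ARP)` reports only 10.1.0.77 (spoof bit set, unknown OUI) and 10.1.0.78 (D-Link, not in inventory); the two known boxes pass clean.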
    ------------------------------------------------------------------------
    ---
    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    utilization of pertinent security tools. For a limited time you can enter for
    a chance to win one of the latest technological innovations, the SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-security-basics
    ---------------------------------------------------------------------------
