Re: Network scanning

From: Sebastian Schneider (ses_at_straightliners.de)
Date: 08/10/03

  • Next message: Kip Sr.: "SMTP DDoS"
    To: White-Tiger <white-tiger@rocketmail.com>, CHRIS GRABENSTEIN <LFGRABC@LF.VCCS.EDU>, security-basics@securityfocus.com
    Date: Sun, 10 Aug 2003 02:34:32 +0200
    
    

    On Saturday 09 August 2003 17:18, White-Tiger wrote:
    > I am sorry I got on this late... Some switches support
    > eapol

    be my guest ;-)

    > that works with a radius server to auth mac address at port
    > level before the switch will enable that port... I have
    > done limited testing. If you unplug a live connect, not
    > only will someone be calling saying that something doesn't
    > work, but when they plug in their NIC the switch will see a
    > new MAC and disable the port.

    Just if someone is currently using that port, he'd maybe be upset,
    but if the port is not in use, nobody might even notice that
    there is someone doing some fancy stuff.

    >
    > Someone can give some ideas about MAC spoofing, but
    > doesn't the NIC give its real MAC to the switch while you
    > are trying to spoof someone else's MAC?

    But if you set up your NIC to listening mode, I guess there
    will be no communications, thus the real MAC address won't
    be transmitted. After analyzing broadcast traffic, I guess you
    might have enough information to do MAC spoofing with an
    accepted MAC address.
    This is a big deal for wireless communications since most of
    the available cards can be put into passive mode.

    >
    > If this is the case, then you can disable any port that is
    > not a known MAC.
    >
    > I have a baystack450, and I can setup the MAC in each of
    > the switches, but that will be kinda hard to maintain. So
    > I am looking at free radius for OpenBSD that supports
    > eapol, so I can just setup a file with all allowed MACs.

    >
    > Hope this helps, sorry if someone already said this, I am
    > a little late on the thread.
    >
    >
    > WT
    >
    > --- Sebastian Schneider <ses@straightliners.de> wrote:
    > > On Friday 08 August 2003 14:19, CHRIS GRABENSTEIN wrote:
    > > > As far as the hard wires, I think the best solution is to search out those
    > > > unused ports and unplug them from the switch. They can be quickly
    > > > reconnected if needed, and you'll know about it.
    > >
    > > I guess you're actually aware, that not everyone is locking up rooms
    > > containing switches.
    > > And just plugging out unused cables won't be sufficient, since usually
    > > I just can plug out any computer and plug in my own.
    > >
    > > > |-----Original Message-----
    > > > |From: netsec novice [mailto:netsec9@hotmail.com]
    > > > |Sent: Thursday, August 07, 2003 4:51 PM
    > > > |To: security-basics@securityfocus.com
    > > > |Subject: Network scanning
    > > > |
    > > > |
    > > > |Are there tools out there that would allow system administrators to be
    > > > |notified when a new workstation attaches to a network? I'm thinking both
    > > > |wireless and ethernet in this case. SNMP maybe? I am in a credit union
    > > > |environment and my concern is that someone would be able to steal an
    > > > |existing jack or a jack that is not physically protected but live and be
    > > > |able to capture traffic or do reconnaissance. We don't have Wireless access
    > > > |at this point but may look to it in the future. My only thought in that
    > > > |case would be to encrypt all traffic since wireless security is a bit scary
    > > > |at this point. Any ideas?

    -- 
    -----------------------------
    straightLiners IT Consulting & Services
    Sebastian Schneider
    Metzer Str. 12
    13595 Berlin
    Germany
    Phone: +49-30-3510-6168
    Fax: +49-30-3510-6169
    Mail: ses@straightliners.de
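
A polling-style check for the question raised in this thread, added here as an example and not code from any of the posters: it compares two snapshots of a switch's port/MAC table against an allowlist file and flags unknown MACs, newly attached stations, and an allowed MAC that turns up on a different port. The `<port> <mac>` table format, the port numbers and the MAC values are constructed assumptions.

```python
import re

# Constructed sample data: locally administered MACs, hypothetical port numbers.
ALLOWLIST = """
# one allowed MAC per line, any common notation
02:00:00:00:00:01
02-00-00-00-00-02
0200.0000.0003
02:00:00:00:00:04
"""
PREVIOUS = "1 02:00:00:00:00:01\n2 02:00:00:00:00:02\n3 02:00:00:00:00:03"
CURRENT = ("1 02:00:00:00:00:01\n2 02:00:00:00:00:99\n"
           "4 02:00:00:00:00:04\n5 02:00:00:00:00:03")

def norm_mac(text):
    """Normalise colon, dash or dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_allowlist(text):
    """One MAC per line; '#' starts a comment; blank lines are ignored."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {norm_mac(e) for e in entries if e}

def parse_table(text):
    """Lines of '<port> <mac>' -> {port: normalised mac}."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {port: norm_mac(mac) for port, mac in rows}

def compare(previous, current, allowed):
    """Return sorted (kind, port, mac) alerts for the newer snapshot."""
    alerts = []
    last_port = {mac: port for port, mac in previous.items()}
    for port, mac in current.items():
        if mac not in allowed:
            alerts.append(("UNKNOWN_MAC", port, mac))    # not in the allowlist
        elif mac in last_port and last_port[mac] != port:
            alerts.append(("MAC_MOVED", port, mac))      # allowed MAC, different port
        elif mac not in last_port:
            alerts.append(("NEW_STATION", port, mac))    # allowed MAC, first sighting
    return sorted(alerts)

if __name__ == "__main__":
    allowed = load_allowlist(ALLOWLIST)
    for alert in compare(parse_table(PREVIOUS), parse_table(CURRENT), allowed):
        print(*alert)
```

An allowlist lookup alone passes any station presenting an accepted MAC, so the move of an allowed MAC to another port is reported as its own alert for an operator to confirm.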