Re: Network scanning: Continued (newbie)

From: Schneider Sebastian (ses_at_straightliners.de)
Date: 08/21/03

    To: Meidinger Chris <chris.meidinger@badenit.de>, "'Christos Gioran'" <himicos@freemail.gr>, security-basics <security-basics@securityfocus.com>
    Date: Thu, 21 Aug 2003 00:14:11 +0200
    
    


    As far as I know, ARP requests are handled a layer under IP.
    That means even with the firewalling rules applied, the ARP request should be
    processed.

    But much more interesting are broadcasts on ethernet level which must be
    addressed.

    Sebastian

    On Monday 18 August 2003 12:16, Meidinger Chris wrote:
    > Hello Christos,
    >
    > that would certainly avoid letting the box be detected by a ping. What is
    > sometimes done on an IDS Sensor is using a cable with only incoming and no
    > outgoing wires connected. This can make a box totally silent by making
    > egress packets impossible on layer 1. There is also something called an
    > ethernet tap which can split a signal and give a second box a look at
    > what's going over the wire. (do not use in a full duplex environment unless
    > you are 100% sure the second box will stay silent)
    >
    > Oops, I just saw that you knew about special wiring. At any rate, the box
    > should be pretty silent if you put that firewall ruleset on it. I am, however,
    > not 100% sure that it would ignore ARP requests. Maybe a firewall hero can
    > tell you that. If it was me I would use a special cable or a cable tap on a
    > covert box to be really sure that nothing could get out.
    >
    > badenIT GmbH
    > System Support
    >
    > Chris Meidinger
    > Tullastrasse 70
    > 79108 Freiburg
    >
    >
    > -----Original Message-----
    > From: Christos Gioran [mailto:himicos@freemail.gr]
    > Sent: Friday, August 15, 2003 10:18 PM
    > To: security-basics
    > Subject: Network scanning: Continued (newbie)
    >
    >
    > Hi all,
    >
    > The recent conversation titled network scanning inspired me to ask the
    > following:
    >
    > Say an imaginary attacker sniffs traffic of a network, having plugged in
    > through a rogue cable. One of the solutions proposed would be to ping sweep
    > the network on regular time intervals checking on the responses. Suppose
    > the attacker raises a firewall with a simple ruleset like (not exact
    > iptables syntax):
    >
    > input --protocol any -j ACCEPT
    > output --protocol any -j DROP
    >
    > and to be paranoid add this:
    >
    > input --protocol icmp -j DROP
    >
    > In iptables, if I am correct, the target DROP causes the packet to be silently
    > dropped. Then this would remedy this approach, correct? The idea is that all
    > outgoing packets will be dropped and only incoming traffic will be monitored,
    > as the attacker desires. This having been said, is the use of special
    > wiring still required?
    >
    > Forgive me for bringing the subject up again but when I originally posted this
    > question (2003-08-13) I was ignored. If I did something wrong please let me
    > know. The posting mentioning the ICMP approach follows.
    >
    > cheers
    >
    > CG
    >
    > > One thing that you could do is use a tool that would send an ICMP
    > > packet to all possible addresses in your particular network. That
    > > won't detect all connecting hosts, in particular if someone jacks in
    > > to sniff only, but that assumes that your network is hub based. If
    > > your network is switch based then people will have a hard time
    > > logging in and sniffing without being detected as they'd normally
    > > have to ARP poison the switch or do something else that would be
    > > detectable.
    > >
    > >
    > > So... the simple 99% answer is, ping all possible IP addresses once,
    > > if you get a response from an address that's not supposed to be
    > > there... well... then you'll know.
    > >
    > > Also, if you use DHCP then you could watch the DHCP log for new
    > > systems... that's not super difficult either.
    >

    --
    straightLiners IT Consulting & Services
    Sebastian Schneider
    Metzer Str. 12
    13595 Berlin
    Germany

    Phone: +49-30-3510-6168
    Fax: +49-30-3510-6169

    This E-Mail may contain confidential and/or privileged information.
    If you are not the intended recipient (or have received this E-Mail
    in error) please notify the sender immediately and destroy this E-Mail.
    Any unauthorized copying, disclosure or distribution of the material
    in this E-Mail is strictly forbidden.


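Sebastian's point is why a ping sweep alone is a weak test against a box whose iptables OUTPUT chain drops every IP packet: netfilter's IPv4 hooks never see ARP, so such a host still answers ARP requests and turns up in the neighbor table, and if it takes a lease it turns up in the DHCP log as the older post suggested. As an added defender-side example (not code from this thread), the script below checks `ip neigh show` snapshots and ISC dhcpd syslog lines against an inventory of known MACs, reporting unknown hosts, IP-to-MAC changes between snapshots, and leases granted to unknown MACs; all hosts, MACs and log lines are constructed.

```python
import re

# Constructed `ip neigh show` snapshots taken at two times (hypothetical hosts).
ARP_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.5 dev eth0 FAILED
"""
ARP_AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""
# Constructed ISC dhcpd syslog lines (hypothetical).
DHCP_LOG = """\
Aug 21 00:10:02 gw dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:0a (fileserver) via eth0
Aug 21 00:12:40 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Aug 21 00:12:41 gw dhcpd: DHCPACK on 192.168.1.99 to de:ad:be:ef:00:02 via eth0
"""
# Inventory of MAC addresses allowed on this segment (constructed).
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:0a"}

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)
DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Map IP -> lowercase MAC; entries without lladdr (e.g. FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def unknown_hosts(table, known):
    """(ip, mac) pairs whose MAC is not in the inventory, sorted by IP string."""
    return sorted((ip, mac) for ip, mac in table.items() if mac not in known)


def mac_changes(before, after):
    """IPs whose MAC differs between snapshots: a classic ARP-poisoning symptom."""
    return {ip: (before[ip], after[ip]) for ip in before if ip in after and before[ip] != after[ip]}


def unknown_dhcp_leases(log, known):
    """Leases (ip, mac) granted to MACs outside the inventory, in log order."""
    acks = (DHCPACK_RE.search(line) for line in log.splitlines())
    return [(m.group(1), m.group(2).lower()) for m in acks if m and m.group(2).lower() not in known]
```

In practice the snapshots come from running `ip neigh show` on a monitoring host after the periodic sweep, so the sweep populates the table and this check reads it.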

