RE: Win XP IP address hijack?

From: Burton@SNS
Date: 12/14/01

• Previous message: Cedric Blancher: "Re: iptables 'syn but not new' packets"
• In reply to: Curt Wilson: "Win XP IP address hijack?"
• Next in thread: Dimitry Andric: "Re: Win XP IP address hijack?"
• Reply: Dimitry Andric: "Re: Win XP IP address hijack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Burton@SNS" <Burton@SmallNetSolutions.com>
To: <vuln-dev@securityfocus.com>
Date: Fri, 14 Dec 2001 16:03:14 -0600

Historically for Microsoft's multiple-user operating systems (e.g. Windows
NT and Windows 2K), those messages are in the event log, not a console
alert. Did you check there?

-----Burton

-----Original Message-----
From: Curt Wilson [mailto:cwsecgeek@yahoo.com]
Sent: Friday, December 14, 2001 3:37 AM
To: vuln-dev@securityfocus.com
Subject: Win XP IP address hijack?

I was doing some experimentation in my home lab
recently and came across something I thought was
interesting. I would enjoy any comments on this
potential issue, which may be known already but is a
new one for me.

I was running a desktop with Win XP pro using a
static IP address. I booted up a laptop running Win98
with a duplicate IP address; the duplicate IP address
message appeared on the 98 box and the 98
interface was disabled. XP connectivitiy worked as
normal. (this is standard operation so far). I shut
down the win98 box.

Next, I booted a RedHat 7.0 system using the same
static IP address. XP lost it's IP, showing 0.0.0.0, did
not display any message about this, and the Linux
box hummed away happily, receiving connections
destined for that IP. Perhaps the RH system
implements it's ARP/duplicate IP address check in a
different manner that is not recognized by XP, at least
in this particular instance.

I did not test this with any other version of windows
but, having never tried this particular scenario, I was
wondering if this is normal operation? If this is of any
interest I'll grab a sniff of the traffic.

Secgeek

---

• Previous message: Cedric Blancher: "Re: iptables 'syn but not new' packets"
• In reply to: Curt Wilson: "Win XP IP address hijack?"
• Next in thread: Dimitry Andric: "Re: Win XP IP address hijack?"
• Reply: Dimitry Andric: "Re: Win XP IP address hijack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Cant get out of safe mode ... Norton web support links suggested my remaining problem ... No restore points get it out of safe mode, ... duplicate drive ... How to perform an in-place upgrade of Windows ... (microsoft.public.windowsxp.help_and_support) Re: Need help sorting images. ... In Windows Explorer add "Date Picture Taken" to the columns of the ... :>> I have been asked to sort a lot of images into subfolders based ... You'd still want a tool such as uniq to handle duplicate ... Because two cameras were used and one camera was left on PDT, ... (rec.photo.digital) Re: How do I stop duplication and get rid of them ... > duplicate of everything on my desktop in the admin files. ... Create and Configure User Accounts in Windows XP ... Folders in Windows XP ... Why you should use a computer firewall.. ... (microsoft.public.windowsxp.perform_maintain) Re: Netbios duplicate name error ... assist you to the best of my ability. ... Windows NT/2000/2003 Cluster Technologies ... A duplicate name has been detected on the TCP network. ... (microsoft.public.win2000.advanced_server) Re: Concrete Examples of Duplicate SID problems--Do yall have any? ... Do not disk duplicate installed versions of Windows ... The Microsoft Policy Concerning Disk Duplication of Windows XP Installations ... | problems if you have duplicate SIDs in a workgroup setting, ... (microsoft.public.windowsxp.setup_deployment)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)