Security Basics mailing list archives
RE: Network scanning: Continued (newbie)
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 18 Aug 2003 11:16:19 +0100
Hello Christos, that would certainly avoid letting the box be detected by a ping. What is sometimes done on an IDS Sensor is using a cable with only incoming and no outgoing wires connected. This can make a box totally silent by making egress packets impossible on layer 1. There is also something called an ethernet tap which can split a signal and give a second box a look at what's going over the wire. (do not use in a full duplex environment unless you are 100% sure the second box will stay silent) Oops, i just saw that you knew about special wiring. At any rate, the box should be pretty silent if put that firewall ruleset on it. I am, however, not 100% sure that it would ignore ARP requests. Maybe a firewall hero can tell you that. If it was me i would use a special cable or a cable tap on a covert box to be really sure that nothing could get out. badenIT GmbH System Support Chris Meidinger Tullastrasse 70 79108 Freiburg -----Original Message----- From: Christos Gioran [mailto:himicos () freemail gr] Sent: Friday, August 15, 2003 10:18 PM To: security-basics Subject: Network scanning: Continued (newbie) Hi all, The recent conversation titled network scanning inspired me to ask the following: Say an imaginary attacker snifs traffic of a network, having plugged in through a rogue cable. One of the solutions proposed would be to ping sweep the network on regular time intervals checking on the responses. Suppose the attacker raises a firewall with a simple ruleset like (not exact iptables syntax): input --protocol any -j ACCEPT output --protocol any -j DROP and to be paranoid add this: input --protocol icmp -j DROP In iptables, if i am correct, the target DROP causes the packet to be silently dropped. Then this would remedy this approach, correct?? The idea is that all outgoing packets will be dropped and only incoming traffic will be monitored, as the attacker desires. This having been said, is the use of special wiring anymore required? Forgive me for bringing the subject up again but when i originally posted this question (2003-08-13) i was ignored. If i did something wrong please let me know. The posting mentioning the ICMP approach follows. cheers CG
One thing that you could do is use a tool that would send an ICMP packet to all possible addresses in your particular network. That won't detect all connecting hosts, in particular if someone jacks in to sniff only, but that assumes that your network is hub based. If your network is switch based then people will have a hard time logging in and sniffing without being detected as they'd normally have to ARP poison the switch or do something else that would be detectable. So... the simple 99% answer is, ping all possible IP addresses once, if you get a response from an address thats not supposed to be there... well... then you'll know. Also, if you use DHCP then you could watch the DHCP log for new systems... thats not super difficult either.
____________________________________________________________________ http://www.freemail.gr - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου. http://www.freemail.gr - free email service for the Greek-speaking. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Network scanning: Continued (newbie) Christos Gioran (Aug 16)
- Re: Network scanning: Continued (newbie) Adam Newhard (Aug 18)
- <Possible follow-ups>
- RE: Network scanning: Continued (newbie) Meidinger Chris (Aug 18)
- Re: Network scanning: Continued (newbie) Schneider Sebastian (Aug 20)
- RE: Network scanning: Continued (newbie) Burt, David (Aug 18)