RE: Network scanning: Continued (newbie)

[Meidinger Chris <chris.meidinger () badenit de>]

Hello Christos,

that would certainly avoid letting the box be detected by a ping. What is
sometimes done on an IDS Sensor is using a cable with only incoming and no
outgoing wires connected. This can make a box totally silent by making
egress packets impossible on layer 1. There is also something called an
ethernet tap which can split a signal and give a second box a look at what's
going over the wire. (do not use in a full duplex environment unless you are
100% sure the second box will stay silent)

Oops, i just saw that you knew about special wiring. At any rate, the box
should be pretty silent if put that firewall ruleset on it. I am, however,
not 100% sure that it would ignore ARP requests. Maybe a firewall hero can
tell you that. If it was me i would use a special cable or a cable tap on a
covert box to be really sure that nothing could get out.

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Christos Gioran [mailto:himicos () freemail gr]
Sent: Friday, August 15, 2003 10:18 PM
To: security-basics
Subject: Network scanning: Continued (newbie)


Hi all,

The recent conversation titled network scanning inspired me to ask the
following:

Say an imaginary attacker snifs traffic of a network, having plugged in
through a rogue cable. One of the solutions proposed would be to ping sweep
the network on regular time intervals checking on the responses. Suppose the
attacker raises a firewall with a simple ruleset like (not exact iptables
syntax):

input --protocol any  -j ACCEPT
output --protocol any -j DROP

and to be paranoid add this:

input --protocol icmp -j DROP

In iptables, if i am correct, the target DROP causes the packet to be
silently
dropped. Then this would remedy this approach, correct?? The idea is that
all
outgoing packets will be dropped and only incoming traffic will be
monitored,
as the attacker desires. This having been said, is the use of special wiring
anymore  required?

Forgive me for bringing the subject up again but when i originally posted
this
question (2003-08-13) i was ignored. If i did something wrong please let me
know. The posting mentioning the ICMP approach follows.

cheers

CG

> One thing that you could do is use a tool that would send an ICMP
> packet to all possible addresses in your particular network.  That
> won't detect all connecting hosts, in particular if someone jacks in
> to sniff only, but that assumes that your network is hub based.  If
> your network is switch based then people will have a hard time
> logging in and sniffing without being detected as they'd normally
> have to ARP poison the switch or do something else that would be
> detectable.
>
>
> So... the simple 99% answer is, ping all possible IP addresses once,
> if you get a response from an address thats not supposed to be
> there... well... then you'll know.
>
> Also, if you use DHCP then you could watch the DHCP log for new
> systems... thats not super difficult either.



____________________________________________________________________
http://www.freemail.gr - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου.
http://www.freemail.gr - free email service for the Greek-speaking.

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------