Security Basics mailing list archives
RE: Network scanning: Continued (newbie)
From: "Burt, David" <david.burt () wcsr com>
Date: Mon, 18 Aug 2003 14:21:24 -0400
Please see Confidentiality Notice before reading email. ******************************************************************* I don't think an ip address is required for sniffing. I think you would have to arp request the mac of the sniffing party to find them. -----Original Message----- From: Adam Newhard [mailto:atnewhard () microstrain com] Sent: Monday, August 18, 2003 8:59 AM To: security-basics Subject: Re: Network scanning: Continued (newbie) Why don't you just regulate the ip numbers...in other words, if a machine goes off the network, that ip can no longer be used...you control the ip's completely. Pretty much the same idea as mac filtering. Then, no matter what he does he won't get an ip address and won't be able to do beans. This might be a little off, but you might like this article on security focus about physically tracking down a machine...someone here probably has a link to it...i don't and unfortunately i don't have time to search for it...scan some of the security focus archives. adam ----- Original Message ----- From: "Christos Gioran" <himicos () freemail gr> To: "security-basics" <security-basics () securityfocus com> Sent: Friday, August 15, 2003 4:17 PM Subject: Network scanning: Continued (newbie)
Hi all, The recent conversation titled network scanning inspired me to ask the following: Say an imaginary attacker snifs traffic of a network, having plugged in through a rogue cable. One of the solutions proposed would be to ping
sweep
the network on regular time intervals checking on the responses. Suppose
the
attacker raises a firewall with a simple ruleset like (not exact iptables syntax): input --protocol any -j ACCEPT output --protocol any -j DROP and to be paranoid add this: input --protocol icmp -j DROP In iptables, if i am correct, the target DROP causes the packet to be
silently
dropped. Then this would remedy this approach, correct?? The idea is that
all
outgoing packets will be dropped and only incoming traffic will be
monitored,
as the attacker desires. This having been said, is the use of special
wiring
anymore required? Forgive me for bringing the subject up again but when i originally posted
this
question (2003-08-13) i was ignored. If i did something wrong please let
me
know. The posting mentioning the ICMP approach follows. cheers CGOne thing that you could do is use a tool that would send an ICMP packet to all possible addresses in your particular network. That won't detect all connecting hosts, in particular if someone jacks in to sniff only, but that assumes that your network is hub based. If your network is switch based then people will have a hard time logging in and sniffing without being detected as they'd normally have to ARP poison the switch or do something else that would be detectable. So... the simple 99% answer is, ping all possible IP addresses once, if you get a response from an address thats not supposed to be there... well... then you'll know. Also, if you use DHCP then you could watch the DHCP log for new systems... thats not super difficult either.____________________________________________________________________ http://www.freemail.gr - d??e?? ?p??es?a ??e?t??????? ta??d???e???. http://www.freemail.gr - free email service for the Greek-speaking. --------------------------------------------------------------------------
-
--------------------------------------------------------------------------
--
--------------------------------------------------------------------------- ---------------------------------------------------------------------------- ******************************************************************* CONFIDENTIALITY NOTICE: This electronic mail transmission may have been sent on behalf of a lawyer. It may contain information that is confidential, privileged, proprietary, or otherwise legally exempt from disclosure. If you are not the intended recipient, you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this message, any part of it, or any attachments. If you have received this message in error, please delete this message and any attachments from your system without reading the content and notify the sender immediately of the inadvertent transmission. There is no intent on the part of the sender to waive any privilege, including the attorney-client privilege, that may attach to this communication. The sender of this electronic mail transmission is not authorized to practice law and all information and materials included herewith are under the supervision of and subject to the review of counsel and should not be relied upon until such review has occurred. Thank you for your cooperation. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Network scanning: Continued (newbie) Christos Gioran (Aug 16)
- Re: Network scanning: Continued (newbie) Adam Newhard (Aug 18)
- <Possible follow-ups>
- RE: Network scanning: Continued (newbie) Meidinger Chris (Aug 18)
- Re: Network scanning: Continued (newbie) Schneider Sebastian (Aug 20)
- RE: Network scanning: Continued (newbie) Burt, David (Aug 18)