Security Basics mailing list archives

RE: Network scanning: Continued (newbie)


From: "Burt, David" <david.burt () wcsr com>
Date: Mon, 18 Aug 2003 14:21:24 -0400

Please see Confidentiality Notice before reading email.
*******************************************************************

I don't think an ip address is required for sniffing.  I think you would
have to arp request the mac of the sniffing party to find them.

-----Original Message-----
From: Adam Newhard [mailto:atnewhard () microstrain com]
Sent: Monday, August 18, 2003 8:59 AM
To: security-basics
Subject: Re: Network scanning: Continued (newbie)


Why don't you just regulate the ip numbers...in other words, if a machine
goes off the network, that ip can no longer be used...you control the ip's
completely.  Pretty much the same idea as mac filtering.  Then, no matter
what he does he won't get an ip address and won't be able to do beans.  This
might be a little off, but you might like this article on security focus
about physically tracking down a machine...someone here probably has a link
to it...i don't and unfortunately i don't have time to search for it...scan
some of the security focus archives.
adam

----- Original Message ----- 
From: "Christos Gioran" <himicos () freemail gr>
To: "security-basics" <security-basics () securityfocus com>
Sent: Friday, August 15, 2003 4:17 PM
Subject: Network scanning: Continued (newbie)


Hi all,

The recent conversation titled network scanning inspired me to ask the
following:

Say an imaginary attacker sniffs traffic of a network, having plugged in
through a rogue cable. One of the solutions proposed would be to ping sweep
the network on regular time intervals checking on the responses. Suppose the
attacker raises a firewall with a simple ruleset like (not exact iptables
syntax):

input --protocol any  -j ACCEPT
output --protocol any -j DROP

and to be paranoid add this:

input --protocol icmp -j DROP

In iptables, if I am correct, the target DROP causes the packet to be silently
dropped. Then this would remedy this approach, correct?? The idea is that all
outgoing packets will be dropped and only incoming traffic will be monitored,
as the attacker desires. This having been said, is the use of special wiring
any more required?

Forgive me for bringing the subject up again but when I originally posted this
question (2003-08-13) I was ignored. If I did something wrong please let me
know. The posting mentioning the ICMP approach follows.

cheers

CG


One thing that you could do is use a tool that would send an ICMP
packet to all possible addresses in your particular network.  That
won't detect all connecting hosts, in particular if someone jacks in
to sniff only, but that assumes that your network is hub based.  If
your network is switch based then people will have a hard time
logging in and sniffing without being detected as they'd normally
have to ARP poison the switch or do something else that would be
detectable.


So... the simple 99% answer is, ping all possible IP addresses once,
if you get a response from an address that's not supposed to be
there... well... then you'll know.

Also, if you use DHCP then you could watch the DHCP log for new
systems... that's not super difficult either.



____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.



*******************************************************************
CONFIDENTIALITY NOTICE: This electronic mail transmission may have 
been sent on behalf of a lawyer. It may contain information that
is confidential, privileged, proprietary, or otherwise legally
exempt from disclosure. If you are not the intended recipient,
you are hereby notified that you are not authorized to read,
print, retain, copy or disseminate this message, any part of it,
or any attachments. If you have received this message in error,
please delete this message and any attachments from your system
without reading the content and notify the sender immediately of
the inadvertent transmission. There is no intent on the part of
the sender to waive any privilege, including the attorney-client
privilege, that may attach to this communication. The sender of
this electronic mail transmission is not authorized to practice
law and all information and materials included herewith are under
the supervision of and subject to the review of counsel and should
not be relied upon until such review has occurred. Thank you for
your cooperation.
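The thread contrasts three detection sources for a plugged-in host: ICMP echo sweeps (which a host with an output-DROP firewall will not answer), the ARP cache of the sweeping machine (David Burt's point that you would have to ARP for the MAC), and the DHCP server's lease records. The following script is an added example, not code from any poster in this thread; it reconciles those three sources over constructed sample data. The host names, IPs and MACs are invented; the ARP snapshot mimics the Linux `arp -an` layout and the lease excerpt mimics the ISC dhcpd leases file, but both are constructed here. The function names (`parse_arp`, `parse_leases`, `reconcile`, `run_example`) are this example's own.

```python
"""Reconcile a ping-sweep result set with an ARP-cache snapshot and DHCP leases.

Defender-side view of the thread: a host that drops all outgoing IP traffic
with iptables still shows up in the sweeper's ARP cache (ARP is not IP and is
not filtered by the iptables filter table), so "in ARP but silent to ICMP" is
the signal worth alerting on. All inputs below are constructed sample data.
"""
import re
from dataclasses import dataclass

# --- constructed inputs (invented network, not captured anywhere) -----------

# Addresses that answered the periodic ICMP echo sweep.
PING_RESPONDERS = {"192.168.1.1", "192.168.1.10", "192.168.1.11"}

# Snapshot of the sweeping host's ARP cache in Linux `arp -an` layout.
ARP_SNAPSHOT = """\
? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:11 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:77 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Inventory of MAC addresses allowed on this segment (constructed).
KNOWN_MACS = {
    "00:11:22:33:44:01": "gateway",
    "00:11:22:33:44:10": "ws-alice",
    "00:11:22:33:44:11": "ws-bob",
    "00:11:22:33:44:77": "printer",
}

# Excerpt in ISC dhcpd leases-file layout (constructed).
DHCP_LEASES = """\
lease 192.168.1.10 {
  hardware ethernet 00:11:22:33:44:10;
}
lease 192.168.1.11 {
  hardware ethernet 00:11:22:33:44:11;
}
lease 192.168.1.77 {
  hardware ethernet 00:11:22:33:44:77;
}
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)
LEASE_RE = re.compile(
    r"lease (?P<ip>[\d.]+) \{.*?hardware ethernet (?P<mac>[0-9a-f:]{17});",
    re.I | re.S,
)


def parse_arp(text):
    """Return {ip: mac} for completed ARP entries; <incomplete> rows never match."""
    return {m["ip"]: m["mac"].lower() for m in ARP_RE.finditer(text)}


def parse_leases(text):
    """Return {ip: mac}; a later lease block for the same IP overrides an earlier one,
    which matches how dhcpd appends to its leases file."""
    return {m["ip"]: m["mac"].lower() for m in LEASE_RE.finditer(text)}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def reconcile(ping_responders, arp_table, leases, known_macs):
    """Cross-check every completed ARP entry against the other two sources."""
    findings = []
    for ip, mac in sorted(arp_table.items()):
        if mac not in known_macs:
            findings.append(Finding(ip, mac, "mac not in inventory"))
        if ip not in ping_responders:
            # The firewall-DROP case from the thread: the host answers ARP
            # (kernel-level, below iptables) but stays silent to ICMP echo.
            findings.append(Finding(ip, mac, "answers ARP but not ICMP echo"))
        if ip in leases and leases[ip] != mac:
            # Someone is using an address the DHCP server leased to a different MAC.
            findings.append(Finding(ip, mac, "arp mac differs from dhcp lease mac"))
    return findings


def run_example():
    """Run the reconciliation over the constructed inputs and return the findings."""
    return reconcile(PING_RESPONDERS, parse_arp(ARP_SNAPSHOT),
                     parse_leases(DHCP_LEASES), KNOWN_MACS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ip:<15} {f.mac}  {f.reason}")
```

On the constructed data only 192.168.1.77 is flagged, three times: its MAC is not in the inventory, it did not answer the sweep, and the MAC in the ARP cache is not the one the DHCP server leased that address to. The 192.168.1.99 entry is skipped because an incomplete ARP entry means nobody answered for that address at all. On a switched network the sweeping host only sees ARP for addresses it has itself tried to reach, so the sweep and the ARP snapshot should be taken from the same machine, immediately one after the other.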


