Security Basics mailing list archives

Re: Network scanning: Continued (newbie)


From: Schneider Sebastian <ses () straightliners de>
Date: Thu, 21 Aug 2003 00:14:11 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As far as I know, ARP requests are handled a layer under IP. That means even with the firewalling rules applied, the ARP request should be processed.

But much more interesting are broadcasts on ethernet level which must be addressed.

Sebastian

On Monday 18 August 2003 12:16, Meidinger Chris wrote:
Hello Christos,

that would certainly avoid letting the box be detected by a ping. What is sometimes done on an IDS sensor is using a cable with only incoming and no outgoing wires connected. This can make a box totally silent by making egress packets impossible on layer 1. There is also something called an ethernet tap which can split a signal and give a second box a look at what's going over the wire. (Do not use in a full duplex environment unless you are 100% sure the second box will stay silent.)

Oops, I just saw that you knew about special wiring. At any rate, the box should be pretty silent if you put that firewall ruleset on it. I am, however, not 100% sure that it would ignore ARP requests. Maybe a firewall hero can tell you that. If it were me, I would use a special cable or a cable tap on a covert box to be really sure that nothing could get out.

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Christos Gioran [mailto:himicos () freemail gr]
Sent: Friday, August 15, 2003 10:18 PM
To: security-basics
Subject: Network scanning: Continued (newbie)


Hi all,

The recent conversation titled network scanning inspired me to ask the
following:

Say an imaginary attacker sniffs traffic of a network, having plugged in through a rogue cable. One of the solutions proposed would be to ping sweep the network on regular time intervals, checking on the responses. Suppose the attacker raises a firewall with a simple ruleset like (not exact iptables syntax):

input --protocol any  -j ACCEPT
output --protocol any -j DROP

and to be paranoid add this:

input --protocol icmp -j DROP

In iptables, if I am correct, the target DROP causes the packet to be silently dropped. Then this would remedy this approach, correct? The idea is that all outgoing packets will be dropped and only incoming traffic will be monitored, as the attacker desires. This having been said, is the use of special wiring still required?

Forgive me for bringing the subject up again, but when I originally posted this question (2003-08-13) I was ignored. If I did something wrong please let me know. The posting mentioning the ICMP approach follows.

cheers

CG

One thing that you could do is use a tool that would send an ICMP
packet to all possible addresses in your particular network.  That
won't detect all connecting hosts, in particular if someone jacks in
to sniff only, but that assumes that your network is hub based.  If
your network is switch based then people will have a hard time
logging in and sniffing without being detected as they'd normally
have to ARP poison the switch or do something else that would be
detectable.


So... the simple 99% answer is, ping all possible IP addresses once; if you get a response from an address that's not supposed to be there... well... then you'll know.

Also, if you use DHCP then you could watch the DHCP log for new systems... that's not super difficult either.


-- 
straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169


This E-Mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this E-Mail in error), please notify the sender immediately and destroy this E-Mail. Any unauthorized copying, disclosure or distribution of the material in this E-Mail is strictly forbidden.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Q/KzQ7mOWZBxbPcRAjaQAJ9HWTlym24RPw50aRF0Gn/VcDKwqwCfW2hF
kKa7Aqtx+52Of+lMVGSSIaU=
=welt
-----END PGP SIGNATURE-----
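The thread makes two defensive points that are easy to turn into a check: a host that DROPs all outgoing IP traffic still answers ARP, because ARP sits below IP and is not touched by the iptables ruleset, so its MAC shows up in the sweeping machine's neighbour table even when no ping reply ever comes back; and the DHCP server log reveals new systems. The script below is an added example, not code from the thread or from any participant. It parses constructed `ip neigh show` output (the format of the Linux `ip` tool) and constructed ISC dhcpd `DHCPACK` syslog lines, and reports every IP/MAC pair that is not in a hypothetical inventory of expected hosts. The inventory, the addresses and the log lines are all made up for the example.

```python
import re

# Constructed inventory of hosts that belong on this segment (IP -> MAC).
# Assumption for the example: a flat /24 with a known, fixed set of hosts.
KNOWN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.10": "00:11:22:33:44:0a",
    "192.168.1.20": "00:11:22:33:44:14",
}

# Constructed sample of `ip neigh show` output captured right after a ping sweep.
# 192.168.1.77 never answered the ping (outgoing IP is dropped by its firewall),
# but it did answer the ARP request the sweep triggered, so it has an lladdr.
# 192.168.1.99 is an unused address: the ARP request failed, no lladdr.
NEIGH_OUTPUT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

# Constructed ISC dhcpd syslog lines; only DHCPACK lines represent a granted lease.
DHCP_LOG = """\
Aug 15 22:01:03 gw dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:0a (desk01) via eth0
Aug 15 22:05:41 gw dhcpd: DHCPACK on 192.168.1.150 to de:ad:be:ef:00:02 via eth0
Aug 15 22:06:00 gw dhcpd: DHCPREQUEST for 192.168.1.150 from de:ad:be:ef:00:02 via eth0
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a resolved link-layer address.

    FAILED/INCOMPLETE entries have no lladdr and are skipped: nobody answered ARP there.
    """
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group(1)] = m.group(3).lower()
    return seen


def parse_dhcp(text):
    """Return {ip: mac} for every lease the server acknowledged (last ACK wins)."""
    seen = {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            seen[m.group(1)] = m.group(2).lower()
    return seen


def find_unknown(observed, known=KNOWN_HOSTS):
    """Flag every observed (ip, mac) pair that is not in the inventory.

    A known IP paired with a different MAC is flagged too, since that is what an
    address collision or a spoofed host looks like from the sweeping machine.
    """
    return {ip: mac for ip, mac in observed.items()
            if known.get(ip, "").lower() != mac}


def audit(neigh_text=NEIGH_OUTPUT, dhcp_text=DHCP_LOG):
    """Combine both sources into a sorted list of (source, ip, mac) findings."""
    findings = []
    for source, parser, text in (("arp", parse_neigh, neigh_text),
                                 ("dhcp", parse_dhcp, dhcp_text)):
        for ip, mac in sorted(find_unknown(parser(text)).items()):
            findings.append((source, ip, mac))
    return findings


if __name__ == "__main__":
    for source, ip, mac in audit():
        print(f"[{source}] unexpected host {ip} ({mac})")
```

Run on a real machine by replacing the constructed strings with `subprocess` captures of `ip neigh show` after the sweep and of the dhcpd log. The limitation the thread already states still holds: a box on a receive-only cable or behind a passive tap never sends a frame, so it appears in neither source; this check only catches hosts that talk on layer 2, which the output-DROP firewall does not prevent.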
