Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 28 Jun 2006 14:29:33 -0400

On Tue, 27 Jun 2006 09:42:14 EDT, Caroline Couture said:
> How would you do this kind of scan? Would you have the computer on the network and
> scan the ip with nmap or do something else so the computer is not live on the
> network?

I'd configure their port 'down' at the switch end of the cable, and then unplug
the cat-5 at the system end, and replace it with a crossover cable connected to
a laptop that's been ifconfig'ed to appear to be on the subnet the computer was
on, and then launch the nmap from the laptop.

Bonus points if you use a VLAN solution to put them on a different VLAN with
the same IP address to save having to make a house call, and/or if your laptop
solution leverages ARP and/or ICMP Redirect to either autoconfigure itself
onto the correct "subnet" or snarf up the IP address of the default router...

If you're still using thinwire rather than cat-5, your jump bag should
have the pieces needed to build a 2-foot-long thinwire network - I keep
an old 8-port stupid hub (you want a hub, not a switch, here) with a
thinwire uplink port for just such occasions. Every time I think we've
stamped out thinwire campus-wide, I get proven wrong in an encounter
with ancient lab equipment on a homegrown private network.
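The isolate-and-scan procedure Valdis describes (shut the switch port, crossover cable to a laptop, laptop configured onto the suspect's subnet, scan from the laptop), with the "bonus points" of learning the subnet and router address from the suspect's own ARP traffic, as an added example that is not part of the original post or the list. It assumes a Linux laptop with tcpdump, iproute2 and nmap, an interface name of eth1, and a /24 mask (a guess that you would replace with the real one); the ARP capture it parses is a constructed sample in the tcpdump -n format, not a real trace.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a Linux laptop
# with tcpdump, iproute2 and nmap, plugged by crossover cable into the
# suspect host's NIC after its switch port has been shut. The /24 mask and
# the eth1 interface name are assumptions; replace them with the real ones.

# Constructed sample of "tcpdump -n -l arp" output, for the demo below.
SAMPLE_ARP='12:00:01.000 ARP, Request who-has 10.1.2.1 tell 10.1.2.57, length 46
12:00:02.000 ARP, Request who-has 10.1.2.1 tell 10.1.2.57, length 46
12:00:03.000 ARP, Reply 10.1.2.1 is-at 00:11:22:33:44:55, length 28
12:00:04.000 ARP, Request who-has 10.1.2.99 tell 10.1.2.57, length 46'

# Read tcpdump ARP lines on stdin and print "<host_ip> <router_ip>".
# The suspect's own address is the "tell" address it puts in its requests;
# the address it asks for most often is almost always its default router
# (it re-ARPs for the router every time the cache entry expires).
learn_from_arp() {
    awk '
        /ARP, Request who-has/ {
            sender = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "who-has") target = $(i + 1)
                if ($i == "tell")    sender = $(i + 1)
            }
            sub(/,$/, "", sender)     # tcpdump leaves a comma after the IP
            sub(/,$/, "", target)
            if (sender != "") senders[sender]++
            if (target != "") targets[target]++
        }
        END {
            for (s in senders) if (senders[s] > maxs) { maxs = senders[s]; host = s }
            for (t in targets) if (targets[t] > maxt) { maxt = targets[t]; router = t }
            if (host != "") print host, router
        }'
}

# Choose an address for the laptop on the same (assumed /24) network that
# collides with neither the suspect nor its router.
pick_laptop_addr() {
    host=$1; router=$2
    prefix=${host%.*}
    for last in 250 251 252 253; do
        cand="$prefix.$last"
        if [ "$cand" != "$host" ] && [ "$cand" != "$router" ]; then
            echo "$cand/24"
            return 0
        fi
    done
    return 1
}

# Emit the commands that bring the laptop up on that subnet, take over the
# router's address so the suspect's off-net traffic lands on the laptop,
# and run a full TCP port scan with service detection against the suspect.
build_commands() {
    iface=$1; host=$2; router=$3; laptop=$4
    cat <<EOF
ip addr flush dev $iface
ip addr add $laptop dev $iface
ip link set $iface up
ip addr add $router/32 dev $iface
nmap -n -Pn -sS -sV -p- -oA "scan-$host" $host
EOF
}

# Demo on the constructed capture: prints the plan without touching anything.
demo() {
    set -- $(printf '%s\n' "$SAMPLE_ARP" | learn_from_arp)
    laptop=$(pick_laptop_addr "$1" "$2") || return 1
    build_commands eth1 "$1" "$2" "$laptop"
}

# Live use: sniff 20 ARP frames on $1 (default eth1), then print the plan
# for the operator to review and, if it looks right, pipe into sh.
main() {
    iface=${1:-eth1}
    set -- $(tcpdump -n -l -c 20 -i "$iface" arp 2>/dev/null | learn_from_arp)
    [ -n "$1" ] || { echo "no ARP requests seen on $iface" >&2; return 1; }
    laptop=$(pick_laptop_addr "$1" "$2") || return 1
    build_commands "$iface" "$1" "$2" "$laptop"
}

case "$0" in *isolate-scan.sh) main "$@" ;; esac
```

The script only prints the plan; read it before running it, since the flush drops every address the laptop's interface already has. Scanning from a separate box is the point of the whole exercise for rootkit hunting: a kernel rootkit can hide a listening socket from netstat and lsof on the infected machine, but it cannot hide it from a SYN arriving on the wire, so any port the external scan shows open that the host itself does not report is worth a hard look. Add a UDP pass (-sU) if time allows; it is much slower than the TCP sweep.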
