Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Network scanning

From: Sebastian Schneider <ses () straightliners de>
Date: Sun, 10 Aug 2003 20:15:52 +0200
On Sunday 10 August 2003 17:27, White-Tiger wrote:

Ok,
I do not know about eapol for wireless products, just
hardline.

when you plug in your device, you won't be able to see any
broadcasts until you go through the eapol process with the
MAC of the NIC,

this is interesting, i havent worked on that issue before. How is
that eapol working actually?


so if they have access to a PC, they can look at the pc
MAC, then spoof it on the switch with their own device.

just if it allows booting from cd. usually i turn all that options
off and restricting access to the bios as is. In case you're
dealing with a thin-client booting from network i guess this
method is getting even harder.



BUT if they already have access to a network PC, why don't
they just boot from CD and load whatever  CD os with there
tools on it !  that way they don't have to worry about
spoofing.

I kinda thought this is what WEP was for?

WEP is an encryption option for 802.11a/b though its design is
rather weak and can be cracked quite fast.



How about depending on os, the client side of wireless, had
a cert file, that creates a VPN that all traffic gets sent
through,  Not impossible to sniff, but just would take them
a while, depending how strong crypto you use.


in this case an simple IPSec AH in transport mode would do it, since
it should be able to traverse NAT/PAT.
but using certificates makes it hard to administrate though
you could set up a CA.



--- Sebastian Schneider <ses () straightliners de> wrote:

no problem ;-)


I am sorry I got on this late... Some switches support
eapol
that works with a radius server to auth mac address at


port


level before the switch will enable that port... I have
done limited testing.  If you unplug a live connect,


not


only will someone be calling saying that something


doesn't


work, but when they plug in there NIC the switch will


see a


new MAC and disable the port.



Some one can give some ideas about MAC spoofing, But
doesn't the NIC give its real MAC to the switch while


you


are trying to spoof someone elses MAC?


if someone is setting the card into listening mode,
nobody
will get any address (i haven't checked this one out
yet)...
and by analyzing broadcast traffic you might be able to
get existing MACs on the network and spoof hosts easily.
this is a big deal for wireless based communications

On Saturday 09 August 2003 17:18, White-Tiger wrote:

I am sorry I got on this late... Some switches support
eapol
that works with a radius server to auth mac address at


port


level before the switch will enable that port... I have
done limited testing.  If you unplug a live connect,


not


only will someone be calling saying that something


doesn't


work, but when they plug in there NIC the switch will


see a


new MAC and disable the port.



Some one can give some ideas about MAC spoofing, But
doesn't the NIC give its real MAC to the switch while


you


are trying to spoof someone elses MAC?

if this is the case, then you can disable and port that


is


not a known MAC.

I have a baystack450, and I can setup the MAC in each


of


the switchs,  but that will be kinda hard to maintain.


So


I am looking at free radius for OpenBSD that supports
eapol, so I can just setup a file with all allowed


MACs.


Hope this helps,  sorry if someone already said this, I


am


a little late on the thread.


WT

--- Sebastian Schneider <ses () straightliners de> wrote:

On Friday 08 August 2003 14:19, CHRIS GRABENSTEIN


wrote:

As far as the hard wires, I think the best solution


is


to search out those


unused ports and unplug them from the switch.  They


can


be quickly


reconnected if needed, and you'll know about it.


I guess you're actually aware, that not everyone is
locking up rooms
containing switches.
And just plugging out unused cables won't be


sufficient,


since usually
I just can plug out any computer and plug in my own.


|-----Original Message-----
|From: netsec novice [mailto:netsec9 () hotmail com]
|Sent: Thursday, August 07, 2003 4:51 PM
|To: security-basics () securityfocus com
|Subject: Network scanning
|
|
|Are there tools out there that would allow system


administrators to be


|notified when a new workstation attaches to a


network?


 I'm


|thinking both
|wireless and ethernet in this case.  SNMP maybe?


I am


in a


|credit union
|environment and my concern is that someone would


be


able to steal an


|existing jack or a jack that is not physically


protected but


|live and be
|able to capture traffic or do reconaissance.  We


don't


have


|Wireless access
|at this point but may look to it in the future.


My


only


|thought in that
|case would be to encrypt all traffic since


wireless


security


|is a bit scary
|at this point.  Any ideas?


---------------------------------------------------------------------------




---------------------------------------------------------------------------


-


--

-----------------------------
straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
Mail: ses () straightliners de


Diese E-Mail enthält vertrauliche und/oder rechtlich
geschützte Informationen.
Wenn Sie nicht der richtige Adressat sind oder diese
E-Mail irrtümlich
erhalten haben,
informieren Sie bitte sofort den Absender und


vernichten


Sie diese Mail.
Das unerlaubte Kopieren sowie die unbefugte


Weitergabe


dieser Mail ist nicht
gestattet.

This e-mail may contain confidential and/or


privileged


information.
If you are not the intended recipient (or have


received


this e-mail in error)
please notify the sender immediately and destroy this
e-mail. Any unauthorized
copying,
disclosure or distribution of the material in this


e-mail


is strictly
forbidden.


---------------------------------------------------------------------------



---------------------------------------------------------------------------

=== message truncated ===


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


-- 


straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
Mail: ses () straightliners de


Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen.
Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich 
erhalten haben,
informieren Sie bitte sofort den Absender und vernichten Sie diese Mail.
Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht 
gestattet.

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any unauthorized 
copying,
disclosure or distribution of the material in this e-mail is strictly 
forbidden.

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: