Re: workgroup

["Vic Parat" <vic.parat () nssecurity com>]

> Sorry I forgot to mention, we don't use DHCP and never will.  Everything
is
> static.
> Maybe I didn't make myself clear enought. Let me try again.
> When joe brings his computer to work, his computer will most likely have a
> different workgroup setup like say, joehome.
> So when I browse the network neighborhood, I see the workgroup joehome.
> Then If I go into joehome, I will see joe.
> But, what I'm trying to say is that, if I see the workgroup joehome, and
try
> to access it, it times out or get some error message.
> How can I see what computer name is in that workgroup.  Without the
computer
> name I can't do a nbtstat command to get the Ip adsress.
> I hope this is more helpfull.

You could be viewing ghosted workgroups (workgroups that are cached but the
workgroup server is turned down) or could be that the server behind the
workgroup is not offering any shares/printers.  A good explanation of
browsing can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;188001

Your best bet is to probably sniff the network if you must know all of the
workgroup broadcasts.  You can capture the info even if your network is
switched since the target is your.subnet.255.  Here is the windump/tcpdump
syntax:
windump -vvv -n -s 243 -X udp and port 138

Look at the src ip and starting at byte 0x00CA for the workgroup name.  Then
do a nbtstat -A src.ip and look for the <03>s.  Obviously, you'll have to do
this per segment unless routers pass broadcast traffic.

----- Original Message -----
From: "Kenzo" <kenzo_chin () hotmail com>
To: <security-basics () securityfocus com>
Sent: Wednesday, February 12, 2003 10:03 AM
Subject: Re: workgroup


> ----- Original Message -----
> From: "Vic Parat" <vic.parat () nssecurity com>
> To: "Kenzo" <kenzo_chin () hotmail com>; <security-basics () securityfocus com>
> Sent: Tuesday, February 11, 2003 11:55 AM
> Subject: Re: workgroup
>
>
> > Kenzo,
> >   This reason you're seeing windows workgroup "pop up" is that they
> > broadcast their names every so often and that broadcast is cached.
Going
> to
> > ad will not stop the broadcast and they will still show up.
>
> I meant to say that I wanted to go to AD not to stop this, but just
because
> It's better.
>
>
> >  Workgroups are
> > base on a peer to peer model where accounts are held locally to each
> > machine, you really couldn't get in unless you had an account on each
> > machine belonging to the workgroup.  Regardless of the local policy,
they
> > will still need to broadcast their nbt name table which you can capture
> via
> > your local nbt cache: c:\nbtstat -c.  At which point you can look them
up
> > via: c:\nbtstat -A xxx.xxx.xxx.xxx (their ip address).  Look for any nbt
> > types <03> (messenger service), it will should list their computer name
> and
> > the currently logged on account.  This all assuming they have not
disabled
> > NetBIOS on their network interface, in which all of this is mute
including
> > the name broadcast.  You can also look at your current leases on your
dhcp
> > server.
>
> Sorry I forgot to mention, we don't use DHCP and never will.  Everything
is
> static.
> Maybe I didn't make myself clear enought. Let me try again.
> When joe brings his computer to work, his computer will most likely have a
> different workgroup setup like say, joehome.
> So when I browse the network neighborhood, I see the workgroup joehome.
> Then If I go into joehome, I will see joe.
> But, what I'm trying to say is that, if I see the workgroup joehome, and
try
> to access it, it times out or get some error message.
> How can I see what computer name is in that workgroup.  Without the
computer
> name I can't do a nbtstat command to get the Ip adsress.
> I hope this is more helpfull.
>
> > Side note: you're given your end users a lot of credit regarding their
> > technical knowledge.  My experience shows that users don't know a thing
> > about workgroups, local policies, or protocol filtering.  They just plug
> in
> > and expect to be able to do their job.
> > Vic Parat
> >
> > ----- Original Message -----
> > From: "Kenzo" <kenzo_chin () hotmail com>
> > To: <security-basics () securityfocus com>
> > Sent: Tuesday, February 11, 2003 8:31 AM
> > Subject: workgroup
> >
> >
> > > I was wondering if there's a way to see who's in a windows workgroup.
> > > Yes, my work still use windows workgroup.  I 've been trying to change
> > that
> > > to AD so that the guys to have to run around just to install updates.
> > > Getting there slowly.
> > > Anyways, I've notice that sometimes a workgroup will just pop up. Most
> of
> > > the time when someone brings in a laptop from home and plugs it in, it
> > will
> > > do that.  But now, In windows 2000, you have an option that you can
set
> so
> > > that no one can get in your computer( I believe in the local security
> > > policy), so anyone trying to go into the workgroup won't be able to.
> > > Usually if someone bring in their laptop, they let us know ahead of
time
> > to
> > > make sure that it's ok, but what if someone did come in and set their
> > > computer to block all access to it, how can I see who it is. Like the
> > > computer name or IP address.
> > >
> > > Thanks.