Security Basics mailing list archives
Re: workgroup
From: "Vic Parat" <vic.parat () nssecurity com>
Date: Wed, 12 Feb 2003 23:51:03 -0800
Sorry I forgot to mention, we don't use DHCP and never will. Everything is static. Maybe I didn't make myself clear enough. Let me try again. When joe brings his computer to work, his computer will most likely have a different workgroup setup like say, joehome. So when I browse the network neighborhood, I see the workgroup joehome. Then if I go into joehome, I will see joe. But, what I'm trying to say is that, if I see the workgroup joehome, and try to access it, it times out or I get some error message. How can I see what computer name is in that workgroup? Without the computer name I can't do a nbtstat command to get the IP address. I hope this is more helpful.

You could be viewing ghosted workgroups (workgroups that are cached but the workgroup server is turned down) or could be that the server behind the workgroup is not offering any shares/printers. A good explanation of browsing can be found here: http://support.microsoft.com/default.aspx?scid=kb;en-us;188001

Your best bet is to probably sniff the network if you must know all of the workgroup broadcasts. You can capture the info even if your network is switched since the target is your.subnet.255. Here is the windump/tcpdump syntax:

    windump -vvv -n -s 243 -X udp and port 138

Look at the src ip and starting at byte 0x00CA for the workgroup name. Then do a nbtstat -A src.ip and look for the <03>s. Obviously, you'll have to do this per segment unless routers pass broadcast traffic.

----- Original Message -----
From: "Kenzo" <kenzo_chin () hotmail com>
To: <security-basics () securityfocus com>
Sent: Wednesday, February 12, 2003 10:03 AM
Subject: Re: workgroup

----- Original Message -----
From: "Vic Parat" <vic.parat () nssecurity com>
To: "Kenzo" <kenzo_chin () hotmail com>; <security-basics () securityfocus com>
Sent: Tuesday, February 11, 2003 11:55 AM
Subject: Re: workgroup

Kenzo,

The reason you're seeing windows workgroup "pop up" is that they broadcast their names every so often and that broadcast is cached. Going to AD will not stop the broadcast and they will still show up.

I meant to say that I wanted to go to AD not to stop this, but just because it's better.

Workgroups are based on a peer to peer model where accounts are held locally to each machine, you really couldn't get in unless you had an account on each machine belonging to the workgroup. Regardless of the local policy, they will still need to broadcast their nbt name table which you can capture via your local nbt cache: c:\nbtstat -c. At which point you can look them up via: c:\nbtstat -A xxx.xxx.xxx.xxx (their ip address). Look for any nbt types <03> (messenger service), it should list their computer name and the currently logged on account. This all assuming they have not disabled NetBIOS on their network interface, in which case all of this is moot including the name broadcast. You can also look at your current leases on your dhcp server.

Sorry I forgot to mention, we don't use DHCP and never will. Everything is static. Maybe I didn't make myself clear enough. Let me try again. When joe brings his computer to work, his computer will most likely have a different workgroup setup like say, joehome. So when I browse the network neighborhood, I see the workgroup joehome. Then if I go into joehome, I will see joe. But, what I'm trying to say is that, if I see the workgroup joehome, and try to access it, it times out or I get some error message. How can I see what computer name is in that workgroup? Without the computer name I can't do a nbtstat command to get the IP address. I hope this is more helpful.

Side note: you're giving your end users a lot of credit regarding their technical knowledge. My experience shows that users don't know a thing about workgroups, local policies, or protocol filtering. They just plug in and expect to be able to do their job.

Vic Parat

----- Original Message -----
From: "Kenzo" <kenzo_chin () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 11, 2003 8:31 AM
Subject: workgroup

I was wondering if there's a way to see who's in a windows workgroup. Yes, my work still uses windows workgroup. I've been trying to change that to AD so that the guys to have to run around just to install updates. Getting there slowly.

Anyways, I've noticed that sometimes a workgroup will just pop up. Most of the time when someone brings in a laptop from home and plugs it in, it will do that. But now, in Windows 2000, you have an option that you can set so that no one can get in your computer (I believe in the local security policy), so anyone trying to go into the workgroup won't be able to. Usually if someone brings in their laptop, they let us know ahead of time to make sure that it's ok, but what if someone did come in and set their computer to block all access to it, how can I see who it is? Like the computer name or IP address. Thanks.
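
Added example, not part of the original message: instead of reading the workgroup name by eye at a hex-dump offset, this sketch decodes the two first-level-encoded NetBIOS names in the datagram header (RFC 1002) of a UDP port 138 payload, giving the sender's computer name and the group it addressed. The function names are hypothetical, the sample packet is constructed (names taken from the thread, a documentation IP address), and it assumes a direct or broadcast datagram with unscoped names whose destination is the workgroup.

```python
import socket
import struct

# NetBIOS datagram header: type, flags, id, source IP, source port, length, offset
NBDS_HEADER = struct.Struct("!BBH4sHHH")
NAMED_TYPES = {0x10, 0x11, 0x12}  # direct unique, direct group, broadcast

def encode_name(name, suffix):
    """First-level encode a NetBIOS name (only used to build the sample)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    body = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + body + b"\x00"

def decode_name(buf, pos):
    """Decode one encoded name at pos; return (name, suffix, next_pos)."""
    if pos + 34 > len(buf) or buf[pos] != 0x20 or buf[pos + 33] != 0x00:
        raise ValueError("truncated or scoped NetBIOS name")
    enc = buf[pos + 1:pos + 33]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("invalid first-level encoding")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], pos + 34

def parse_nbds(payload):
    """Parse a UDP/138 payload into sender IP, computer name and group name."""
    if len(payload) < NBDS_HEADER.size:
        raise ValueError("short datagram")
    mtype, _flags, _id, ip, _port, _len, _off = NBDS_HEADER.unpack_from(payload)
    if mtype not in NAMED_TYPES:
        raise ValueError("datagram type does not carry both names")
    src, src_sfx, pos = decode_name(payload, NBDS_HEADER.size)
    dst, dst_sfx, _ = decode_name(payload, pos)
    return {"src_ip": socket.inet_ntoa(ip), "computer": src,
            "computer_suffix": src_sfx, "group": dst, "group_suffix": dst_sfx}

def sample_datagram():
    """Constructed sample: host JOE announcing to workgroup JOEHOME<1D>."""
    names = encode_name("JOE", 0x00) + encode_name("JOEHOME", 0x1D)
    header = NBDS_HEADER.pack(0x11, 0x02, 0x1234,
                              socket.inet_aton("192.0.2.57"), 138, len(names), 0)
    return header + names

if __name__ == "__main__":
    print(parse_nbds(sample_datagram()))
```

The source IP field in the header is what the sender claims; compare it with the IP header's source address from the capture before running nbtstat -A against it.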