Security Basics mailing list archives

RE: TCP/IP services, Win2k, and Snort.


From: "CHRIS GRABENSTEIN" <LFGRABC () LF VCCS EDU>
Date: Wed, 14 May 2003 13:17:42 -0400

I would recommend building or buying a sniffer cable.  Take a look at
http://www.geocities.com/samngms/sniffing_cable/  This will allow you to
receive traffic while making it impossible to send any yourself.

|-----Original Message-----
|From: dataclaus1 () hushmail com [mailto:dataclaus1 () hushmail com] 
|Sent: Tuesday, May 13, 2003 8:10 PM
|To: security-basics () securityfocus com
|Subject: TCP/IP services, Win2k, and Snort.
|
|
|
|-----BEGIN PGP SIGNED MESSAGE-----
|Hash: SHA1
|
|Hello List,
|
|I have prepped a win2k/snort2.0/mysql/acid standalone box to listen outside
|our firewall.
|
|In order for MySQL to run, TCP/IP has to be installed (but not necessarily
|active) for an interface.
|
|In order for ACID to work with IIS, Client for Microsoft Networks has
|to be installed (but not necessarily active) for an interface.
|
|Thus, with a single ethernet card in the box, Local Area Connection properties
|show both TCP/IP and Client for MS Networks.  Both check boxes are empty,
|and I get no ping response from the box anymore, and Promiscan promiscuous
|node sensor does not turn it up (but it enumerates by IP address).
|
|I guess my question is--without an IP address, in passive sniffer mode,
| and setting aside any vulnerabilities in snort (recent RPC and stream4
|fr'instance), can its presence be detected (via MAC address?), and if
|so, with TCP/IP turned off for the interface, what kind of exploitation
|could it be vulnerable to?  I know there are papers about how to detect
|promiscuous interfaces.
|
|Such as:  Having obtained the MAC address on the sniffing interface,
|could pure 802.b packets be sent to try to crack the box?
|
|IIS, PHP, and MySQL should all be relatively safe should they not, because
|they are being used via localmachine only (assuming correct configuration)?
|
|Thanks,
|cm
|-----BEGIN PGP SIGNATURE-----
|Note: This signature can be verified at https://www.hushtools.com/verify
|Version: Hush 2.3
|
|
|wkYEARECAAYFAj7BiVQACgkQxfxie4/I/Q8AggCguqTg+tk498jJ6hJwkn/pzcMC9UYA
|n35uHneff6sZG9XKswkU3l4bXB28
|=FYY8
|-----END PGP SIGNATURE-----
