Security Basics mailing list archives

RE: TCP/IP services, Win2k, and Snort.


From: "Kurt" <kurtbuff () spro net>
Date: Mon, 19 May 2003 14:20:42 -0700

This will only work well in a 10 megabit environment. There are issues
with a Fast Ethernet or faster environment, mostly regarding the fact
that many (most, all?) switches that use FE like to see both pairs
working, and tend to shut down the port if they aren't.

| -----Original Message-----
| From: CHRIS GRABENSTEIN [mailto:LFGRABC () LF VCCS EDU]
| Sent: Wednesday, May 14, 2003 10:18
| To: security-basics () securityfocus com
| Subject: RE: TCP/IP services, Win2k, and Snort.
| 
| 
| I would recommend building or buying a sniffer cable.  Take a look at
| http://www.geocities.com/samngms/sniffing_cable/  This will allow you to
| receive traffic while making it impossible to send any yourself.
| 
| |-----Original Message-----
| |From: dataclaus1 () hushmail com [mailto:dataclaus1 () hushmail com] 
| |Sent: Tuesday, May 13, 2003 8:10 PM
| |To: security-basics () securityfocus com
| |Subject: TCP/IP services, Win2k, and Snort.
| |
| |
| |
| |-----BEGIN PGP SIGNED MESSAGE-----
| |Hash: SHA1
| |
| |Hello List,
| |
| |I have prepped a win2k/snort2.0/mysql/acid standalone box to listen outside
| |our firewall.
| |
| |In order for MySQL to run, TCP/IP has to be installed (but not necessarily
| |active) for an interface.
| |
| |In order for ACID to work with IIS, Client for Microsoft Networks has
| |to be installed (but not necessarily active) for an interface.
| |
| |Thus, with a single ethernet card in the box, Local Area Connection properties
| |show both TCP/IP and Client for MS Networks.  Both check boxes are empty,
| |and I get no ping response from the box anymore, and Promiscan promiscuous
| |node sensor does not turn it up (but it enumerates by IP address).
| |
| |I guess my question is--without an IP address, in passive sniffer mode,
| |and setting aside any vulnerabilities in snort (recent RPC and stream4
| |fr'instance), can its presence be detected (via MAC address?), and if
| |so, with TCP/IP turned off for the interface, what kind of exploitation
| |could it be vulnerable to?  I know there are papers about how to detect
| |promiscuous interfaces.
| |
| |Such as:  Having obtained the MAC address on the sniffing interface,
| |could pure 802.b packets be sent to try to crack the box?
| |
| |IIS, PHP, and MySQL should all be relatively safe should they not, because
| |they are being used via localmachine only (assuming correct configuration)?
| |
| |Thanks,
| |cm
| |-----BEGIN PGP SIGNATURE-----
| |Note: This signature can be verified at https://www.hushtools.com/verify
| |Version: Hush 2.3
| |
| |
| |wkYEARECAAYFAj7BiVQACgkQxfxie4/I/Q8AggCguqTg+tk498jJ6hJwkn/pzcMC9UYA
| |n35uHneff6sZG9XKswkU3l4bXB28
| |=FYY8
| |-----END PGP SIGNATURE-----
| |---------------------------------------------------------------------------
| |Thinking About Security Training? You Can't Afford Not To!
| |
| |Vigilar's industry leading curriculum includes:  Security +, Check Point,
| |Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
| |--UP TO 30% off classes in select cities--
| |http://www.securityfocus.com/Vigilar-security-basics
| |----------------------------------------------------------------------------