Full Disclosure mailing list archives
Re: how to bypass rouge machine detection techniques
From: Gaurav Kumar <gkverma () gmail com>
Date: Tue, 12 Jul 2005 00:55:19 +0530
thanks a lot everybody. now i am just wondering if the detection technique can be integrated at the switch level. for example, one software can connect to switch via ssh, and collect the ipaddress information of the machine trying to plug in to the network, as soon as we detect this machine, we can connect to it to test whether its a part of trusted domain/network or not. i think even if a box is in stealth mode, we can still detect it if we use our detection mechanism at switch level itself. plz comment. regards, gaurav On 7/11/05, Paul Melson <pmelson () gmail com> wrote:
MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty ways (see: ARP poisoning/routing). The ubiquitous nature of ARP/RARP broadcasts and the seemingly unique nature of MAC addresses makes them an obvious means of attempting this type of detection, but these attempts are trivially defeated - it can be done with pretty much any laptop and a Linux boot CD. I'm not saying it's not worth doing - presumptuous contractors, bad employees, the generally clueless and their laptops all pose a risk to your network. These people will likely be detected via this method and can be dealt with, hopefully before they spread worms and other crap. One correct solution to this problem is to authenticate users and devices before they connect to the network. Whereas this method attempts to identify devices or users after they have connected. PaulM -----Original Message----- Subject: [Full-disclosure] how to bypass rouge machine detection techniques Friends, There are several techniques available for detecting rouge (not being a member of trusted domain) machines, such as active scanning, active directory querying etc, but I guess most powerful being the one used by epolicy orchestrator. Its agents (deployed on each subnet) checks for L2 broadcasts like Arp broadcast etc. After detecting a broadcast, it used the mac address and ip address to proceed further to detect whether the machine is rouge or not. http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd whitepaper_july2004.pdf I was wondering if this approach is foolproof and can be safely deployed or if there is a way to bypass it?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- RE: how to bypass rouge machine detection techniques Paul Melson (Jul 11)
- Re: how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- Re: how to bypass rouge machine detection techniques Michael Holstein (Jul 11)
- Re: how to bypass rogue machine detection techniques Devdas Bhagat (Jul 11)
- Re: how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- <Possible follow-ups>
- RE: how to bypass rouge machine detection techniques Cassidy Macfarlane (Jul 11)
- RE: how to bypass rouge machine detection techniques Lauro, John (Jul 11)
- RE: how to bypass rouge machine detection techniques Paul Melson (Jul 11)