Open Source and information security mailing list archives
 
Message-ID: <200405181621.i4IGLUB8018817@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Strange ldap Behavior. 

On Tue, 18 May 2004 15:15:56 +0200, "Soderland, Craig" <craig.soderland@....com>  said:

>  I did a snoop from our tech sandbox (xxxxxx) to port 389 using the
>  following command: 'snoop -v port 389' (without the quotes). The attached
>  file shows a segment of the results. Notice the line:

I don't see an attached file?

>       ETHER:  Destination = 0:0:5e:0:1:1, U.S. Department of Defense

>  Why should a connection be made to US Dept. of Defense? Any Ideas?

Remember - that's an *ethernet* destination.  As such, it's still on your local
network (hopefully ;).  That's probably not a destination, that's supposed to
be a manufacturer code...

However, it looks like somebody has a borked data file someplace.  What I
*suspect* was intended here was that it took the first 3 octets and tried to
convert '0:0:5e' to a manufacturer code (there's a list available at
http://standards.ieee.org/regauth/oui/oui.txt) - so for instance any Ethernet address
that starts off with 00:05:73 is a Cisco card.  One of the Ethernet cards on my
laptop has a MAC address that starts off with 00:10:A4 - which tells you it's
a Xircom card.  The docking station's MAC address starts with 0:6:5B - that's a
Dell-rebadged 3Com.

Only problem is that 0:0:5e is registered as:

00-00-5E   (hex)		USC INFORMATION SCIENCES INST
00005E     (base 16)		USC INFORMATION SCIENCES INST
				INTERNET ASS'NED NOS.AUTHORITY
				4676 ADMIRALTY WAY
				MARINA DEL REY CA 90292-6695

I don't see the DoD as having registered a prefix of its own there...

If this is a Sun system, you want to be looking at either /etc/ethers file,
or the NIS maps 'ethers', 'ethers.byname', and 'ethers.byaddr' - check
the /etc/nsswitch.conf file for details on which your system uses.
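
The prefix lookup described in the message above, as an added example that is not part of the original post: it parses entries in the oui.txt layout quoted there and resolves an address written the way snoop prints it, without zero padding. The function names are hypothetical, the sample table is constructed from the single entry quoted in the message, and the VRRP annotation comes from RFC 3768, not from the message.

```python
import re

# Constructed sample: only the 00-00-5E entry quoted in the message, in the
# oui.txt layout shown there. A real audit would load the full IEEE file.
SAMPLE_OUI_TXT = """\
00-00-5E   (hex)\t\tUSC INFORMATION SCIENCES INST
00005E     (base 16)\t\tUSC INFORMATION SCIENCES INST
\t\t\t\tINTERNET ASS'NED NOS.AUTHORITY
\t\t\t\t4676 ADMIRALTY WAY
\t\t\t\tMARINA DEL REY CA 90292-6695
"""

HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$")

def parse_oui(text):
    """Build {'00005E': organisation} from the '(hex)' lines only."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).upper()] = m.group(4)
    return table

def normalize_mac(mac):
    """Accept 0:0:5e:0:1:1 or 00-00-5E-00-01-01; return six padded octets."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return [p.zfill(2).upper() for p in parts]

def describe(mac, table):
    """Resolve the registrant of the first three octets and flag special cases."""
    octets = normalize_mac(mac)
    prefix = "".join(octets[:3])
    info = {"mac": ":".join(octets), "oui": prefix,
            "vendor": table.get(prefix, "unknown"),
            # Bit 0x02 of the first octet marks a locally administered
            # address, for which an OUI lookup says nothing about the vendor.
            "locally_administered": bool(int(octets[0], 16) & 0x02),
            "note": None}
    # RFC 3768 reserves 00-00-5E-00-01-{VRID} for VRRP virtual router MACs.
    if octets[:5] == ["00", "00", "5E", "00", "01"]:
        info["note"] = f"VRRP virtual router MAC, VRID {int(octets[5], 16)}"
    return info

if __name__ == "__main__":
    print(describe("0:0:5e:0:1:1", parse_oui(SAMPLE_OUI_TXT)))
```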