lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <42d2b3aa.0970439c.6db1.2e38@mx.gmail.com>
Date: Mon Jul 11 19:00:17 2005
From: pmelson at gmail.com (Paul Melson)
Subject: how to bypass rouge machine detection techniques

MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty
ways (see: ARP poisoning/routing).  The ubiquitous nature of ARP/RARP
broadcasts and the seemingly unique nature of MAC addresses makes them an
obvious means of attempting this type of detection, but these attempts are
trivially defeated - it can be done with pretty much any laptop and a Linux
boot CD.

I'm not saying it's not worth doing - presumptuous contractors, bad
employees, the generally clueless and their laptops all pose a risk to your
network.  These people will likely be detected via this method and can be
dealt with, hopefully before they spread worms and other crap.

One correct solution to this problem is to authenticate users and devices
before they connect to the network.  Whereas this method attempts to
identify devices or users after they have connected.  

PaulM


-----Original Message-----
Subject: [Full-disclosure] how to bypass rouge machine detection techniques

Friends,

There are several techniques available for detecting rouge (not being a
member of trusted domain) machines, such as active scanning, active
directory querying etc, but I guess most powerful being the one used by
epolicy orchestrator. Its agents (deployed on each subnet) checks for L2
broadcasts like Arp broadcast etc. After detecting a broadcast, it used the
mac address and ip address to proceed further to detect whether the machine
is rouge or not.

http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd
whitepaper_july2004.pdf

I was wondering if this approach is foolproof and can be safely deployed or
if there is a way to bypass it?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ