lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <e4ce4c4405071112255cb7eeab@mail.gmail.com> Date: Mon Jul 11 20:25:52 2005 From: gkverma at gmail.com (Gaurav Kumar) Subject: how to bypass rouge machine detection techniques thanks a lot everybody. now i am just wondering if the detection technique can be integrated at the switch level. for example, one software can connect to switch via ssh, and collect the ipaddress information of the machine trying to plug in to the network, as soon as we detect this machine, we can connect to it to test whether its a part of trusted domain/network or not. i think even if a box is in stealth mode, we can still detect it if we use our detection mechanism at switch level itself. plz comment. regards, gaurav On 7/11/05, Paul Melson <pmelson@...il.com> wrote: > MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty > ways (see: ARP poisoning/routing). The ubiquitous nature of ARP/RARP > broadcasts and the seemingly unique nature of MAC addresses makes them an > obvious means of attempting this type of detection, but these attempts are > trivially defeated - it can be done with pretty much any laptop and a Linux > boot CD. > > I'm not saying it's not worth doing - presumptuous contractors, bad > employees, the generally clueless and their laptops all pose a risk to your > network. These people will likely be detected via this method and can be > dealt with, hopefully before they spread worms and other crap. > > One correct solution to this problem is to authenticate users and devices > before they connect to the network. Whereas this method attempts to > identify devices or users after they have connected. > > PaulM > > > -----Original Message----- > Subject: [Full-disclosure] how to bypass rouge machine detection techniques > > Friends, > > There are several techniques available for detecting rouge (not being a > member of trusted domain) machines, such as active scanning, active > directory querying etc, but I guess most powerful being the one used by > epolicy orchestrator. Its agents (deployed on each subnet) checks for L2 > broadcasts like Arp broadcast etc. After detecting a broadcast, it used the > mac address and ip address to proceed further to detect whether the machine > is rouge or not. > > http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd > whitepaper_july2004.pdf > > I was wondering if this approach is foolproof and can be safely deployed or > if there is a way to bypass it? > >
Powered by blists - more mailing lists