Message-ID: <e4ce4c4405071112255cb7eeab@mail.gmail.com>
Date: Mon Jul 11 20:25:52 2005
From: gkverma at gmail.com (Gaurav Kumar)
Subject: how to bypass rogue machine detection techniques

Thanks a lot, everybody.

Now I am just wondering if the detection technique can be integrated
at the switch level. For example, one piece of software could connect to the
switch via SSH and collect the IP address information of the machine trying
to plug in to the network; as soon as we detect this machine, we can
connect to it to test whether it is a part of the trusted domain/network or
not.

I think even if a box is in stealth mode, we can still detect it if we
use our detection mechanism at the switch level itself.

Please comment.

regards,
gaurav

On 7/11/05, Paul Melson <pmelson@...il.com> wrote:
> MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty
> ways (see: ARP poisoning/routing).  The ubiquitous nature of ARP/RARP
> broadcasts and the seemingly unique nature of MAC addresses makes them an
> obvious means of attempting this type of detection, but these attempts are
> trivially defeated - it can be done with pretty much any laptop and a Linux
> boot CD.
> 
> I'm not saying it's not worth doing - presumptuous contractors, bad
> employees, the generally clueless and their laptops all pose a risk to your
> network.  These people will likely be detected via this method and can be
> dealt with, hopefully before they spread worms and other crap.
> 
> One correct solution to this problem is to authenticate users and devices
> before they connect to the network, whereas this method attempts to
> identify devices or users after they have connected.
> 
> PaulM
> 
> 
> -----Original Message-----
> Subject: [Full-disclosure] how to bypass rogue machine detection techniques
> 
> Friends,
> 
> There are several techniques available for detecting rogue (not being a
> member of the trusted domain) machines, such as active scanning, Active
> Directory querying etc., but I guess the most powerful is the one used by
> ePolicy Orchestrator. Its agents (deployed on each subnet) check for L2
> broadcasts like ARP broadcasts etc. After detecting a broadcast, it uses the
> MAC address and IP address to proceed further to detect whether the machine
> is rogue or not.
> 
> http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsdwhitepaper_july2004.pdf
> 
> I was wondering if this approach is foolproof and can be safely deployed or
> if there is a way to bypass it?
> 
>

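Gaurav's switch-level idea and Paul's objection to MAC-based detection, as an added worked example that is not part of this thread and is not ePolicy Orchestrator's or any vendor's code: it parses a switch MAC address table, flags addresses missing from a trusted-device inventory, adds a port-mismatch check, and then shows that an attacker who clones a trusted MAC on the expected port is invisible to both checks. The table text is a constructed sample in the style of a Cisco IOS "show mac address-table" listing, the inventory is constructed, and the SSH session that would fetch the table from a real switch is left out so the example runs offline; the function names are the author's own, not from any product.

```python
"""Switch-level rogue-device check against a trusted-host inventory, and
why a cloned MAC defeats it.  Added example; the table text and the
inventory below are constructed, not taken from any real network."""
import re

# Constructed sample in the style of a Cisco IOS "show mac address-table".
# On a real network this text would come from an SSH session to the switch;
# here it is embedded so the example runs offline.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    00de.adbe.ef01    DYNAMIC     Gi1/0/7
  20    0011.2233.4455    DYNAMIC     Gi1/0/12
"""

# Constructed inventory of trusted devices: MAC -> switch port it belongs on.
INVENTORY = {
    "00:11:22:33:44:55": "Gi1/0/1",
    "00:11:22:33:44:66": "Gi1/0/2",
}

# One data row: vlan, dotted-hex MAC, entry type, port.  Header and rule
# lines do not start with digits and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Canonical lower-case colon form, so 0011.2233.4455, 00-11-22-33-44-55
    and 00:11:22:33:44:55 all compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples for every data row in the table."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(4)))
    return entries


def find_unknown(entries, inventory):
    """The MAC-only check discussed in the thread: anything not in the
    inventory is reported as a possible rogue."""
    return [e for e in entries if e[1] not in inventory]


def find_conflicts(entries, inventory):
    """Extra check: a trusted MAC seen on a port other than its inventoried
    one.  This catches a clone only when it sits on the wrong port; it says
    nothing about a clone on the victim's own port."""
    return [e for e in entries if e[1] in inventory and inventory[e[1]] != e[2]]


def is_flagged(entry, inventory):
    """True if either check would report this (vlan, mac, port) entry."""
    return entry[1] not in inventory or inventory[entry[1]] != entry[2]


if __name__ == "__main__":
    rows = parse_mac_table(MAC_TABLE)
    print("unknown MACs:  ", find_unknown(rows, INVENTORY))
    print("port conflicts:", find_conflicts(rows, INVENTORY))
    # Attacker unplugs the host on Gi1/0/1, clones its MAC and plugs in there:
    clone = (10, "00:11:22:33:44:55", "Gi1/0/1")
    print("cloned MAC on expected port flagged?", is_flagged(clone, INVENTORY))
```

The unknown-MAC check reports the box on Gi1/0/7 and the port-mismatch check reports the duplicate of a trusted address on Gi1/0/12, which is the case the switch-level approach does catch. The last line of the demo is Paul's point: a laptop that takes over a trusted host's port with that host's MAC passes both checks, and no amount of querying the switch changes that, because the switch only ever sees the address the attacker chose to present.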