lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050711211552.GA30677@dvb.homelinux.org>
Date: Mon Jul 11 22:17:08 2005
From: devdas at dvb.homelinux.org (Devdas Bhagat)
Subject: how to bypass rogue machine detection techniques

On 12/07/05 00:55 +0530, Gaurav Kumar wrote:
> thanks a lot everybody.

Spelling in subject corrected.

> 
> now i am just wondering if the detection technique can be integrated
> at the switch level. for example, one software can connect to switch
> via ssh, and collect the ipaddress information of the machine trying
> to plug in to the network, as soon as we detect this machine, we can
> connect to it to test whether its a part of trusted domain/network or
> not.
> 

You would need to trigger the scan when the host is plugged into the
switch. The device also needs to respond to an ARP request of some sort.

What happens if I plug in a dumb hub into the switch, and then a laptop
with no IP address on the NIC and ARP disabled into the hub?

Keep in mind that switches are designed to fail open, so I just need to
flood the switch with a very large number of MAC addresses to convert it
into a nice broadcast device.

> i think even if a box is in stealth mode, we can still detect it if we
> use our detection mechanism at switch level itself.
> 
Possible. However, in most cases, it is easier to implement proper
physical security and not let random people connect from nodes all over
the place. Using 802.1x is useful as well.

Devdas Bhagat
<snipped>

Powered by blists - more mailing lists