lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20050712124513.622FC33C23@mailserver5.hushmail.com>
Date: Tue Jul 12 14:55:49 2005
From: amrnems at hushmail.com (amrnems@...hmail.com)
Subject: how to bypass rogue machine detection techniques

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Great physical access is a must when dealing with rogue devices on
a physical network.  But using 802.1x, and disabling the unused
ports would probably be your best answer.  If you just implement
802.1x or, as you first mentioned, some kind of port scanning, then
you would never be able to detect a person with a “receive” only
cable connected to your switch.

AmRnEmS


- -----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gaurav Kumar
Sent: Monday, July 11, 2005 4:59 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] how to bypass rogue machine detection techniques

Friends,

There are several techniques available for detecting rogue (not
being a member of the trusted domain) machines, such as active
scanning, Active Directory querying etc., but I guess the most powerful
is the one used by ePolicy Orchestrator. Its agents (deployed on
each subnet) check for L2 broadcasts like ARP broadcasts etc. After
detecting a broadcast, it uses the MAC address and IP address to
proceed further to detect whether the machine is rogue or not.

http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsdwhitepaper_july2004.pdf

I was wondering if this approach is foolproof and can be safely
deployed or if there is a way to bypass it?

Regards,
Gaurav
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLTu1MACgkQcExBwOFdkZGK+wCeNKxnA/QoMt97JGLNUcYfvJe5gdgA
n081SOqPudl7p9eZnW1t9liwdpi+
=eNjB
-----END PGP SIGNATURE-----
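The sensor logic the quoted post describes (an agent on the subnet that listens for ARP broadcasts and compares the sender MAC/IP against an inventory of trusted hosts), written out as an added example. This is not code from the thread or from ePolicy Orchestrator; the decision rule, the inventory and the sample frames are all constructed here to illustrate the idea, and the real product's rules are not assumed. Running it shows both sides of the exchange: an unknown sender or a trusted MAC with an unexpected IP is flagged, a host that never transmits (the reply's "receive only" case) is never observed at all, and the sensor can judge only the sender fields a frame presents to it.

```python
import struct
from dataclasses import dataclass

# Wire formats: 14-byte Ethernet header, 28-byte ARP packet for Ethernet/IPv4.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class Sighting:
    mac: str
    ip: str
    op: int  # 1 = request, 2 = reply


def parse_arp(frame: bytes):
    """Return the sender MAC/IP of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return Sighting(mac_str(sha), ip_str(spa), op)


class RogueSensor:
    """Passive subnet sensor: every ARP sender is checked against a trusted inventory.

    The rule (unknown MAC, or known MAC with a different IP, raises an alert) is an
    assumption made for this example, not the vendor's actual logic.
    """

    def __init__(self, inventory: dict):
        self.inventory = dict(inventory)   # trusted MAC -> expected IP
        self.seen = {}                     # every sender MAC observed -> last IP
        self.alerts = []

    def observe(self, frame: bytes):
        s = parse_arp(frame)
        if s is None:
            return None                    # not ARP: this sensor never looks at it
        self.seen[s.mac] = s.ip
        expected = self.inventory.get(s.mac)
        if expected is None:
            self.alerts.append(("unknown-mac", s.mac, s.ip))
        elif expected != s.ip:
            self.alerts.append(("ip-mismatch", s.mac, s.ip))
        return s


def build_arp_request(src_mac: bytes, src_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed broadcast ARP request, the kind of L2 traffic the sensor keys on."""
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, 1, src_mac, src_ip, b"\x00" * 6, target_ip)
    return ETH_HDR.pack(BROADCAST, src_mac, ETHERTYPE_ARP) + arp


def run_demo() -> RogueSensor:
    # Constructed inventory of trusted hosts (hypothetical addresses).
    sensor = RogueSensor({
        "aa:bb:cc:00:00:01": "10.0.0.10",
        "aa:bb:cc:00:00:02": "10.0.0.11",
    })
    gateway = ip("10.0.0.1")
    frames = [
        build_arp_request(mac("aa:bb:cc:00:00:01"), ip("10.0.0.10"), gateway),  # trusted, as inventoried
        build_arp_request(mac("aa:bb:cc:00:00:03"), ip("10.0.0.99"), gateway),  # never inventoried
        build_arp_request(mac("aa:bb:cc:00:00:02"), ip("10.0.0.50"), gateway),  # trusted MAC, wrong IP
        ETH_HDR.pack(BROADCAST, mac("aa:bb:cc:00:00:05"), ETHERTYPE_IPV4) + b"\x00" * 28,  # non-ARP, ignored
    ]
    # A fourth host, aa:bb:cc:00:00:04, is on the wire but only receives; it sends nothing,
    # so no frame for it exists and the sensor has nothing to judge.
    for f in frames:
        sensor.observe(f)
    return sensor


if __name__ == "__main__":
    s = run_demo()
    for a in s.alerts:
        print("ALERT", *a)
    print("silent host observed:", "aa:bb:cc:00:00:04" in s.seen)
```

The last line of the demo is the point of the reply: a host that only listens produces no broadcast, so a broadcast-driven sensor has no sighting to act on, which is why port-level controls (802.1X, disabling unused ports) were suggested alongside it. Note also that the sensor's verdict rests entirely on the sender fields inside the frame; it has no way to tell which physical host put a given MAC/IP pair on the wire.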