lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7.0.1.0.2.20060330092102.020c56b8@argosnet.com>
Date: Thu Mar 30 08:20:52 2006
From: llevier at argosnet.com (Laurent LEVIER)
Subject: Strange interactions between tunnelling
	and SMB under the proprietary Microsoft Windows environment

Hi Marc,

At 07:52 30/03/2006, Marc SCHAEFER wrote:
>    However, accessing \\192.168.1.2\c$ did go through the Ethernet
>    interface, and *not the tunnel*, and strangely half-using the private
>    addresses!

This recalls me an old behavior from Microsoft products I was using 
to detect Internet rogue backdoors on my company's network.

When a windows is multi-homed, it sends packets towards broadcast @IP 
of each of its addresses to fill his computer browser tables.
Here I am talking about this behavior:
- Internal @IP -> Internal NIC -> Internal @IP broadcast
- Internal @IP -> Internal NIC -> External @IP broadcast
- External @IP -> External NIC -> Internal @IP broadcast
- External @IP -> External NIC -> External @IP broadcast

So you can imagine how this was useful. I was routing internal 
networks on Internet towards a probe that was also receiving Intranet 
routers anti-spoofing realtime logs.
When the probe was receiving a packet from outside targetting an 
internal @IP broadcast, I was correlating with antispoof logs of 
packets coming from an @IP compatible with this external broadcast 
towards the broadcast of the source @IP of the packet received from 
the outside and gotcha.

I dont know if Windoze keeps behavior like this.
Possibly this is related?

Brgrds

Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ