Or spoofing a MAC address, which I find works OK even when the host being spoofed is connected to the same port at the same time, and works OK when the MAC is tied to a DHCP reservation (the switch has no way of knowing there area actually two NICS attached). In fact, a DHCP reservation is somewhat preferable if trying to go unnoticed during an "inside" pentest - if the intruder is spoofing hostnames as well as MAC addresses then it's not very noticeable from a log perspective; duplicate netBIOS name events would show up but netBIOS can be shut off. Dynamic DNS updates can also be disabled at the windows client. DHCP logs would show the lease being renewed by both hosts, but would probably not look much different from the usual lease renewal activity.
Out of curiosity, what is the largest hard-coded ARP table implementation that has been performed or observed by the list? Is it something that is only done in SCIFs or have people implemented it in general-purpose environments? > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Robert D. > Holtz - Lists > Sent: Monday, September 11, 2006 4:18 PM > To: 'Lim Ming Wei'; [EMAIL PROTECTED]; > [email protected] > Subject: RE: Scan for "outsider" Pcs on network > > If security is paramount then you would want to setup your > switching fabric to perform MAC based restrictions by port. > This is one of the best ways of making sure you know what's > hooked up. Anyone just trying to hook up to a port will get nowhere. > > Of course, this doesn't prevent someone from going up to a > machine that's already allowed on the 'net and doing what > ever they please. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Lim Ming Wei > Sent: Saturday, September 09, 2006 5:08 AM > To: [EMAIL PROTECTED]; [email protected] > Subject: RE: Scan for "outsider" Pcs on network > > I come across a program call air-snare that is able to detect > that. But you will need to have a list of all your systems > mac address. It is like an IDS program. I believe that most > of the IDS program is able to do that. > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Friday, March 03, 2006 7:48 AM > To: [email protected] > Subject: Scan for "outsider" Pcs on network > > Is there a way to setup a scan and be notified of an > intruding pc that is physically plugged into the network? > When you have an enviroment with a large amount of network > jacks, it's hard to make sure the ones no longer in use are > turned off, and that no "visitors" have sat down to use your > network connections, esp. if you have a large amount of > contractors in and out. It got me to searching the net, and > so far I have found one cemmercial product that can do it, > but nothing else. Any suggestions? > > -------------------------------------------------------------- > ---------- > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world > attacks from CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > -------------------------------------------------------------- > ---------- > > > > -------------------------------------------------------------- > ---------- > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world > attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impa ct&campaign=in > tro_sfw > to learn more. > -------------------------------------------------------------- > ---------- > > > -------------------------------------------------------------- > ---------- > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world > attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impa ct&campaign=intro_sfw > to learn more. > -------------------------------------------------------------- > ---------- > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
