I think this may help: http://msdn.microsoft.com/en-us/library/dd162722%28VS.85%29.aspx
""" The *FindFirstPrinterChangeNotification* call specifies the type of changes to be monitored. You can specify a set of conditions to monitor for changes, a set of printer information fields to monitor, or both. A wait operation on the change notification handle succeeds when one of the specified changes occurs in the specified printer or print server. You then call the *FindNextPrinterChangeNotification*<http://msdn.microsoft.com/en-us/library/dd162723%28VS.85%29.aspx>function to retrieve information about the change, and to reset the change notification object for use in the next wait operation. """" On Wed, Aug 26, 2009 at 1:48 AM, Nathan Sweaney <[email protected]>wrote: > Rather than try to emulate all of that, what if you just skipped ahead to > your really crafty idea and forward all incoming traffic to an actual device > on the network? If you goal is just to hide on the network, then at that > point you’re not limited to just being a printer, you can become any device, > specific or random. > > > > If I’m scanning my network & see a new printer that I wasn’t aware of, then > I may get suspicious. But if instead I just have Bob’s laptop or a Dell > Switch listed twice, I may not notice. > > > > And if you do want to allow specific incoming traffic, you could either > allow it by IP or get fancy with some sort of port-knocking implementation. > > > ------------------------------ > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *bytes abit > *Sent:* Tuesday, August 25, 2009 8:14 PM > *To:* PaulDotCom Security Weekly Mailing List > *Subject:* Re: [Pauldotcom] Honeypot techniques for use in rogue APs. > > > > > Sounds interesting, well thought out. > > As for your redirects, a few IPTABLES commands would take care of that one, > easy as pie... er well the crust is rather hard to make.. so I hesitate to > use that expression ;P > > Enabling logging on the port activity and would be wise/useful as well. > > > > BTW: Watch Wolverine Origin, it's freaking great! > > HAHAHA Just got a message: Back of the shirt: www.thepiratebay.org > .... Front of the shirt: http://tracker.btarena.org/ > > > Jay > > On Tue, Aug 25, 2009 at 10:45 AM, Chris Merkel <[email protected]> wrote: > > The recent discussions on honeypots got me thinking - has anyone modified a > wireless AP in a way to make it look like another device? A multi-function > printer perhaps? (If the answer is "It's in Paul's book" - I will go out and > purchase it right away ;-) > > What if: > > You could leave telnet open to allow logons to actually manage the AP (you > would have to pick a print server that requires a logon, so it would look > legit), from there, you would need to modify OpenWRT to run: > FTP/21 - allow anonymous logons, set up the folder structure, change the > banner > HTTP/80 - Mirror the status pages from a typical print server > TCP/515 - lpd > TCP/631 - ipp > TCP/9100 - lpd / jetdirect > > You would also need to change the MAC address to the vendor ID of the > device you're emulating. > > If you wanted to get really crafty, you could figure out a way to forward > packets sent to 515,631 and 9100 to forward to an actual network printer on > the same subnet. > > Let's say you did all of those things - think you'd be able to fool nmap's > service fingerprinting? What if you found a match between a printer and AP, > so that they're running a similar embedded linux kernel - that would fool > nmap's TCP fingerprinting, right? > > I don't have a WAP readily available, nor the time in the next few months > to hack something together, but if anyone else is headed down this road, I'd > be interested to know. > > -- > - Chris Merkel > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
