Bugtraq mailing list archives

Re: ARP problem in Windows9X/NT


From: gandalf () POBOX COM (gandalf () POBOX COM)
Date: Thu, 15 Apr 1999 09:24:37 -0400


On Wed, 14 Apr 1999, Joseph Gooch wrote:

Same behavior here, however NT LOGS all packets to the event log.  I'm not
sure of NT's logging behavior, it could either fill the drive or if it has a
max size it could erase old events.  Possibly cover up other vulnerabilities
that were tested.  Since the MAC address isn't a real one, it's a lot harder
to trace.

The NT system logger has a size limit, on my system (and therefore I
assume the default since I don't think I ever touched it) it is 512kb.  It
also will by default (this is configurable) not write over any
entries less than 7 days old, which means when you fill all 512Kb it gives
you a warning that the log is full, and _stops logging_.

of course all of these attacks only work on the local subnet, which makes
them a lot less worrisome than a more remote attack.

9x is boring, just a lame message box.

what versions?  It definitely does work on some versions of 95
(like 4.00.950 B)

If people want to test and send me the exact version and the results on
the version I'll collate and post a summary.

-chris

_______________________________________________________
Christopher Rogers      Stevens Institute of Technology
gandalf () pobox com       http://www.pobox.com/~gandalf

I can prove anything with research except the truth.
                                                 -Unknown
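
Added example, not part of the original message: a Windows PowerShell 5.1 check of each classic event log's size limit and overflow policy, flagging the "log full, stops logging" configuration described above. The function name and the 20 MB size threshold are assumptions made for illustration, and the sample row is constructed from the 512 KB / 7 day values quoted in the message.

```powershell
# Added example: audit event log size and overflow policy (Windows PowerShell 5.1).
# $MinSizeKB is an assumed threshold for illustration, not vendor guidance.
$MinSizeKB = 20480

# Hypothetical helper: turns one log's settings into a list of findings.
function Get-EventLogRetentionFinding {
    param(
        [Parameter(Mandatory)] [string] $Log,
        [Parameter(Mandatory)] [long]   $MaximumKilobytes,
        [Parameter(Mandatory)] [string] $OverflowAction,
        [int] $MinimumRetentionDays = 0
    )
    $issues = @()
    switch ($OverflowAction) {
        # Never overwrites: once full, new events are dropped until the log is cleared.
        'DoNotOverwrite'    { $issues += 'stops logging when full' }
        # Overwrites only entries older than N days: a fast fill leaves nothing
        # old enough to overwrite, so logging stops (the case in the message).
        'OverwriteOlder'    { $issues += "stops logging when full if every entry is newer than $MinimumRetentionDays days" }
        # Always overwrites: logging continues, but a fill pushes out older events.
        'OverwriteAsNeeded' { $issues += 'oldest events are overwritten when full' }
    }
    if ($MaximumKilobytes -lt $MinSizeKB) {
        $issues += "maximum size $MaximumKilobytes KB is below $MinSizeKB KB"
    }
    [pscustomobject]@{
        Log           = $Log
        MaxKB         = $MaximumKilobytes
        Policy        = $OverflowAction
        RetentionDays = $MinimumRetentionDays
        Issues        = $issues -join '; '
    }
}

# Constructed sample: the settings quoted in the message (512 KB, 7 days).
Get-EventLogRetentionFinding -Log 'System (constructed sample)' `
    -MaximumKilobytes 512 -OverflowAction OverwriteOlder -MinimumRetentionDays 7

# Live check of the local machine. Run elevated so the Security log is readable.
Get-EventLog -List | ForEach-Object {
    Get-EventLogRetentionFinding -Log $_.Log `
        -MaximumKilobytes $_.MaximumKilobytes `
        -OverflowAction $_.OverflowAction `
        -MinimumRetentionDays $_.MinimumRetentionDays
} | Format-Table -AutoSize -Wrap
```

The size and policy can be changed with `Limit-EventLog -LogName <name> -MaximumSize <size> -OverflowAction <policy>`.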


