Full Disclosure mailing list archives
RE: how to bypass rouge machine detection techniques
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 11 Jul 2005 14:00:08 -0400
MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty ways (see: ARP poisoning/routing). The ubiquitous nature of ARP/RARP broadcasts and the seemingly unique nature of MAC addresses make them an obvious means of attempting this type of detection, but these attempts are trivially defeated - it can be done with pretty much any laptop and a Linux boot CD. I'm not saying it's not worth doing - presumptuous contractors, bad employees, the generally clueless and their laptops all pose a risk to your network. These people will likely be detected via this method and can be dealt with, hopefully before they spread worms and other crap.

One correct solution to this problem is to authenticate users and devices before they connect to the network, whereas this method attempts to identify devices or users after they have connected.

PaulM

-----Original Message-----
Subject: [Full-disclosure] how to bypass rouge machine detection techniques

Friends,

There are several techniques available for detecting rogue (not a member of the trusted domain) machines, such as active scanning, Active Directory querying etc., but I guess the most powerful is the one used by ePolicy Orchestrator. Its agents (deployed on each subnet) check for L2 broadcasts like ARP broadcasts etc. After detecting a broadcast, it uses the MAC address and IP address to proceed further to detect whether the machine is rogue or not.

http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd whitepaper_july2004.pdf

I was wondering if this approach is foolproof and can be safely deployed or if there is a way to bypass it?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
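The sensor logic the thread describes (listen for ARP broadcasts on a subnet, then judge the sender by its MAC and IP), written out as an added example that is not ePolicy Orchestrator's code or anything from the posters. The inventory, MACs and ARP records are constructed; the `binding_conflict` check is an assumption about how a defender would extend the plain "MAC not in inventory" test, and the block deliberately shows its limit: a sender that clones both a trusted host's MAC and its IP raises nothing.

```python
# Constructed inventory of trusted hosts (e.g. domain members), MAC -> IP.
TRUSTED = {
    "00:0c:29:aa:bb:01": "10.0.5.11",
    "00:0c:29:aa:bb:02": "10.0.5.12",
}

# Constructed ARP broadcasts as a subnet sensor would record them:
# (sender MAC, sender IP). Only the two ARP sender fields are modelled.
ARP_LOG = [
    ("00:0c:29:aa:bb:01", "10.0.5.11"),  # trusted host, expected binding
    ("00:1b:63:11:22:33", "10.0.5.50"),  # MAC not in inventory
    ("00:0c:29:aa:bb:02", "10.0.5.12"),  # trusted host, expected binding
    ("00:0c:29:aa:bb:02", "10.0.5.77"),  # trusted MAC, unexpected IP
    ("00:0c:29:aa:bb:01", "10.0.5.11"),  # repeat, must not alert twice
]


def classify(arp_events, trusted):
    """Return a sorted list of unique (kind, mac, ip) alerts.

    kind is 'unknown_mac' when the sender MAC is not in the inventory
    (the ePO-style rogue test), or 'binding_conflict' (assumed
    extension) when a trusted MAC shows up with an IP other than its
    inventory IP, or an inventory IP is claimed by some other MAC.
    A sender cloning a trusted MAC *and* its IP produces no alert,
    which is exactly the weakness the reply above points out.
    """
    alerts = set()
    ip_owner = {ip: mac for mac, ip in trusted.items()}
    for mac, ip in arp_events:
        if mac not in trusted:
            alerts.add(("unknown_mac", mac, ip))
        elif trusted[mac] != ip:
            alerts.add(("binding_conflict", mac, ip))
        if ip in ip_owner and ip_owner[ip] != mac:
            alerts.add(("binding_conflict", mac, ip))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, mac, ip in classify(ARP_LOG, TRUSTED):
        print(f"{kind:17} {mac} {ip}")
```

Feeding it a single record that copies a trusted host's MAC and IP returns an empty list, which is why the reply recommends authenticating devices before they join rather than after.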
Current thread:
- how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- RE: how to bypass rouge machine detection techniques Paul Melson (Jul 11)
- Re: how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- Re: how to bypass rouge machine detection techniques Michael Holstein (Jul 11)
- Re: how to bypass rogue machine detection techniques Devdas Bhagat (Jul 11)
- Re: how to bypass rouge machine detection techniques Gaurav Kumar (Jul 11)
- <Possible follow-ups>
- RE: how to bypass rouge machine detection techniques Cassidy Macfarlane (Jul 11)
- RE: how to bypass rouge machine detection techniques Lauro, John (Jul 11)
- RE: how to bypass rouge machine detection techniques Paul Melson (Jul 11)