RE: hacking challenge [7:66720]
So ... doesn't that give them enough supporting evidence all by itself? If not, maybe it is a lost cause?

As an aside - a PIX, if it was permitting the offending port through as well, may not have stopped the worm either. Think Defense in Depth. A firewall, while a necessity for -everyone- (IMHO), is not a cure-all; it is a piece of a very large, very complex puzzle (even for a small network!).

.. Have someone in a decision-making position there read Hacking __ (pick an OS - Windows 2000, Linux, etc.), or attend a SANS course (or just visit their reading room - TONS of articles). Read Eric Cole's or Ed Skoudis's books. .. or, teach him/her to use Google ...

Thanks!
TJ

-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

There's an access list on the Ethernet interface that's directly connected to a DSL modem. They're allowing telnet and SMTP to, basically, any any, plus various other protocols from/to specific addresses. There are only two outside addresses that are NATted, but it's really hideous, and the access list is the only thing resembling a layer of security between the Internet and their server farm.

I was just hoping to hear some really good verbiage about how vulnerable they are. I've told them for 3 months to get a PIX, but it just ain't sinking in. Now they've got a worm loose on their mail server that's bringing down their main host system and their Internet line (but that's another story).

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2003 8:46 AM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

Wilmes, Rusty wrote:

This is a general question for the security specialists. I'm trying to convince a client that they need a firewall. So, hypothetically, if you had telnet via the Internet open to a router (with an access list that allowed SMTP and telnet) (assuming you didn't know the telnet password or the enable password) that had a bunch of NT servers on another interface,

Do you actually mean that you are allowing Telnet and SMTP to go through the router? You said "to" above, which is confusing. Allowing Telnet to the router unrestricted would be a horrible security hole, even for people who don't know the password, because passwords are often guessable. But I don't think that's what you meant...

Allowing Telnet and SMTP through the router is more common, especially SMTP. You have to allow SMTP if you have an e-mail server that gets mail from the outside world. Avoid Telnet, though, if you can. It sends all text as clear text, including passwords.

The question is really how vulnerable is the operating system that the SMTP server is running on? It's probably horribly vulnerable if your client hasn't kept up with the latest patches, and it sounds like your client is the type that hasn't? In fact, the server is probably busy attacking the rest of us right now! ;-0

So, as far as convincing your customer: the best way may be to put a free firewall, like ZoneAlarm, on the decision maker's computer and show her/him all the attacks happening all the time. Or if she already has a firewall, walk her through the log.

Good luck. I have a good book to recommend on this topic:

Greenberg, Eric. Mission-Critical Security Planner. New York, New York, Wiley Publishing, Inc., 2003.

Here's an Amazon link: http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw inc/104-9901005-4572707

Priscilla

how long would it take a determined hacker a) to cause some kind of network downtime and b) to map a network drive to a share on a file server over the Internet.

Thanks,
Rusty

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 02, 2003 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: VLAN loop problem [7:66656]

Yes, it prevents loops in spanning tree on layer 2 switches from causing a loop by disabling the port on a Cisco switch...

Larry Letterman
Network Engineer
Cisco Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas N.
Sent: Wednesday, April 02, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: VLAN loop problem [7:66656]

What does portfast bpdu-guard do? Does it prevent interfaces with portfast enabled from causing the loop in my scenario?

Larry Letterman wrote in message news:[EMAIL PROTECTED]

Port MAC address security might work, although it's a lot of admin overhead... Are you running portfast bpdu-guard on the access ports?

Larry Letterman
Network Engineer
Cisco Systems

- Original Message
RE: hacking challenge [7:66720]
I would have to take issue with the following statement:

"You should of course harden any Internet facing network device, however the point is not really the type of server OS you run, or the Apps on it, but how good you are at proactively keeping them patched."

-MANY- so-called vulnerabilities are actually by design; we usually call them features. This is where the quality of the original coding, the quality/details of the installation/configuration, and the layers wrapped around all of this come together.

Typically, we as users have no control over the coding aspect, aside from auditing the application in question before deploying it and choosing your vendor accordingly.

The installation/config is *very* important. Nearly every vulnerability would be bypassed if we could just disable all of the services, or leave the machine without a network connection :). Code Red and Slammer, to cite two VERY BIG examples, would never have been an issue if the recommended best practices from the vendor (MS, in this case) had been followed.

Patching, of course, is not to be underrated. This *REALLY* comes into play when the vulnerability exists in the services you offer - web services or SQL, for example.

I hate to sound repetitive, but the key lies in knowing how to address all applicable layers and to maintain vigilance in doing so. Defense in Depth.

Thanks!
TJ

-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

This prompts me to say something about a comment from a previous poster about how vulnerable Windows is compared to Linux/xBSD etc.

I see many, many vulnerability alerts weekly for *nix based systems. Probably just as many as you see for Windows.

You should of course harden any Internet facing network device; however, the point is not really the type of server OS you run, or the apps on it, but how good you are at proactively keeping them patched.

I suggest that you go to some firewall vendor sites and plagiarise a bit of marketing guff if you want to sell the firewall idea to a sceptic, although just plonking a firewall in front of your unpatched sendmail server won't achieve a great deal.

My 2c, YMMV

Symon

-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED]]
Sent: 03 April 2003 20:05
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

There's an access list on the Ethernet interface that's directly connected to a DSL modem. They're allowing telnet and SMTP to, basically, any any, plus various other protocols from/to specific addresses. There are only two outside addresses that are NATted, but it's really hideous, and the access list is the only thing resembling a layer of security between the Internet and their server farm.

I was just hoping to hear some really good verbiage about how vulnerable they are. I've told them for 3 months to get a PIX, but it just ain't sinking in. Now they've got a worm loose on their mail server that's bringing down their main host system and their Internet line (but that's another story).

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2003 8:46 AM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

Wilmes, Rusty wrote:

This is a general question for the security specialists. I'm trying to convince a client that they need a firewall. So, hypothetically, if you had telnet via the Internet open to a router (with an access list that allowed SMTP and telnet) (assuming you didn't know the telnet password or the enable password) that had a bunch of NT servers on another interface,

Do you actually mean that you are allowing Telnet and SMTP to go through the router? You said "to" above, which is confusing. Allowing Telnet to the router unrestricted would be a horrible security hole, even for people who don't know the password, because passwords are often guessable. But I don't think that's what you meant...

Allowing Telnet and SMTP through the router is more common, especially SMTP. You have to allow SMTP if you have an e-mail server that gets mail from the outside world. Avoid Telnet, though, if you can. It sends all text as clear text, including passwords.

The question is really how vulnerable is the operating system that the SMTP server is running on? It's probably horribly vulnerable if your client hasn't kept up with the latest patches, and it sounds like your client is the type that hasn't? In fact, the server is probably busy attacking the rest of us right now! ;-0

So, as far as convincing your customer: the best way may be to put a free firewall, like ZoneAlarm, on the decision maker's computer and show her/him all the attacks happening all the time. Or if she already has a firewall, walk her through the log.

Good luck. I have a good book to recommend
RE: PATCH PANEL stuff [7:64503]
Watch out for port-specific settings (VLAN assignments, speed, duplex, portfast, description/names, trunk settings, etc.) too; i.e. - once you unplug everything you will need to either plug the cables into the same ports or at the very least ensure the new port gets similar settings. If this is an issue in your environment, this can be the most time-consuming part of the whole event! Obviously - if you have a large flat network of all hosts (minus an uplink or 12), most of these are less of an issue.

FWIW, you should also ensure the port descriptions/names are 'descriptive' ... either the hostname, the rack/server location, etc. - what matters is that it is meaningful to you :)

TJ

-Original Message-
From: Nate [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 05, 2003 4:06 PM
To: [EMAIL PROTECTED]
Subject: Re: PATCH PANEL stuff [7:64503]

Sam,

A lot of the questions can be answered by knowing how the cables are strung into the racks. For esthetics, I rewire everything, but each admin is different, as well as management's needs. I'd say if you had to rewire and repunch down everything for the patch panel as well as rewire all of the CAT 5, you'll have to allow yourself at least a couple of hours of downtime for rewiring, reorganizing, and testing.

What I suggest is to label everything. Labels save lives. After that, I'd suggest creating step-by-step instructions for yourself (i.e. [1] Unplug all RJ45 cables. [2] Pull all punched cables from the back of the patch panel. [3] Rewire RJ45 cable. [4] you get the picture). That way, there are no surprises and nothing you forgot. Just a suggestion.

-Nate

- Original Message -
From: Sam
To:
Sent: Wednesday, March 05, 2003 10:19 AM
Subject: PATCH PANEL stuff [7:64503]

Hey Guys,

In my wiring closet, I have about 3 racks and about 10 patch panels (the racks have capacity for at least 30 PPs). I need to move a patch panel out and to the rack next to the one it currently is on. What is the best way to do this? Do I have to follow this kind of procedure:

- remove all the cables connected to the back of this patch panel and then label the cables
- move the patch panel to the other rack
- looking at the labels, again punch down these cables to their appropriate locations.

Would this be the normal way of doing it? Or can I simply unscrew the patch panel from the rack and then somehow move it, with the cables still connected, to the other rack? This way, the cables won't be sorted as well as they would be normally, but it should be OK, I think..

My other question is how long does it take on average to punch down a single cable (4 pairs) onto the back of the patch panel? I've never done it, though I think after I buy the tools I would be able to figure it out. Please give me an approximation. For e.g., making a straight cable takes about 4-6 minutes.

Thx
Sam
RE: VPN client conflict [7:63951]
Dunno (if)/(how much) this helps - but I have heard similar complaints/issues WRT the Nortel Contivity client and the Cisco VPN Client as well ...

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Robert Edmonds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: VPN client conflict [7:63951]

I'm not sure what the actual cause or fix is, but I had the same problem. I ended up uninstalling the ATT client to get it to work.

supernet wrote in message news:[EMAIL PROTECTED]

I have the ATT VPN client on my laptop. It stopped working after I installed the Cisco VPN client. Is there any conflict between them? Is there a workaround?

Thanks.
Yoshi.
RE: L3 Switching Huh???? [7:63728]
That all looks pretty good ... On the MSFC/RSM - do a show interface: (edited for length)

Vlan8 is up, line protocol is up
  Hardware is Cat6k RP Virtual Ethernet, address is 00d0.d335.6614
Vlan9 is up, line protocol is up
  Hardware is Cat6k RP Virtual Ethernet, address is 00d0.d335.6614

So ... each 'router interface' has a MAC. The fact that it is the same is irrelevant, as they are on different network/logical segments. So the frame comes in with a destination MAC of 00d0.d335.6614, and when forwarded will leave with a source MAC of 00d0.d335.6614 (same) ...

Does that help?

Oh - and I think you meant to say "layer 3 switching" is a marketing term, not scientific or engineering in nature. ... you said "layer 3 routing" ...

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: DeVoe, Charles (PKI) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 7:45 AM
To: [EMAIL PROTECTED]
Subject: RE: L3 Switching Huh [7:63728]

OK, let me try this again. I am trying to figure out the difference between conventional layer 3 routing and layer 3 switching. A little background. I am currently working towards my CCNA (have been for about 3 years). At any rate, everything I read and look at says that switching/bridging is a layer 2 function, routing is a layer 3 function. Either I don't have a good grasp of the OSI model, switching, routing, VLANs, or all of the above.

The network:

  Host A 10.1.1.2 MAC 00.AA                              Host B 10.1.2.2 MAC 00.BB
        |                                                              |
   switch A ----[10.1.1.1 MAC 01.AA] Router [10.1.2.1 MAC 02.BB]---- switch B
   10.1.1.0/24                                                   10.1.2.0/24

This is an Ethernet network. Both segments are connected by a traditional router, say a 2500. In this instance the router interfaces are subnet A 10.1.1.1, and subnet B 10.1.2.1. For simplicity, assume the ARP cache is empty.

Host A wishes to ping Host B. The end user on Host A enters: ping 10.1.2.2

The IP packet places the source address 10.1.1.2 and the destination address 10.1.2.2 into the packet. The IP protocol examines the IP address and, based on the IP address, determines this is in another subnet. An ARP request goes out for 10.1.1.1 (default gateway) and the MAC address is found. The DLL then places the source MAC address 00.AA and the destination MAC 01.AA into the frame. The frame then goes out the wire to the destination MAC.

The router interface sees this frame as destined for itself. It de-encapsulates the frame, removing the MAC addresses. The router then examines the IP address; based on the routing table it knows the destination port. The router leaves the same IP source (10.1.1.2) and destination (10.1.2.2) in the packet. The frame is rebuilt with the new MAC addresses of source 02.BB and destination 00.BB. Host B grabs this packet and does its thing.

Now, if I replace the router with a 6509 switch, with routing, how does the process change? Said 6509 would be equipped with a 10/100 card so that the hosts are now directly connected. The router interface is now a virtual interface; there is no physical interface. Which is another question: how does the 6509 determine this virtual address?

Am I correct? Inter-VLAN communication cannot occur without a router. Switching is based on MAC address. Routing is based on IP address. I believe the term "layer 3 routing" is a marketing term, not scientific or engineering in nature.
RE: ISS Real Secure Vs Cisco IDS [7:63461]
A good, relevant quote from one of the SANS instructors (Eric Cole, IIRC): "Prevention is ideal, but detection is a must."

I.e. - stopping the attack altogether is the best possible outcome, but failing that you must be able to know that something -has- happened or -is- happening. Otherwise, you have nothing ... (quite literally)

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Jim Brown [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 11:27 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Come on now, the Slammer worm? If you are security conscious this shouldn't have had any effect on you. Microsoft released a patch last summer.

Security is a best-effort solution. It is about layers and maintenance. You cannot eliminate risk, you can only reduce risk.

An IDS's responsibility is to pick up attacks on the wire, not prevent them. I personally don't believe in allowing my IDS to respond to an attack.

-Original Message-
From: cebuano [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 8:22 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Albert,

Very good point. Which brings me to this question - how can one measure the security of a network? It almost always is an after-the-fact response, whichever vendor you choose. As you pointed out in your example regarding the Slammer virus, have you heard any vendor claiming immunity from this? Is detecting synonymous with preventing? I'm also interested in this topic due to the fact that the pricing structure from almost ALL the major players in the IDS/firewall market is astronomical.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Albert Lu
Sent: Friday, February 21, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Troy,

Must be some secure site. The reason I was interested is that I had a discussion with someone else before in regards to multi-vendor IDS solutions and how effective they might be. So if you mostly rely on manual action, and an attack came in after hours, how quickly can you respond to your alerts? Since for some attacks, a half-hour response time could cause your site to be down (e.g. Slammer virus). If that was the case, even if you had all the vendors' IDS, it will be useless.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

As with most things, you need to weigh up costs against your requirements. In our case, security is absolutely essential, so having multi-vendor security solutions (and indeed fully redundant) is costly, but we see it as justified.

With regards to action during attacks etc., we mostly rely on manual actions as we don't want to inadvertently block legitimate traffic (for example if an attack came from a spoofed IP). For automatic action, you can make use of Cisco Policy Manager, which has the ability to dynamically rewrite ACLs on PIXes, routers, and indeed Cats, according to data from IDS.

So for example, if you were really paranoid (like we are), you could have PIXes as the first firewall, with IDS on the inside/DMZ etc. (using IDSM or standalone IDS), tie these together with Policy Manager .. then, taking a further step into your network, a set of Nokia FW1 NG, along with further Nokia IDS solutions on the inside, and tied together using the enterprisef software!

Albert Lu wrote:

Hi,

I'm just curious about your multi-vendor solution. It must cost quite a lot in order to have 3 IDS running. What about redundancy? If you are using dual switch/router/fw/ids, you would have a total of 6 IDS.

Being able to detect attacks with multiple IDS is one thing. What action can it take once the IDS detects an attack? Logging it into the syslog server is not enough.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 7:53 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Sean,

I currently use Cisco IDSM (IDS module for the Cat6500), Nokia IDS, and Snort on the servers themselves. You can never be paranoid enough about these sorts of things. Each vendor has different exploits etc., so by implementing a multi-vendor path to your critical servers, you protect yourself from any single vendor-specific exploit!

Sean Kim wrote:

Hello all,

My company is thinking about installing an IDS (dedicated appliance type) for our network. As far as I know, RealSecure and the Cisco IDS are the two biggest names out there. So I checked out the documents and white papers provided by each company, but I couldn't really come up with what the differences are between them, and which one is better suited for our network. Can anyone voice
RE: Network Blackholes. [7:63620]
Blackholing is frequently used to block traffic to known 'bad' addresses, or to alleviate a (D)DoS attack victim's woes. Using ACLs is not the preferred way, however - just route traffic to Null0 (use no icmp unreachables too ...). Google can be your friend!

Thanks!
TJ

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 24, 2003 10:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Network Blackholes. [7:63620]

AFAIK blackholes in networking have to do with reachability, or more accurately lack thereof, not something you block via access-lists. I suppose you could create blackholes with access-lists though ;)

Dave

Manoj Ghorpade wrote:

Hi All,

Have a question for all the networking gurus. Can somebody explain to me the concept of network blackholes? Any idea how to block these on the router using access-lists?

Regards
Manoj Ghorpade.

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston Churchill
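The MAC rewrite that the L3 switching thread above walks through and the Null0 blackhole TJ recommends here are two outcomes of the same forwarding decision, so one added example covers both. This is not code from either post: it is a small Python model of a router (or an MSFC SVI) with a longest-prefix-match FIB, using the thread's hosts and subnets (10.1.1.2 pinging 10.1.2.2 via 10.1.1.1 / 10.1.2.1) and the shared SVI MAC 00d0.d335.6614 from TJ's show interface output. The six-byte host MACs and 192.0.2.0/24 as the blackholed prefix are assumptions. The IOS equivalents of the two blackhole settings modelled are `ip route 192.0.2.0 255.255.255.0 Null0` and, under `interface Null0`, `no ip unreachables`.

```python
"""Simulated routing hop: what a router changes in a forwarded frame, and what
a Null0 blackhole route does instead. Added example, not from either post.
Assumed: host MACs (00.AA / 00.BB padded out) and 192.0.2.0/24 as the 'bad' prefix."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


class Router:
    """Minimal router: longest-prefix-match FIB, ARP table, one MAC per interface."""

    def __init__(self, ip_unreachables=True):
        self.fib = []          # (network, egress interface name or "Null0")
        self.if_mac = {}       # interface name -> MAC it answers to
        self.arp = {}          # IP -> MAC
        # IOS default is to send ICMP unreachables; 'no ip unreachables' turns it off.
        self.ip_unreachables = ip_unreachables

    def add_connected(self, iface, network, mac):
        self.if_mac[iface] = mac
        self.fib.append((ip_network(network), iface))

    def add_static(self, network, egress):
        # 'ip route 192.0.2.0 255.255.255.0 Null0' == add_static("192.0.2.0/24", "Null0")
        self.fib.append((ip_network(network), egress))

    def lookup(self, dst_ip):
        dst = ip_address(dst_ip)
        matches = [entry for entry in self.fib if dst in entry[0]]
        return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

    def forward(self, frame):
        """Return ("forward", new_frame) or ("drop", reason, icmp_unreachable_sent)."""
        if frame.dst_mac not in self.if_mac.values():
            return ("drop", "not addressed to this router", False)  # router ignores it; a switch would forward it
        egress = self.lookup(frame.dst_ip)
        if egress is None:
            return ("drop", "no route", self.ip_unreachables)
        if egress == "Null0":
            # Blackhole: the packet is discarded, but IOS still answers with an ICMP
            # unreachable unless 'no ip unreachables' is configured on Null0.
            return ("drop", "Null0", self.ip_unreachables)
        next_hop_mac = self.arp.get(frame.dst_ip)  # connected route: next hop is the destination itself
        if next_hop_mac is None:
            return ("drop", "ARP unresolved", False)
        # Layer 3 header is left alone apart from the TTL; the layer 2 header is rewritten.
        return ("forward", replace(frame, src_mac=self.if_mac[egress], dst_mac=next_hop_mac, ttl=frame.ttl - 1))


SVI_MAC = "00d0.d335.6614"   # same MAC on Vlan8 and Vlan9, as in the show interface output
HOST_A_MAC, HOST_B_MAC = "0000.0000.00aa", "0000.0000.00bb"   # assumed padding of 00.AA / 00.BB


def build_thread_router(ip_unreachables=True):
    """The two-subnet topology from the thread, plus one blackholed prefix (assumed)."""
    r = Router(ip_unreachables)
    r.add_connected("Vlan8", "10.1.1.0/24", SVI_MAC)
    r.add_connected("Vlan9", "10.1.2.0/24", SVI_MAC)
    r.arp.update({"10.1.1.2": HOST_A_MAC, "10.1.2.2": HOST_B_MAC})
    r.add_static("192.0.2.0/24", "Null0")
    return r


if __name__ == "__main__":
    r = build_thread_router()
    ping = Frame(HOST_A_MAC, SVI_MAC, "10.1.1.2", "10.1.2.2")   # Host A -> its default gateway
    print(r.forward(ping))                                        # MACs rewritten, IPs unchanged
    bad = Frame(HOST_A_MAC, SVI_MAC, "10.1.1.2", "192.0.2.9")
    print(r.forward(bad))                                         # dropped, unreachable sent
    print(build_thread_router(ip_unreachables=False).forward(bad))  # dropped silently
```

The forwarded frame leaves with the SVI's own MAC as source and Host B's MAC as destination while both IP addresses are untouched, which is the whole of what the MSFC does that a plain switch does not. The blackhole entry shows why TJ adds the unreachables caveat: without it, every packet aimed at the blackholed prefix costs the router an ICMP reply, which is the wrong trade during a flood.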
RE: NT4.0 password crack tool [7:61807]
That's already been said (in fact - it was mentioned earlier in this thread and was included below); but that can take time to run ... the only reason I brought up LinNT (aside from just suggesting an alternative) is because it takes 10 minutes, counting the time for two server reboots :).

Thanks!
TJ

-Original Message-
From: William [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 5:32 PM
To: 'Evans, TJ (BearingPoint)'; [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

One word: L0phtCrack

Will Gragido
CISSP CCNP CIPTSS CCDA MCP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Evans, TJ (BearingPoint)
Sent: Monday, January 27, 2003 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why not use LinNT? ... boot off of a Linux floppy, reset the admin password and boot up with the new password. Since you are (presumably) not trying to be sneaky _and_ you have direct access to the machine, changing the PW should not be a problem, yes? Oh - and it is free, and works with WinNT4 - WinXP.

Thanks!
TJ

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why do a command line? Just rename User Manager to logon.scr and reboot (you'll need NTFSDOS Pro) and in 15 minutes you get User Manager with root perms.

"Imagination is more important than knowledge" - Albert Einstein

-Original Message-
From: Juntao [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]

You're talking about NT4 login passwords, the SAM database? L0phtCrack works; it takes a long time though. Sysinternals has tools to log in to the box and change things. You can also change cmd.exe to the default screen saver name; the command line will pop up after a while, after reboot, and change the password with the net user command. If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains. And there are of course a lot of other things that can be done, depending on your situation.

Hope the above helps.
Regards

Kazan, Naim wrote in message news: [EMAIL PROTECTED]

I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS
WORK: 201-915-7347
HOME: 973-492-1466
CELL: 917-559-0591
EMAIL: [EMAIL PROTECTED]
PAGER: 800-759-8352 Pin 1145361
RE: NT4.0 password crack tool [7:61807]
Why not use LinNT? ... boot off of a Linux floppy, reset the admin password and boot up with the new password. Since you are (presumably) not trying to be sneaky _and_ you have direct access to the machine, changing the PW should not be a problem, yes? Oh - and it is free, and works with WinNT4 - WinXP.

Thanks!
TJ

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why do a command line? Just rename User Manager to logon.scr and reboot (you'll need NTFSDOS Pro) and in 15 minutes you get User Manager with root perms.

"Imagination is more important than knowledge" - Albert Einstein

-Original Message-
From: Juntao [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]

You're talking about NT4 login passwords, the SAM database? L0phtCrack works; it takes a long time though. Sysinternals has tools to log in to the box and change things. You can also change cmd.exe to the default screen saver name; the command line will pop up after a while, after reboot, and change the password with the net user command. If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains. And there are of course a lot of other things that can be done, depending on your situation.

Hope the above helps.
Regards

Kazan, Naim wrote in message news: [EMAIL PROTECTED]

I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS
WORK: 201-915-7347
HOME: 973-492-1466
CELL: 917-559-0591
EMAIL: [EMAIL PROTECTED]
PAGER: 800-759-8352 Pin 1145361
Automated Script for backing up Cisco configs and Image [7:61193]
In the past I have just scripted telnet in a batch file that has my pw passed as a command line parameter and a device list / device type setting to account for differences between IOS and CatOS ... oh yeah, and to 'script' telnet I used pushkeys ...

Thanks!

-Original Message-
From: Kerry Ogedegbe [ MTN - Portharcourt ] [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Automated Script for backing up Cisco configs and Image [7:61188]

Hello People,

Can anyone help me with where I can get an automated script / shareware application that I could use in backing up my Cisco router / switch configs?

Cheers
___
Kerry

[GroupStudy.com removed an attachment of type image/jpeg which had a name of Clear Day Bkgrd.JPG]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61193t=61193
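An added example (not the poster's batch file and not Cisco code) of what a practitioner would want the backup script in this thread to do instead: keep the password out of the command line, where any local user can read it from the process list, pick the platform-specific command (IOS vs CatOS, the distinction TJ draws), store each backup owner-readable only, and report configuration drift by hashing a normalised copy of the config. The transport is injected so the logic runs offline; the inventory, canned configs and the fake transport are constructed for the demo, and a real run would plug in an SSH transport.

```python
"""Config-backup driver with drift detection (added example, see lead-in)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

# Command that dumps the running configuration, per platform (assumption:
# inventory lines are "hostname,platform" with platform ios or catos).
SHOW_CONFIG = {"ios": "show running-config", "catos": "show config"}

# Header lines that change on every pull but carry no configuration.
VOLATILE_PREFIXES = ("Building configuration", "Current configuration",
                     "! Last configuration change", "! NVRAM config last updated",
                     "# time:")

INVENTORY = "# host,platform\nrtr1,ios\nsw1,catos\n"       # constructed
CANNED = {                                                  # constructed
    "rtr1": "Building configuration...\n!\nhostname rtr1\n!\nenable secret 5 $1$abcd\n",
    "sw1": "begin\n# time: Thu Jan 16 2003\nset system name sw1\nset password $2$xyz\n",
}


def parse_inventory(text: str) -> Dict[str, str]:
    """'host,platform' per line; blank lines and '#' comments are ignored."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform = (p.strip() for p in line.split(",", 1))
        if platform not in SHOW_CONFIG:
            raise ValueError(f"{host}: unknown platform {platform!r}")
        devices[host] = platform
    return devices


def normalise(config: str) -> str:
    """Drop volatile header lines so the hash only moves on real changes."""
    keep = [l for l in config.splitlines()
            if not l.strip().startswith(VOLATILE_PREFIXES)]
    return "\n".join(keep).strip() + "\n"


def config_digest(config: str) -> str:
    return hashlib.sha256(normalise(config).encode()).hexdigest()


def backup_all(inventory: str, fetch: Callable[[str, str, str], str],
               outdir: Path) -> Dict[str, str]:
    """Pull every device's config; return {host: 'new'|'unchanged'|'changed'}.
    `fetch(host, command, password)` is the transport. The password comes
    from BACKUP_PASSWORD rather than argv so it never shows up in `ps`."""
    password = os.environ.get("BACKUP_PASSWORD")
    if not password:
        raise RuntimeError("set BACKUP_PASSWORD in the environment, not on argv")
    outdir.mkdir(parents=True, exist_ok=True)
    status = {}
    for host, platform in parse_inventory(inventory).items():
        config = fetch(host, SHOW_CONFIG[platform], password)
        target = outdir / f"{host}.cfg"
        old = config_digest(target.read_text()) if target.exists() else None
        new = config_digest(config)
        status[host] = "new" if old is None else ("unchanged" if old == new else "changed")
        # Backups hold enable secrets and SNMP strings: owner-only file mode.
        target.write_text(config)
        target.chmod(0o600)
    return status


def demo_run(outdir: Path = None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Two backup cycles against the fake transport; the second one changes
    rtr1's enable secret, so it must be reported as 'changed'."""
    os.environ.setdefault("BACKUP_PASSWORD", "demo-only")   # demo value only
    outdir = outdir or Path(tempfile.mkdtemp())
    canned = dict(CANNED)
    platforms = parse_inventory(INVENTORY)

    def fake_fetch(host: str, command: str, password: str) -> str:
        # A real transport would open an SSH session and run `command`.
        assert command == SHOW_CONFIG[platforms[host]]
        return canned[host]

    first = backup_all(INVENTORY, fake_fetch, outdir)
    canned["rtr1"] = canned["rtr1"].replace("$1$abcd", "$1$zzzz")
    second = backup_all(INVENTORY, fake_fetch, outdir)
    return first, second


if __name__ == "__main__":
    print(demo_run())
```

The drift report is the security-relevant part: an unexpected 'changed' on a device nobody touched is the first sign that someone else has the enable password.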
RE: Cisco VPN Question [7:61148]
IMHO - it is all a question of usability/functionality vs. security ...

Ideally (from a security perspective) you would not split tunnel, as the hosts are then, in effect, multi-homed. In fact, ideally, you wouldn't VPN at all; however, in the real world, there are issues with not using split tunnels:
- Bandwidth utilization - every VPN user would be sending all traffic to you ... may hit limits on the VPN Concentrator, may overload your circuits, would use more NAT/PAT resources, etc.
- Work requirements - users may require the ability to access local servers as well as servers via the VPN ... in fact, users may have multiple VPNs running at once (using a non-Cisco client).

You can also mitigate many of the security concerns with VPNs in general by following other current best practices ... POLP, layered defense, auditing/accountability, default-deny policies/access control, etc. etc.

Thanks!
TJ

-Original Message-
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

"Split tunneling has been enabled up until now." Does this mean you have recently DISabled split tunneling?? If not, does the newest client (3.6?) have a function for keeping traffic sourced from the internet from using the split-tunneling host as a mirror to breach the corporate network?? From what I understand, enabling the Split Tunnel feature is a BAD option; Cisco just created it for those clients that didn't want their remote users surfing the net via the corporate network. Can anybody clarify any of these points??

-Mark

-Original Message-
From: Kim Graham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 5:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

Basically it performs as stated. We have VPN users that come into our concentrator from all over North America and abroad. They have used a variety of cable, DSL and dial-up providers and for the most part do not have any issues. Split tunnelling has been enabled up until now. As for private networks (home networks), we have some home users utilizing Nexlands and Ugates and probably other Internet sharing boxes. Some cable companies have had compatibility issues with this, but I believe the most recent version of software on those boxes has corrected the problem. As a test while at NANOG I was able to log into my internal network from a wireless laptop. All in all it is a pretty solid client.

Kim / Zukee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61212t=61148
RE: PIX access-list problem [7:61043]
Nice... FYI - another painful thing like this can happen if you have an interface disabled on one but not the other, or even worse - different numbers of ports (i.e. one with 6 ports and one with 4 ... doh!)

Thanks!
TJ

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

Found the problem. I had the 2 PIXes configured for failover. The problem was that the failover cable was loose on one end, so they both flip-flopped, each taking control as master. Thanks for the help.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...

Sam,

Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.

HTH,
Kris.

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it's public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by email, delete and destroy this message and its attachments. **

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61110t=61043
RE: PIX access-list problem [7:61043]
Is your outside link up, and plugged into an enabled switch port that is on the correct VLAN/segment and set to the correct speed/duplex? Can other devices on the same switch communicate with anyone else?

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

This type of NAT is required for incoming connections. I can't get access going out, so I haven't even looked at that yet. Even worse is that from 83.23.44.60 (the outside interface of the PIX) I can't ping 83.23.44.50, which is outside of the PIX. If you look at my access-list, this should not be a problem. I am stumped on this.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...

Sam,

Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.

HTH,
Kris.

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it's public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61065t=61043
RE: PIX Question [7:60941]
It is just a static NAT of the internal address to an external address; in this case they happen to be the same address ... sometimes used in conjunction with conduits/ACLs to permit certain monitoring/syslog/tftp/etc. traffic to external devices (edge routers, for example) without exposing the internal hosts globally.

However, this seems to not be your case, as you are using external IPs. In this case, it may be an example of a network that was not behind a firewall originally, but has now been moved behind one ... and they didn't want to bother re-addressing :).

Just my $.01

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 6:13 AM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:60941]

Hi

Can anyone please tell me what the point of the following command is:

static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0

Same IP address on the inside and the outside. I have seen this used on production networks, but can not figure out why; can anyone please explain?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60951t=60941
RE: PIX Question [7:60941]
If there is no route for that block, including summarizations thereof (and no interface in that subnet), then it shouldn't go anywhere / be reachable. So the next question - does it work?
* Can that machine get out, and if so ... try www.whatismyip.com ... and what is its IP?
Also - is there another router somewhere that will route it, or another router/FW that will re/de-NAT it to a routed IP?

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Question [7:60941]

The thing is, the router external to the PIX does not have a route for the 157.157.0.0 network. Considering that, will this ever work??? Although the address is a public IP address, this company uses it as an internal address, and it should not be visible on the Internet. Also, the server with the IP address is on the inside network, not the DMZ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60961t=60941
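An added example serving both PIX threads above (the "wide open" access-list problem and the identity static question); it is not Cisco code and not from any of the postings. It parses the PIX 6.x statements the posters used (nameif, access-list, access-group, nat, static) and reports three things those threads turn on: an inbound access-group whose list contains `permit ip any any` (every host behind a higher-security interface is reachable) together with any later entry that line shadows, a `nat (ifc) 0 0.0.0.0 0.0.0.0` exemption of a whole interface, and an identity static (global and local address identical) with TJ's caveat that the address is only reachable if the outside router actually routes it to the PIX. SAMPLE is assembled from Sam's config and Arni's static; the finding text is the example's own.

```python
"""PIX 6.x config lint (added example, see lead-in)."""
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 157.157.146.13 157.157.146.13 netmask 255.255.255.255 0 0
access-group test in interface outside
access-group test in interface dmz
"""


@dataclass
class PixConfig:
    interfaces: Dict[str, int] = field(default_factory=dict)        # name -> security level
    acls: Dict[str, List[List[str]]] = field(default_factory=dict)  # name -> entries (tokens)
    groups: Dict[str, str] = field(default_factory=dict)            # interface -> ACL bound inbound
    nats: List[List[str]] = field(default_factory=list)
    statics: List[List[str]] = field(default_factory=list)


def parse_pix(text: str) -> PixConfig:
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nameif" and len(tok) == 4:          # nameif ethernet0 outside security0
            cfg.interfaces[tok[2]] = int(tok[3][len("security"):])
        elif tok[0] == "access-list" and len(tok) >= 4:   # access-list NAME permit PROTO SRC DST
            cfg.acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group" and len(tok) == 5 and tok[2] == "in":
            cfg.groups[tok[4]] = tok[1]                   # access-group NAME in interface IFC
        elif tok[0] == "nat":
            cfg.nats.append(tok[1:])
        elif tok[0] == "static":
            cfg.statics.append(tok[1:])
    return cfg


def lint(cfg: PixConfig) -> List[str]:
    findings = []
    for ifc, acl in cfg.groups.items():
        entries = cfg.acls.get(acl, [])
        level = cfg.interfaces.get(ifc, "?")
        for i, e in enumerate(entries):
            if e[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"{ifc} (security{level}): ACL {acl} permits ip any any inbound; "
                                f"hosts behind every higher-security interface are reachable")
                for later in entries[i + 1:]:
                    findings.append(f"{ifc}: ACL {acl} entry '{' '.join(later)}' is shadowed by permit ip any any")
                break
    for n in cfg.nats:                                    # nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
        if len(n) >= 4 and n[1] == "0" and n[2] == n[3] == "0.0.0.0":
            findings.append(f"{n[0].strip('()')}: nat 0 exempts the whole interface from translation")
    for s in cfg.statics:                                 # static (inside,outside) GLOBAL LOCAL ...
        if len(s) >= 3 and s[1] == s[2]:
            src, dst = s[0].strip("()").split(",")
            findings.append(f"identity static {s[1]} {src}->{dst}: same address both sides; "
                            f"reachable from {dst} only if an ACL/conduit permits it and the "
                            f"{dst} router routes {s[1]} to the PIX")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_pix(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```

Run against SAMPLE it reports the wide-open `test` list on both outside and dmz (with the icmp entry shadowed), the dmz-wide NAT exemption, and the identity static. The shadow check is worth keeping in any ACL review: a `permit ip any any` at the top of a list means everything written after it is documentation, not policy.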
RE: Load balancing NAT [7:60663]
I wonder - is this a situation where the specific code level, or the family of products in question, etc., is causing a discrepancy? I know the PIX (currently), for example, works as TLaWR states below ... However, perhaps in IOS when you specify ip nat pool overload (start) (finish) netmask (mask) it treats it differently since you are explicitly saying to 'overload'? ... just curious ...

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing NAT [7:60663]

Doug S wrote in message news:[EMAIL PROTECTED]...

The way PAT works when overloading multiple addresses is to overload the first address in the pool until ALL port numbers are used up. I can't point you to any publicly available documentation on this, but cut and pasted from Network Academy curriculum: "However, on a Cisco IOS router, NAT will overload the first address in the pool until it's maxed out, and then move on to the second address, and so on."

I don't think so. I think whoever put this into Cisco training materials ought to be named and publicly humiliated. I know from cold hard experience that if you have a pool with several addresses and overload configured, each address in the pool is translated one to one, and then the last number is shared among all comers after that. Isn't there any real technical review of the training materials?

I've seen people wanting to get around this behavior for a variety of reasons and I haven't seen anyone post a good reply. I've come up with a workaround that I believe should work for you, although you'll have to take a good look at your inside local addresses and figure out how to best define those into two equal groups. Each group could then be separately translated to a different address.

For instance, if you are now translating 8000 inside addresses all in the range of 10.0.32.0/19 to one overloaded pool, you could configure it to translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate overloaded pool, something like:

access-list 1 permit 10.0.32.0 0.0.15.255
access-list 2 permit 10.0.48.0 0.0.15.255
ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload

Forgive me if I've screwed up the syntax somewhere, but the idea is there. As I said, you'll have to put some thought into what best works in your addressing scheme to best separate translated addresses into two roughly equal groups. You might even find it helpful to partition them into more than two groups.

Hope it helps.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60825t=60663
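An added example for the allocation argument above; it is not Cisco code and it does not settle which behaviour IOS actually has. Both descriptions in the thread are modelled exactly as stated (the curriculum's "fill the first address, then move on" and TLaWR's "one-to-one, then everybody shares the last"), so their effect can be compared on constructed traffic, and Doug's workaround (one ACL and one overloaded pool per half of the inside range) is applied to show how it pins each half to its own global address. The hosts, pool addresses and the tiny per-address port budget are assumptions for the demo.

```python
"""Model of PAT pool allocation under the two behaviours the thread describes."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

PORTS_PER_ADDRESS = 4       # assumption for the demo; a real router has ~64k

HOSTS = ["10.0.32.1", "10.0.32.2", "10.0.32.3", "10.0.48.1", "10.0.48.2"]  # constructed
POOL = ["209.211.100.1", "209.211.100.2"]                                   # constructed
GROUPS = {"10.0.32.0/20": ["209.211.100.1"],    # Doug's access-list 1 -> LOWER pool
          "10.0.48.0/20": ["209.211.100.6"]}    # Doug's access-list 2 -> HIGHER pool


class PatPool:
    def __init__(self, globals_: List[str], policy: str):
        assert policy in ("fill_first", "one_to_one_then_share_last")
        self.globals, self.policy = list(globals_), policy
        self.used: Counter = Counter()          # global address -> translations held
        self.one_to_one: Dict[str, str] = {}    # inside -> dedicated global (policy 2)

    def _assign(self, g: str) -> Tuple[str, int]:
        if self.used[g] >= PORTS_PER_ADDRESS:
            raise RuntimeError(f"{g}: no free ports")
        port = 1024 + self.used[g]
        self.used[g] += 1
        return g, port

    def translate(self, inside: str) -> Tuple[str, int]:
        """Allocate one translation (one new TCP/UDP session) for `inside`."""
        if self.policy == "fill_first":
            # Curriculum wording quoted by Doug: use the first address until
            # its ports are gone, then move on to the next one.
            for g in self.globals:
                if self.used[g] < PORTS_PER_ADDRESS:
                    return self._assign(g)
            raise RuntimeError("pool exhausted")
        # TLaWR's description: each address but the last goes one-to-one to
        # the first inside hosts seen; after that everybody shares the last.
        if inside in self.one_to_one:
            return self._assign(self.one_to_one[inside])
        free = [g for g in self.globals[:-1] if g not in self.one_to_one.values()]
        if free:
            self.one_to_one[inside] = free[0]
            return self._assign(free[0])
        return self._assign(self.globals[-1])


def simulate(policy: str, hosts: List[str] = HOSTS, pool: List[str] = POOL) -> Dict[str, int]:
    """One new session per host through a single overloaded pool; returns
    how many translations each global address ends up carrying."""
    p = PatPool(pool, policy)
    for h in hosts:
        p.translate(h)
    return dict(p.used)


def split_pools(hosts: List[str] = HOSTS, groups: Dict[str, List[str]] = GROUPS
                ) -> Dict[str, Dict[str, int]]:
    """Doug's workaround: the inside range is cut into prefixes (the ACLs),
    each translated by its own overloaded pool."""
    pools = {ipaddress.ip_network(net): PatPool(g, "fill_first") for net, g in groups.items()}
    for h in hosts:
        ip = ipaddress.ip_address(h)
        pool = next(p for net, p in pools.items() if ip in net)
        pool.translate(h)
    return {str(net): dict(p.used) for net, p in pools.items()}


if __name__ == "__main__":
    print("fill_first:", simulate("fill_first"))
    print("one_to_one_then_share_last:", simulate("one_to_one_then_share_last"))
    print("split pools:", split_pools())
```

Under either policy a single pool concentrates most sessions on one global address (the first or the last), which is what the original poster was seeing; the split forces the distribution by policy rather than by the router's allocator, at the cost of a fixed partition of the inside space.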
RE: Load balancing NAT [7:60663]
And more importantly, from a semantics perspective - is a horrible kludge a bad thing or a good thing? Or a case of two wrongs not making a right ... double negatives are fun.

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Doug S [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing NAT [7:60663]

I liked the comment and definitely agree that some of the authors of Cisco training material should be named and publicly humiliated, although the sheer volume of mistakes could make this a somewhat overwhelming task for the public doing the humiliating. Still, I want to add my opinion that Cisco documentation and training material is of a lot higher quality than a lot of what's out there, not to name names like MS Press or anything.

The reason I blindly accepted and posted that particular quote is because it DOES match my personal experience, which, I admit, is considerably less than the other posters' in this thread. The only experience I have is in a lab on 2500's and 2600's running something around IOS 12.1(T). I also want to point out that this behavior of only overloading the first address in the pool sounds like exactly what the original poster is experiencing. The fact that Emilia's and my experience contradicts Peter's and TLaWR's makes me think that there are differences in how this works on different platforms, as TJ suggests.

I'd also like to hear people's opinions on why my solution is a horrible kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60855t=60663
RE: VPN Concentrator #3030 [7:58982]
Minor comment - protocol 50 and 51, not port ... Also - worth noting, using TCP for remote client VPNs is useful as well ... like 443, since it will be permitted out from just about everywhere!

Thanks!
TJ
[EMAIL PROTECTED]

-Original Message-
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Concentrator #3030 [7:58982]

I have just finished a project like this. You can only do one or the other; you can't do redundant and load balancing all at once on the 3030.

If you want to be redundant, where if one concentrator fails the secondary comes online and accepts requests for it, then you need to look into VRRP, so easy to do on the concentrator.

If you want to do load balancing then you will need to go to the configuration, system, load balancing page on the concentrator and set those options; real easy also, but Cisco has tons of docs on CCO explaining it if you are not familiar. Now in load balancing mode it is sort of redundant, because what happens, based on CPU usage of your concentrators, is that you have a master and slave; the master will send a redirect to the client and tell the client which concentrator to connect to, and if one fails then the other accepts all the connections. So what you have is, if 100 connections are on the master and the slave only has 50 connections, more than likely the next connection to come in will go to the slave. There is a myth that it round robins the connections; that is NOT true.

There are also a few gotchas with this and ARP and such, like if you are going to be giving out different IP addresses for your dial-in users than what subnet the concentrator is on, then you will have to route traffic from your internal network to the interface of the concentrator because it does not answer ARPs for those clients (hope I did not confuse you with that last statement).

If you are going to put the concentrator behind a firewall, make sure you pass all appropriate VPN traffic without filtering, such as port 50, port 51, port 500 to the concentrator.

That should get you started in the right direction. If you have any more DIRECT questions please let us know and we will try to help you out; if I missed anything I am sure someone else on the group will pick it up.

-Original Message-
From: neil K. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: VPN Concentrator #3030 [7:58982]

Hi All,

Few questions regarding the VPN Concentrator:
1. What do I do for redundancy (VPN Redundant Bundle)?
2. Load balancing?
3. Where to put the Concentrator (prefer putting the VPN Concentrator behind the firewall). What are the issues I will have to consider if I put the concentrator behind the firewall?

Thanks,
Sunil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59022t=58982
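An added example built around TJ's correction above; it is not Cisco code and not from the posting. ESP and AH are IP protocols 50 and 51, not ports, while IKE is UDP port 500, so a rule written as `permit udp ... eq 50` passes nothing IPsec needs. The checker parses PIX-style lines of the form `access-list NAME permit PROTO any host DST [eq PORT]`, reports each requirement as ok or missing, and calls out rules that used a protocol number as a port. UDP 4500 (IPsec NAT-T) is included as a further well-known requirement when either end sits behind NAT; it is not mentioned in the thread. The two rule sets and the concentrator address 192.0.2.10 are constructed.

```python
"""Does the outside ACL let IPsec reach the concentrator? (added example)"""
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
PORT_NAMES = {"isakmp": 500, "https": 443}

REQUIRED = [  # (kind, number, label)
    ("proto", 50, "ESP (IP protocol 50)"),
    ("proto", 51, "AH (IP protocol 51)"),
    ("udp", 500, "IKE (UDP 500)"),
    ("udp", 4500, "IPsec NAT-T (UDP 4500)"),   # beyond the thread; needed behind NAT
]

RULES_WRONG = [  # protocol numbers written as UDP ports: the classic mistake
    "access-list outside_in permit udp any host 192.0.2.10 eq 50",
    "access-list outside_in permit udp any host 192.0.2.10 eq 51",
    "access-list outside_in permit udp any host 192.0.2.10 eq 500",
]
RULES_RIGHT = [
    "access-list outside_in permit esp any host 192.0.2.10",
    "access-list outside_in permit 51 any host 192.0.2.10",
    "access-list outside_in permit udp any host 192.0.2.10 eq isakmp",
    "access-list outside_in permit udp any host 192.0.2.10 eq 4500",
    "access-list outside_in permit tcp any host 192.0.2.10 eq https",  # TJ's TCP/443 client option
]

Rule = Tuple[str, int, str, Optional[int]]   # (action, ip protocol, dst host, dst port)


def parse_rule(line: str) -> Optional[Rule]:
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    proto = int(t[3]) if t[3].isdigit() else PROTO_NAMES.get(t[3])
    if proto is None or t[4] != "any" or t[5] != "host":
        return None
    port = None
    if len(t) >= 9 and t[7] == "eq":
        port = int(t[8]) if t[8].isdigit() else PORT_NAMES.get(t[8])
    return t[2], proto, t[6], port


def check_vpn_passthrough(rules: List[str], concentrator: str
                          ) -> Tuple[Dict[str, str], List[str]]:
    """Return ({requirement label: 'ok'|'missing'}, [warnings])."""
    parsed = [(l, parse_rule(l)) for l in rules]
    permits = [r for _, r in parsed if r and r[0] == "permit" and r[2] == concentrator]
    status = {}
    for kind, num, label in REQUIRED:
        ok = any(
            proto == 0                                        # permit ip any host C
            or (kind == "proto" and proto == num and port is None)
            or (kind == "udp" and proto == 17 and port == num)
            for _, proto, _, port in permits)
        status[label] = "ok" if ok else "missing"
    warnings = [f"'{l}': {r[3]} is an IP protocol number, not a UDP/TCP port"
                for l, r in parsed
                if r and r[1] in (6, 17) and r[3] in (50, 51)]
    return status, warnings


if __name__ == "__main__":
    for rules in (RULES_WRONG, RULES_RIGHT):
        print(check_vpn_passthrough(rules, "192.0.2.10"))
```

RULES_WRONG comes back with ESP and AH missing and two warnings even though IKE is fine, which is exactly the symptom of this mistake in the field: phase 1 negotiates, then no data flows.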
RE: OT finding station trying to become MasterBrowser [7:58701]
Along with MAC tracing, using CDP to ID next-hop switches, etc., you can also try to use something like psloggedon (or psshutdown if you have something of a mean streak) from sysinternals.com.

OR - if your domain is logging successful logins, maybe you could look through them to see who is logging in from that machine ... get the user's name, send them a friendly request to modify their system accordingly.

Or, if their policies permit, you could always sniff traffic from their IP looking for login names. May require some SPANning or 'traffic engineering' to get their packets to you ...

(sorry the first couple weren't more 'network oriented' answers :))

Please let us know what you find / how you find it ...

Thanks!
TJ

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 1:23 PM
To: [EMAIL PROTECTED]
Subject: OT finding station trying to become MasterBrowser [7:58701]

I don't think there's any answer to this, but I thought I would check. How can I find the physical location of a system if I know the following: NetBIOS name, IP address, MAC address, and the domain it is attached to?

I have a system that is trying to become the Master Browser and I've discovered all of the above information. The problem is, it's a large flat network, so the IP address comes from a huge pool and doesn't help identify a network segment. The NetBIOS name isn't helpful and the vendor code in the MAC address is shared by almost all the systems.

Any utilities that you know of that could help find this station? It's a city-wide school system and driving around from school to school isn't practical, although it is a rather small city... :-)

Any info would be great. Thanks.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58717t=58701
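An added example of the MAC tracing TJ mentions first; it is not from the posting and not a Cisco tool. The walk starts at a core switch: find the port that learned the MAC in the CAM table, ask CDP who is on that port; if it is another switch, repeat there, otherwise that port is the station's access port, which is the physical location Priscilla is after. The `show mac-address-table` and `show cdp neighbors` text below is constructed IOS-style output for a two-switch path; a real run would collect it per switch (SSH, or SNMP against BRIDGE-MIB and CISCO-CDP-MIB), and the MAC and switch names are invented.

```python
"""Trace a MAC to its edge switch port from CAM tables and CDP (added example)."""
import re
from typing import Dict, List, Optional, Tuple

MAC = "0000.0c12.3456"   # constructed

OUTPUTS = {   # constructed IOS-style command output, keyed by switch name
    "core1": {
        "mac": """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c12.3456    DYNAMIC     Gi0/24
""",
        "cdp": """Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw-school7       Gig 0/24          158         S I        WS-C2950  Gig 0/1
sw-school3       Gig 0/23          141         S I        WS-C2950  Gig 0/1
""",
    },
    "sw-school7": {
        "mac": """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c12.3456    DYNAMIC     Fa0/12
""",
        "cdp": """Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core1.example.org Gig 0/1          172         S I        WS-C3550  Gig 0/24
""",
    },
}


def norm_ifc(name: str) -> str:
    """'Gig 0/24', 'GigabitEthernet0/24' and 'Gi0/24' all become 'Gi0/24'
    so CAM-table and CDP interface names can be compared."""
    name = name.replace(" ", "")
    m = re.match(r"^([A-Za-z]{2})[A-Za-z-]*(\d.*)$", name)
    return m.group(1).capitalize() + m.group(2) if m else name


def cam_port(show_mac: str, mac: str) -> Optional[str]:
    """Port on which `mac` was learned, from `show mac-address-table` output."""
    for line in show_mac.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[1].lower() == mac.lower():
            return norm_ifc(tok[-1])
    return None


def cdp_neighbors(show_cdp: str) -> Dict[str, Tuple[str, str]]:
    """local port -> (neighbor device, neighbor port) from `show cdp neighbors`."""
    table, seen_header = {}, False
    for line in show_cdp.splitlines():
        if line.startswith("Device ID"):
            seen_header = True
            continue
        tok = line.split()
        if not seen_header or len(tok) < 5:
            continue
        # Interface names may be split ("Gig 0/24") or joined ("Gi0/24").
        local = tok[1] + tok[2] if not re.search(r"\d", tok[1]) else tok[1]
        remote = tok[-2] + tok[-1] if tok[-1][0].isdigit() else tok[-1]
        device = tok[0].split(".")[0]          # strip a DNS domain suffix
        table[norm_ifc(local)] = (device, norm_ifc(remote))
    return table


def trace_mac(mac: str, start: str, outputs: Dict[str, Dict[str, str]]
              ) -> Tuple[List[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Return (hops visited as (switch, port), edge (switch, port) or None).
    None means the MAC was not learned on a visited switch or the walk looped."""
    hops, visited, switch = [], set(), start
    while switch in outputs and switch not in visited:
        visited.add(switch)
        port = cam_port(outputs[switch]["mac"], mac)
        if port is None:
            return hops, None
        hops.append((switch, port))
        neighbor = cdp_neighbors(outputs[switch]["cdp"]).get(port)
        if neighbor is None:
            return hops, (switch, port)     # no switch behind it: access port
        switch = neighbor[0]
    return hops, None


if __name__ == "__main__":
    print(trace_mac(MAC, "core1", OUTPUTS))
```

The visited set matters on a flat network with redundant uplinks: if CDP and the CAM table disagree (a neighbour learned the MAC back through the port you came from), the walk stops instead of bouncing between two switches forever. An edge port with a CDP neighbour that is a phone or a non-CDP hub still needs a look at the patch panel, but it narrows the search from a city to one closet.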