On Tue, Nov 27, 2001 at 12:18:06PM -0800, Dee Harrod wrote:
How does spoofing work?
If I change the source address of my outbound packet,
how do I get the response? How does it get back to me?
If the spoofed source address is one you can't monitor, then it doesn't
get back to you. There
I'm running Snort 8 and have been seeing a lot of this type of attack
signatures. It looks like a false positive, but I'm not sure.
[**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**]
[Classification: Misc activity] [Priority: 3]
11/28-08:02:09.593643 216.25.228.229:2200-
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-Original Message-
From: Dee Harrod [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 12:18 PM
To: SecurityBasics
Subject: Spoofing question?
How does spoofing work?
If I change the source address of my outbound
I have been working on my SANS.org GIAC GSEC certification. They have one
of the best resources to explain IP spoofing and associated threats. Here
is a link to some of their public content.
http://www.sans.org/cgi-bin/htdig/htsearch?method=and&config=htdig&words=ip+spoofing
Hope that it helps.
Preventing incoming connections will do a lot to improve your security,
but by no means is it a total security solution. An attacker could use
a web scripting vulnerability or email trojan to fool your internal
machine into establishing a connection with him. There are other ways
through, but
yes, it can be loaded as a service, but you need to wrap it
with SRVANY, part of the NT resource kit,
or
Service Agent
http://playstation2.idv.tw/serviceagent/
this will do it, but it can also be done by hand, which I am not quite clear on how,
but it does require recompiling of the application to allow for
Well, all you said was correct, but maybe I explained badly. I was talking
about remote detection. Normally, tools such as antisniff use specially crafted
ethernet frames to detect promiscuous NICs. The problem appears when you
are not on the same segment as your target or even you aren't on the
You probably want to read the Microsoft documentation on how to lockdown
the server extensions
(http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/sharepnt/maintain/security/stssecur.asp).
This link is actually for SharePoint Team Services but almost everything
also
Check out Ian Vitek's talk on IP spoofing and source routing for DefCon 8.
http://www.defcon.org/defcon-media-archives-defcon.html
But source routing is your simple answer... Assuming the target accepts
source routed packets (my systems don't ;).
Otherwise, you don't see what you get back,
Just because the ports are open it does not mean you have the trojans.
One of my boxes that is acting as a bastion host is reporting that it
runs two versions of finger and a gopher server among other things.
Do the simple 'telnet localhost port number' test and look at what's
there.
Hi all.
I would like to setup a VPN between my ISA Server (head office) and my
Netscreen 5XP (remote office).
I haven't had much experience in this area - and have scoured the web for
information helping me achieve this but have got nowhere. Has anyone out
there done what I am trying the
hello,
I have asked this in other bulletin boards but got no real response. Does
anyone know of any good online documentation for DDNS/DHCP integration? I
have set up a DDNS-DHCP server on linux, and it's working fine, but in order
to do that I had to search the net extensively to find enough
hi
you don't get a response. The real response goes to the spoofed address.
This type of spoofing is referred to as a flying blind attack or one-way
attack.
http://www.fc.net/phrack/files/p48/p48-14.html check out this article in
phrack, this is a good explanation as to how this type of attack
of course it is...
we call it SSL Tunnelling.
But the client must have support. Most of the clients these days do have built-in
support for SSL.
Get openssl from www.openssl.com
if you are using linux, you may try sslwrap for actual tunnelling
- Original Message -
From: Amoediun Trepcoze
well you can block it off with an IPchains or IPtables rule
e.g.
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345 -j DENY
something like that depending on whether you have ipchains or iptables
-Original Message-
From: R. Toma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November
These three trojans are the most famous of the trojans that I know of. My
suggestion would be to set up a firewall on your home LAN; if you are running
linux I would be using ipchains for this.
One you may want to look into would be floppyFW for ease of use and speed in
setting it up.
here is
How to find/close processes/programs:
netstat -lpe. Go to the far right of each of these listings, and kill
the listed PID. Take note of the program name also, and go rid your
machine of the offending 'warez'.
On Wed, 2001-11-28 at 16:16, R. Toma wrote:
I scanned my homeserver for open ports
do this:
# lsof |grep -i TCP
so you find what program uses what port.
If you have debian and don't have lsof do this: # apt-get install lsof
luck :)
Ivan Hernandez
-Original Message-
From: R. Toma [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 6:16 PM
To: [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Snipped down to last paragraph
So it seems to me that if you use NAT/PAT, you don't
need a real firewall unless you're actually permitting
some kind of traffic to connect to something from the
outside.
Is that right?
- -- Dee
Hi Dee,
A lot of
How does spoofing work?
If I change the source address of my outbound packet,
how do I get the response? How does it get back to me?
-- Dee
Simply put it doesn't get back to you.
Spoofing usually is used with ICMP instead of TCP. ICMP doesn't require any
acknowledgement to perform
Hey,
I've not ever heard that there are *nix versions of netbus or something like
it in existence.
Just use lsof -i | egrep '12345|20034|31337' on your linux box to see
what program is using these ports.
--
I want a better life
Yiming Gong
Senior System Administrator
China Telcom
[EMAIL PROTECTED]
At Wednesday, 28 November 2001, R. Toma [EMAIL PROTECTED] wrote:
I scanned my homeserver for open ports and I found that I have the
ports:
12345 NetBus
20034 NetBus Pro
31337 Back Orifice
open. Now, are these the famous trojans? I have linux, aren't they
programmed for a MS platform? How can
Most trojans can be programmed to use any port number the attacker wants.
What you need to do is figure out which programs on your pc are running on
these open ports. In NT you can use a program called fport from the command
prompt to map ports to services/apps.
Hey, Linux people, what can you use
I have been tasked with finding a way to supply secure PDAs to a Marketing Team. These
devices will contain extremely sensitive information and I have recommended that the
current state of the PDA art means that these devices cannot be properly secured but
have been overruled!
Am I right?
In-Reply-To: [EMAIL PROTECTED]
I'd suggest that you run netstat locally on the
box to first verify the results of this external
scan, and then if the ports are still open, run
the 'lsof' command to see what process is using
those ports.
I scanned my homeserver for open ports and I
found
Len,
I would add only one thing
Attacking any box that does not belong to you (random or otherwise)
without the express permission of the owner is not an acceptable practice.
Charlie
leon wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Here are my thoughts:
First off you
I am trying to give access to an internal server to an outside agency and
am having problems getting an inside server redirected from the outside.
Does anyone have any ideas? I have already tried the checkpoint database.
Thanks.
Patrick,
They bought the Operations Manager code base not App Manager, NetIQ still
owns that product.
cheers,
rob
- Original Message -
From: Patrick S. Harper [EMAIL PROTECTED]
To: 'Robert Nottoli' [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, November 28,
On Tue, 27 Nov 2001, Dee Harrod wrote:
How does spoofing work?
First, you need to understand how the two IP transport layer protocols,
TCP and UDP, operate. I'll defer to Stevens' excellent book TCP/IP
Illustrated, Vol. 1. Everyone involved in TCP/IP networking and
programming should own
I would recommend UNIX System Administration Handbook (aka the purple
book) as a pretty invaluable resource.
-Ryan
On Wed, 28 Nov 2001, tony toni wrote:
Folks,
I recently was assigned the project of developing security standards for our
Unix environment. We have about 400 unix boxes
Try putting the command line to start it (something like c:\program
files\zonealarm directory\zonealarm program.exe) in your registry:
click on run - type regedit - click OK - browse to
HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Windows-CurrentVersion-Run
and make a new entry there. (This is where
Thanks for your help, and I fully realise that in the man page there is an
entry about running Snort in Daemon mode. The point is that I didn't KNOW
that 'Daemon' mode was the same as 'running in the background' - as far as I
knew daemons were programs that monitored ports.
So, sorry about that.
Hi all,
This is probably a really stupid question but it has me stumped.
I am using Windows 2000 SP2 and a licensed version of LC3. Whenever I try
to use the network sniffer function it displays two choices as the network
adapter. Both are shown as UNKNOWN. The first one points to
that depends on how sensitive the environment you are working in is; the
person who compromised a host (has root) can of course look at the outgoing
mail spool and intercept mail. It will take someone some time to break into
yahoo, and you can encrypt it, if you feel like it - that depends on the
I have same version running on 40 assorted W2k desktops / laptops with no
detectable problems.
-Original Message-
From: Spigelman, David [mailto:[EMAIL PROTECTED]]
Sent: 28 November 2001 17:57
To: 'Philip Freed'; [EMAIL PROTECTED]
Cc: Richard Cotterell
Subject: RE: WIN2K Ports 32000
1. I wouldn't trust yahoo mail for security, but that's up to you
2. I guess it depends on his positioning between yourself and yahoo, if he can sniff
traffic traversing the network you
are on or not
3. Doesn't matter if you never get it. otherwise, exactly what would you encrypt, the
fact that
R. Toma wrote:
I scanned my homeserver for open ports and I found that I have the ports:
12345 NetBus
20034 NetBus Pro
31337 Back Orifice
open. Now, are these the famous trojans? I have linux, aren't they
programmed for a MS platform? How can I close these ports
PLEASE!!!
I've used Tiny Personal Firewall for some time. But one of our sys admins
has told me that it's not too stable on Win2K systems (our new standard),
and he's looking for an alternative.
Has anyone else experienced problems running TPF under W2K?
One of the best firewalls I've never tested on
Tidbit #1: After disclosing so much information about your client, you
might check with them to see if they are still indeed your client. When
posting to newlists, don't offer up so much information that will allow
others to make a concerted effort to hack your systems, or the systems of
Couple of thoughts off the top of my head:
1) The router itself may have vulnerabilities - see
the relatively recent incidents with the Alcatel
routers, and the 3Com DSL routers, an older one with
Zyxel Prestige routers, the @Home cable modem
enumerations
2) What about if you get hit with a
http://mail.lokmail.com/
Kongar
With Anonymizer.com I can't access my yahoo mail. I have to use a FREE
service because I can't pay (I live in a country where BANKS are still
prehistoric ...MasterCards are a dream ..to pay money on the internet is a
hallucination ...!)
I am