
Thread: once more ...Windows experts... help

  1. #1

    once more ...Windows experts... help

    Is there any way to test which incoming ports are blocked at the gateway from the inside of the network? If the inside is configured w/ non-routable IPs you cannot effectively scan connectivity to a particular host on the inside because the firewall can have certain services running for some clients and not for other clients. I'm familiar w/ some techniques of scanning through firewalls but I don't think these would be successful in case of my network. I'm more worried about the unauthorized users on the inside... hence the question at the beginning. Some of you may remember my earlier post... Basically I have a problem user who is surfing the net on company time. I've seen his print queues and he's printed netcat tutorials and such. He isn't completely in the dark... if you know what I mean. So far I haven't done anything to stop this activity because I'm not familiar w/ NT & win2k network environment. So I'll ask again. How can I block his browsing? In Linux I'll just make a rule-set in chains to block 80, but what can I do in Windows natively? We don't have the money to buy a firewall so that's out of the question. I know he WILL tunnel the traffic through his home computer if I will block port 80 through some other socket. If I can capture this traffic I can prove that he's doing it deliberately. But for me, the biggest problem is that I don't know how Windows does this natively. Is it by blocking raw socket at the kernel level (like *nix) or is it by using NetBIOS in some way? Please help or point me to a good tutorial.

    Thanx for your time.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If you don't have a firewall, then why not just install a keylogger on his machine? That will give you all the proof you need without scanning a single port.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Member
    Join Date
    Mar 2003
    Posts
    74
    Here's a Good one I do use-> SYGATE PERSONAL FW

    U CAN READ ITS HELP FILES AND DECIDE YR OWN, DOWNLOAD IT.
    http://smb.sygate.com/support/documents/spf/default.htm
    (-:IF U R A HACKER TRY TO BE ON POINT,IT SAVES TIME:-)

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    RITESH,

    A personal firewall will not help him solve his problem. He would need a true firewall to accomplish what he really wants to. Because he cannot afford a real firewall (I know, I know, IPTABLES, etc.) he can install a keylogger locally instead of trying to muck around with a sniffer, which he has previously stated he is not familiar with.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Unhappy: This is an administrative issue to be quite honest. If the user insists on learning about Hacking tools, (yes call them hacking tools to his supervisor and point out that if he uses them on your system the results could be.... <enter the worst thing that could happen as far as his supervisor is concerned here>..... and if he uses them on another entity then the liability could cripple the company.......), which is not part of his job then he deserves to be fired. He is using company property on company time and that should be against your code of personnel practices...... If it isn't, write it in and have all employees sign that they have received the update.

    Now, if you need proof of his nefarious activities go and get PureSecure and download the trial. Install it on a PC attached to a hub that his machine is also attached to, (so you can see his traffic). Write a rule like this in the rules file:

    alert tcp xxx.xxx.xxx.xxx any -> any any (msg:"Moron's Traffic"; flags:S; classtype:bad-unknown;)

    where xxx.xxx.xxx.xxx is his IP address.....

    This will capture every connection he makes. PureSecure will reverse DNS it for you so you can see the web sites etc. that are being visited and also anything he is doing inside your network. A week or two of that traffic and you'll have everything you need to nail his "thingies" to his supervisor's desk........
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
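
    One way to review the alerts that a per-host SYN rule like the one in post #5 produces, as an added example that is not part of the original thread: it tallies connection attempts per destination and lists those on ports other than 80/443, which is where traffic tunnelled around a port-80 block would show up. It assumes Snort's "fast" alert output format; the sample lines, the address 192.168.1.57 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert layout:
# timestamp [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[[\d:]+\]\s+.*?\s+\[\*\*\].*?"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not real traffic). 192.168.1.57 stands in for the
# watched host; the message text and the [1:0:0] id are placeholders.
_TAIL = "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
SAMPLE_ALERTS = "\n".join(
    f"06/02-09:{minute}:03.120001  [**] [1:0:0] Watched host SYN {_TAIL}{flow}"
    for minute, flow in [
        ("14", "192.168.1.57:1034 -> 203.0.113.10:80"),
        ("15", "192.168.1.57:1035 -> 203.0.113.10:80"),
        ("16", "192.168.1.57:1036 -> 198.51.100.25:8080"),
        ("17", "192.168.1.57:1037 -> 198.51.100.25:8080"),
        ("18", "192.168.1.57:1038 -> 198.51.100.25:8080"),
        ("19", "192.168.1.57:1039 -> 192.168.1.5:139"),
        ("20", "192.168.1.60:1100 -> 203.0.113.10:80"),  # a different host
    ]
) + "\nthis line is not an alert\n"


def summarize_syns(alert_text, watched_ip):
    """Count SYN alerts from watched_ip per (destination IP, destination port)."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group("src") == watched_ip:
            counts[(m.group("dst"), int(m.group("dport")))] += 1
    return counts


def non_web_destinations(counts, web_ports=(80, 443)):
    """Destinations reached on ports other than web_ports, busiest first."""
    rows = [(dst, port, n) for (dst, port), n in counts.items()
            if port not in web_ports]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    summary = summarize_syns(SAMPLE_ALERTS, "192.168.1.57")
    for dst, port, n in non_web_destinations(summary):
        print(f"{dst}:{port}  {n} connection attempts")
```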

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    115
    how bout putting something like ntop to monitor the lan activity. or how bout setting up smoothwall. even with this type of filtering, you need to be specific about proxy avoidance system or put a small proxy server...

    -w0rm3y

  7. #7
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    I've got to go with Tiger Shark on this one. Go to the boss. If that doesn't work go to the big boss. Explain to them that this guy is seriously wasting company resources. Not only is he tying up bandwidth but the paper and ink he is printing those tutorials doesn't come for free. Key log his ass then take the reports to somebody that can terminate his employment.

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Wow, another PureSecure fan....

    Yeah, that's a cool product but this guy may be in a switched environment. I'm not sure if it will work in that type of setup. Hell if Unhappy was technical enough, I'd tell him to grab ettercap and be done with it.

    Also, I agree, this is more of a management issue. Especially when you find NetCat docs on the printer. That alone would cause a house to fall on the guy if he were working here.

    I find keyloggers *very* useful in situations like this. *Evil Grin*
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    UnhappyStar_7, I agree with Tiger Shark. Log and see if it conflicts with AUP.
    You said you are not familiar with Win2K/NT so you are perhaps with *nix.
    If you are, set up a simple Linux box, install ethereal from www.ethereal.com and filter out the traffic from that specific host. Output to a file and there's your proof.
    A good tutorial on:
    http://www.cs.uh.edu/~jsteach/cosc43.../ethereal.html

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    385
    You said you do not have the money for a true firewall, but how about a PC with just processor/MoBo, RAM, small HDD (no more than 15 GB), and two network cards (no monitor, mouse, etc.)? (Or just have one lying around.) If you do, set it up as a Linux proxy on his net with address logging and iptables/ipchains (whichever you prefer). Could be used as a "threat" box -- it becomes known around the office for its purpose, and when they see it hooked up to their net, they know they're being watched. BTW, since you would only use a small HDD, have it mail the logs to you regularly so it doesn't fill up.

    A keylogger, as said before, would be quite useful, also.
    Preliminary operational tests were inconclusive (the dang thing blew up)

    "Ask not what the kernel can do for you, ask what you can do for the kernel!"
