Massive Attack
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Massive Attack

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    2

    Massive Attack

    I am seeing a host on my network named massiveattack and it is broadcasting as a domain controller. I have done some digging on google and see references to a german hacker site that provides a crack tool named massiveattack - has anyone else run into this? If so what am I up against?

    Thanks

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    You mean like a computer on your network thats had its comp name changed to massive attack? Your best bet right now would be to stop all traffic to that IP. I assume your using a router so there should be a setting somewhere in there that will let you stop all traffic to a certain IP.
    =

  3. #3
    Junior Member
    Join Date
    Oct 2003
    Posts
    2
    yes - but I suspect that one of our users is doing this intentionally. The host in question has a dynamic address and I have the firewall pretty tight - I grabbed a mac address and will try using my switch management software to track down the physical machine but I have 6 floors and 130 workstations - and it could be a laptop.

    I guess my question is - do you know what this tool does? Looks like it might be a keyboard logger of a firewall crack tool. I just want to know so that if/when I find out who is using it I can throw him out a window without concern.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The person could be trying to masquerade as a PDC in order to gather username and password combinations to other systems. I would hope you have your systems setup to not allow self-promotion of PDC's.

    You could also run a tool like enum, nbtstat, or nat to read the netbios information of the system in question. The naming or shares might provide more information about where the system is located. If you use anything like SMS, in the future, you could provide the systems location somewhere in the information available or even use the information you have to remote control their system (maybe you could even do something mean like make it use the 'bell' to keep beeping until you find it ).

    Do you have remote admin access to it?

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Massive Attack is also the name of a band. If it is a laptop is is very possible that somebody named their machine the same name of their favorite band. Is it broadcasting as a domain controller, through WINS? Or as a master browser? If it is the segment master browser that is just normal activity.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I know its well past being to late to help. but for future refferance:

    net view >>all.txt
    for /F "delims=\\" %%X IN (all.txt) do ping -n 1 %%X
    arp -a |find "00-08-02-ff-17-ff "

    here was the output:

    C::\>arp -a | find "00-08-02-ff-17-ff "
    10.0.1.7 00-08-02-ff-17-ff dynamic


    i suppose i should mention this was run as a batch file
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Member
    Join Date
    Aug 2003
    Posts
    37
    lock the system in question down, wait for an end-user to call. Mystery uncovered!

    DarkCarniv0l

    I should clarify......With the presumption that the system in question "massive attack" is a system that can be managed remotely via the mmc snap-in. Use the \\massiveattack to manage, then lock the system down and wait for the call to come in.

    DarkCarniv0l
    \"The Only Kind Of Good Clown.... Is A Clown Gone Bad\"

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    hell if you use psloggedon from the pstoolkit it will tell you who (and when) is logged-on.

    psloggedon \\<ip-addy>
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Member
    Join Date
    Oct 2003
    Posts
    62
    You could use also port security on your switches, maybe do a vlan implimentation. You could use Cisco Works LMS. for a quick fix though, i would employ port security. this would force user to use only 1 port. and when pc / laptop is switched on, hello... you found your person. also, if switches have rsm's you could use traffic/port filtering. this would further hamper the malicious user's attempt to "sniff" your packets or gain info .... btw, I am assuming that you are using cisco switches . Hope this helps?! please let me know. thanks.
    HO$H Pagamisa. Pro Amour Ludi....

  10. #10
    Senior Member
    Join Date
    Oct 2003
    Posts
    107
    preatty inteasting... U can just close the connection... to that mashine every time it tryes to come online..... the user will Call the Admin : as I got from the thread this is U :.... u can goto his Pc ... to ""CHeck it "" U got ur man..

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides