
Thread: Massive Attack

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    2

    Massive Attack

    I am seeing a host on my network named massiveattack and it is broadcasting as a domain controller. I have done some digging on Google and see references to a German hacker site that provides a crack tool named massiveattack - has anyone else run into this? If so, what am I up against?

    Thanks

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    You mean like a computer on your network that's had its comp name changed to massive attack? Your best bet right now would be to stop all traffic to that IP. I assume you're using a router so there should be a setting somewhere in there that will let you stop all traffic to a certain IP.

  3. #3
    Junior Member
    Join Date
    Oct 2003
    Posts
    2
    Yes - but I suspect that one of our users is doing this intentionally. The host in question has a dynamic address and I have the firewall pretty tight - I grabbed a MAC address and will try using my switch management software to track down the physical machine but I have 6 floors and 130 workstations - and it could be a laptop.

    I guess my question is - do you know what this tool does? Looks like it might be a keyboard logger of a firewall crack tool. I just want to know so that if/when I find out who is using it I can throw him out a window without concern.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The person could be trying to masquerade as a PDC in order to gather username and password combinations to other systems. I would hope you have your systems set up to not allow self-promotion of PDCs.

    You could also run a tool like enum, nbtstat, or nat to read the NetBIOS information of the system in question. The naming or shares might provide more information about where the system is located. If you use anything like SMS, in the future, you could provide the system's location somewhere in the information available or even use the information you have to remote control their system (maybe you could even do something mean like make it use the 'bell' to keep beeping until you find it).

    Do you have remote admin access to it?

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Massive Attack is also the name of a band. If it is a laptop it is very possible that somebody named their machine the same name as their favorite band. Is it broadcasting as a domain controller, through WINS? Or as a master browser? If it is the segment master browser that is just normal activity.
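
The distinction raised in post #5 can be read from the NetBIOS name table that nbtstat (mentioned in post #4) returns. The following is an added example, not part of any post in the thread: it parses the table and reports whether the host registers the domain-controller suffixes (<1C>, <1B>) or only the master-browser ones (<1D>, __MSBROWSE__ <01>). The sample output, the domain name CORP and the MAC address are constructed for illustration.

```python
import re

# NetBIOS 16th-byte suffix + name type -> role (standard Microsoft assignments).
ROLES = {
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "segment master browser",
    ("01", "GROUP"): "segment master browser (__MSBROWSE__)",
    ("1E", "GROUP"): "browser election participant",
    ("20", "UNIQUE"): "file server service",
    ("00", "UNIQUE"): "workstation service",
}
DC_ROLES = {"domain master browser (PDC)", "domain controller"}

# One row of the "NetBIOS Remote Machine Name Table" printed by nbtstat -A.
ROW = re.compile(r"^[ \t]*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

def parse_nbtstat(text):
    """Return ([(name, suffix, type)], mac) for names in Registered state."""
    names = [(n, s.upper(), t) for n, s, t, status in ROW.findall(text)
             if status == "Registered"]
    mac = MAC.search(text)
    return names, (mac.group(1).lower() if mac else None)

def classify(text):
    names, mac = parse_nbtstat(text)
    roles = sorted({ROLES[(s, t)] for _, s, t in names if (s, t) in ROLES})
    return {"mac": mac, "roles": roles,
            "claims_dc": any(r in DC_ROLES for r in roles)}

# Constructed sample: a host that is only the segment master browser.
BROWSER_ONLY = """\
       Name               Type         Status
    ---------------------------------------------
    MASSIVEATTACK  <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    MASSIVEATTACK  <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
"""
# Constructed sample: the same host also registering the DC/PDC names.
CLAIMS_DC = BROWSER_ONLY.replace(
    "    ..__MSBROWSE__",
    "    CORP           <1C>  GROUP       Registered\n"
    "    CORP           <1B>  UNIQUE      Registered\n    ..__MSBROWSE__")

if __name__ == "__main__":
    for label, sample in (("browser only", BROWSER_ONLY), ("claims DC", CLAIMS_DC)):
        print(label, classify(sample))
```

A host that shows only the <1D>/<01> entries won a browser election, which any workstation can do; <1C> or <1B> from a machine that is not one of your domain controllers is the case worth chasing.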

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I know it's well past being too late to help, but for future reference:

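    rem List the hosts in the browse list, ping each so it lands in the ARP cache, then look up the MAC
    net view >all.txt
    for /F "tokens=1 delims=\ " %%X IN (all.txt) do ping -n 1 %%X
    arp -a | find "00-08-02-ff-17-ff "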

    Here was the output:

    C:\>arp -a | find "00-08-02-ff-17-ff "
    10.0.1.7 00-08-02-ff-17-ff dynamic


    I suppose I should mention this was run as a batch file.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Lock the system in question down, wait for an end-user to call. Mystery uncovered!

    DarkCarniv0l

    I should clarify... With the presumption that the system in question "massive attack" is a system that can be managed remotely via the MMC snap-in. Use the \\massiveattack to manage, then lock the system down and wait for the call to come in.

    DarkCarniv0l
    "The Only Kind Of Good Clown.... Is A Clown Gone Bad"

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Hell, if you use psloggedon from the pstoolkit it will tell you who (and when) is logged on.

    psloggedon \\<ip-addy>

  9. #9
    You could also use port security on your switches, maybe do a VLAN implementation. You could use Cisco Works LMS. For a quick fix though, I would employ port security. This would force the user to use only 1 port, and when the PC / laptop is switched on, hello... you found your person. Also, if the switches have RSMs you could use traffic/port filtering. This would further hamper the malicious user's attempt to "sniff" your packets or gain info .... BTW, I am assuming that you are using Cisco switches. Hope this helps?! Please let me know. Thanks.
    HO$H Pagamisa. Pro Amour Ludi....

  10. #10
    Senior Member
    Join Date
    Oct 2003
    Posts
    107
    Pretty interesting... You can just close the connection... to that machine every time it tries to come online..... the user will call the admin: as I got from the thread this is you:.... you can go to his PC... to "check it". You got your man..
