-
October 3rd, 2003, 04:26 AM
#1
Junior Member
Massive Attack
I am seeing a host on my network named massiveattack and it is broadcasting as a domain controller. I have done some digging on Google and see references to a German hacker site that provides a crack tool named massiveattack. Has anyone else run into this? If so, what am I up against?
Thanks
-
October 3rd, 2003, 04:30 AM
#2
You mean like a computer on your network that's had its comp name changed to massive attack? Your best bet right now would be to stop all traffic to that IP. I assume you're using a router, so there should be a setting somewhere in there that will let you stop all traffic to a certain IP.
-
October 3rd, 2003, 04:38 AM
#3
Junior Member
Yes - but I suspect that one of our users is doing this intentionally. The host in question has a dynamic address and I have the firewall pretty tight. I grabbed a MAC address and will try using my switch management software to track down the physical machine, but I have 6 floors and 130 workstations, and it could be a laptop.
I guess my question is: do you know what this tool does? Looks like it might be a keyboard logger or a firewall crack tool. I just want to know so that if/when I find out who is using it I can throw him out a window without concern.
-
October 3rd, 2003, 01:44 PM
#4
The person could be trying to masquerade as a PDC in order to gather username and password combinations to other systems. I would hope you have your systems set up to not allow self-promotion of PDCs.
You could also run a tool like enum, nbtstat, or nat to read the NetBIOS information of the system in question. The naming or shares might provide more information about where the system is located. If you use anything like SMS, in the future, you could provide the system's location somewhere in the information available or even use the information you have to remote control their system (maybe you could even do something mean like make it use the 'bell' to keep beeping until you find it).
Do you have remote admin access to it?
/nebulus
-
October 3rd, 2003, 06:07 PM
#5
Massive Attack is also the name of a band. If it is a laptop, it is very possible that somebody named their machine the same name as their favorite band. Is it broadcasting as a domain controller, through WINS? Or as a master browser? If it is the segment master browser, that is just normal activity.
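The distinction drawn in post #5 can be read off the NetBIOS name table that `nbtstat -A <ip>` (one of the tools suggested in post #4) prints: a host that only won the browser election registers `<1D>`, while one presenting itself as a domain controller registers `<1B>` and/or `<1C>`. The following is an added example, not part of any post in this thread; the function name `assess`, the domain name EXAMPLEDOM, the documentation-range MAC address and both sample tables are constructed for illustration.

```python
import re

# (suffix, type) pairs from the NetBIOS name table and the role each advertises.
ROLES = {
    ("00", "UNIQUE"): "workstation service",
    ("20", "UNIQUE"): "file server service",
    ("1B", "UNIQUE"): "domain master browser (normally the PDC)",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "segment master browser",
    ("1E", "GROUP"): "browser election participant",
}
DC_CLAIMS = {("1B", "UNIQUE"), ("1C", "GROUP")}
ROW = re.compile(r"^\s*\S.*?<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b")
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")

def assess(nbtstat_output):
    """Summarise the roles a host registers, from `nbtstat -A <ip>` output."""
    seen = set()
    for line in nbtstat_output.splitlines():
        m = ROW.match(line)
        if m:
            seen.add((m.group(1).upper(), m.group(2)))
    mac = MAC_RE.search(nbtstat_output)
    return {
        "claims_dc": bool(seen & DC_CLAIMS),
        "master_browser": ("1D", "UNIQUE") in seen,
        "roles": sorted(ROLES[k] for k in seen if k in ROLES),
        "mac": mac.group(1) if mac else None,
    }

# Constructed sample: a machine that has only won the browser election.
BROWSER_ONLY = """\
MASSIVEATTACK  <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
MASSIVEATTACK  <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
WORKGROUP      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MAC Address = 00-00-5E-00-53-01
"""
# Constructed sample: the same machine also registering domain-level names.
DC_CLAIM = ("EXAMPLEDOM     <1B>  UNIQUE      Registered\n"
            "EXAMPLEDOM     <1C>  GROUP       Registered\n" + BROWSER_ONLY)

if __name__ == "__main__":
    for label, sample in (("browser only", BROWSER_ONLY), ("DC claim", DC_CLAIM)):
        print(label, assess(sample))
```

The MAC address reported at the bottom of the table is the value to feed into the switch-management or ARP lookup discussed elsewhere in the thread.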
-
October 3rd, 2003, 10:12 PM
#6
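I know it's well past being too late to help, but for future reference:
rem Save the list of hosts the browser service currently knows about
net view > all.txt
rem Ping each listed host once so its MAC address lands in the ARP cache
for /F "delims=\ " %%X IN (all.txt) do ping -n 1 %%X
rem Search the ARP cache for the MAC address being hunted
arp -a | find "00-08-02-ff-17-ff "
Here was the output:
C:\>arp -a | find "00-08-02-ff-17-ff "
10.0.1.7 00-08-02-ff-17-ff dynamic
I suppose I should mention this was run as a batch file.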
-
October 4th, 2003, 06:00 PM
#7
Member
Lock the system in question down, wait for an end-user to call. Mystery uncovered!
DarkCarniv0l
I should clarify... With the presumption that the system in question, "massive attack", is a system that can be managed remotely via the MMC snap-in: use \\massiveattack to manage, then lock the system down and wait for the call to come in.
DarkCarniv0l
-
October 4th, 2003, 10:13 PM
#8
Hell, if you use psloggedon from the pstoolkit, it will tell you who (and when) is logged on.
psloggedon \\<ip-addy>
-
October 7th, 2003, 02:26 PM
#9
Member
You could also use port security on your switches, maybe do a VLAN implementation. You could use Cisco Works LMS. For a quick fix though, I would employ port security. This would force the user to use only 1 port, and when the PC/laptop is switched on, hello... you found your person. Also, if the switches have RSMs you could use traffic/port filtering. This would further hamper the malicious user's attempt to "sniff" your packets or gain info... BTW, I am assuming that you are using Cisco switches. Hope this helps?! Please let me know. Thanks.
-
October 7th, 2003, 05:54 PM
#10
Senior Member
Pretty interesting... You can just close the connection to that machine every time it tries to come online. The user will call the admin (as I got from the thread, this is you). You can go to his PC to "check it". You got your man.