
Thread: Guarding against Spoofed/Decoy IP (Nmap)

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    8

    Guarding against Spoofed/Decoy IP (Nmap)

    Hi

    I'm a student aiding the school's Network Administrator in carrying out unpaid pen-tests (since I'm uncertified) and this is a good chance for me to do the practical aspects of penetration/network work. Been doing research for roughly 2 months and I've gained quite a bit of insight through reading, private study and testing internally.

    Just a simple question. This is an Nmap (decoy) question, with maybe Snort in mind.

    I've been reading through how Cisco routers have NetFlow and CEF to defend against spoofed IPs. Don't really know their effectiveness since we don't know the mechanism of NetFlow or CEF.

    I've come across articles mentioning that the only way to trace back is to go to the lower layers to discover the attacker's IP/MAC. I was wondering whether there are any tools online to complement/allow network administrators to look for the MAC address from which packets are originating on the network I'm performing the scan on?


    Thanks

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    115
    Hm, from what I gather, not sure if I am reading you correctly. It sounds to me as if you could use ethereal with port mirroring on your 'main' switch/router and set up filters to pull/extract the mac addys from raw streams. An easy well documented task to tell you the truth.

    Check out ethereal, it will give you the macs you are seeking. www.ethereal.com
    Civilization. The death of dreams.

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    8
    Okay.

    But Ethereal does not work on typical corporate network architectures. Please correct me if I'm wrong: Ethereal sniffs data when incoming or outgoing data is running. But in a switched environment Ethereal definitely doesn't run well.

    And I'm certainly not going to install Ethereal on every single DMZ server.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    You're wrong. See spanning ports on Cisco switches, also known as mirroring on other manufacturer's gear. This is standard practice for sniffing traffic on a switched segment. Going a step farther, if you hook up ethereal at an upstream router/switch, you'll see more traffic than you'll know what to do with.


    PS

    Idle scanning is not perfect when it comes to hiding. See my NMAP tutorials on this site.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
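    A worked illustration of what the mirrored-port capture actually gives you, added here as an example and not code from anyone in this thread: once a SPAN port feeds a sniffer on the same L2 segment as the scanning host, every decoy source IP in the scan still arrives in a frame carrying the scanner's real source MAC. The script below parses constructed Ethernet/IPv4 frames (no pcap library, so it runs offline), builds a MAC-to-source-IP table and flags any MAC that claims several source IPs. The frame builder, the sample MACs/IPs and the threshold are assumptions for the demo; the approach only works on the segment where the frames originate, since an upstream router rewrites the source MAC.

```python
import struct
from collections import defaultdict

def parse_ethernet_ipv4(frame: bytes):
    """Return (src_mac, src_ip) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 34:                       # 14-byte Ethernet + 20-byte minimum IPv4
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                   # not IPv4 (e.g. ARP, IPv6): skip
        return None
    if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
        return None                           # malformed IPv4 header
    src_ip = ".".join(str(b) for b in frame[26:30])
    return src_mac, src_ip

def mac_to_source_ips(frames):
    """Map each source MAC seen on the mirrored port to the set of source IPs it used."""
    table = defaultdict(set)
    for frame in frames:
        parsed = parse_ethernet_ipv4(frame)
        if parsed:
            table[parsed[0]].add(parsed[1])
    return table

def suspicious_macs(table, threshold=3):
    """A single NIC emitting many different source IPs is the signature of decoys/spoofing."""
    return sorted(mac for mac, ips in table.items() if len(ips) >= threshold)

def build_frame(src_mac, src_ip, dst_ip="10.0.0.5"):
    """Constructed sample frame (assumption): Ethernet II + IPv4 + TCP SYN, no checksums."""
    eth = bytes.fromhex("00112233aabb") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    ip += bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return eth + ip + tcp

# Constructed capture: one host sends from its real IP plus two decoy IPs,
# a second host behaves normally, and one ARP-sized frame is ignored.
SCANNER_MAC = "aa:bb:cc:dd:ee:01"
SAMPLE_FRAMES = [
    build_frame(SCANNER_MAC, "192.168.1.50"),
    build_frame(SCANNER_MAC, "192.168.1.77"),
    build_frame(SCANNER_MAC, "192.168.1.99"),
    build_frame("00:0c:29:11:22:33", "192.168.1.10"),
    b"\x00" * 28,
]

if __name__ == "__main__":
    for mac in suspicious_macs(mac_to_source_ips(SAMPLE_FRAMES)):
        print("multiple source IPs from one MAC:", mac)
```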

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Ethereal is mentioned, I assume, because it is easier for the less technical to employ. I'm not saying you're not technical, I'm saying Snort is a bitch and her ugly stepsister to work with if you don't know anything about it. Ethereal is relatively painless to set up and get running with scarcely a clue.

    Th13's statement is 100%. This is standard operating procedure at most orgs that monitor traffic in the DMZ and/or through their externally facing devices. (And if you work for a company that has a firewall/DMZ and DOESN'T monitor traffic, please let me know. We'll be on site with our sales rep in a day or two!) One port is spanned (mirrored) to basically copy all traffic to/from all interfaces on the switch to it also. You plug your sniffer (thus the name 'snort') into this port, and start storing data. A LOT of data, usually.

    You can also pay a lot of money for a ridiculous little device called a SINC (Sync? Sink?). Basically, it's a tiny hub that you plug in between an upstream line and the WAN port, and it pushes all traffic to a second port for a sniffer to record. It's essentially a small hub, with a few differences.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    115
    thehorse13 is right, just try it on your gateway and you will catch more traffic than you know what to do with. Very system intensive if you are doing it in real time.

    You do need to take advantage of the port mirroring feature though. Plus if you are on a gateway it matters not that you have 60000 switches below; all that traffic has to hit the gateway. Well, all outbound traffic. And if that is the case then set up your 'sniffer' consoles at the 'smart' switches (mirror that too).

    I know this works fairly well because I have implemented it as a consultant. Not the whole sight picture in itself but a large portion. Not sure about the team of people you will need to 'sift' through the packets, but then again, if you set up the Ethereal filters to suit your needs you shouldn't have to.
    Civilization. The death of dreams.

  7. #7
    In reference to zencoder's post about the hub, does anybody know of any? I'm pretty interested in that; it sounds pretty cool. Ethereal has an easy setup. I've also used Cain, which has a sniffer built in; just Google it.

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    8
    The network infra actually has Packeteer PacketShaper running on the external interface, monitoring packets running through.

    In this thread, I'm pretty much concerned about the circumstances of running Nmap during pen-testing. Is there dedicated equipment to look after legit IPs running inside the internal network and fend off the bogon spoofs?

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes. It's called an IDS/IPS.


    ISS makes a commercial version. Snort makes an open source version and the list goes on from there. These are the two I commonly use. If you are broke, you can use poor man's ACLs on switches and routers to try to accomplish this, that is, if your gear is capable, however, the results will not be nearly as nice as a dedicated IDS/IPS solution.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    OFF TOPIC:
    I am not very much into the topic you are talking about, but I do have one tool which I think will do the job for you.
    Try out
    NETCAT or CRYPTCAT.
    These tools also can spoof IPs (read in a magazine, never used them).
    I hope it was helpful.
