User bypassing Interface

Thread: User bypassing Interface

  1. #1
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466

    User bypassing Interface

    Hi Gals/Guys

    While monitoring my network traffic on the server I came across a few packets which were generated from my outer interface (DSL) and were destined for one of the internal users, with IP 192.168.0.143. They were MSN packets, as I was filtering the received packets for MSN traffic only. I could not see any MSN packets generated from that source; there were only replies. This looks suspicious to me; something must be going on. I thought the user must have generated packets before I started capturing.

    Anyway, I then ran msn track on the server; by default it started capturing on the LAN interface. I could see my internal users chatting and it was fine. But when I changed the interface to the external (DSL) one, I saw the same user (192.168.0.143, by the way she is a pretty smart woman) using MSN and chatting with a friend. Since she is not authorized to use MSN I have to fire my gun on her, but before doing this I must have her in my range, as she is among the senior managers in the company. So what I want to know is:

    1) How come I can't see her MSN communication on the LAN interface of the server using Ethereal while I can see others?

    2) If she is using the HTTP port then ISA should have logged it. If yes, then what should I be looking for in the log?

    3) Is she somehow bypassing my monitoring? If yes, then how?

    Although I know she is not an IT-related person and has no IT background, she is still making fools of us.

    Awaiting your replies.

    Cheers
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    What port is the traffic coming into? I think the default MSN port is 6901. If it is coming in on another port she could just be forwarding it to an open port... say 80?

    She could also be running the service at home and just be calling in the info from there with her web browser or some other lightweight program (I have seen this done at high schools). I think this may be what she is doing because you say that you can only see her replies.
    chown -r us ./bases

  3. #3
    Senior Member BrainStop's Avatar
    Join Date
    Jan 2002
    Posts
    295
    Hi there,

    Doesn't MSN offer the option to use the http port rather than a dedicated port? Her messages may go out over port 80, although the return aims for the MSN port?

    Just a thought ....

    Cheers,

    BrainStop
    "To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule

  4. #4
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Well, if she is using port 80 then, as I said, she is going through the firewall (ISA Server) and I can't see any sort of activity, I mean log, in ISA.

    I have seen the MSN on her system; it's an older version, 6.0 I think, not sure, will check it tomorrow. As I said, I was capturing packets on the internal interface using Ethereal; today I did the same thing on my DSL interface and there I can see her communication.

    One more thing: when I run TCP/IP view on the server I can see her connected to the server via web port 8080 and no other connection. I noticed that during her communication on MSN, so she is running it on the HTTP port, but why can't I see her on my firewall?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
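
Added example, not part of any post in this thread: one way to look for MSN-over-HTTP in proxy logs, as raised in question 2 of the first post. The log layout and sample lines are constructed (this is not ISA Server's native format), and the indicators used (the `messenger.hotmail.com` gateway host, the `/gateway/gateway.dll` path, the `application/x-msn-messenger` content type, and TCP 1863) come from public descriptions of the MSN protocol's HTTP fallback, not from the thread.

```python
from urllib.parse import urlsplit

# Constructed sample lines in a simplified, made-up proxy log layout:
#   time  client_ip  method  url  status  content_type
SAMPLE_LOG = """\
10:01:02 192.168.0.20 GET http://www.example.com/index.html 200 text/html
10:01:05 192.168.0.143 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS 200 application/x-msn-messenger
10:01:09 192.168.0.143 POST http://203.0.113.7/gateway/gateway.dll?SessionID=1 200 application/x-msn-messenger
10:01:11 192.168.0.31 CONNECT messenger.example.net:1863 200 -
10:01:15 192.168.0.143 GET http://www.example.org/news 200 text/html
malformed line
"""

MSN_HOST_SUFFIX = "messenger.hotmail.com"         # HTTP gateway domain
MSN_CONTENT_TYPE = "application/x-msn-messenger"  # body type of tunnelled MSNP
MSNP_PORT = 1863                                  # native MSN Messenger port


def classify(method, url, content_type):
    """Return the list of MSN indicators matched by one proxy request."""
    reasons = []
    if method == "CONNECT":                       # url is "host:port"
        host, _, port = url.rpartition(":")
        if port.isdigit() and int(port) == MSNP_PORT:
            reasons.append("connect-1863")
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.path.lower().endswith("/gateway/gateway.dll"):
            reasons.append("gateway-path")
    if host.lower().endswith(MSN_HOST_SUFFIX):
        reasons.append("msn-host")
    if content_type.lower() == MSN_CONTENT_TYPE:
        reasons.append("msn-content-type")
    return reasons


def find_msn_over_http(log_text):
    """Map each client IP to the indicator lists of its matching requests."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:                      # skip malformed lines
            continue
        _, client, method, url, _, ctype = fields
        reasons = classify(method, url, ctype)
        if reasons:
            hits.setdefault(client, []).append(reasons)
    return hits
```

Matching on content type and path as well as host name catches requests sent to the gateway by IP address, which a host-name filter alone would miss.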

  5. #5
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    If you are seeing the 192.x.x.x IP on the external interface, and she is using 8080, do you suppose she is running a VPN-type tunnel to an external system? She probably has some kind of SSL/VPN host on the home box. This could be a problem if she is split-tunneling.

    Just my tuppence.

  6. #6
    Banned
    Join Date
    Jul 2004
    Posts
    297
    If it's VPN, wouldn't all the data be encrypted after it left her computer until it reached its destination VPN server? Sounds to me like she ran the MSN troubleshooter and it found a port and gateway to use. That's my two cents, and probably about what it's worth.

  7. #7
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Well, as far as VPN is concerned, no way, I don't think she can do this. As an admin I just accessed her main hard drive to double-check the version of MSN and found that she is using Windows Messenger, the old one that comes with XP, I think.

    So I still can't figure it out, but as soon as she connects her MSN I will post the log of captured packets for reference.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  8. #8
    Banned
    Join Date
    Jul 2004
    Posts
    297
    You might capture the data on her NIC and compare it to what's leaving the DSL. Would it be possible her actual connection has somehow been configured to use a DMZ? I have seen quite a number of routers that use a separate gateway address for this instead of having to assign the systems in the router itself. Just as an example, your network has a standard gateway of 192.168.0.1 and a DMZ gateway of 192.168.0.10. If her connection was set up with the DMZ gateway you would not see the traffic when capturing on the main gateway. Just throwing some ideas out there. I find this quite interesting.

  9. #9
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Just one quick thing: which interface of the server should I listen to, I mean the DSL one or the internal network interface? Because I can't directly run Ethereal on her system and see what's going on out there.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  10. #10
    Banned
    Join Date
    Jul 2004
    Posts
    297
    I would try listening to each router/switch that's in the chain. Start with the one closest to her system and work back to the DSL.
