Computer Security - Re: Hacker on internal net: DHCP
#1

I'm noticing this same thing on my network since recently adding M$ Windows Server 2003 in our network... I've been searching the net high and low for a reason why these DHCP leases are made and have found nothing. Is there any new info I'm missing?

Here's the bogus MACs I'm seeing in our DHCP lease reports:

MACHINE   | IP            | MAC               | LEASE BEGIN         | LEASE END
detective | 192.168.0.119 | 45:3b:13:0d:89:0a | 14:47:45 02/23/2005 | 14:48:45 02/23/2005
detective | 192.168.0.117 | e9:eb:b3:a6:db:3c | 14:47:29 02/23/2005 | 14:48:29 02/23/2005
detective | 192.168.0.118 | 4d:c8:43:bb:8b:a6 | 14:47:37 02/23/2005 | 14:48:37 02/23/2005

WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed would be appreciated. When we do a company security audit, I'd prefer not to answer "uhh I dunno".

-Scott
Ivyhurst@gmail.com
#2

On Tue, 22 Mar 2005 07:32:27 -0800, Ivyhurst wrote:
> I'm noticing this same thing on my network since recently adding M$
> Windows Server 2003 in our network... I've been searching the net high
> and low for a reason why these DHCP leases are made and have found
> nothing. Is there any new info I'm missing?
>
> Here's the bogus MACs I'm seeing in our DHCP lease reports:
>
> MACHINE | IP | MAC | LEASE BEGIN | LEASE END
> detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
> detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
> detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005
>
> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
> would be appreciated. When we do a company security audit, I'd prefer
> not to answer "uhh I dunno".

If your server only has one NIC, then you would only see one entry IF your server was setup for DHCP instead of a fixed IP.

If you are seeing unknown leases in your DHCP then you've got machines accessing your network that you don't know about; the server has little to do with it. How about ethernet printers, print servers, laptops from insiders, unsecured wireless connections, rogue Access Points installed by users, etc....

--
remove 999 in order to email me
#3

wrote:
> I'm noticing this same thing on my network since recently adding M$
> Windows Server 2003 in our network... I've been searching the net high
> and low for a reason why these DHCP leases are made and have found
> nothing. Is there any new info I'm missing?
>
> Here's the bogus MACs I'm seeing in our DHCP lease reports:
>
> MACHINE | IP | MAC | LEASE BEGIN | LEASE END
> detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
> detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
> detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005
>
> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
> would be appreciated. When we do a company security audit, I'd prefer
> not to answer "uhh I dunno".
>
> -Scott

Here is what you should do. Depending on your equipment, log into your switches and search for the MAC addresses. The switch will see them on one of the ports. From there it is easy to find out what is going on. Have you checked for a wireless access point? I would...
#4
#5

On Tue, 22 Mar 2005 19:43:07 -0800, Michael J. Pelletier wrote:
> Michael J. Pelletier wrote:
>> wrote:
>>> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
>>> would be appreciated. When we do a company security audit, I'd prefer
>>> not to answer "uhh I dunno".
>>>
>>> -Scott
>
> ...oh and you are right, Microsuck Winblows does suck!

Nice, two trolls. His problem has nothing to do with Microsoft, but I suspect that neither of you know enough about Windows or Linux to understand that either.
#6

In article <nZW%d.6503$>, Leythos wrote:
> On Tue, 22 Mar 2005 07:32:27 -0800, Ivyhurst wrote:
>> Here's the bogus MACs I'm seeing in our DHCP lease reports:
>>
>> MACHINE | IP | MAC | LEASE BEGIN | LEASE END
>> detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
>> detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
>> detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005

Two observations - is it normal for time to jump around like that? The middle reported lease is clearly out of sequence, in time as well as the IP address.

Second - those MAC addresses are total bullshit. Neither Xerox (before 1986) nor IEEE (since 1/01/1986) ever assigned those addresses to any manufacturer. There are in fact precisely 12 OUIs that don't begin with a zero. They are:

    [compton ~]$ zgrep '^[1-F][0-F]-[0-F]' MACaddresses.gz | cut -d' ' -f1 | column
    10-00-00   11-00-AA   AA-00-00   AA-00-03
    10-00-5A   80-00-10   AA-00-01   AA-00-04
    10-00-E8   A0-6A-00   AA-00-02   AC-DE-48
    [compton ~]$

Further, the first octet is "odd" (as opposed to "even"), making those addresses multicast (see RFC1112 section 6.4 first paragraph) rather than physical addresses. I'm not referring to multicast in the idea of IP addresses in the 224.0.0.0/4 range, but at raw Ethernet packets destined for more than one physical station.

>> When we do a company security audit, I'd prefer not to answer "uhh I
>> dunno".

Obviously, there is no security if there isn't physical security. That starts with the appropriate company policies about visiting hardware, and about unauthorized putzing around with company hardware. Secondly, the lease dates are four weeks old. You really want to pay closer attention to them.

Those are RFC1918 addresses, and there are nearly 18 million of them available. Thus, the original rationale for using DHCP (not enough addresses for the hardware that may be connected) has long since lapsed. The other reason for using DHCP is the perceived ease of setting up systems. However, every official document relating to DHCP (take RFC2131 as one example) has ALWAYS stated that the protocol is not secure. Configuring the DHCP server to hand out specific IP addresses to specific MAC addresses is slightly more secure, but if you are going to go to the trouble of setting that up, it's a lot more secure to statically configure the systems and be done with it.

> If your server only has one NIC, then you would only see one entry IF your
> server was setup for DHCP instead of a fixed IP.

I've also never heard about leases only a minute long. It's certainly possible, but whoever configured the server that's handing out leases that short clearly doesn't understand the overhead it generates.

> How about ethernet printers, print servers, laptops from insiders,
> unsecured wireless connections, rogue Access Points installed by users,
> etc....

As noted above, the MAC addresses are false. Visiting computers or unsecured access points are something to look for, but another concern is who has 'root' or administrative rights on existing hardware. If everyone and his/her dog/cat/gerbil has those rights, there simply can't be any security on the net.

Old guy
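The checks made in the post above (the "odd first octet" of the MAC addresses, the one-minute leases, the lease that is out of time order) and the suggestion in #3 to look the addresses up on the switches, written out as a small lease-report audit. This is an added example, not code from anyone in this thread. It parses the three lease lines quoted above plus one constructed ordinary-looking entry (workstn01); the report layout it expects, the host/IP/MAC field names and the 300-second "short lease" threshold are assumptions of the example, and the Cisco-style MAC rendering is only a convenience for searching a switch's MAC table.

```python
import re
from datetime import datetime

# Constructed sample input: the three leases quoted in the thread plus one
# ordinary-looking entry (workstn01) added for contrast.  Field order follows
# the report as posted: MACHINE IP MAC BEGIN END, timestamps "HH:MM:SS MM/DD/YYYY".
LEASE_REPORT = """\
detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005
workstn01 192.168.0.50 00:0c:29:12:34:56 09:00:00 03/22/2005 09:00:00 03/30/2005
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<begin>\d\d:\d\d:\d\d \d\d/\d\d/\d{4})\s+"
    r"(?P<end>\d\d:\d\d:\d\d \d\d/\d\d/\d{4})$"
)
TIME_FMT = "%H:%M:%S %m/%d/%Y"


def parse_leases(text):
    """Parse report lines into dicts; lines that do not match are skipped."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            leases.append({
                "host": m["host"],
                "ip": m["ip"],
                "mac": m["mac"].lower(),
                "begin": datetime.strptime(m["begin"], TIME_FMT),
                "end": datetime.strptime(m["end"], TIME_FMT),
            })
    return leases


def classify_mac(mac):
    """Return (cast, admin) from the first octet, per IEEE 802 addressing.

    Bit 0 of the first octet is the I/G bit: 1 means a group (multicast)
    address, which is the "odd first octet" observation in the thread.  Bit 1
    is the U/L bit: 1 means locally administered rather than an IEEE-assigned
    OUI.  A NIC never sends from a group address, so a multicast MAC in a
    lease table cannot belong to a real client."""
    first = int(mac.split(":")[0], 16)
    cast = "multicast" if first & 0x01 else "unicast"
    admin = "local" if first & 0x02 else "global"
    return cast, admin


def cisco_format(mac):
    """Render aa:bb:cc:dd:ee:ff as aabb.ccdd.eeff, the notation Cisco IOS
    prints in 'show mac address-table', for searching the switch for the port
    an address was learned on (the check suggested in post #3)."""
    digits = mac.replace(":", "").lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def time_regressions(leases):
    """Indices where a lease's begin time is earlier than the previous line's,
    i.e. places where the report is not in chronological order."""
    return [i for i in range(1, len(leases))
            if leases[i]["begin"] < leases[i - 1]["begin"]]


def audit_leases(leases, short_lease_seconds=300):
    """Flag entries a reviewer would question: impossible client MACs and
    abnormally short leases (the threshold is an assumed value)."""
    findings = []
    for lease in leases:
        cast, admin = classify_mac(lease["mac"])
        duration = int((lease["end"] - lease["begin"]).total_seconds())
        reasons = []
        if cast == "multicast":
            reasons.append("group (I/G) bit set: not a valid client MAC")
        if admin == "local":
            reasons.append("locally administered MAC: no vendor OUI to look up")
        if duration <= short_lease_seconds:
            reasons.append(f"lease only {duration}s long")
        if reasons:
            findings.append({
                "ip": lease["ip"],
                "mac": lease["mac"],
                "switch_lookup": cisco_format(lease["mac"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    parsed = parse_leases(LEASE_REPORT)
    for finding in audit_leases(parsed):
        print(finding["ip"], finding["mac"], "(switch:", finding["switch_lookup"] + ")")
        for reason in finding["reasons"]:
            print("   -", reason)
    print("out-of-order lines:", time_regressions(parsed))
```

Run against the sample, the three "detective" leases are each flagged twice (group bit set, 60-second lease) while the constructed workstn01 entry passes, and the .117 line is reported as the one out of chronological order. The U/L check is included because a locally administered address is the other case where an OUI lookup will tell you nothing about the hardware, which matters when the next step is the switch-port search from post #3.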
#7

Leythos wrote:
> On Tue, 22 Mar 2005 19:43:07 -0800, Michael J. Pelletier wrote:
>> Michael J. Pelletier wrote:
>>> wrote:
>>>> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
>>>> would be appreciated. When we do a company security audit, I'd prefer
>>>> not to answer "uhh I dunno".
>>>>
>>>> -Scott
>>
>> ...oh and you are right, Microsuck Winblows does suck!
>
> Nice, two trolls. His problem has nothing to do with Microsoft, but I
> suspect that neither of you know enough about Windows or Linux to
> understand that either.

The only troll here is you. Secondly, if you had anything of a technical solution to add please do. Third, no ****, his problem is not necessarily related to any version or type of operating systems. You just understood that? You're a real sharp guy... He added a comment I agreed with. If you do not like that TFB...deal with it. Crawl back in your hole...

--
news.west.cox.net
#8

wrote:
> I'm noticing this same thing on my network since recently adding M$
> Windows Server 2003 in our network... I've been searching the net high
> and low for a reason why these DHCP leases are made and have found
> nothing. Is there any new info I'm missing?
>
> Here's the bogus MACs I'm seeing in our DHCP lease reports:
>
> MACHINE | IP | MAC | LEASE BEGIN | LEASE END
> detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
> detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
> detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005
>
> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
> would be appreciated. When we do a company security audit, I'd prefer
> not to answer "uhh I dunno".
>
> -Scott

I just remembered something. About a year ago I was going through our DHCP server's log (Red Hat 9 with ISC DHCPd) when I came across something similar. By logging into your switches I traced it down to an old crappy switch. It had been installed at a site some 5 or 6 years ago and had been forgotten since. I cannot remember the manufacturer, but the switch had been configured to act like a DHCP proxy. So, it would send out DHCP requests on behalf of the PCs attached to it. Not sure if that helps or not....but it is something to look at.

--
news.west.cox.net
#9

wrote:
> I'm noticing this same thing on my network since recently adding M$
> Windows Server 2003 in our network... I've been searching the net high
> and low for a reason why these DHCP leases are made and have found
> nothing. Is there any new info I'm missing?

The "Network Discovery Wizard" part of Server 2003 is the answer. Only Lord Gates knows why.

> Here's the bogus MACs I'm seeing in our DHCP lease reports:
>
> MACHINE | IP | MAC | LEASE BEGIN | LEASE END
> detective 192.168.0.119 45:3b:13:0d:89:0a 14:47:45 02/23/2005 14:48:45 02/23/2005
> detective 192.168.0.117 e9:eb:b3:a6:db:3c 14:47:29 02/23/2005 14:48:29 02/23/2005
> detective 192.168.0.118 4d:c8:43:bb:8b:a6 14:47:37 02/23/2005 14:48:37 02/23/2005
>
> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
> would be appreciated. When we do a company security audit, I'd prefer
> not to answer "uhh I dunno".
>
> -Scott

For more info, look at: http://groups-beta.google.com/group/...887a6b60da3faa
#10

On Wed, 23 Mar 2005 18:35:43 -0800, Michael Pelletier wrote:
> Leythos wrote:
>> On Tue, 22 Mar 2005 19:43:07 -0800, Michael J. Pelletier wrote:
>>> Michael J. Pelletier wrote:
>>>> wrote:
>>>>> WTF?? I hate M$!!!!! Any reason for why my logs are getting spammed
>>>>> would be appreciated. When we do a company security audit, I'd prefer
>>>>> not to answer "uhh I dunno".
>>>>>
>>>>> -Scott
>>>
>>> ...oh and you are right, Microsuck Winblows does suck!
>>
>> Nice, two trolls. His problem has nothing to do with Microsoft, but I
>> suspect that neither of you know enough about Windows or Linux to
>> understand that either.
>
> The only troll here is you. Secondly, if you had anything of a technical
> solution to add please do. Third, no ****, his problem is not necessarily
> related to any version or type of operating systems. You just understood
> that? You're a real sharp guy...

BS, his flame was directed at MS and has nothing to do with MS; it was a jab at MS and was sent as a flame. That's as much a trolling as it gets. If you don't like it, then stfu; the added comment was also a trolling, and if you can't see that then you need to learn a little more about Usenet.

> He added a comment I agreed with. If you do not like that TFB...deal with it.
> Crawl back in your hole...

And both comments were full of sh|t; there is nothing wrong with a properly configured MS Server on quality hardware, only the terminally ignorant would say there is, or some lamer troll. I run both Linux and Windows, been designing Win based commercial solutions for over a decade, and non-commercial ones longer than that, never had a problem with them. My Windows stations are as stable as my Linux stations. If you had said something technical, other than troll bait, you might not have been perceived as a troll, but you're just making the case for actually being one now.

--
remove 999 in order to email me