
Thread: Securing network against sniffing

  1. #11
    Junior Member
    Join Date
    Jul 2007
    Posts
    56

    Default

    Quote Originally Posted by streaker69 View Post
    If your concern is about internal users using unauthorized software, i.e. sniffers, then employ a PC auditing package. Have an IT policy that states that only software that is purchased and installed by IT may be used on company PCs. When your auditing software turns up such stuff, bust their ass.

    If someone is using a personal PC on the corporate LAN, and I don't know many companies that allow such things, then you have another issue. In that case, you could whitelist MAC addresses that are allowed on the LAN, and when a MAC address shows up that isn't allowed you could receive an alert telling you where the device is located and from there, appropriate action could be taken.
    Thanks for the replies.
    The laptops and PCs number in 1000s. We have a Squid proxy, DHCP and Symantec antivirus. With such a high no. of users it's almost impossible to go through log files that amount to a GB in just a few weeks. Blocking MAC addresses is an option, but with new laptops being brought in almost every month it becomes difficult.
    Also if intruder keeps on changing his MAC, this isn't of much use.
    Can you guys suggest any software (except Snort) that can do this kind of work?
    Apart from that, is there really any way to stop the passwords from being transmitted in plain text? Preferably at the user end. Even if some solution stops this in a small but critical subnet, my work will be done.
    I am not arrogant, just better than you.

  2. #12
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    We have a client that runs two networks.

    First is corporate, no un-auth PCs, and a restricted proxy. Tie this down with enforced transparent proxy and domain/username LDAP authentication? (so only machines joined to domain can authenticate)

    Second is a wireless one, WEP, no proxy, just straight out, this is for personal computers, used for lunch hour and bit of personal stuff etc.

    Give them the choice, a second network with less restrictions, and they may choose to leave the corporate lan?
    wtf?

  3. #13
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by snake eyes View Post
    Thanks for the replies.
    The laptops and PCs number in 1000s. We have a Squid proxy, DHCP and Symantec antivirus. With such a high no. of users it's almost impossible to go through log files that amount to a GB in just a few weeks. Blocking MAC addresses is an option, but with new laptops being brought in almost every month it becomes difficult.
    Also if intruder keeps on changing his MAC, this isn't of much use.
    Can you guys suggest any software (except Snort) that can do this kind of work?
    Apart from that, is there really any way to stop the passwords from being transmitted in plain text? Preferably at the user end. Even if some solution stops this in a small but critical subnet, my work will be done.
    If you're using the latest version of Symantec EndPoint Protection, then you can configure it to whitelist known applications.

    If you're using a Windows Domain, then you can GPO what the users can and cannot do on their machines, right down to limiting applications that can be installed. If they can't install anything then there is no sniffing.

    If you're a company of that size, I would expect that you'd have a fairly strict Computer Usage Policy approved by HR. If you find someone violating that policy they should be reported and appropriate action should be taken. Normally it only takes a couple of people to be made an example of regarding those policies and the rest just fall in line.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #14
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    Default

    Quote Originally Posted by snake eyes View Post
    Is there anything that I can do to make the network secure against this?
    The answer is no.

  5. #15
    Junior Member
    Join Date
    Jul 2007
    Posts
    56

    Default

    Tell you what, I checked this thing on my home internet connection and the same thing happens there too. I let ettercap run for 3-4 hours and I had a list of nearly 30 passwords. Email, 1 shopping site, 1 railway ticket booking site, 2 matrimony and adult friendship sites among others.

    I can't force my stupid ISP to change the security system.
    Connection in my house comes via a cat5 cable connected to some kind . There is MAC address binding, so that a particular IP is bound to a single MAC address only.


    Code:
             nmap -v  -sV 10.130.193.1      (--------> Gateway)
    
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-11-22 13:21 GMT
    Initiating ARP Ping Scan at 13:21
    Scanning 10.130.193.1 [1 port]
    Completed ARP Ping Scan at 13:21, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:21
    Completed Parallel DNS resolution of 1 host. at 13:21, 2.62s elapsed
    Initiating SYN Stealth Scan at 13:21
    Scanning 10.130.193.1 [1711 ports]
    Completed SYN Stealth Scan at 13:21, 8.39s elapsed (1711 total ports)
    Initiating Service scan at 13:21
    SCRIPT ENGINE: Initiating script scanning.
    Host 10.130.193.1 appears to be up ... good.
    Interesting ports on 10.130.193.1:
    Not shown: 1710 filtered ports
    PORT    STATE  SERVICE VERSION
    113/tcp closed auth
    MAC Address: 00:09:0F:30:B7:0C (Fortinet)
    
    Read data files from: /usr/local/share/nmap
    Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.314 seconds
               Raw packets sent: 3423 (150.610KB) | Rcvd: 3 (134B)
    This is really scary. I change my passwords every 2-3 months. But even that precaution is useless now.
    I am not arrogant, just better than you.

  6. #16
    Junior Member Amlord1's Avatar
    Join Date
    Nov 2008
    Posts
    78

    Default

    Quote Originally Posted by streaker69 View Post
    If your concern is about internal users using unauthorized software, i.e. sniffers, then employ a PC auditing package. Have an IT policy that states that only software that is purchased and installed by IT may be used on company PCs. When your auditing software turns up such stuff, bust their ass.

    If someone is using a personal PC on the corporate LAN, and I don't know many companies that allow such things, then you have another issue. In that case, you could whitelist MAC addresses that are allowed on the LAN, and when a MAC address shows up that isn't allowed you could receive an alert telling you where the device is located and from there, appropriate action could be taken.
    Or, you could use some old school software (netcat) and put a backdoor on their computer. Go in later and put a keg logger; then you can see EVERYONE who they are stealing from. Just make sure you have permission from the network admin, if that isn't you. Any unauthorized computer on a network should be fair game, especially since such actions can be considered surveillance.
    Originally Posted by pureh@te
    You may think its stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" its pretty important.

  7. #17
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Amlord1 View Post
    Or, you could use some old school software (netcat) and put a backdoor on their computer. Go in later and put a keg logger; then you can see EVERYONE who they are stealing from. Just make sure you have permission from the network admin, if that isn't you. Any unauthorized computer on a network should be fair game, especially since such actions can be considered surveillance.
    I'm sure that works if your network is in a frat house.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #18
    Junior Member Amlord1's Avatar
    Join Date
    Nov 2008
    Posts
    78

    Default

    Quote Originally Posted by terminal86 View Post
    Are you serious?
    Congratulations to your organisation..
    lol, terminal86 is right... There is no such thing as a secure wireless encryption.. Some just take longer than others...
    Originally Posted by pureh@te
    You may think its stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" its pretty important.

  9. #19
    Junior Member Amlord1's Avatar
    Join Date
    Nov 2008
    Posts
    78

    Default

    Quote Originally Posted by streaker69 View Post
    I'm sure that works if your network is in a frat house.
    lol, As I have said before I'm still an amateur at this. So I appreciate constructive (or humorous) criticism.
    Originally Posted by pureh@te
    You may think its stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" its pretty important.

  10. #20
    Junior Member
    Join Date
    Jan 2010
    Posts
    46

    Default

    Someone might be familiar with this....

    I was at a hotel once and I was connected to the wifi with my laptop. I tried to assign myself a static IP address and I got an error due to an IP conflict. I ran a program that scanned the subnet and for some reason, all of the IP addresses were taken by the same device. I am assuming it was the same device because all of the IPs had the same MAC address. The only IPs that did not have the same MAC were the ones that had been assigned to devices via DHCP.

    I don't know what it was that the hotel was using to do that, but it definitely improved their security. Assuming that trying to run ettercap would stop all traffic and not allow for any MITM attacks.
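
Added example, not part of any post in this thread: a small detector for the two ARP-level symptoms the thread touches on, an IP (especially the gateway) suddenly resolving to a different MAC, which is what an ARP-poisoning MITM of the kind ettercap performs looks like from a victim, and one MAC answering for many IPs, as in post #20. It assumes neighbour-table snapshots in Linux `ip neigh` format; the sample tables are constructed, reusing the gateway address from post #15, and the function names and `trusted_macs` parameter are hypothetical.

```python
import re
from collections import defaultdict

# Matches lines such as: "10.130.193.1 dev eth0 lladdr 00:09:0f:30:b7:0c REACHABLE"
NEIGH_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output; FAILED/INCOMPLETE rows have no lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(baseline, current, gateway_ips=(), trusted_macs=()):
    """Compare two snapshots and return (severity, rule, subject, detail) tuples."""
    alerts = []
    # Rule 1: a known IP now maps to a different MAC (possible ARP poisoning).
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old and old != mac:
            sev = "HIGH" if ip in gateway_ips else "MEDIUM"
            alerts.append((sev, "mac-changed", ip, f"{old} -> {mac}"))
    # Rule 2: one MAC answers for several IPs. A deliberate proxy-ARP
    # gateway does this too, so such devices go in trusted_macs.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and mac not in trusted_macs:
            alerts.append(("MEDIUM", "mac-claims-many-ips", mac, ",".join(sorted(ips))))
    return alerts

# Constructed sample snapshots (02:... MACs are made-up, locally administered).
BASELINE = """10.130.193.1 dev eth0 lladdr 00:09:0f:30:b7:0c REACHABLE
10.130.193.20 dev eth0 lladdr 02:00:00:aa:00:14 STALE
10.130.193.21 dev eth0 lladdr 02:00:00:aa:00:15 STALE
10.130.193.30 dev eth0  FAILED"""
CURRENT = """10.130.193.1 dev eth0 lladdr 02:00:00:aa:00:15 REACHABLE
10.130.193.20 dev eth0 lladdr 02:00:00:aa:00:14 STALE
10.130.193.21 dev eth0 lladdr 02:00:00:aa:00:15 STALE"""

if __name__ == "__main__":
    found = find_anomalies(parse_neigh(BASELINE), parse_neigh(CURRENT),
                           gateway_ips={"10.130.193.1"})
    for alert in found:
        print(*alert)
```

Run against periodic snapshots from a few monitoring hosts, this gives a short alert list instead of gigabytes of proxy logs; it detects the symptom only and does not protect credentials sent in clear text.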
