Domain: ntsecurity.nu
Stories and comments across the archive that link to ntsecurity.nu.
Comments · 11
-
Re:I see it more like a proof that
The only fragility I'm aware of is this easily avoidable situation:
http://www.ntsecurity.nu/onmymind/2006/2006-09-02.html
Maybe the forensic toolkits are just naive.
-
bah
Pay for mac changing software for windows? Are you for real?
http://ntsecurity.nu/toolbox/etherchange/ -
Re:You have no real alternative
As long as you're using the school's network, you have to abide by the school's policies.
There are alternatives though.
At my school the IT department recently decided to disallow "all illegal p2p" use under penalty of being permanently banned from the network. This is being carried out by someone just shutting down the port of anyone who trips the schools IDS (snort) or a second system that detects several p2p programs. Needless to say there are tons of false positives.
After numerous written and face to face requests for clarification of the nonexistant policy, attempts to explain legitimate uses, requests to know specifically what we where doing that was illegal, and even asking for a refund on our tuition fee, it became apparent that the IT department just doesn't care.
So for better or worse a number of other ways to circumvent or change these restictions where found:
Prevent them from identifying your traffic. This can be done by setting having friends at other schools set up proxies. These include socks with "ssh -g" on http://cygwin.com/ along with socks-cap or tsocks, individual ssh tunnels, or vpn.
If they cite excessive bandwith caused by p2p make your point by having everyone use a lot of legitimate bandwith with http://porntoolkit.sourceforge.net/
for example.
Here they got frustrated with not being able to identify traffic, so they just started shutting off people for excessive bandwith. The solution to this is to use onion routing like http://www.infoanarchy.org/wiki/index.php/Tor or a similar method within the schools network so that the load of bandwith leaving or entering the network is distributed evenly between many people. I couldn't find too many solutions for this that I liked too much, but a couple hundred lines of python did the job.
Finally, especially if the blocking is being done by hand, you can do some less nice stuff ranging from overloading thier logs with thousands of palse positives to filling the lan with random mac addresses and doing banned stuff with spoofed IPs. This, however, is probobly a bad idea and rather script kiddiesh.
Additionally you may be able to unblock yourself with "ifconfig hw ether NEW_MAC_ADDRESS_HERE" on linux or http://ntsecurity.nu/toolbox/etherchange/ on windows.
So there are alternatives to just living with it if all reasoning and begging with your school goes nowhere. And remember, if all else fails there's always usenet over ssl! Good luck. -
Re:Simple!
Everybody is forgetting each and every ethernet adapter has a unique serial number/address, called the MAC address. It would be very easy to prove/disprove you were the one or not by that address.
Google "etherchange" and see what you get... Here is the first hit... MAC addresses don't prove diddley... -
Re:Umm....
setowner lets you assign arbitary owners (via the Backup Operators' ability to set owners for restoring backups). It can be useful. IIRC, Norton thinks it's a trojan or something...
-
PromiscDetectThe Netcraft article noted that checking to see if your network adapter is in promiscuous mode is a good way to tell if your machine has a sniffer running on it. Unfortunately, they did not mention how one can go about doing this.
If you're using Linux, just runifconfig -a
and look for the string "PROMISC".
If, however, you're using Windows, you need to get a utility called PromicDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.
Source: Computerworld -
Re:hehe, wasn't me..
there is software to change your mac address we learned about it in networking class in fact, while waiting for me to be able to respond (fast typer) I noticed pegr posted a link to it [ntsecurity.nu]
-
Re:hehe, wasn't me..
Or change your MAC address on your windows box with this utility.
-
think of it this way....If you're the type of NT admin who is going to take the trouble to trick the OS fingerprint of your NT box, you're SURE AS HELL going to be consciencous enough to take reasonable steps to avoid getting k1dd13 hacked in the first place.
You've probably already read through the NSA security guide, hardened the OS, DELETED (not just disabled) the guest account, etc.
In which case, most of the k1dd13 hacks won't affect you... -
Re:Is MS-Proxy really refusing to route? (url fix)
The first link in the above paragraph should be this
Jim -
Re:Is MS-Proxy really refusing to route?