LinuxQuestions.org
Old 07-30-2009, 01:47 AM   #16
catkin
LQ 5k Club
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,546

Quote:
Originally Posted by crackpipe View Post
What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
Of course it must open the necessary ports to get the DHCP lease, but it could stealth all ports after that.

Edit:

The second scenario, of simply connecting to the LAN with network adapter in promiscuous mode and sniffing all packets would only be effective if it were not connected to a switch. A switch would only send IP packets associated with the computer's MAC address.

Thus network probes would not find a stealthed computer that had got an IP by DHCP, and the stealthed computer would only be detectable by appearance in the DHCP server's lease list or by analysing all traffic looking for traffic to an IP that ought not be in use. To circumvent this, a malicious person could simply configure an IP address without using DHCP, hoping it is unused. Their chances of success would be <number of IP addresses on the LAN used> divided by <number of IP addresses in the LAN range>, probably a little better guessing that local conventions tend to use the top and bottom of the range for particular purposes, e.g. servers at the bottom and network devices at the top.

Last edited by catkin; 07-30-2009 at 02:01 AM.
Old 07-30-2009, 03:40 AM   #17
jschiwal
Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

My home router allows assigning IP addresses to MAC addresses. I used this so that each host always gets the same IP address and so I don't need to re-edit the /etc/hosts file on each host. I found that avahi resolution of hostname.local worked but was way too slow.

One could also use dnsmasq to maintain hostname/IP addresses. It uses its own /etc/hosts file as the database for DNS requests for hosts on the LAN. It also includes a DHCP server. This would allow you to maintain a single hosts file.
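The dnsmasq setup described above (fixed addresses per MAC, one hosts database, and a DHCP server that only serves listed MACs), written out as an added example. This configuration is not from the thread; the interface name, MAC addresses, hostnames and address ranges are assumed for illustration.

```conf
# /etc/dnsmasq.conf (added example; interface, MACs, names and addresses are assumed)

interface=eth0                  # serve DNS and DHCP on the LAN side only
domain=lan
expand-hosts                    # "fileserver" in /etc/hosts also answers as fileserver.lan

# dnsmasq answers DNS from the local /etc/hosts by default, and it also
# answers for names that DHCP clients register, so one hosts file on this box
# is the only inventory you maintain.

# Pool for guests/unlisted devices; leases last 12 hours
dhcp-range=192.168.1.100,192.168.1.199,12h

# Pin each known MAC to a fixed address and name (same effect as the
# MAC-to-IP mapping on a home router)
dhcp-host=00:11:22:33:44:01,fileserver,192.168.1.10
dhcp-host=00:11:22:33:44:02,laptop,192.168.1.11

# Hosts that match a dhcp-host line get the internal tag "known";
# refuse DHCP to anything that does not
dhcp-ignore=tag:!known

# Lease database a monitoring script can read
dhcp-leasefile=/var/lib/misc/dnsmasq.leases

# Log every DHCP transaction, including requests that were ignored
log-dhcp
```

Two caveats a practitioner should keep in mind: a MAC address is trivially changed, so `dhcp-ignore=tag:!known` keeps out careless devices rather than a determined attacker, and, as catkin notes in post #16, a host that configures its own address never talks to the DHCP server at all, so this filter does nothing against it. The `dhcp-leasefile` line is there so a separate check can compare the lease table against what is actually active on the wire.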
Old 07-31-2009, 10:36 AM   #18
crackpipe
Member
Registered: Nov 2005
Distribution: Slackware, Zenwalk, Debian
Posts: 35

Original Poster
Quote:
Originally Posted by catkin View Post
Of course it must open the necessary ports to get the DHCP lease, but it could stealth all ports after that.

Thus network probes would not find a stealthed computer that had got an IP by DHCP, and the stealthed computer would only be detectable by appearance in the DHCP server's lease list or by analysing all traffic looking for traffic to an IP that ought not be in use. To circumvent this, a malicious person could simply configure an IP address without using DHCP, hoping it is unused. Their chances of success would be <number of IP addresses on the LAN used> divided by <number of IP addresses in the LAN range>, probably a little better guessing that local conventions tend to use the top and bottom of the range for particular purposes, e.g. servers at the bottom and network devices at the top.
Thanks. I didn't know a system could grant itself an available IP and effectively join without approval of the router sending it one. It looks like it's a good idea to configure my router to grant/deny IP addresses by MAC, as suggested by jschiwal. A script would also be useful. Configure the router to do periodic logging of its clients table, and have the script check these logs to notify me in a terminal if a non-approved MAC is somehow on the clients list? When purchasing new systems or retiring old systems, I can add or remove MACs from an approved MAC list, it appears. Perhaps this will work...hmmm... Also will keep my eyes open here for other solutions; putting a lot of MAC information out there by logging, by an access list in the router, etc., might create vulnerabilities itself, apparently.

Last edited by crackpipe; 07-31-2009 at 10:52 AM. Reason: clarification
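The check sketched in post #18 (compare the DHCP client table against an approved-MAC list) combined with the two detection routes catkin gives in post #16 (the lease list, and traffic to an address that ought not be in use), as one added example. This script is not from the thread. It assumes a dnsmasq-style lease file (`<expiry> <mac> <ip> <hostname> <client-id>` per line), an approved-host file of `<mac> [static-ip] # comment` lines, and the output of `ip -4 neigh show` on Linux as the "what is actually on the wire" source; all sample data embedded below is constructed.

```python
"""Audit the LAN against a dnsmasq lease file and an approved-MAC list.

Added example, not code from the thread. Assumed inputs: a dnsmasq lease file
("<expiry> <mac> <ip> <hostname> <client-id>"), an approved-host file
("<mac> [static-ip] # comment"), and the output of `ip -4 neigh show` on
Linux. The sample data at the bottom is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # unapproved-lease | unapproved-mac | no-lease | lease-mismatch
    ip: str
    mac: str
    detail: str


def norm_mac(mac: str) -> str:
    return mac.strip().lower()


def parse_leases(text: str) -> dict:
    """{mac: (ip, hostname)} from dnsmasq.leases; skips the IPv6 'duid' line."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "duid":
            continue
        hostname = parts[3] if len(parts) > 3 else "*"
        leases[norm_mac(parts[1])] = (parts[2], hostname)
    return leases


def parse_approved(text: str) -> dict:
    """{mac: static_ip_or_None}; '#' starts a comment."""
    approved = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            approved[norm_mac(fields[0])] = fields[1] if len(fields) > 1 else None
    return approved


def parse_neigh(text: str) -> dict:
    """{ip: mac} for neighbour-table entries that resolved to a link-layer address."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts or parts[-1] in ("FAILED", "INCOMPLETE"):
            continue
        seen[parts[0]] = norm_mac(parts[parts.index("lladdr") + 1])
    return seen


def _ip_key(ip: str):
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)       # keeps v4 and v6 sortable if both appear


def audit(leases: dict, approved: dict, neigh: dict) -> list:
    findings = []
    lease_by_ip = {ip: mac for mac, (ip, _) in leases.items()}

    # 1. A host that took a lease and then stealthed every port is visible only here.
    for mac, (ip, host) in sorted(leases.items()):
        if mac not in approved:
            findings.append(Finding("unapproved-lease", ip, mac,
                                    f"lease for '{host}' held by a MAC not on the approved list"))

    # 2. Addresses actually talking on the wire, whether or not they ever asked DHCP.
    for ip, mac in sorted(neigh.items(), key=lambda kv: _ip_key(kv[0])):
        if ip not in lease_by_ip:
            if approved.get(mac) != ip:   # an approved, deliberately static host is not a squatter
                findings.append(Finding("no-lease", ip, mac,
                                        "active address with no DHCP lease (self-assigned?)"))
        elif lease_by_ip[ip] != mac:
            findings.append(Finding("lease-mismatch", ip, mac,
                                    f"lease for this address is held by {lease_by_ip[ip]}"))
        if mac not in approved and mac not in leases:   # not already reported under 1.
            findings.append(Finding("unapproved-mac", ip, mac,
                                    "MAC seen on the wire is not on the approved list"))
    return findings


# --- constructed sample data (not captured from a real network) ---
SAMPLE_LEASES = """\
1249000000 00:11:22:33:44:01 192.168.1.10 fileserver 01:00:11:22:33:44:01
1249000000 00:11:22:33:44:02 192.168.1.11 laptop *
1249000000 de:ad:be:ef:00:01 192.168.1.12 * *
"""
SAMPLE_APPROVED = """\
# mac               [static ip]   owner
00:11:22:33:44:01                 # fileserver (DHCP reservation)
00:11:22:33:44:02                 # laptop
00:11:22:33:44:03   192.168.1.5   # printer, statically configured on purpose
"""
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.5 dev eth0 lladdr 00:11:22:33:44:03 STALE
192.168.1.200 dev eth0 lladdr ca:fe:ba:be:00:02 REACHABLE
192.168.1.12 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:02 DELAY
192.168.1.99 dev eth0  FAILED
"""


def audit_sample() -> list:
    return audit(parse_leases(SAMPLE_LEASES), parse_approved(SAMPLE_APPROVED),
                 parse_neigh(SAMPLE_NEIGH))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.kind:17} {f.ip:15} {f.mac}  {f.detail}")
```

On a real box the three inputs come from `/var/lib/misc/dnsmasq.leases`, your own approved-host file and `ip -4 neigh show`, run from cron; the neighbour table only lists addresses the monitoring host has recently exchanged traffic with, so sweep the range first (a broadcast ping or an `nmap -sn` from the same segment) if you want every active address in it. The approved file carries an optional static address precisely so that a printer you configured by hand is not reported as a squatter, while an unlisted MAC on an unleased address is reported twice: once for being unknown and once for having bypassed DHCP.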
Old 08-04-2009, 03:51 AM   #19
archtoad6
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Just came across a reference to nmblookup in another thread, would
Code:
nmblookup '*'
be of any use to you?
Old 08-05-2009, 04:53 PM   #20
tekhead2
Member
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

If you're really that concerned, have you considered running a packetfence server?

http://www.packetfence.org
Tags
dhcp, lan