My "action" today

Determ

Newbie

Posts: 23

Joined: Tue Jul 13, 2010 1:20 am

Post Mon Aug 30, 2010 9:11 am

My "action" today

Last week we had a problem with web browsing. Since I had made static ARP entries on a few machines, I knew that it was the same symptom as someone doing ARP poisoning. I started Wireshark, which showed massive activity on destination port 137 from one internal IP address (machine).

So for the weekend I made my computer vulnerable to ARP attack and set up XARP on it. Today when I was working, XARP started a continuous alarm. I opened Wireshark to locate the IP address (it was the same as last week). Then I started NMAP to identify the computer brand and OS. At first I was sure someone had started C&A. So I went to the office where this computer was in use. It wasn't C&A; the computer, which belongs to a young girl, obviously has a lot of malware. I ran netstat -an but didn't go checking the IPs. Later I wanted to deliberately get an ARP attack with this computer, but it didn't show up. Only massive knocking on 137/138. I will make a fresh install of the OS on that computer.

So this is it. Have you been in a situation where someone used C&A and you detected it?
Last edited by Determ on Mon Aug 30, 2010 11:29 am, edited 1 time in total.
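
Added example (not part of the original posts): a small Python triage of the two signals described in the post above, an ARP reply that contradicts a pinned static entry and one host flooding UDP 137/138. The frame tuples, addresses, and threshold are constructed assumptions, and `triage` is a hypothetical helper, not a feature of any tool named in the thread.

```python
from collections import Counter

# Constructed sample frames (not from the thread): (kind, src_mac, ip, dst_port).
# "arp": a reply claiming `ip` is at `src_mac`; "udp": a datagram sent from `ip`.
GW, GW_MAC = "192.0.2.1", "00:00:5e:00:53:01"
PC, PC_MAC = "192.0.2.40", "00:00:5e:00:53:40"
SAMPLE_FRAMES = (
    [("arp", GW_MAC, GW, None)]
    + [("udp", PC_MAC, PC, 137)] * 40
    + [("udp", PC_MAC, PC, 138)] * 10
    + [("arp", PC_MAC, GW, None)] * 2                     # PC's MAC claims the gateway IP
    + [("udp", "00:00:5e:00:53:22", "192.0.2.22", 137)]   # ordinary name query
)
STATIC_ARP = {GW: GW_MAC}    # pinned entries, like the static ARP entries in the post
NETBIOS_PORTS = {137, 138}

def triage(frames, static_arp, netbios_threshold=20):
    """Return (arp_conflicts, netbios_talkers) for a list of frame tuples."""
    ip_to_mac = dict(static_arp)   # trusted or first-seen IP -> MAC bindings
    mac_to_ip = {}                 # sender MAC -> IP it uses for its own traffic
    conflicts = set()              # (claimed_ip, expected_mac, claiming_mac)
    netbios = Counter()
    for kind, mac, ip, port in frames:
        if kind == "arp":
            expected = ip_to_mac.setdefault(ip, mac)
            if expected != mac:
                conflicts.add((ip, expected, mac))
        elif kind == "udp":
            mac_to_ip.setdefault(mac, ip)
            if port in NETBIOS_PORTS:
                netbios[ip] += 1
    # Resolve each claiming MAC to the IP it normally sends from, so the alert
    # names a machine to go and find rather than only a hardware address.
    arp_conflicts = sorted((ip, exp, mac, mac_to_ip.get(mac, "unknown"))
                           for ip, exp, mac in conflicts)
    talkers = {ip: n for ip, n in netbios.items() if n >= netbios_threshold}
    return arp_conflicts, talkers

if __name__ == "__main__":
    conflicts, talkers = triage(SAMPLE_FRAMES, STATIC_ARP)
    for ip, exp, mac, host in conflicts:
        print(f"ARP conflict: {ip} pinned to {exp}, claimed by {mac} (host {host})")
    for ip, n in talkers.items():
        print(f"NetBIOS flood: {ip} sent {n} datagrams to 137/138")
```

With the ARP frames filtered out, the same function still reports the 137/138 talker, which matches the second visit described in the post where no ARP alarm appeared.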
zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Mon Aug 30, 2010 1:10 pm

Re: My "action" today

I've used it on my home network. Brothers started complaining about lag and stuff, was kinda funny :P Also tried it in the CISCO labs at college once but no one noticed it.
ZF
