List:       ntsecurity
Subject:    Re: [NTSEC] Get rid of 139 PORT! <& other topics>
From:       Kevin Houston <khouston () onel ! com>
Date:       2000-03-01 8:39:47

Oren Novotny wrote:
>
> <PGP references removed because the message has been modified>
>
> Below is a forward of a message that I sent to Bugtraq a while ago.
>
> >Create a new TCP Mapping listening on Port 139 and redirecting it to 127.0.0.1 port 1.  The OOB can't do
> >damage on port 1.  Check the option that forces it to listen, even when in use.
>
> You can use Wingate 1.3.17 to do that, I think that Wingate 2.0 can do it too,
> but I don't use version 2.0, so I don't know for sure

We are using Wingate version 2.0.  TCP Mappings work fine.  I
think this is a great workaround for all of the 137 139 UDP port
attacks.  In fact, any exploit/attack that relies on a specific
port can be "fixed" (read worked around).

I'm wondering about the intelligence of setting up a machine
(running NT) as cracker bait and configuring Wingate (or some
other firewall product) to forward all the possible exploit ports
to the cracker bait machine, then telling all of the other machines
in the domain not to trust the cracker bait machine.

The general idea is that most crackers would try to hit and run
if they can't get in right away, but if they have a machine to
play around with, they may stay long enough for you to get a good
idea of who they are, where they are from, etc. etc.  Some simple
exploits should be left open (like anon FTP pointing to the c:\
drive as its root).  Interesting (and false) e-mail could be left
on the machine (perhaps talking about nonexistent machines on a
bogus internal network).  Large encrypted files with interesting
titles could be left lying around.  I guess I'd call this the
monkey trap approach to security.  Give the cracker something to
play with so they keep coming back again and again.  Then perhaps
you can build enough evidence to prosecute.


Any comments on this approach?

Specific Questions:
1) Can a machine be locked out of your network to the extent
required?
2) Is there a good logging/trip-wire program for NT?
3) Has anyone tried this before?

Sincerely

Kevin Houston
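
The following is an added example, not part of the original message and not Wingate's own code. It shows the listener side of the port-mapping idea discussed above: a decoy socket that accepts connections on a port, passes the data to no service, and logs who connected. The class name PortSink, the event fields and the default of an OS-chosen loopback port are assumptions made for illustration.

```python
import socket
import threading
import time

class PortSink:
    """Decoy listener: accept, log the peer, discard whatever is sent."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=4096):
        # port=0 lets the OS pick a free port (assumption, for a safe demo);
        # a real deployment would name the port being shielded.
        self.events = []
        self.max_bytes = max_bytes
        self._srv = socket.create_server((host, port))
        self._srv.settimeout(0.2)          # lets the loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)       # never hang on a silent client
                received = 0
                try:
                    while received < self.max_bytes:
                        chunk = conn.recv(1024)
                        if not chunk:
                            break
                        received += len(chunk)   # counted, then dropped
                except OSError:
                    pass
                self.events.append({"time": time.time(), "peer": peer[0],
                                    "src_port": peer[1], "bytes": received})
```

Start it with PortSink(port=N).start() and read sink.events for the log; binding fails if another service already holds the chosen port.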
