If all previous ideas do not work, try running NetMon or any other
"sniffer" on the Domain master browser. It will receive a browser
announce frame sooner or later. The frame will tell you which browser
supplied the name. Doing string searches in a large trace could be an
issue. Some sniffers are better at it than others. Then follow the
browser chain until you find the one that is on the same subnet as the
"offender". That will give the IP address of the system that sent the
browser announce frame.
Somewhat painful process, so use it as a last resort. I had to use it
when nothing else worked.
Thank you, Tony.
Tony Gordon, Windows 2000 MCSE
tony.gordon (at) hewitt (dot) com [email concealed]
Windows Server Infrastructure
Phone: 847.295.5000 x14534
Fax: 847.295.8877
Hewitt Associates
gary_palmer (at) attbi (dot) com [email concealed]
11/12/2002 03:13 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
cc:
Subject: Unknown workgroup in Microsoft Windows Network
Recently a new workgroup name appeared in our organization's "Network
Neighborhood > Microsoft Windows Network". The workgroup or domain is
called "Gotcha." Not a particularly pleasing name for a workgroup.
Having verified that no staff members have plugged in new hardware
recently, and verifying that there are no unauthorized logins to our
wireless network, I'm somewhat at a loss to explain this. I found
information on an SMB hack that, as a side-effect, causes a rogue
workgroup to show up in Network Neighborhood in order to sniff cleartext
passwords from Windows 95 machines, but our firewall blocks ports 137 and
139, and there's nothing unusual in the firewall logs.
My question is this--what's the best way to track down an IP address
associated with a domain or workgroup listing in Network Neighborhood? Is
this possible? This would at least give me an idea of where on the
physical network this is coming from. Does anyone have recommendations on
tracing this problem?
Thank you,
Gary
--
gpalmer (at) attbi (dot) com [email concealed]
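The trace search suggested in the reply at the top of this thread, sketched as an added example that is not part of the original messages: it scans UDP/138 payloads already exported from a capture for browser DomainAnnouncement frames naming a given workgroup and reports the sender address and the announcing master browser. Assumptions: the browser frame is located with a simple search for the `\MAILSLOT\BROWSE` name rather than a full SMB parse, and the sample datagrams, host names and IP addresses are constructed.

```python
import socket, struct

MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"
OPCODES = {0x01: "HostAnnouncement", 0x0C: "DomainAnnouncement",
           0x0F: "LocalMasterAnnouncement"}

def _oem(raw):
    # Name fields are NUL-terminated (and NUL-padded) OEM strings
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").strip()

def parse_announcement(payload):
    """Parse one UDP/138 payload; return a dict, or None if not a browser announcement."""
    if len(payload) < 14 or payload[0] not in (0x10, 0x11, 0x12):
        return None                       # not a NetBIOS datagram (RFC 1002, 4.4.1)
    src_ip = socket.inet_ntoa(payload[4:8])   # SOURCE_IP field, written by the sender
    pos = payload.find(MAILSLOT)          # assumption: frame follows the mailslot name
    if pos < 0:
        return None
    frame = payload[pos + len(MAILSLOT):]
    if len(frame) < 32 or frame[0] not in OPCODES:
        return None
    return {"type": OPCODES[frame[0]], "src_ip": src_ip,
            "name": _oem(frame[6:22]), "trailer": _oem(frame[32:])}

def find_announcers(payloads, workgroup):
    """(source IP, master browser name) for each DomainAnnouncement of `workgroup`."""
    hits = []
    for p in payloads:
        a = parse_announcement(p)
        if a and a["type"] == "DomainAnnouncement" and a["name"].upper() == workgroup.upper():
            hits.append((a["src_ip"], a["trailer"]))
    return hits

def _sample(ip, opcode, name, trailer):
    # Constructed datagram: NetBIOS names and SMB fields are filler bytes
    nb = struct.pack(">BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(ip), 138, 0, 0)
    frame = struct.pack("<BBI16sBBI4s", opcode, 1, 720000, name.encode(),
                        5, 0, 0x1000, b"\x0f\x01\x55\xaa")
    return nb + b"\x00" * 68 + b"\xffSMB" + b"\x00" * 65 + MAILSLOT + frame + trailer.encode() + b"\x00"

# Constructed sample traffic (addresses and host names are made up)
SAMPLES = [
    _sample("10.1.4.23", 0x0C, "GOTCHA", "LABPC7"),
    _sample("10.1.2.5", 0x0C, "CORP", "DC01"),
    _sample("10.1.4.40", 0x01, "WS40", "front desk"),
]

if __name__ == "__main__":
    print(find_announcers(SAMPLES, "Gotcha"))
```

The source address inside the NetBIOS datagram header is supplied by the sending host, so on a real capture compare it with the IP header source and the Ethernet source address of the same frame before tracing a switch port.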