[iwar] ATT@Home cable enumeration attack

From: Fred Cohen (fc@all.net)
Date: 2001-11-15 17:20:51


To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Date: Thu, 15 Nov 2001 17:20:51 -0800 (PST)
Subject: [iwar] ATT@Home cable enumeration attack

AT&T/@Home has standardized on using DHCP for end-user workstation
configuration. This configuration is done via the standard DHCP 
implementation, but also is configured to send a string to the
DHCP server with the "hostname" of the client.

This hostname is administratively defined by AT&T and is a unique
customer number. An example is...

 cb666699-a.anytwn.il.home.com

Where the customer ID is cb666699-a in the subdomain of anytwn.il

What frightens me is that no PTR records are configured except for this
dynamic method. By scanning for PTR records, it is easy to determine
active IP addresses and focus attack efforts on those IPs only, speeding
up possible intrusions (imagine how much quicker it is if only
20,000 hosts are listening on a 24/8 subnet!)

This implementation, while not a true "vulnerability", is not quite a
"Best Practice".

-#0
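As an added defensive example (not part of Fred's message or the list archive), the following Python flags a DNS client that walks a reverse zone the way the message describes, by spotting many distinct PTR lookups from one source in a short window. The log lines are constructed in a simplified BIND-style query-log format, and the format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query-log lines in a simplified BIND-style format (an assumption, not real
# @Home traffic): 203.0.113.9 walks 192.0.2.0/24 in reverse, 198.51.100.5 does ordinary lookups.
SAMPLE_LOG = "\n".join(
    [f"15-Nov-2001 17:20:{i:02d}.000 client 203.0.113.9#4321: query: "
     f"{i + 1}.2.0.192.in-addr.arpa IN PTR" for i in range(10)]
    + [
        "15-Nov-2001 17:25:00.000 client 198.51.100.5#5353: query: 8.2.0.192.in-addr.arpa IN PTR",
        "15-Nov-2001 17:31:00.000 client 198.51.100.5#5353: query: mail.example.net IN A",
        "15-Nov-2001 17:40:00.000 client 198.51.100.5#5353: query: 9.2.0.192.in-addr.arpa IN PTR",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN PTR$"
)

def reverse_name_to_ip(name):
    """Turn '1.2.0.192.in-addr.arpa' back into '192.0.2.1'; None if not an IPv4 reverse name."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def find_ptr_sweeps(log_text, window_seconds=60, threshold=8):
    """Map each client that PTR-resolves >= threshold distinct addresses within any window to the largest such count."""
    events = defaultdict(list)  # src -> [(timestamp, target_ip)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # forward lookups and unparseable lines are ignored
        ip = reverse_name_to_ip(m["name"])
        if ip is None:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        events[m["src"]].append((ts, ip))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for src, hits in events.items():
        hits.sort()  # logs may not be in time order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({ip for _, ip in hits[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged
```

On the sample log only 203.0.113.9 is flagged; the two spaced-out PTR lookups from 198.51.100.5 stay under the threshold.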


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST