From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 15 Nov 2001 17:20:51 -0800 (PST)
Subject: [iwar] ATT@Home cable enumeration attack

AT&T/@Home has standardized on using DHCP for end-user workstation configuration.
This configuration is done via the standard DHCP implementation, but also is configured to send a string to the DHCP server with the "hostname" of the client. This hostname is administratively defined by AT&T and is a unique customer number. An example is...

cb666699-a.anytwn.il.home.com

Where the customer ID is cb666699-a in the subdomain of anytwn.il

What frightens me is that no PTR records are configured except for this dynamic method. By scanning for PTR records, it is easy to determine active IP addresses and focus attack efforts on those IPs only, speeding up possible intrusions (imagine how much quicker it is if only 20,000 hosts are listening on a 24/8 subnet!)

This implementation, while not a true "vulnerability", is not quite a "Best Practice".

-#0
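An added example (not part of the original post, and not AT&T's configuration): an operator-side audit of one DHCP pool's reverse zone that checks whether PTR presence tracks active leases as described above, plus a generator for uniform generic PTR records, an assumed mitigation the post does not prescribe. The function names, the 192.0.2.0/28 pool, `pool.example.net` and the customer-label pattern are assumptions.

```python
import ipaddress
import re

# Assumption: customer-ID labels look like the post's single example, "cb666699-a".
CUSTOMER_LABEL = re.compile(r"^[a-z]{2}\d+-[a-z]$")

def audit_reverse_zone(pool_cidr, ptr_records):
    """Report how much lease state the reverse zone of one pool gives away."""
    hosts = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
    with_ptr = [h for h in hosts if h in ptr_records]
    id_names = [ptr_records[h] for h in with_ptr
                if CUSTOMER_LABEL.match(ptr_records[h].split(".")[0])]
    return {
        "pool_size": len(hosts),
        "with_ptr": len(with_ptr),
        # If only some addresses answer, PTR presence tracks active leases.
        "ptr_reveals_lease_state": 0 < len(with_ptr) < len(hosts),
        "customer_id_names": id_names,
    }

def uniform_ptr_records(pool_cidr, suffix):
    """Build one generic PTR per pool address, so every address answers alike."""
    lines = []
    for host in ipaddress.ip_network(pool_cidr).hosts():
        label = "host-" + str(host).replace(".", "-")
        lines.append(f"{host.reverse_pointer}. IN PTR {label}.{suffix}.")
    return lines

# Constructed sample data: documentation address range, three active leases.
SAMPLE_POOL = "192.0.2.0/28"
SAMPLE_PTRS = {
    "192.0.2.3": "cb666699-a.anytwn.il.home.com",   # name format from the post
    "192.0.2.7": "cb000001-a.anytwn.il.home.com",   # constructed
    "192.0.2.12": "cb000002-b.anytwn.il.home.com",  # constructed
}

if __name__ == "__main__":
    print(audit_reverse_zone(SAMPLE_POOL, SAMPLE_PTRS))
    for line in uniform_ptr_records(SAMPLE_POOL, "pool.example.net"):
        print(line)
```

The generated records only cover the reverse zone; the customer number that the DHCP client sends as its hostname is a separate exposure.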
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST