
Tzomb1e

Member
  • Content Count

    34
  • Joined

  • Last visited

Awards

This user doesn't have any awards

About Tzomb1e

  • Title
    Member

Profile Information

  • Gender
    Male
  • Location
    42 65 68 69 6e 64 20 79 6f 75
  • Occupation
    Network Security Architect

System

  • CPU
    Intel Core i7-8700K Coffee Lake 6-Core
  • Motherboard
    Asus Prime Z370-A LGA 1151
  • RAM
    32 GB Corsair Vengeance RGB Pro DDR4 2933
  • GPU
    ASUS ROG GeForce GTX 1080 STRIX
  • Case
    NZXT s340 Elite Black/Blue
  • PSU
    EVGA SuperNOVA 850 G2 80+ Gold
  • Display(s)
    Dell 27" LED QHD GSync Monitor
  • Cooling
    Corsair Hydro Series H100i V2 240mm
  • Keyboard
    Logitech G613 Wireless Mechanical Gaming Keyboard
  • Mouse
    Logitech G900 Chaos Spectrum
  • Sound
    Creative Sound BlasterX AE-5, Razer Leviathan
  • Operating System
    Windows 10 Pro 64 Bit


  1. My question is more out of curiosity...is it normal for people to walk around with music playing out of their closed laptops? I am not sure I have ever seen that...sitting and working on the laptop and letting music play, sure, but never carrying it around like a boombox! I know not everyone can afford bluetooth headsets, high end smart phones, or whatever else...I just thought I would ask! No judgement, just curiosity. Also, go with the SSD...not only will it be mostly unaffected by movement, but it will also speed things up for you.
  2. Investigations of any kind are normally my favorite part of the job; however, they tend to get passed a little further down the chain these days. This is the first one I have been able to take on myself in a while due to copious other projects. And that is more or less all it is: a Windows device making noise that got my attention. Our field support team just acquired three greenies right out of school. I have already had my normal "this network is not your playground" talk and specifically asked them about this traffic, but I do have my doubts. Fortunately I have some surprise posture assessments in their territories next week that will let me validate their stories, so we will see how things hold up.
  3. The forwarding interface does not have any virtual interfaces. The ingress interface does, though. Unfortunately I cannot share any of the logs. While they do not contain much other than the packet information that I am pulling from my sinkhole, which only has IP, MAC, and information from the DNS query, I am not allowed to share them. Sorry!
  4. I have the IPs, but the only MAC is from the forwarding gateway...which is the forwarding interface of our core router :D. Since it appears to be in a different broadcast domain, I lose the original MAC the second it is forwarded to another LAN segment. The traffic, at least from what the IDS/IPS, firewall, and my sinkhole have caught, has only been DNS queries that are not registering the device name with our DHCP. So the only information the logs give me is the RFC1918 address of the device and the site it is trying to resolve (which has all been normal Windows traffic for Microsoft time and NCSI servers). The IP is almost useless since the subnet it is using does not exist in my environment.
  5. I have considered this, but the corporate policies are somewhat lax on what can be used on the network which makes this way too tricky for me to truly consider. Some of the scope options, like lease, I have already worked on. The devices in question were detected by our IPS/IDS and I have been monitoring their traffic across our edge firewall. While I can just block them logically, finding them physically would be best. With my lack of resources, I may just have to settle for the former...but one can dream!
  6. I did not consider a script, for some silly reason. I will work on that. Thanks! I have been trying to convince those that make choices to allow my team to push forward with 802.1x or ISE or really any NAC...but all they see is cost...and, like you said, the administrative overhead would lead to a larger headcount. Thankfully we do use the same vendor for our infrastructure equipment. They have not been properly cared for, however, and centralized management/logging has been hit or miss during setups.
  7. Thank you for the recommendations! That is one of the options I have been debating...since I cannot pin down the exact location that the traffic is coming from, it would involve more than 100 switches :D. I realize I am a bit limited on my options to begin with, but I just wanted to make sure I was not missing something simple. I appreciate the reply!
  8. I apologize if this belongs in another section...due to the issues, networking seemed most appropriate. I am currently searching for a couple of unknown hosts on a network that consists of more than 60 subnets with almost as many physical locations. All remote locations connect back to the core with MPLS. Normally, I can follow the L3 or L2 information back through the infrastructure to discover the source. However, the hosts in question are using a network that does not exist within the architecture and can only be seen sending traffic to addresses that are very similar to my DNS servers. By similar, I mean they share the same last two octets, but not the first two. I was able to create routes to direct the DNS traffic towards a sinkhole in order to capture the packets and see the contents of the requests...but this only yielded queries for Windows time servers, NCSI servers, and other Windows-based system services without any host information. Since there is no preexisting network route (static or shared), there is no trail to follow back to the host. Any L2 information in the captured packets only shows the MAC from the forwarding gateway, as expected from L2 logic. Unless my brain is misfiring, the host would have to be configured with a gateway that falls within its IP subnet (especially for a Windows host) in order to properly forward any non-LAN requests to external networks. Since the network is not one that "exists" in the architecture, this leads to a bit of an assumption that another router would have to be in place (not using NAT, unless dynamic is being used, since I have two different source addresses) in order for the hosts to send the traffic to its gateway, which can then send the traffic into my other networks assuming next-hop information has been added (or the routing device is pulling a DHCP lease). Creating SPAN ports on the core infrastructure devices is not a possibility due to even the slightest risk of network degradation. A tap is possible, but I think I would end up with the same information from my pseudo honeypot/sinkhole. Anyone have any advice that would save me from touching every device at all 60 locations? I am going to dig through the leases to see if any hostnames might stand out, but this is still tedious. While I realize there are a million technologies for asset management that would assist with this, the company in question has never really cared about proper infrastructure maintenance and monitoring...which is why this is being done by hand.
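The triage described in posts 4 and 8 (sinkhole captures that show only an RFC1918 source address, the core router's MAC, and Windows service lookups) can be scripted so the captures are at least grouped consistently. The following is an added example, not code from the poster or the thread: it parses a constructed, hypothetical log format (timestamp, source IP, source MAC, query name), flags every source that falls outside the subnets the architecture actually defines, guesses the rogue /24 those sources share, and separately notes any packet whose source MAC is not the gateway's, since that one would have arrived without crossing a router and points at the ingress segment. The subnet list, gateway MAC, and log lines are all constructed placeholders; a real export from tcpdump, Zeek or dnsmasq would need its own parse_line().

```python
"""Group sinkhole DNS queries from sources that use an undefined subnet.

Added example, not code from the original thread. Log format, subnets,
gateway MAC and sample lines below are all constructed placeholders.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the subnets that exist in the (hypothetical) architecture.
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.10.0.0/16",
    "10.20.0.0/16",
    "192.168.50.0/24",
)]

# Constructed: MAC of the core router's forwarding interface. A packet that
# carries this source MAC has already been routed, so its L2 header says
# nothing about the original host.
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample log. Fields: timestamp, src IP, src MAC, query name.
SAMPLE_LOG = """\
2019-03-12T08:00:01 10.10.4.17 00:11:22:33:44:55 time.windows.com
2019-03-12T08:00:02 172.16.9.23 00:11:22:33:44:55 www.msftconnecttest.com
2019-03-12T08:00:05 172.16.9.23 00:11:22:33:44:55 time.windows.com
2019-03-12T08:00:09 172.16.9.40 00:11:22:33:44:55 dns.msftncsi.com
2019-03-12T08:01:11 192.168.50.9 00:11:22:33:44:55 time.windows.com
2019-03-12T08:01:30 172.16.9.23 aa:bb:cc:dd:ee:ff ctldl.windowsupdate.com
"""


@dataclass(frozen=True)
class Query:
    ts: str
    src_ip: ipaddress.IPv4Address
    src_mac: str
    qname: str


def parse_line(line):
    """Parse one whitespace-separated log line into a Query."""
    ts, ip, mac, qname = line.split()
    return Query(ts, ipaddress.ip_address(ip), mac.lower(), qname)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_known(ip):
    """True if the address belongs to a subnet the architecture defines."""
    return any(ip in net for net in KNOWN_SUBNETS)


def summarize(text):
    """Return unknown sources, their guessed /24s, query names and any
    source MACs that are not the gateway's (i.e. not yet routed)."""
    qnames = defaultdict(set)
    macs = defaultdict(set)
    for q in parse_log(text):
        if is_known(q.src_ip):
            continue
        qnames[q.src_ip].add(q.qname)
        macs[q.src_ip].add(q.src_mac)

    unknown = sorted(qnames)
    # Collapse each unknown source to its containing /24 as a subnet guess.
    rogue = sorted({ipaddress.ip_network(f"{ip}/24", strict=False)
                    for ip in unknown})
    direct = {str(ip): sorted(m for m in macs[ip] if m != GATEWAY_MAC.lower())
              for ip in unknown}
    return {
        "unknown_sources": [str(ip) for ip in unknown],
        "rogue_subnets": [str(n) for n in rogue],
        "qnames": {str(ip): sorted(qnames[ip]) for ip in unknown},
        "direct_macs": {ip: m for ip, m in direct.items() if m},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Sources outside known subnets:", report["unknown_sources"])
    print("Guessed rogue subnets:", report["rogue_subnets"])
    for ip, names in report["qnames"].items():
        print(f"  {ip}: {', '.join(names)}")
    print("Sources seen with a non-gateway MAC:", report["direct_macs"])
```

The "direct_macs" entry is the interesting one for the hunt: a query that reaches the sinkhole with a source MAC other than the core router's was not forwarded across an L3 boundary, so the switch that learned that MAC is on the ingress segment and its MAC table narrows the search without touching the other sites.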
  9. One of the benefits of them releasing this open-source is the ability of the community to find holes and security flaws with the design. There has already been an issue discovered when Ghidra is run in debug mode. When debug mode is enabled, Ghidra by default listens on all interfaces using port 18001. The flaw is easily fixed by changing one line of code.
  10. In all honesty, I am just curious what you are trying to achieve with this. As Mariushm said, I would just snag a couple of nice ethernet or fiber cards for your computers and connect them with proper ethernet or fiber cabling.
  11. If it will function without a connection to their Cloud APIs, I would almost just toss a pfSense box in with a rule dropping traffic from those devices trying to leave the LAN. I know you said you have to use the ISP-provided router/gateway, but you can have your LAN devices use the pfSense box as their primary gateway and then have the pfSense forward all WAN traffic to your ISP's router/gateway. This would allow the devices to communicate with your LAN without needing extra VLANs, and allow you to control which devices have WAN access. You can go the ACL route as well; I would just be concerned if the devices need to communicate back and forth from a LAN perspective. You could still have the LAN traffic with the ACL, you would just have to make sure you configure the layers of the ACL properly to permit traffic leaving the segmented VLAN only if the destination IP is still on your LAN.
  12. It is difficult to say for certain whether that would fix your issues or not. There are many factors with wireless performance (signal strength, band, interference, load, router/AP throughput, USB adapter throughput, etc, etc). However...any modern ethernet cable and router/switch should be able to provide you MUCH better throughput than 81kb/s. You also have to consider the type of service you are being provided from your ISP as well as what other traffic may be bottlenecking your connection. Your internal devices and connections cannot help your transfer speeds from outside of your network.
  13. Ultimately, subnetting would have been beneficial here. Instead of 192.168.0.0/24 and 10.0.0.0/24, it would have been cleaner to use something like 192.168.0.0/25 and 192.168.0.128/25, depending on the number of hosts needed anyway. If you need a full class C for each floor, then 192.168.0.0/24 and 192.168.1.0/24. You can still use your current addressing of course...it is just messy :D. Assuming the VLANs are already present, all you should need is a static route on the primary router telling it where to send the traffic.
  14. Are both the modem/router combo and the Linksys router configured to handle DHCP and DNS requests? Having two "servers" handling these requests can cause issues with hosts trying to acquire new IP leases and also in attempting to resolve server names. I would decide which device you want to be the default gateway for your environment and disable those functions on the other if you have not already done so.