PCbanter, Windows 7 Forum: How do I chase down who is doing a multicast? (http://www.pcbanter.net/showthread.php?t=1103575)

T April 7th 18 12:25 AM

How do I chase down who is doing a multicast?
 
Hi All,

How do I chase down who is doing a multicast (224.0.0.252) on
my local network?

My Windows Security log is gobsmacked with the following:

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 192.168.202.215
Destination Port: 52860
Protocol: 17

This gets me nowhere:

# nmap -A -T4 -Pn 224.0.0.252

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds


My firewall shows no traffic outbound to 224.0.0.252


Many thanks,
-T

VanguardLH[_2_] April 7th 18 12:42 AM

How do I chase down who is doing a multicast?
 
T wrote:

5355


Based on that port number:

https://en.wikipedia.org/wiki/Link-L...ame_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?
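Once the port is known, the remaining question is which host is sending. The Security log excerpt in the first post records the group address 224.0.0.252 as the source, not the machine behind it, so the practical way to attribute the traffic is a capture on that segment (for example a `udp port 5355` filter) and a decode of the LLMNR payloads. The script below is an added example written for this thread, not code from any of the posters: it parses LLMNR messages, which reuse the DNS message layout that RFC 4795 specifies, and tallies queried names per source host. The capture tuple shape `(src_ip, dst_ip, dst_port, payload)` and the sample packets are constructed for the example; the 192.168.202.x addresses are made up to match the subnet in the first post.

```python
"""Decode LLMNR (UDP/5355) query payloads so the querying hosts and the
names they ask for can be tabulated.

Added example for this thread; not code from the original posts. The
packets below are constructed by hand rather than captured. LLMNR
(RFC 4795) reuses the DNS message layout, which is what this parser walks."""
import struct
from collections import Counter, defaultdict

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def _read_name(payload: bytes, offset: int):
    """Read a DNS-style label sequence starting at offset.
    Returns (name, offset_after_name). Compression pointers are followed
    (RFC 4795 allows them in answers) with a hop limit against loops."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            pointer = struct.unpack_from("!H", payload, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_llmnr(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of an LLMNR message."""
    if len(payload) < 12:
        raise ValueError("too short for an LLMNR header")
    msg_id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    info = {"id": msg_id, "is_response": bool(flags & 0x8000),
            "qdcount": qdcount, "ancount": ancount}
    if qdcount >= 1:
        qname, off = _read_name(payload, 12)
        qtype, qclass = struct.unpack_from("!HH", payload, off)  # struct.error if cut off
        info.update(qname=qname, qtype=qtype, qclass=qclass)
    return info


def build_query(name: str, msg_id: int, qtype: int = 1) -> bytes:
    """Lay out an LLMNR query (standard DNS wire format); used here only to
    fabricate the sample capture."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tally_queriers(captures):
    """captures: iterable of (src_ip, dst_ip, dst_port, payload), e.g. the UDP
    datagrams from a `udp port 5355` capture. Returns {src_ip: Counter(qname)}
    for queries sent to the LLMNR group; unicast replies and junk are skipped."""
    per_host = defaultdict(Counter)
    for src_ip, dst_ip, dst_port, payload in captures:
        if dst_ip != LLMNR_GROUP or dst_port != LLMNR_PORT:
            continue
        try:
            msg = parse_llmnr(payload)
        except (ValueError, struct.error):
            continue  # malformed datagram: not worth a crash in a tally
        if msg["is_response"] or "qname" not in msg:
            continue
        per_host[src_ip][msg["qname"]] += 1
    return dict(per_host)


# Constructed sample capture (not real traffic): two hosts on the office leg,
# one of them repeatedly asking for a name that nothing on the segment answers.
SAMPLE_CAPTURE = [
    ("192.168.202.15", LLMNR_GROUP, LLMNR_PORT, build_query("fileserver", 0x1A2B)),
    ("192.168.202.15", LLMNR_GROUP, LLMNR_PORT, build_query("fileserver", 0x1A2C)),
    ("192.168.202.15", LLMNR_GROUP, LLMNR_PORT, build_query("fileserver", 0x1A2D, qtype=28)),
    ("192.168.202.40", LLMNR_GROUP, LLMNR_PORT, build_query("printer-2f", 0x0007)),
    ("192.168.202.40", "192.168.202.15", 52860, build_query("ignored", 9)),  # unicast, skipped
    ("192.168.202.99", LLMNR_GROUP, LLMNR_PORT, b"\x00\x01"),  # junk, skipped
]

if __name__ == "__main__":
    for host, names in sorted(tally_queriers(SAMPLE_CAPTURE).items()):
        print(f"{host}: {sum(names.values())} LLMNR queries -> {dict(names)}")
```

A host that keeps asking the group for the same name is usually one whose resolver falls through to LLMNR after DNS fails for it; the name itself (a stale mapped drive, a printer that was renamed) is normally what points to the fix, and the per-host count is what decides whether the firewall logging, rather than the protocol, is the thing worth tuning.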

T April 7th 18 01:10 AM

How do I chase down who is doing a multicast?
 
On 04/06/2018 04:42 PM, VanguardLH wrote:
T wrote:

5355


Based on that port number:

https://en.wikipedia.org/wiki/Link-L...ame_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?


Good Lord, Vanguard! I have been google'ing my ass over
all this for hours before asking for help. You hit it
out of the ball park. And gave me a way to figure the next
one out myself. Wow! Impressive!

Anyway, to answer your question, this network leg is their
general office and not a high security Point of Sale (POS)
leg. They are allowed to bring "certain" devices, with
permission, and run them on this leg. (They are
under threat of death for doing that on the POS legs.)

I did an arp scan and everyone is legit. Just the usual
suspects.

The multicast traffic on port 5355 is so
prodigious that my File Integrity Monitoring (FIM) software
server is crashing trying to log the tidal wave of notices
placed in the clients' security logs.

Thank you!
-T



T April 7th 18 01:38 AM

How do I chase down who is doing a multicast?
 
Hi Vanguard,

At this point I am thinking you know everything, so please forgive
this question:

Do you know how to convert this to a .reg file?


Many thanks,
-T


To disable LLMNR:

1) Win+R, gpedit.msc

2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client

3) Click on “Turn Off Multicast Name Resolution” and set it to
“Enabled”



VanguardLH[_2_] April 7th 18 02:09 AM

How do I chase down who is doing a multicast?
 
T wrote:

At this point I am thinking you know everything, so please forgive
this question:


Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.

Do you know how to convert this to a .reg file?

To disable LLMNR:
1) winR gpedit.msc
2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client
3) Click on Turn Off Multicast Name Resolution and set it to
Enabled


Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all policies are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So I did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I downloaded the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and the data item whose value you have to
change, along with lots of description. Once you find the registry key
and set the data item (adding it if absent) to your desired value,
export that registry key to have a .reg file to stow away for later reuse.

B00ze April 7th 18 03:28 AM

How do I chase down who is doing a multicast?
 
On 2018-04-06 21:09, VanguardLH wrote:

Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all policies are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So I did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I downloaded the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and the data item whose value you have to
change, along with lots of description. Once you find the registry key
and set the data item (adding it if absent) to your desired value,
export that registry key to have a .reg file to stow away for later reuse.


Wow, this can come in handy; thanks!

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows error 21 It'll never work, really!


T April 7th 18 03:33 AM

How do I chase down who is doing a multicast?
 
On 04/06/2018 06:09 PM, VanguardLH wrote:
T wrote:

At this point I am thinking you know everything, so please forgive
this question:


Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.


My wife is right about 90% of the time. Whenever she is right,
it is "so what else is new?" Whenever I am right, it is strutting
and ticker tape time.


Do you know how to convert this to a .reg file?

To disable LLMNR:
1) winR gpedit.msc
2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client
3) Click on Turn Off Multicast Name Resolution and set it to
Enabled


Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all policies are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So I did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I downloaded the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and the data item whose value you have to
change, along with lots of description. Once you find the registry key
and set the data item (adding it if absent) to your desired value,
export that registry key to have a .reg file to stow away for later reuse.


Wow! You did it again. I LOVE THAT SPREADSHEET !!!! (I converted
it to .ODX. Chuckle.)

THANK YOU!!!!


Windows Registry Editor Version 5.00

; Disable Link Local Multicast Name Resolution (LLMNR)
; Note the double negative: setting the policy to "Enabled" turns LLMNR off

; dword:00000000 is enabled (turns LLMNR off)
; dword:00000001 is disabled (turns LLMNR back on)
; completely missing is "not configured"
; to go back to "not configured", delete the key instead:
; [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]

; note: you need to reboot for this to take effect

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000



