How do I chase down who is doing a multicast?
Hi All,

How do I chase down who is doing a multicast (224.0.0.252) on my local network? My Windows Security log is gobsmacked with the following:

    Network Information:
        Direction:           Inbound
        Source Address:      224.0.0.252
        Source Port:         5355
        Destination Address: 192.168.202.215
        Destination Port:    52860
        Protocol:            17

This gets me nowhere:

    # nmap -A -T4 -Pn 224.0.0.252
    Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
    Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds

My firewall shows no traffic outbound to 224.0.0.252.

Many thanks,
-T
T wrote:

> 5355

Based on that port number: https://en.wikipedia.org/wiki/Link-L...ame_Resolution which also has a hyperlink to: https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I suspect if you disable LLMNR that sharing services could get impacted. http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users bring their own laptops into work to connect directly to the corporate network instead of into a DMZ'ed subnet? LLMNR traffic is not routable (because it is a local link protocol); that is, it cannot pass across routers, so the problem is not with external hacking into your intranet. https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same subnet within your intranet?
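VanguardLH's post identifies the traffic as LLMNR, and T's nmap attempt shows why scanning the group address finds nothing: the senders are the hosts that emit queries to it, so the way to chase them down is to capture on that segment and attribute each datagram to its source. The Python below is an added example, not code from the thread: it parses the LLMNR query format (RFC 4795 reuses the DNS message layout) from a constructed capture and tallies queried names per sending host; the packet tuples, names and addresses are constructed sample data.

```python
import struct
from collections import defaultdict
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def parse_qname(payload, off):
    """Decode a DNS-style label sequence starting at off; return (name, next_off)."""
    labels = []
    while True:
        n, off = payload[off], off + 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not expected in an LLMNR question
            raise ValueError("compressed name")
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off

def parse_llmnr(payload):
    """Parse the LLMNR header (RFC 4795 reuses the DNS layout) and first question."""
    tid, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = parse_qname(payload, 12)
    qtype, _ = struct.unpack("!HH", payload[off:off + 4])
    return {"id": tid, "query": not flags & 0x8000, "name": name, "qtype": qtype}

def attribute_llmnr(packets):
    """Return {src_ip: {queried_name: count}} for LLMNR queries sent to the group."""
    senders = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, payload in packets:
        if (dst, dport) != (LLMNR_GROUP, LLMNR_PORT):
            continue  # not LLMNR (e.g. ordinary unicast DNS on port 53)
        try:
            rec = parse_llmnr(payload)
        except (ValueError, IndexError, struct.error):
            continue  # malformed datagram: skip it rather than crash the collector
        if rec["query"]:
            senders[src][rec["name"]] += 1
    return {s: dict(names) for s, names in senders.items()}

def build_query(name, tid=0x1234, qtype=1):
    """Build LLMNR query bytes; used here only to construct the sample capture."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", tid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
# Constructed sample capture, not real traffic: (src_ip, dst_ip, dst_port, udp_payload).
SAMPLE = [
    ("192.168.202.40", LLMNR_GROUP, LLMNR_PORT, build_query("fileserver")),
    ("192.168.202.40", LLMNR_GROUP, LLMNR_PORT, build_query("fileserver")),
    ("192.168.202.77", LLMNR_GROUP, LLMNR_PORT, build_query("nas01", qtype=28)),
    ("192.168.202.215", "192.168.202.1", 53, build_query("example.com")),
]
```

Feeding it real packets means pulling the (src, dst, dport, payload) tuples out of a capture taken on the same segment; a host that keeps querying names that never get answered is the one worth looking at first.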
On 04/06/2018 04:42 PM, VanguardLH wrote:
> T wrote:
>> 5355
>
> Based on that port number: https://en.wikipedia.org/wiki/Link-L...ame_Resolution which also has a hyperlink to: https://technet.microsoft.com/library/bb878128
>
> Seems that every host running the DNS client is going to use LLMNR. I suspect if you disable LLMNR that sharing services could get impacted. http://www.pciqsatalk.com/2016/03/di...r-netbios.html
>
> Are you allowing rogue hosts to enter your intranet, like letting users bring their own laptops into work to connect directly to the corporate network instead of into a DMZ'ed subnet? LLMNR traffic is not routable (because it is a local link protocol); that is, it cannot pass across routers, so the problem is not with external hacking into your intranet. https://tools.ietf.org/rfc/rfc4795.txt
>
> So do you trust the hosts permitted to physically connect to the same subnet within your intranet?

Good Lord Vanguard! I have been google'ing my ass over all this for hours before asking for help. You hit it out of the ball park. And gave me a way to figure the next one out myself. Wow! Impressive!

Anyway, to answer your question, this network leg is their general office and not a high security Point of Sale (POS) leg. They are allowed to bring "certain" devices, with permission, and run them on this leg. (They are under threat of death for doing that on the POS legs.) I did an arp scan and everyone is legit. Just the usual suspects.

The multicast traffic on port 5355 is so prodigious that my File Integrity Monitoring (FIM) software server is crashing trying to log the tidal wave of notices placed in the clients' security logs.

Thank you!
-T
Hi Vanguard,

At this point I am thinking you know everything, so please forgive this question: Do you know how to convert this to a .reg file?

Many thanks,
-T

> To disable LLMNR:
> 1) Win+R, gpedit.msc
> 2) Local Computer Policy -- Computer Configuration -- Administrative Templates -- Network -- DNS Client
> 3) Click on "Turn Off Multicast Name Resolution" and set it to "Enabled"
T wrote:
> At this point I am thinking you know everything, so please forgive this question:

Nah, I'm just arrogant enough to think that I know everything. My family celebrates when I'm wrong and swears when I'm [always] right.

> Do you know how to convert this to a .reg file?
>
> To disable LLMNR:
> 1) Win+R, gpedit.msc
> 2) Local Computer Policy -- Computer Configuration -- Administrative Templates -- Network -- DNS Client
> 3) Click on Turn Off Multicast Name Resolution and set it to Enabled

Unfortunately I'm at home almost all the time I'm on Usenet, and my home desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc there; however, all policies are registry entries. In the past, I remember Microsoft providing an Excel spreadsheet of policy settings and their equivalent registry locations. So I did the search:

https://www.google.com/search?q=micr...+spreadsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I downloaded the .xlsx file, opened it, and searched on "multicast". The "Turn off multicast name resolution" setting was the first hit. It tells you the registry key and data item whose value you have to change, along with lots of descriptions. Once you figure out the registry key and add the data item (if absent) with your desired value, export that registry key to have a .reg file to stow away for later reuse.
On 2018-04-06 21:09, VanguardLH wrote:
> Unfortunately I'm at home almost all the time I'm on Usenet, and my home desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc there; however, all policies are registry entries. In the past, I remember Microsoft providing an Excel spreadsheet of policy settings and their equivalent registry locations. So I did the search:
>
> https://www.google.com/search?q=micr...+spreadsheet
>
> which found:
>
> https://www.microsoft.com/en-us/down....aspx?id=25250
>
> I downloaded the .xlsx file, opened it, and searched on "multicast". The "Turn off multicast name resolution" setting was the first hit. It tells you the registry key and data item whose value you have to change, along with lots of descriptions. Once you figure out the registry key and add the data item (if absent) with your desired value, export that registry key to have a .reg file to stow away for later reuse.

Wow, this can come in handy; Thanks!

--
Sylvain
Member: David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
Windows error 21: It'll never work, really!
On 04/06/2018 06:09 PM, VanguardLH wrote:
> T wrote:
>> At this point I am thinking you know everything, so please forgive this question:
>
> Nah, I'm just arrogant enough to think that I know everything. My family celebrates when I'm wrong and swears when I'm [always] right.

My wife is right about 90% of the time. Whenever she is right, it is "so what else is new?" Whenever I am right, it is strutting and ticker tape time.

>> Do you know how to convert this to a .reg file?
>>
>> To disable LLMNR:
>> 1) Win+R, gpedit.msc
>> 2) Local Computer Policy -- Computer Configuration -- Administrative Templates -- Network -- DNS Client
>> 3) Click on Turn Off Multicast Name Resolution and set it to Enabled
>
> Unfortunately I'm at home almost all the time I'm on Usenet, and my home desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc there; however, all policies are registry entries. In the past, I remember Microsoft providing an Excel spreadsheet of policy settings and their equivalent registry locations. So I did the search:
>
> https://www.google.com/search?q=micr...+spreadsheet
>
> which found:
>
> https://www.microsoft.com/en-us/down....aspx?id=25250
>
> I downloaded the .xlsx file, opened it, and searched on "multicast". The "Turn off multicast name resolution" setting was the first hit. It tells you the registry key and data item whose value you have to change, along with lots of descriptions. Once you figure out the registry key and add the data item (if absent) with your desired value, export that registry key to have a .reg file to stow away for later reuse.

Wow! You did it again. I LOVE THAT SPREADSHEET !!!! (I converted it to .ODX. Chuckle.) THANK YOU!!!!
    Windows Registry Editor Version 5.00

    ; Disable Link Local Multicast Name Resolution (LLMNR)
    ; Note the double negative: "enable" turns LLMNR off
    ;   dword:00000000 is enabled  (turns LLMNR off)
    ;   dword:00000001 is disabled (turns LLMNR back on)
    ;   completely missing is "not configured":
    ;   [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
    ; note: you need to reboot to take effect

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
    "EnableMulticast"=dword:00000000
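As an added check that is not part of the thread: the Python below parses .reg text like the file above (including the [-key] deletion form mentioned in its comments) and reports what the EnableMulticast value does to LLMNR, so the double negative in the policy name is not misread when auditing exported keys from several machines. The sample .reg text is constructed, and the function expects already-decoded text (Version 5.00 exports are UTF-16 on disk).

```python
import re
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text):
    """Parse .reg text into {key: {name: int}}; a [-key] line maps to None (key deleted)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue  # blank lines, comments and the format header carry no settings
        m = _SECTION.match(line)
        if m:
            current = m.group(2)
            keys[current] = None if m.group(1) == "-" else {}
            continue
        m = _DWORD.match(line)
        if m and current is not None and keys[current] is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)  # only dword values handled

    return keys

def llmnr_state(reg_text):
    """Translate the EnableMulticast policy value into what it does to LLMNR."""
    values = parse_reg(reg_text).get(POLICY_KEY)
    if not values or "EnableMulticast" not in values:
        return "not configured"  # absent value or deleted key: Windows default, LLMNR on
    return "off" if values["EnableMulticast"] == 0 else "on"

# Constructed .reg text (hypothetical export of the policy key shown in the thread).
SAMPLE_REG = """Windows Registry Editor Version 5.00

; policy "Turn off multicast name resolution" = Enabled, i.e. LLMNR off
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient]
"EnableMulticast"=dword:00000000
"""
```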