Historically for Microsoft's multiple-user operating systems (e.g. Windows NT and Windows 2K), those messages are in the event log, not a console alert. Did you check there? -----Burton -----Original Message----- From: Curt Wilson [mailto:cwsecgeekat_private] Sent: Friday, December 14, 2001 3:37 AM To: vuln-devat_private Subject: Win XP IP address hijack? I was doing some experimentation in my home lab recently and came across something I thought was interesting. I would enjoy any comments on this potential issue, which may be known already but is a new one for me. I was running a desktop with Win XP pro using a static IP address. I booted up a laptop running Win98 with a duplicate IP address; the duplicate IP address message appeared on the 98 box and the 98 interface was disabled. XP connectivitiy worked as normal. (this is standard operation so far). I shut down the win98 box. Next, I booted a RedHat 7.0 system using the same static IP address. XP lost it's IP, showing 0.0.0.0, did not display any message about this, and the Linux box hummed away happily, receiving connections destined for that IP. Perhaps the RH system implements it's ARP/duplicate IP address check in a different manner that is not recognized by XP, at least in this particular instance. I did not test this with any other version of windows but, having never tried this particular scenario, I was wondering if this is normal operation? If this is of any interest I'll grab a sniff of the traffic. Secgeek
This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 14:48:23 PST