Discussion:
How do I chase down who is doing a multicast?
(too old to reply)
T
2018-04-06 23:25:26 UTC
Permalink
Hi All,

How do I chase down who is doing a multicast (224.0.0.252) on
my local network.

My Windows Security log is gobsmacked with the following:

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 192.168.202.215
Destination Port: 52860
Protocol: 17

This gets me no where:

# nmap -A -T4 -Pn 224.0.0.252

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds


My firewall shows no traffic outbound to 224.0.0.252


Many thanks,
-T
VanguardLH
2018-04-06 23:42:34 UTC
Permalink
5355
Based on that port number:

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?
T
2018-04-07 00:10:20 UTC
Permalink
Post by VanguardLH
5355
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
https://technet.microsoft.com/library/bb878128
Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.
http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html
Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.
https://tools.ietf.org/rfc/rfc4795.txt
So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?
Good Lord Vanguard! I have been google'ing my ass over
all this for hours before asking for help. You hit it
out of the ball park. And give me a way to figure the next
out out myself. Wow! Impressive!

Anyway, to answer your question, this network leg is their
general office and not a high security Point of Sale (POS)
leg. They are allowed to bring "certain" devices, with
permission, and run them on this leg. (They are
under threat of death of doing that on the POS legs.)

I did an arp scan and everyone is legit. Just the usual
suspects.

The traffic on multicast traffic on port 5355 is so
prodigious that my File Integrity Monitoring (FIM) software
server is crashing trying to log the tidal was of notices
placed in the client's security logs.

Thank you!
-T
T
2018-04-07 00:38:41 UTC
Permalink
Hi Vanguard,

At this point I am thinking you know everything, so please forgive
this question:

Do you know how to convert this to a .reg file?


Many thanks,
-T


To disable LLMNR:

1) <win><R> gpedit.msc

2) Local Computer Policy
--> Computer Configuration
--> Administrative Templates
--> Network
--> DNS Client

3) Click on “Turn Off Multicast Name Resolution” and set it to
“Enabled”
VanguardLH
2018-04-07 01:09:38 UTC
Permalink
Post by T
At this point I am thinking you know everything, so please forgive
Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.
Post by T
Do you know how to convert this to a .reg file?
1) <win><R> gpedit.msc
2) Local Computer Policy
--> Computer Configuration
--> Administrative Templates
--> Network
--> DNS Client
3) Click on “Turn Off Multicast Name Resolution” and set it to
“Enabled”
Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So did the search:

https://www.google.com/search?q=microsoft+windows+policies+registry+spreadsheet

which found:

https://www.microsoft.com/en-us/download/details.aspx?id=25250

I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.
B00ze
2018-04-07 02:28:28 UTC
Permalink
Post by VanguardLH
Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
https://www.google.com/search?q=microsoft+windows+policies+registry+spreadsheet
https://www.microsoft.com/en-us/download/details.aspx?id=25250
I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.
Wow, this can come in Handy; Thanks!
--
! _\|/_ Sylvain / ***@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows error 21 It'll never work, really!
T
2018-04-07 02:33:35 UTC
Permalink
Post by VanguardLH
Post by T
At this point I am thinking you know everything, so please forgive
Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.
My wife is right about 90% of the time. Whenever she is right,
it is "so what else is new?" Whenever I am right, it is strutting
and ticker tape time.
Post by VanguardLH
Post by T
Do you know how to convert this to a .reg file?
1) <win><R> gpedit.msc
2) Local Computer Policy
--> Computer Configuration
--> Administrative Templates
--> Network
--> DNS Client
3) Click on “Turn Off Multicast Name Resolution” and set it to
“Enabled”
Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
https://www.google.com/search?q=microsoft+windows+policies+registry+spreadsheet
https://www.microsoft.com/en-us/download/details.aspx?id=25250
I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.
Wow! You did it again. I LOVE THAT SPREADSHEET !!!! (I converted
it to .ODX. Chuckle.)

THANK YOU!!!!


Windows Registry Editor Version 5.00

; Disable Link Local Multicast Name Resolution (LLMNR)
; Note the double negative: "enable" turn LLMNR off

; dword:00000000 is enabled (turns LLMNR off)
; dword:00000001 is disabled (turns LLMNR back on)
; completely missing is "not configured"
; [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]

; note: you need to reboot to take effect

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000
Good Guy
2018-04-07 02:53:11 UTC
Permalink
Post by T
Hi All,
-T
Rogue trader is back with his nonsensical post; As always he is here
asking if there is a new way to trick customers;!!!!!!!!!
Post by T
/--- This email has been checked for viruses by
Windows Defender software.
//https://www.microsoft.com/en-gb/windows/comprehensive-security/
--
With over 600 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.
Loading...