Last Day to Save $500 for SANS Boston 2013

Intrusion Detection FAQ: Computer Associates RCO Option

Network Browsing

Computer Associates [CA] has several names for its remote control software [Remotely Possible, TNG Remote Control Option and ControlIT.

All of the CA remote control products have the same ability to scan an entire subnet for a host running their software. In the connect to remote screen you can enter the subnet you wish scanned by using either 0 or 255 as the last octet. The software will then provide a list of all hosts available.

fiqure 1

This product does the subnet search by sending a UPD packet to the broadcast address of a subnet and then waiting for a response. By by default the responding hosts send 2 packets back to the originating host. Attached at the end of this document are network traces showing the full details of how this program works. In general the source port appears to vary by host installation however the destination port is always set to 800 in the broadcast packet. In the reply packet the host appears to include its host name. This is not necessarily true. Within the software configuration there is a configuration setting so that you can have a custom host name appear in the network browse window.

To disable sending responses to this network broadcast you will need to modify the Windows Registry. Add the following DWORD value in the appropriate location based on your product based on the table below. After modifying the registry and rebooting the workstation/server it should no longer respond to the network browse requests.

  BrowseResponseTimes = 0

Product Registry Key Location:
RP/32 HKEY_LOCAL_MACHINE/Software/Avalan/RemotelyPossible32/Host
ControlIT HKEY_LOCAL_MACHINE/Software/ComputerAssociates/ControlIT/Host
RCO HKEY_LOCAL_MACHINE/Software/ComputerAssociates/RemoteControlOption/Host


A 30 evaluation copy of this software can be obtained from Computer Associates. Go to the following URL: http://www.cai.com/registration/cd_it_workgroup.htm and fill out the registration form and they will send you a CD with the software.

Software Security

After installing this product it is very important to verify the security settings. The default security settings for this product is to utilize its own proprietary security system which has a default login and password of "default". The default settings also do not have any logging enabled.

If you are running on a Windows workstation which is not a member of a NT domain you will need to use their Proprietary Security. Make sure you change the login id and password to something more secure.

If you are running on a Windows workstation which is a member of a NT domain you should configure the software to use the NT Group/Domain User Security. This will allow you to have the same security settings for this software that you use for logging into the network [this includes items like time restrictions and account intrusion lockouts]

fiqure 2

Software Logging

If you are running Windows 95/98 enable logging to a text file and make sure all options are checked off. If you are running Windows NT Workstation or Server make use of the External Log capability. This will allow you to set the software to log all entries to the NT Event Log. Again make sure all options are checked.

fiqure 3

An additional safety factor can be added in by not running the remote control software at startup on user workstations. In most cases the user of a workstation can always manually start the software when needed.

References:


TNG RCO Help File
http://www.cai.com/products/products_az.htm

http://www.cai.com/products/controlit.htm

http://support.cai.com/techbases/rp/40020.html

Network Traces:


Trace #1
Default broadcast to 255.255.255.255

Network Monitor trace Fri 02/25/00 17:52:16 c:\sans\rp-broadcast1.TXT

**********

Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



1  17:50:1 23LKV59  *BROADCAST  UDP IP Multicast: 

Src Port: Unknown, (2111);  Dst Port: Unknown (800)  23LKV59 255.255.255.255 IP



00000: 10 40 FF FF FF FF FF FF 80 06 29 AA F6 36 82 70 .@........)..6.p

00010: AA AA 03 00 00 00 08 00 45 00 00 38 B3 AC 00 00 ........E..8....

00020: 80 11 63 CB 0A 01 19 3D FF FF FF FF 08 3F 03 20 ..c....=.....?. 

00030: 00 24 7F A1 31 00 00 00 D9 27 02 00 52 50 20 31 .$&127;.1....'..RP 1

00040: 30 34 35 30 31 34 44 52 41 36 33 32 42 35 41 36 045014DRA632B5A6



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



2  17:50:1  CHUCK_S16 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 19 ( CHUCK_S16 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 00 83 27 A3 EE AA AA .@..)..6...'....

00010: 03 00 00 00 08 00 45 00 00 27 35 97 00 00 80 11 ......E..'5.....

00020: BE 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F 00 13 .}...s...=. .?..

00030: 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00 _J2CHUCK_S16. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr

3  17:50:1  0000F68ABA8D 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 18 ( 10.1.25.193 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 00 F6 8A BA 8D AA AA .@..)..6........

00010: 03 00 00 00 08 00 45 00 00 26 9C 4D 00 00 80 11 ......E..&.M....

00020: 57 7A 0A 01 19 C1 0A 01 19 3D 03 20 08 3F 00 12 Wz.......=. .?..

00030: 53 23 32 54 45 53 54 5F 4C 41 42 00 S#2TEST_LAB. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



4  17:50:1  CHUCK_S16 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 19 ( CHUCK_S16 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 00 83 27 A3 EE AA AA .@..)..6...'....

00010: 03 00 00 00 08 00 45 00 00 27 36 97 00 00 80 11 ......E..'6.....

00020: BD 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F 00 13 .}...s...=. .?..

00030: 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00 _J2CHUCK_S16. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol  Description 

Src Other Addr  Dst Other Addr  Type Other Addr



5  17:50:1  0000F68ABA8D 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 18 ( 10.1.25.193 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 00 F6 8A BA 8D AA AA .@..)..6........

00010: 03 00 00 00 08 00 45 00 00 26 9D 4D 00 00 80 11 ......E..&.M....

00020: 56 7A 0A 01 19 C1 0A 01 19 3D 03 20 08 3F 00 12 Vz.......=. .?..

00030: 53 23 32 54 45 53 54 5F 4C 41 42 00 S#2TEST_LAB.

Trace #2
Scanning another subnet using 255 as the last octet

**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



1  1.280  23LKV59 Router2339C4  UDP 

Src Port: Unknown, (2111);  Dst Port: Unknown (800); 

Length = 36 ( 23LKV59 10.1.27.255 IP



00000: 10 40 00 06 3A 23 39 C4 00 06 29 AA F6 36 AA AA .@..:#9...)..6..

00010: 03 00 00 00 08 00 45 00 00 38 EC AC 00 00 80 11 ......E..8......

00020: 04 CB 0A 01 19 3D 0A 01 1B FF 08 3F 03 20 00 24 .....=.....?. .$

00030: 59 A1 31 00 00 00 D9 27 02 00 52 50 20 31 30 34 Y.1....'..RP 104

00040: 35 30 31 34 44 52 41 36 33 32 42 35 41 36 5014DRA632B5A6 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



2  2.226  Router2339C4 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 17 ( 10.1.27.180 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 25 45 12 00 00 7F 11 ......E..%E...&127;.

00020: AD C3 0A 01 1B B4 0A 01 19 3D 03 20 08 3F 00 11 .........=. .?..

00030: D0 96 32 42 48 30 30 30 30 41 00 ..2BH0000A. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



3  2.228  Router2339C4 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 22 ( 10.1.27.140 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 2A F6 61 00 00 7F 11 ......E..*.a..&127;.

00020: FC 96 0A 01 1B 8C 0A 01 19 3D 03 20 08 3F 00 16 .........=. .?..

00030: B8 AC 32 54 4E 47 5F 53 48 49 50 5F 49 54 31 00 ..2TNG_SHIP_IT1.



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



4  2.229  Router2339C4 23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 21 ( 10.1.27.144 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 29 9D 80 00 00 7F 11 ......E..)....&127;.

00020: 55 75 0A 01 1B 90 0A 01 19 3D 03 20 08 3F 00 15 Uu.......=. .?..

00030: CB D2 32 55 53 44 5F 41 4D 4F 5F 45 4E 54 00 ..2USD_AMO_ENT. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



5  2.233  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 24 ( 10.1.27.145 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 2C 7A F1 00 00 7F 11 ......E..,z...&127;.

00020: 78 00 0A 01 1B 91 0A 01 19 3D 03 20 08 3F 00 18 x........=. .?..

00030: 75 6C 32 50 43 46 43 5F 41 53 49 41 5F 54 50 44 ul2PCFC_ASIA_TPD

00040: 43 00 C. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr

6  2.236  Router2325C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 23 ( 10.12.7.230 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 25 C4 AA AA .@..)..6..:#%...

00010: 03 00 00 00 08 00 45 00 00 2B 78 B3 00 00 7F 11 ......E..+x...&127;.

00020: 8D DF 0A 0C 07 E6 0A 01 19 3D 03 20 08 3F 00 17 .........=. .?..

00030: A3 32 32 43 4F 52 50 4F 52 41 54 45 5F 50 44 43 .22CORPORATE_PDC

00040: 00 . 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr

7  2.270  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111);  

Length = 16 ( 10.1.27.131 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 24 30 E9 00 00 7F 11 ......E..$0...&127;.

00020: C2 1E 0A 01 1B 83 0A 01 19 3D 03 20 08 3F 00 10 .........=. .?..

00030: 91 CD 32 44 4F 4D 49 4E 4F 00 ..2DOMINO. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



8  2.661  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 16 ( 10.1.27.131 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 24 35 E9 00 00 7F 11 ......E..$5...&127;.

00020: BD 1E 0A 01 1B 83 0A 01 19 3D 03 20 08 3F 00 10 .........=. .?..

00030: 91 CD 32 44 4F 4D 49 4E 4F 00 ..2DOMINO. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



9  2.914  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 24 ( 10.1.27.145 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 2C 7C F1 00 00 7F 11 ......E..,|...&127;.

00020: 76 00 0A 01 1B 91 0A 01 19 3D 03 20 08 3F 00 18 v........=. .?..

00030: 75 6C 32 50 43 46 43 5F 41 53 49 41 5F 54 50 44 ul2PCFC_ASIA_TPD

00040: 43 00 C. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



10  2.917  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 17 ( 10.1.27.180 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 25 46 12 00 00 7F 11 ......E..%F...&127;.

00020: AC C3 0A 01 1B B4 0A 01 19 3D 03 20 08 3F 00 11 .........=. .?..

00030: D0 96 32 42 48 30 30 30 30 41 00 ..2BH0000A. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr

11  3.228  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 22 ( 10.1.27.140 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 2A F7 61 00 00 7F 11 ......E..*.a..&127;.

00020: FB 96 0A 01 1B 8C 0A 01 19 3D 03 20 08 3F 00 16 .........=. .?..

00030: B8 AC 32 54 4E 47 5F 53 48 49 50 5F 49 54 31 00 ..2TNG_SHIP_IT1.



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



12  3.245  Router2339C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 21 ( 10.1.27.144 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...

00010: 03 00 00 00 08 00 45 00 00 29 A0 80 00 00 7F 11 ......E..)....&127;.

00020: 52 75 0A 01 1B 90 0A 01 19 3D 03 20 08 3F 00 15 Ru.......=. .?..

00030: CB D2 32 55 53 44 5F 41 4D 4F 5F 45 4E 54 00 ..2USD_AMO_ENT. 



**********



Frame  Time  Src MAC Addr  Dst MAC Addr  Protocol Description 

Src Other Addr  Dst Other Addr  Type Other Addr



13  3.252  Router2325C4  23LKV59  UDP 

Src Port: Unknown, (800);  Dst Port: Unknown (2111); 

Length = 23 ( 10.12.7.230 23LKV59 IP



00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 25 C4 AA AA .@..)..6..:#%...

00010: 03 00 00 00 08 00 45 00 00 2B 79 B3 00 00 7F 11 ......E..+y...&127;.

00020: 8C DF 0A 0C 07 E6 0A 01 19 3D 03 20 08 3F 00 17 .........=. .?..

00030: A3 32 32 43 4F 52 50 4F 52 41 54 45 5F 50 44 43 .22CORPORATE_PDC

00040: 00 . 



**********


top^

Consistently some of the best training available. It is apparent that SANS updates their course content and SANS instructors are established experts in the field.
-Ryan Macfarlane, FBI

Network Security 2013 - Las Vegas

Latest Whitepapers

Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
By Erik Couture

Electronic Medical Records: Success Requires an Information Security Culture
By Thomas Roberts

Analyzing Polycom® Video Conference Traffic
By Chris Cain

Latest Tweets

#windowssecurity "Windows Security Course: Las Vegas in Sept [...]
June 7, 2013 - 5:47 AM

New Blog Post: Windows Memory Analysis In-Depth - Discount C [...]
June 7, 2013 - 12:37 AM

Save $500 through 6/12 on important cybersecurity courses at [...]
June 6, 2013 - 10:05 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It has really been an eye opener concerning the depth of security training & awareness that SANS has to offer."
- Michael Hall, Drivesavers

"This has been a great way to get working knowledge that would have taken years of experience to learn."
- Josh Carlson, Nelnet

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee