How to detect other people on your network

irishBoiler

I'm looking more for the theory on how to determine who is connected to your network at any time (ethernet and wifi). I'm a .NET developer, so I can write my own program, I just don't know how I'm supposed to detect who's on my network. Any ideas/suggestions/libraries to start with?

Thanks
 
Not a .NET developer, but I do have a batch file that uses NET VIEW to tell me who is/has been on and have it dump to a text file. Perhaps you could incorporate that command into your program.
 
You can just look at the active dhcp leases, or run an nmap on your subnet. How much detail are you looking to get on each host?

zacmac:~ zac$ nmap -sP 192.168.0.1/24

Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-05 15:56 EST
Nmap scan report for 192.168.0.1
Host is up (0.0031s latency).
Nmap scan report for 192.168.0.191
Host is up (0.099s latency).
Nmap scan report for 192.168.0.192
Host is up (0.00023s latency).
Nmap scan report for 192.168.0.196
Host is up (0.0027s latency).
Nmap scan report for 192.168.0.197
Host is up (0.074s latency).
Nmap scan report for 192.168.0.199
Host is up (0.092s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 17.33 seconds
zacmac:~ zac$
 
I'm looking for IP address and computer name. Ideally OS, MAC address, and user name logged in. Can you guys explain the nmap/NET VIEW thing a bit more? Are there ways around it, etc.?

Edit: Completely forgot to say I'm looking to put this on a windows server OS (probably 2003, maybe later 2008)
 
nmap is very powerful. It can report MAC, OS, Manufacturer/make of hardware, open ports, etc.

nmap is available for Mac, Linux, and Windows. You can grep out the specific information you are looking for; it can also output to XML for easy parsing.

Here is another example of it running on a sample network.

zacmac:~ zac$ sudo nmap -O 192.168.0.1/24
Password:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-05 17:38 EST
Nmap scan report for 192.168.0.1
Host is up (0.0029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
4444/tcp open krb524
8099/tcp open unknown
20005/tcp open btx
MAC Address: 00:21:91:DE:D7:EB (D-Link)
Device type: print server|WAP
Running: D-Link embedded
OS details: D-Link DPR-1260 print server; or DGL-4300, DIR-625, or DIR-655 WAP
Network Distance: 1 hop

Nmap scan report for 192.168.0.191
Host is up (0.016s latency).
All 1000 scanned ports on 192.168.0.191 are closed
MAC Address: F0:B4:79:1A:EC:AE (Unknown)
Device type: phone|media device|general purpose|proxy server|specialized
Running: Apple iPhone OS 1.X|2.X|3.X, Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, Blue Coat SGOS 5.X, FreeBSD 4.X|5.X, VMware ESX Server 3.X
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.0.192
Host is up (0.00016s latency).
Not shown: 500 closed ports, 499 filtered ports
PORT STATE SERVICE
3689/tcp open rendezvous
Device type: general purpose
Running: Apple Mac OS X 10.5.X
OS details: Apple Mac OS X 10.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.0.0 - 10.0.0)
Network Distance: 0 hops

Nmap scan report for 192.168.0.196
Host is up (0.0048s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1138/tcp open unknown
2869/tcp open unknown
3306/tcp open mysql
3389/tcp open ms-term-serv
5666/tcp open nrpe
7000/tcp open afs3-fileserver
8080/tcp open http-proxy
10243/tcp open unknown
MAC Address: 00:50:8D:B6:7A:94 (Abit Computer)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop

Nmap scan report for 192.168.0.199
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
8085/tcp open unknown
8086/tcp open unknown
8087/tcp open unknown
MAC Address: 00:0D:4B:6F:7F:A9 (Roku)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.28
Network Distance: 1 hop
 
If you want super easy, there is an app for iPhones/iPads called SubnetInsight.

Really useful for getting a quick run down of all devices on a network.
 
@compslckr: That looks nice. Definitely seems like an established way to go. XML for easy parsing goodness. Thanks a lot.

@Brak710: Thanks, I'll take a look. Looking for something a bit more compatible with other PCs. Although that could be helpful for some UI design help! haha
 
You can just look at the active dhcp leases,

Not a very good idea if they assigned the ip manually.


or run an nmap on your subnet. How much detail are you looking to get on each host?

zacmac:~ zac$ nmap -sP 192.168.0.1/24

Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-05 15:56 EST
Nmap scan report for 192.168.0.1
Host is up (0.0031s latency).
Nmap scan report for 192.168.0.191
Host is up (0.099s latency).
Nmap scan report for 192.168.0.192
Host is up (0.00023s latency).
Nmap scan report for 192.168.0.196
Host is up (0.0027s latency).
Nmap scan report for 192.168.0.197
Host is up (0.074s latency).
Nmap scan report for 192.168.0.199
Host is up (0.092s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 17.33 seconds
zacmac:~ zac$

That would be better. The newer NMAP versions allow for storing the scan results to an xml file and running diffs between different scans. I made a very basic script for this which I run on a linux host from cron, scan our networks and get notified of firewall / service changes. From the diffs you can see if there are any new hosts on the network (though it will also trigger if known hosts are missing). Anyway, that should be pretty easy to use as a base where you can acknowledge old hosts and only be notified when there are new ones.

Of course neither of those will be of use if the user is just monitoring your network in promiscuous mode as they won't even have an ip-address. So really you'd have to be monitoring for mac-addresses.
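The scan-diff idea from the post above, written out as an added example (not the poster's script and not part of the thread): two nmap XML reports are parsed, hosts that appeared or vanished are listed, and already-acknowledged hosts are suppressed. The two XML documents are constructed to match the element names nmap's -oX output uses; every host, MAC and name in them is made up.

```python
"""Diff two nmap XML reports and list hosts that appeared or vanished.

Added example, not code from this thread. The two XML documents below are
constructed to match the element names nmap's -oX output uses
(nmaprun/host/status/address/hostnames); every host, MAC and name is made up.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX baseline.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:01" addrtype="mac" vendor="Constructed Co"/>
    <hostnames><hostname name="gateway" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="192.168.0.192" addrtype="ipv4"/>
    <hostnames><hostname name="scanner-box" type="user"/></hostnames></host>
  <host><status state="up"/><address addr="192.168.0.196" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:02" addrtype="mac"/>
    <hostnames><hostname name="winserver" type="PTR"/></hostnames></host>
  <host><status state="down"/><address addr="192.168.0.50" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX today.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:01" addrtype="mac" vendor="Constructed Co"/>
    <hostnames><hostname name="gateway" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="192.168.0.192" addrtype="ipv4"/>
    <hostnames><hostname name="scanner-box" type="user"/></hostnames></host>
  <host><status state="up"/><address addr="192.168.0.197" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:03" addrtype="mac"/>
    <hostnames><hostname name="printer" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="192.168.0.200" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:04" addrtype="mac"/></host>
</nmaprun>"""


@dataclass(frozen=True)
class Host:
    ip: str
    mac: Optional[str]
    vendor: Optional[str]
    hostname: Optional[str]

    @property
    def identity(self) -> str:
        # Key on the MAC when nmap saw one: it survives DHCP re-leases and a
        # manually changed IP. nmap only reports MACs for hosts on the local
        # segment when run with privileges, so fall back to the IP otherwise.
        return self.mac or self.ip


def parse_nmap_xml(xml_text: str) -> dict[str, Host]:
    """Return the hosts nmap reported as up, keyed by Host.identity."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = hostname = None
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr").upper()
                vendor = a.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            hostname = hn.get("name")
        if ip:
            host = Host(ip, mac, vendor, hostname)
            hosts[host.identity] = host
    return hosts


def diff_scans(baseline, current, acknowledged=()):
    """New hosts (not in baseline, not acknowledged) and hosts that dropped off."""
    ack = {a.upper() for a in acknowledged}
    new = [current[k] for k in sorted(current) if k not in baseline and k not in ack]
    missing = [baseline[k] for k in sorted(baseline) if k not in current]
    return new, missing


def format_report(new, missing) -> list[str]:
    rows = [f"NEW     {h.ip:<15} {h.mac or '-':<17} {h.vendor or ''} {h.hostname or ''}" for h in new]
    rows += [f"MISSING {h.ip:<15} {h.mac or '-':<17} {h.hostname or ''}" for h in missing]
    return [r.rstrip() for r in rows]


if __name__ == "__main__":
    base = parse_nmap_xml(BASELINE_XML)
    now = parse_nmap_xml(CURRENT_XML)
    # The printer at .197 was acknowledged after an earlier alert, so only .200 is reported as NEW.
    print("\n".join(format_report(*diff_scans(base, now, acknowledged={"02:00:00:00:00:03"}))))
```

In practice the two documents come from `nmap -sn -oX <file> <subnet>` runs (the thread's `-sP` is the older spelling of `-sn`), run with privileges on the local segment so the MAC column is filled in; the acknowledged set is whatever list of MACs you keep beside the cron job. Keying on MAC rather than IP is what keeps a statically configured host from showing up as "new" every time it changes address, the weakness of the DHCP-lease approach that the post points out.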
 
Not a very good idea if they assigned the ip manually.
So really you'd have to be monitoring for mac-addresses.

Only way to really see all machines connected on a network is to query the switches/WAPs for MAC address tables, and look for changes. If someone is sitting behind a hardware/software firewall with all unexpected incoming traffic blocked, a network scanner won't see them no matter what.

I suppose you could query all the machines on the network and get their arp tables as well, compile those together and discover a firewalled attacker was on the network and probing machines on the network. Any target machines it probed that replied over IP would have to have an arp entry for it.

The only way to find a passive machine attached and only sniffing broadcasts and firewalled would be to check the switch MAC tables.
 
I use a combination of nmap, BandwidthD and Snort to look for extra people / malicious traffic on my network. Seems to work well so far.
 
Only way to really see all machines connected on a network is to query the switches/WAPs for MAC address tables, and look for changes. If someone is sitting behind a hardware/software firewall with all unexpected incoming traffic blocked, a network scanner won't see them no matter what.

I suppose you could query all the machines on the network and get their arp tables as well, compile those together and discover a firewalled attacker was on the network and probing machines on the network. Any target machines it probed that replied over IP would have to have an arp entry for it.

The only way to find a passive machine attached and only sniffing broadcasts and firewalled would be to check the switch MAC tables.

Arpwatch does that actually. It monitors what mac-addresses are on the network and alerts if there is a new one.
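Both the "collect every machine's ARP table and compile them" idea from the quoted post and the arpwatch reply above come down to the same check: keep a list of known (MAC, IP) pairs and alert when a pair shows up that isn't on it. The following is an added example, not code from this thread and not arpwatch itself. It assumes the tables were collected from Windows hosts with `arp -a` (the OP's platform), merges them so you can also see which machines a new station touched, and raises the two alert kinds arpwatch uses, "new station" and "changed ethernet address". The two tables and the baseline are constructed, with locally administered 02:xx MACs.

```python
"""Aggregate ARP tables from several hosts and raise arpwatch-style alerts.

Added example, not code from this thread or from arpwatch. It assumes the
tables were collected from Windows hosts with `arp -a`; the two tables and
the baseline below are constructed, with locally administered (02:...) MACs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "arp -a" dump per collecting host (hostname -> raw output). Constructed.
ARP_TABLES = {
    "winserver": """
Interface: 192.168.0.196 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-01     dynamic
  192.168.0.192         02-00-00-00-00-05     dynamic
  192.168.0.250         02-00-00-00-00-99     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
""",
    "fileserver": """
Interface: 192.168.0.192 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-77     dynamic
  192.168.0.196         02-00-00-00-00-02     dynamic
  192.168.0.250         02-00-00-00-00-99     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
""",
}

# Known (MAC, IP) pairs, the role arpwatch's arp.dat plays. Constructed.
BASELINE_PAIRS = {
    ("02:00:00:00:00:01", "192.168.0.1"),
    ("02:00:00:00:00:02", "192.168.0.196"),
    ("02:00:00:00:00:05", "192.168.0.192"),
}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def parse_windows_arp(text: str) -> list[tuple[str, str]]:
    """Return (MAC, IP) pairs for unicast dynamic entries, MAC normalised to AA:BB:..."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # "Interface:" headers and the column-title line
        ip, raw_mac, kind = m.groups()
        mac = raw_mac.replace("-", ":").upper()
        if kind.lower() != "dynamic":
            continue  # static rows are broadcast/multicast or admin-pinned entries
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a station
        pairs.append((mac, ip))
    return pairs


def merge_arp_tables(tables: dict[str, str]) -> dict[tuple[str, str], set[str]]:
    """Map each (MAC, IP) pair to the set of hosts whose ARP cache held it."""
    seen: dict[tuple[str, str], set[str]] = {}
    for observer, text in tables.items():
        for pair in parse_windows_arp(text):
            seen.setdefault(pair, set()).add(observer)
    return seen


@dataclass
class Alert:
    kind: str        # "new station" or "changed ethernet address", as arpwatch names them
    mac: str
    ip: str
    seen_by: list[str]  # hosts whose ARP cache contained the pair, i.e. hosts it talked to


def analyze(observations, baseline_pairs) -> list[Alert]:
    known_macs = {mac for mac, _ in baseline_pairs}
    baseline_ip_to_mac = {ip: mac for mac, ip in baseline_pairs}
    alerts = []
    for (mac, ip), observers in sorted(observations.items()):
        expected = baseline_ip_to_mac.get(ip)
        if expected is not None and expected != mac:
            # A known IP now answers from a different MAC: hardware swap, or
            # someone claiming that address (the gateway here).
            alerts.append(Alert("changed ethernet address", mac, ip, sorted(observers)))
        elif mac not in known_macs:
            alerts.append(Alert("new station", mac, ip, sorted(observers)))
    return alerts


if __name__ == "__main__":
    for a in analyze(merge_arp_tables(ARP_TABLES), BASELINE_PAIRS):
        print(f"{a.kind:<25} {a.mac} {a.ip:<15} seen by {', '.join(a.seen_by)}")
```

The `seen_by` list is the detail the quoted post is after: a station that blocks everything inbound still leaves an ARP entry on every host it probed, so merging the caches tells you not just that 02:00:00:00:00:99 appeared but which machines it spoke to. The caches only hold recent entries, so this has to be collected on a schedule; arpwatch avoids that by sniffing ARP replies on the wire continuously, which also catches a station that never sends IP traffic at all.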
 
Arpwatch does that actually. It monitors what mac-addresses are on the network and alerts if there is a new one.

It's pretty easy to pick up a connected MAC using airodump, then just spoof that MAC and you will look like one of their PCs.

Your best bet is to either a) don't use wireless or b) set up some beefy security and lock down access. It is pretty easy to set up RADIUS/IAS which could offer another level of protection.
 