AntiOnline Spotlight: Unmasking Mystery Machines
May 20, 2005
There is nothing more disconcerting than a mysterious new machine with generous rights and privileges suddenly appearing on a network. Upon being alerted to the fact, one hopes that the damage hasn't already been done.
|
Employee or intruder? In this day and age, it pays be doubly sure. |
The world has become painfully aware of just how vulnerable data is in recent months, so a healthy dose of paranoia goes a long way in keeping your company out of the headlines (there is such a thing as bad publicity). Administrators can't influence what happens to backup tapes after they're carted off, but they can exert control on what systems are allowed access to their networks.
And their work isn't made any easier by tech savvy employees that sometimes take it upon themselves to bypass the IT department. While they make themselves at home, some poor IT worker is already thinking the worst and scrambling madly to set things right.
This week, we spotlight a thread based on a real-life scenario that involves an "intruder" and has all the earmarks of a disaster in the making.
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
This Week's Spotlight Thread:
Mystery Machine Invades Network?
AngelicKnight's workday gets off to an interesting start...
I came into the office today to find a note from my boss showing that a machine with the IP of 192.168.1.200, named "MUJPOLEDNIK" has joined our LAN rather mysteriously. We have no idea what or where this machine is, much less where it came from or how it joined the LAN!
So after having read a few handy AO tutorials, I finally got brave enough to bust out Nmap for some detective work for the first time. So I ran nmap -sS -O -v 192.168.1.200 and got this...
After tracking it down to a laptop, things take an unexpected twist for
AngelicKnight.
And it just gets stranger...
That laptop that the MAC belongs to is turned off, sitting safely in a cabinet right now.
Could this mean someone's cracked our WEP and spoofed the MAC as phishphreek80 mentioned then?
ZT3000 offers a step-by-step checklist that details how to get to the bottom of this.
You have a physical or logical map of your network, no?
Let's say you do, that means all managed switches and servers will show on the map as static IPs, the rest of the network, maybe excluding printers, are DHCP.
With that information in hand, simply "tracert" the IP. (I'd suggest a GUI program that does the same thing but tracert is free).
Then go to the next "static" IP reported in the tracert output and "tracert" again.
If it gets too confusing, tracert from another couple locations on your network as a type of "triangulation".
If all tracert's go thru the WAP, then exclude that MAC and see who complains.
OR:
In the mean time, you can use another laptop booted up with Knoppix STD CD (free download) to use Kismet to physically track the offender.
Using Network Stumbler (runs under windows for free) to walk the general area looking for offending device will only give you active APs (with their MAC ID), sometimes you get the peer-to-peer connections, other times not.
I'd also contact whoever had been using the laptop. It could be a former employee/technician who grabbed the data prior to leaving.
How did it all end?
Click here for the surprising conclusion, as well as member-submitted tips on preventing it from happening again.