[CLUE-Tech] Finding rogue IPs.

Adam Bultman adamb at glaven.org
Thu Nov 21 12:35:19 MST 2002


> Ignore my last email since you aren't using managed switches. (I can read,
> really!) I would suggest doing something like a ping flood to the machine
> and following the pretty lights.
>

I'd suggest that too, but remember, it's a hub, so it's going to be
essentially broadcast.


As well, unless he knows where every single drop connected to the hub goes,
it's not as useful.

The only things I can really think of:

1. Nmap the host.  See what OS it's running, what ports are open, etc.  If
different groups of people use different OSes, you may be able to pinpoint
that, and use it as a thumbnail view.

 - Depending on the OS, you could try to crash it...  find who's
rebooting, or complaining of constant reboots...

2. Sniff for its packets, watch what the host is doing.
 - You might be able to see what it's doing - i.e. connecting to the NT
server, file sharing, etc, and you could go on the server and see who is
on the server, then distill who it is.

 - You could sniff its traffic, then walk around looking for what it's
doing - i.e. surfing a particular site, you could just walk around looking
for the monitors (especially if you have a laptop and a WAP).

3. Send out an email for people who have recently rebooted (if it's DHCP)
or, see if someone different has plugged in and assigned themselves an IP.

4.  Go to each workstation and ask. (sigh).

5. Block all traffic for that IP (temporarily) at the firewall or anywhere
else you can.  See who complains, then complain to that person.

6. Write a short script that re-assigns the server its own IP every few
minutes.  See who complains.


Obviously, these are all hacks.  But I can think of nothing better.


Adam
-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]
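An added example for item 2 above (sniff the suspect's packets and watch what it does); this is not code from Adam's post or from the CLUE list. It takes tcpdump-style text lines (the sample below is constructed, not a real capture) and pulls out the two things that actually help you walk the floor: the MAC address the rogue IP answers ARP with (the OUI prefix narrows it to a NIC vendor) and a tally of which hosts and ports it talks to (the NT server on 139, a web site on 80). The port hint table and the line format are assumptions for the example.

```python
"""Summarise what one suspect IP is doing, from tcpdump -e -n style lines.

Added example: parses a text capture, records the MAC the suspect IP gave in
an ARP reply, and tallies its outbound peers so the admin has a short list
of clues (NIC vendor prefix, file server, web sites) instead of a raw dump.
"""
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -e -n`; not a real capture.
SAMPLE_CAPTURE = """\
12:01:02.100 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.0.0.5 tell 10.0.0.77
12:01:02.101 00:0c:29:11:22:33 > 00:0c:29:aa:bb:cc, ARP, Reply 10.0.0.5 is-at 00:0c:29:11:22:33
12:01:03.200 00:0c:29:11:22:33 > 00:0c:29:aa:bb:cc, IPv4, 10.0.0.5.1037 > 10.0.0.77.139: Flags [S]
12:01:05.300 00:0c:29:11:22:33 > 00:0c:29:dd:ee:ff, IPv4, 10.0.0.5.1038 > 192.0.2.10.80: Flags [S]
12:01:06.400 00:0c:29:11:22:33 > 00:0c:29:dd:ee:ff, IPv4, 10.0.0.5.1039 > 192.0.2.10.80: Flags [S]
12:01:07.500 00:0c:29:aa:bb:cc > 00:0c:29:11:22:33, IPv4, 10.0.0.77.139 > 10.0.0.5.1037: Flags [S.]
"""

# "ARP, Reply <ip> is-at <mac>" ties the IP to a physical NIC.
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")
# "IPv4, <src>.<sport> > <dst>.<dport>:" is one packet of a flow.
IP_FLOW = re.compile(
    r"IPv4, (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Assumed hint table: a few well-known ports rendered as something an admin
# can recognise while walking past monitors.
PORT_HINTS = {
    "80": "HTTP (web surfing)",
    "139": "NetBIOS session (NT file sharing)",
    "445": "SMB",
    "25": "SMTP",
}


def summarise(capture_text, suspect_ip):
    """Return MAC, activity window and outbound peer tally for suspect_ip."""
    summary = {
        "ip": suspect_ip,
        "mac": None,
        "peers": Counter(),      # (dst_ip, dst_port) -> packet count
        "first_seen": None,
        "last_seen": None,
    }
    for line in capture_text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp = line.split(" ", 1)[0]
        m = ARP_REPLY.search(line)
        if m and m.group(1) == suspect_ip:
            summary["mac"] = m.group(2).lower()
            continue
        m = IP_FLOW.search(line)
        if m and m.group(1) == suspect_ip:
            summary["peers"][(m.group(3), m.group(4))] += 1
            if summary["first_seen"] is None:
                summary["first_seen"] = timestamp
            summary["last_seen"] = timestamp
    return summary


def describe(summary):
    """Render the summary as short lines an admin can carry on a clipboard."""
    mac = summary["mac"]
    lines = [f"Suspect {summary['ip']}: MAC {mac or 'unknown (no ARP reply seen)'}"]
    if mac:
        # First three octets are the vendor OUI; look it up in the IEEE registry.
        lines.append(f"  OUI prefix {mac[:8]} (NIC vendor, per IEEE OUI registry)")
    if summary["first_seen"]:
        lines.append(f"  active {summary['first_seen']} .. {summary['last_seen']}")
    for (dst, port), n in summary["peers"].most_common():
        hint = PORT_HINTS.get(port, "port " + port)
        lines.append(f"  {n:3d} x -> {dst}:{port} ({hint})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(summarise(SAMPLE_CAPTURE, "10.0.0.5"))))
```

Run it against a real capture with something like `tcpdump -e -n host <suspect>` saved to a file; on a hub every station sees every frame, so the sniffer can sit anywhere on the segment.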