Security Basics mailing list archives

RE: Network scanning


From: Tony Kava <securityfocus () pottcounty com>
Date: Tue, 12 Aug 2003 12:27:57 -0500

I've always been fond of arpwatch.  Arpwatch keeps a simple database of MAC
addresses and IP addresses associated with them.  It sends e-mail
notifications when a new device appears on the network and when the MAC
address associated with an IP address changes.  This tool does not require
anything special and can alert you to new computers on your network, users
changing IP addresses, and duplicate IP addresses.  It is better than
pinging all hosts because it is passive (no need to alert someone you are
looking for them), and you don't rely on a response to an ICMP echo (when
the host may not respond to them).  This, however, will not detect someone
who connects to your network without a bound IP address for the purpose of
sniffing the network.  However, in a switched network environment they
should not get much useful information anyway.  In addition, as stated by
White-Tiger, you can use your managed switches to watch for new links.

Arpwatch is distributed with RedHat Linux and probably other flavors as
well.

Useful Link: http://www.securityfocus.com/tools/142

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: White-Tiger [mailto:white-tiger () rocketmail com]
Sent: Tuesday, 12 August, 2003 00:39
To: Simon; netsec novice; security-basics () securityfocus com
Subject: RE: Network scanning


If you are in a switched network... some switches support
snmp traps for link up/down.

if port 12 is unused... and you get a trap that it just
went UP... then bingo... someone is on.  also... you can set
it up so that if you have a workstation with a link that
goes down/up/down/ or some pattern... your helpdesk can see
it... can call to make sure everything is ok... that way
you might catch standard user problems before they have to
call you.  what great customer service :)

looks good for you.

wt
--- Simon <simon () snosoft com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing that you could do is use a tool that would send an ICMP
packet to all possible addresses in your particular network.  That
won't detect all connecting hosts, in particular if someone jacks in
to sniff only, but that assumes that your network is hub based.  If
your network is switch based then people will have a hard time
logging in and sniffing without being detected as they'd normally
have to ARP poison the switch or do something else that would be
detectable.

So... the simple 99% answer is, ping all possible IP addresses once,
if you get a response from an address that's not supposed to be
there... well... then you'll know.

Also, if you use DHCP then you could watch the DHCP log for new
systems... that's not super difficult either.



- -----Original Message-----
From: netsec novice [mailto:netsec9 () hotmail com]
Sent: Thursday, August 07, 2003 1:51 PM
To: security-basics () securityfocus com
Subject: Network scanning


Are there tools out there that would allow system administrators to be
notified when a new workstation attaches to a network?  I'm thinking
both wireless and ethernet in this case.  SNMP maybe?  I am in a credit
union environment and my concern is that someone would be able to steal
an existing jack or a jack that is not physically protected but live
and be able to capture traffic or do reconnaissance.  We don't have
Wireless access at this point but may look to it in the future.  My
only thought in that case would be to encrypt all traffic since
wireless security is a bit scary at this point.  Any ideas?



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
<http://www.pgp.com>


iQA/AwUBPzc8mLR5YB3MHZrzEQIvJACfb4SAmdXUjJO/IIF8MUlD8ZW7eJoAoNwa
al4RKIPk0+/E12goPnm8nyZD
=RnNW
-----END PGP SIGNATURE-----
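
The bookkeeping Tony Kava describes above for arpwatch (a new device, a MAC change for an IP, a user changing address, a duplicate IP), sketched as an added example that is not part of the original thread and is not arpwatch's own code. It assumes ARP sightings have already been captured as "epoch IP MAC" lines; the class, event names, 300-second window and sample data are this example's own.

```python
# Added illustration of passive IP/MAC tracking; not arpwatch source code.
from collections import namedtuple
Event = namedtuple("Event", "ts kind ip mac old_mac")

class PairTracker:
    def __init__(self, flip_window=300):
        self.current = {}    # ip -> MAC most recently seen claiming it
        self.previous = {}   # ip -> (MAC it replaced, time of that change)
        self.ips_of = {}     # mac -> set of IPs that MAC has claimed
        self.flip_window = flip_window  # seconds; assumed threshold

    def observe(self, ts, ip, mac):
        """Record one sighting; return an Event, or None if nothing changed."""
        mac = mac.lower()
        seen_ips = self.ips_of.setdefault(mac, set())
        old = self.current.get(ip)
        kind = None
        if old is None:
            # Unknown IP: a brand-new device, or a known one on a new address.
            kind = "known-mac-new-ip" if seen_ips else "new-station"
        elif old != mac:
            prev_mac, changed_at = self.previous.get(ip, (None, 0))
            # Two MACs trading one IP back and forth: both hosts are live.
            flipping = prev_mac == mac and ts - changed_at <= self.flip_window
            kind = "duplicate-ip" if flipping else "mac-changed"
            self.previous[ip] = (old, ts)
        seen_ips.add(ip)
        self.current[ip] = mac
        return Event(ts, kind, ip, mac, old) if kind else None

def run(lines, tracker=None):
    tracker = tracker or PairTracker()
    sightings = (line.split() for line in lines if line.strip())
    events = (tracker.observe(int(ts), ip, mac) for ts, ip, mac in sightings)
    return [ev for ev in events if ev]

# Constructed sample sightings (epoch seconds, IP, MAC); not real traffic.
SAMPLE = [
    "1060709000 192.0.2.10 02:00:00:00:00:01",
    "1060709010 192.0.2.11 02:00:00:00:00:02",
    "1060709020 192.0.2.10 02:00:00:00:00:01",   # unchanged, no event
    "1060709100 192.0.2.50 02:00:00:00:00:02",   # same NIC, second address
    "1060709200 192.0.2.10 02:00:00:00:00:0A",   # different NIC claims .10
    "1060709230 192.0.2.10 02:00:00:00:00:01",   # first NIC answers again
]

if __name__ == "__main__":
    for ev in run(SAMPLE):
        print(ev.ts, ev.kind, ev.ip, ev.mac, "was", ev.old_mac)
```

Like the tool discussed in the thread, this only sees hosts that speak ARP, so a listener with no bound IP address produces no event here.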


