
Find and document unauthorized device

Chaoscorpz (Technical User), Jun 5, 2006
Hello,

I have a user who is jacking an unauthorized laptop/device into my network. We have a good idea of who it is, but need to provide evidence of the occurrences. This user is particularly troublesome as he has used his technical knowledge to undermine/discredit my IT department with administration. Time to spank a user.

What I need is to trace it down to a specific port on my switch-gear, and from there, a specific wall plate/location. If I could also glean any extra info out of the device that would be great as well. I've been given authorization from upper management to conduct a quiet investigation and have been assured it will be pursued with HR.

The user either unplugs one of the normal company PCs and uses that jack, or has found an active one. The user gets an IP from my DHCP server, and goes on his merry way with the network.

I can tell that this is an unauthorized device since the device name does not follow my standard conventions, and the MAC address traces out to a different manufacturer than we use (from the DHCP server log).

This is what I have to work with:
Complete admin/root level access to everything on our network.
Windows 2000 DHCP servers
Windows 2000 Servers
Core switch gear is Cisco 3750's
Other Switch gear Cisco 3550's, and 3Com SuperStack III's
Cisco PIX firewalls for Internet access.

My skill set:
Familiar with MS servers & desktops.
Some UNIX/Linux knowledge.
Some 3Com experience
Some Cisco experience.
Determination to bust him.


I am willing to drop dedicated appliance PCs to nail this user down. I've built dedicated appliance PCs before for use as firewalls, routers, print servers, etc.

To cover my bases I've dropped this into a couple of related forums.



Any ideas?

Thanks in advance,

IT
 
You already have the answer to your problem: his MAC address.

Track the traffic from the suspect machine and use your server logs to detail that MAC address's activity on your network.

If push comes to shove, use a sniffer to capture even more details.

If your computer user policies forbid this activity, you may want to ask your legal department about confiscating the rogue laptop to check for illegal or unethical use/transfer of company data.

 
@Chaoscorpz,

One very useful (free!) tool to use is cammer.
This is a Perl script from Tobias Oetiker (the maker of MRTG).
You can find the script at:

Cammer is a Perl script which will search through your switch for IP addresses and relate them, via your router, to MAC addresses on your switch ports.

Read the cammer.readme.txt for the complete story.


I have made a batch script on my Windows server which reads all my user switches. With this script I can hunt down a suspicious MAC address (provided by a Security Officer).
When the script is executed repeatedly, and the result is redirected (appended) to a file, you might even trace if the MAC address switches active network ports, or if a different MAC address is used on the same port.
When I know on which port the MAC address is, I set up a SPAN port (3Com calls it Roving Analysis) and hook up a laptop in the patch cabinet.
The user doesn't know that I trace all his networking traffic (using Ethereal, Packetyzer or Network Monitor).
Analysis of the network capture might reveal which actions the user has taken and/or which IP addresses the user has connected to.
Up to a certain level I am able to recreate the websites the user has visited. HTTPS and SSL are encrypted, so these sites remain (within Ethereal) hidden.

When the Security Officer confronts the user with these results, the user knows he is being watched and usually stops his nasty activities.

When things get really nasty I can hand over the traces to a forensic specialist for a more detailed report, but we never came this far (yet).
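The repeated-snapshot idea from the post above, as an added example that is not part of the thread and not cammer's own code: it parses the same BRIDGE-MIB/IF-MIB tables cammer walks (dot1dTpFdbPort, dot1dBasePortIfIndex, ifName) from `snmpwalk -On` style output and compares successive snapshots to report a MAC that moved to another port or a port whose MAC changed. All MAC addresses, ifIndex values and port names are constructed.

```python
"""Relate MACs to switch ports from BRIDGE-MIB/IF-MIB walks and flag MACs that move between ports."""
import re

# Numeric OID prefixes as printed by `snmpwalk -On`. On Cisco IOS the forwarding
# table is kept per VLAN and is read with community indexing (community@vlan).
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."      # dot1dTpFdbPort: index = MAC as 6 decimal octets
PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex: bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1."       # ifName: ifIndex -> port name
LINE = re.compile(r'^\.?(\S+) = \w+: "?([^"]*)"?$')  # "<oid> = TYPE: value"

def parse_walk(lines):
    """Return {mac: port name} from one walk of the three tables above."""
    fdb, bridge2if, ifnames = {}, {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        oid, value = m.groups()
        if oid.startswith(FDB_PORT):
            octets = oid[len(FDB_PORT):].split(".")
            fdb[":".join(f"{int(o):02x}" for o in octets)] = int(value)
        elif oid.startswith(PORT_IFINDEX):
            bridge2if[int(oid[len(PORT_IFINDEX):])] = int(value)
        elif oid.startswith(IF_NAME):
            ifnames[int(oid[len(IF_NAME):])] = value
    return {mac: ifnames.get(bridge2if.get(bp), f"bridgeport{bp}") for mac, bp in fdb.items()}

def port_changes(snapshots):
    """Compare successive {mac: port} maps: (mac, old_port, new_port) moves and
    (port, old_mac, new_mac) swaps, i.e. a different MAC showing up on a known port."""
    moves, swaps = [], []
    for old, new in zip(snapshots, snapshots[1:]):
        old_by_port = {p: m for m, p in old.items()}
        for mac, port in new.items():
            if mac in old and old[mac] != port:
                moves.append((mac, old[mac], port))
            if old_by_port.get(port, mac) != mac:
                swaps.append((port, old_by_port[port], mac))
    return moves, swaps

# Constructed sample walks: 00:13:20:aa:bb:cc is a company PC on Fa0/3, 00:0c:29:12:34:56 the
# unknown device (first on Fa0/5, then on Fa0/3 after the PC was unplugged), 00:13:20:11:22:33 stable.
COMMON = [".1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103", ".1.3.6.1.2.1.17.1.4.1.2.5 = INTEGER: 10105",
          ".1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107", ".1.3.6.1.2.1.31.1.1.1.1.10103 = STRING: Fa0/3",
          ".1.3.6.1.2.1.31.1.1.1.1.10105 = STRING: Fa0/5", ".1.3.6.1.2.1.31.1.1.1.1.10107 = STRING: Fa0/7"]
WALK_1 = [".1.3.6.1.2.1.17.4.3.1.2.0.19.32.170.187.204 = INTEGER: 3",
          ".1.3.6.1.2.1.17.4.3.1.2.0.12.41.18.52.86 = INTEGER: 5",
          ".1.3.6.1.2.1.17.4.3.1.2.0.19.32.17.34.51 = INTEGER: 7"] + COMMON
WALK_2 = [".1.3.6.1.2.1.17.4.3.1.2.0.12.41.18.52.86 = INTEGER: 3",
          ".1.3.6.1.2.1.17.4.3.1.2.0.19.32.17.34.51 = INTEGER: 7"] + COMMON
```

Feed each appended walk from the scheduled job to `parse_walk` and the list of results to `port_changes`; on the sample data it reports the unknown MAC moving Fa0/5 to Fa0/3 and Fa0/3 changing from the PC's MAC to the unknown one.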
 
As a side note: cammer.pl requires the SNMP_Session.pm Perl module, which is part of MRTG. Good find, can't wait to try it.

Also, once you set up the port monitor/SPAN in the switch you can run some of Dug Song's stuff (like dsniff, et al.) and actually display in real time what the perp is doing; e.g. if they're surfing you can have the web pages show up on your monitoring system's browser as they're opening in the perp's browser (packet mirroring).
 