
How to catch cracker within a LAN 1


finfrockg

MIS
Feb 19, 2001
13
US
I'm good at catching external attacks, using ACLs with syslog monitoring on WAN links, WireShark and Ethereal for tracking down bandwidth hogs and infected PCs.

But how do you monitor the activity of a single user who has nothing better to do than attempt to exploit servers, printers, switches on a LAN?

Is there any type of application that can be installed without the user knowing to log his activity?

Gary
 
Assuming you know which user it is, and are merely looking for proof/confirmation, you could use a keylogger, although this obviously has legal ramifications.

Where I used to work, we needed permission from the head of IT Security, the head of IT, and the Head of HR, before we could go ahead.

------------------------------------------------------
Matt
Life is all shadows and dust.
Live it up with women and wine while you can
 
Have you thought of using Wireshark/Ethereal on the internal network as well? Easy to filter out events by IP.

Also, you should incorporate an internal alert "sensor" as well. This will give you an idea if users inside the firewalls are doing bad things, but it also will give you an idea if an outside entity does get inside (one might not catch it, but the other will).
 
Aye, a honeypot is nice to have. Managed switches with the ability to mirror ports are also very nice when it comes to monitoring things 'live'.

Carlsberg don't run I.T. departments, but if they did they'd probably be more fun.
 
Why not put ACLs in place to only allow this person access to internal servers on the ports that the server serves?

This prevents him from exploiting services that are not locked down and only allows connection to that server for its desired use.



Gb0mb

........99.9% User Error........
 
I like the ACL idea, but the location in question has 3com switches and the local admin doesn't manage the switch. I'm not familiar with 3com or whether they have logging capabilities.

I think creating an ACL with the legitimate traffic defined, then allowing everything else but with the log option active, would create a nice syslog of the unauthorized traffic. After finding the unauthorized traffic, I can use Wireshark to create a filter and look into the traffic in detail.
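The workflow described in the post above (a catch-all ACL entry with logging, then a Wireshark filter built from the syslog hits), as an added example that is not code from the original thread. It assumes Cisco IOS style ACL log lines and the constructed sample below; the ACL number 101, the hosts and the threshold are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in Cisco IOS ACL-log format (not real captures).
# The catch-all "permit ip any any log" entry is assumed to be list 101; entries
# for defined legitimate traffic sit above it and do not log.
SAMPLE_SYSLOG = """\
Feb 19 09:01:02 core-rtr 101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(40112) -> 192.168.1.10(23), 1 packet
Feb 19 09:01:03 core-rtr 102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(40113) -> 192.168.1.10(445), 1 packet
Feb 19 09:01:04 core-rtr 103: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(40114) -> 192.168.1.20(9100), 1 packet
Feb 19 09:01:05 core-rtr 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(40115) -> 192.168.1.30(22), 1 packet
Feb 19 09:02:10 core-rtr 105: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.77(51000) -> 192.168.1.10(80), 1 packet
Feb 19 09:02:11 core-rtr 106: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.1.77(51001) -> 192.168.1.10(161), 1 packet
"""

ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

def parse_acl_log(text, acl="101"):
    """Map each source IP to the set of (dst_ip, proto, dport) it hit on the catch-all ACL."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m and m["acl"] == acl:
            hits[m["src"]].add((m["dst"], m["proto"], int(m["dport"])))
    return hits

def suspicious_sources(hits, min_targets=3):
    """Sources touching at least min_targets distinct host/port pairs outside the defined traffic."""
    return sorted(src for src, targets in hits.items() if len(targets) >= min_targets)

def wireshark_filter(src, targets):
    """Wireshark display filter for one source's traffic to the hosts/ports the ACL logged."""
    clauses = sorted(f"({proto}.dstport == {port} && ip.dst == {dst})" for dst, proto, port in targets)
    return f"ip.src == {src} && ({' || '.join(clauses)})"

if __name__ == "__main__":
    found = parse_acl_log(SAMPLE_SYSLOG)
    for src in suspicious_sources(found):
        print(src, "->", wireshark_filter(src, found[src]))
```

Run the script against the router's real syslog file instead of SAMPLE_SYSLOG, and paste the printed filter into Wireshark on a mirror port to see the flagged host's traffic.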
 
I am not sure what the 3com switch would have for ACLs.

You could just apply them right to the port this user connects to, or the uplink port from the switch he is on. Then just mirror his port on that switch and you can see what he is doing.

A host-based firewall on the server is always a good idea, even if it is internal.

Gb0mb

........99.9% User Error........
 