Rogue PCs or devices

[puzOpia]

<_< I was recently (unofficially) named as the Network Security guy at work. The other day I found a rogue pc on my network. I know I can find it's MAC address in my router tables and find out what port and what switch it's plugged in to. I would like to know, however, if there is anything else I can do if I cannot physically go there. Since I don't have admin rights to the box (probably someones personal laptop) all I can do is scan it and try to connect with password guesses. Is there any app that can help me remotely connect to it, remote control it or shut it down? Maybe it would make a cool segment for the show...

[Sparda]

If it is some ones personal laptop you would be braking the law by trying to fix it with out the owners permission. I suggest you turn off the port on the switch then wait until some one complains it's not working. Tell them they can't plug there personal laptop in to the network if it so happens to be a personal computer, else fix the computer.

[pritchard9]

Sparda is right mate. Don't want some guy fuming, calling you "hacker" and stuff. Won't go down well with colleagues (how the heck do you spell that word?!) and most certainly won't go down well with your boss.

[Mat]

It could be worth investigating RADIUS authentication at the switches, this would mean that computers other than ones you have authorised, would not get a network connection when plugged in.

[puzOpia]

Well, just to be clear Sparda, they were not actually asking me to fix the computer. They were just connecting to a network they were not supposed to be connecting to. Secondly, my boss asked me to try to identify who it belonged to and block it's access. Yes I can shut down that port for starters but they could just move to another one. I would like to gather more info and maybe block access to the MAC address. Hmm, maybe I can block that at the switch....

[digip]

You can filter MAC addresses on the switch with port-security. I think you would have to do it for all interfaces you want security on though.

I havent used it yet(still in the beginning of my ccna class) but I think you can use the Cisco Security Manager to set up shared ACL's and block it from there.

[digininja]

I'd find out which port it was on then walk round and unplug it. Why mess around with tech solutions when a physical one is probably a lot quicker.

[Deveant]

There is many of ways to stop this, physical or digital, trying to connect to the users PC is probably the worst / Hardest.

Follow digininja's suggestion and trace it physically back to the user, or just ban the MAC from either your servers or switches, even to the point of re-routing his traffic.

You want to know who it is? well ask yourself what are they doing? Going to websites, signing into Email accounts or social sites, then its easy to track down who they are.

[digip]

Wouldn't you have to try and follow the cable to the desk from the switch to physcailly unplug it? How large is the network? Wouldn't tracing it back to the physical desk be a bit hard if say things run over/under/through walls, etc. Unless you have a diagram of the nwetwork with locations of where each port connects to the endpoints, how will you easily find the physical device?

What you can do is turn port-security on for that port on the switch, then set the sticky to 1 mac address(assuming the device plugged in is the correct device and not the rouge machine). If they try to insert a new device on that connection, you can set the security option to trap or block it, and once they put the original back in, then it turns the port back on based on the mac address. If anything, turn it on for that one port and block the rouge mac address to begin with. Then wait to see if they call because they are having network problems, they will give themself away.

[Mat]

Wouldn't you have to try and follow the cable to the desk from the switch to physcailly unplug it? How large is the network? Wouldn't tracing it back to the physical desk be a bit hard if say things run over/under/through walls, etc.

The network here has a cabinet with patch panels that are connected to the sockets in the rooms, and patch leads connect those to the switches. The only tracing needed would be to trace the cable from the switch cabinet, to the patch cabinet next to it. The patch panels are numbered and that number matched the number on the socket in the offices. Finding a physical device somewhere in this building from knowing only the switch port would be easy.

I've no idea if the OP is configured in this way, but I'd imagine it to be standard.

[digip]

The network here has a cabinet with patch panels that are connected to the sockets in the rooms, and patch leads connect those to the switches. The only tracing needed would be to trace the cable from the switch cabinet, to the patch cabinet next to it. The patch panels are numbered and that number matched the number on the socket in the offices. Finding a physical device somewhere in this building from knowing only the switch port would be easy.

I've no idea if the OP is configured in this way, but I'd imagine it to be standard.

I wasnt thinking to disconnect it at the switch(which would work), I was thinking disconnecting it at the end users pc wherever they may be sitting in the building.

If you start unplugging people at the switch itself, you may as well disable the interface on the switch instead which can be done without having to unplug and replug cables. That kind of defeats the use of the switch though, and you still need to find who it is at the other end, because they may just get up and walk over to another machine and swap out their cable to use another workstations ethernet connection, then the process starts all over again. Another thing people do sometimes is bring in outside routers as well, so you walk by there desk and they have two machines on the network now, their office workstation, and whatever other machine they bring in, like their personal laptop or whatever.

I'd say find out who it is before going much further to prevent any breach of the network security. Who knows what they are doing. They could spread a virus, or copy company files, etc. Not a good scenario for the new "Network Security guy at work". Get the correct machine back into the network and then set up some security on that switch to block against this in the future.

I know that if anyone at my work got caught doing something like this, they would be fired on the spot. Most places won't tolerate someone doing that, just for the security reasons alone.

[puzOpia]

Thanks for the suggestions guys. We're tracking down the switch it is connected to as we speak. The segment he's connected to is the majority of our PCs (about 400) but our switches are very well named, once we find it, it will be very easy to pinpoint the location. Also, I am going to set a reservation on our DHCP server for his MAC to something bogus like 0.0.0.0. That should cause some heartache for him in the future.

[taiyed14]

Thanks for the suggestions guys. We're tracking down the switch it is connected to as we speak. The segment he's connected to is the majority of our PCs (about 400) but our switches are very well named, once we find it, it will be very easy to pinpoint the location. Also, I am going to set a reservation on our DHCP server for his MAC to something bogus like 0.0.0.0. That should cause some heartache for him in the future.

sounds like a good solution, as long as he doesn't spoof his MAC. :P (somehow i doubt it)

[digininja]

Thanks for the suggestions guys. We're tracking down the switch it is connected to as we speak. The segment he's connected to is the majority of our PCs (about 400) but our switches are very well named, once we find it, it will be very easy to pinpoint the location. Also, I am going to set a reservation on our DHCP server for his MAC to something bogus like 0.0.0.0. That should cause some heartache for him in the future.

If it is more important to find and discipline him then don't do that or he will lose his connection and disconnect so you'll never find him. If all you want is him off then do that and forget about it.

[puzOpia]

OK, get this everyone. It was my BOSS! He had pc that he "wiped" and started loading XP on it. I asked him why he gave it such a weird name. It was nothing like our normal pc naming convention. He claims it must have been automatically assigned. (yeah, ok). Anyway, crisis averted. Thought you guys might like to hear what happened.

BTW: the pc name was DANIELLE-HRDUXY. Sorry but I've never seen a windows install give a name anything like that.

[Sparda]

That's how the Windows installer names things, uses the name of the person who is the 'owner' with some random characters at the end.

[shonen]

lmfao Thats not the first story I have heard of where the culprit turns out to be the boss *shakes head*.

[puzOpia]

Yeah, but he claims he didn't put in any info yet (owner, user name, etc)

(Sighs and shakes head)

[The Sorrow]

wow....i dont know what to say to this story...its absolutely halarious

[3w`Sparky]

I Run a script on our DHCP Server at work I use Grep to exclude Printers and Naming Convension PC's & Servers it will then export whats left into a webpage that anyone can monitor.

the idea with this is not to stop "MR Hacker" as they are mostlightly not going to be obtaining DHCP unless there crap!

it's really to stop Mr Stupid with 800 viruse's and a floppy full of worm's.

the webpage throws up a nice little sound alerting us (Processes every 5 mins)

if they don't release there address then it sits on the webpage with there hostname until the lease expire's in our case 8Day's

it shows IP: 10.10.10.25 Hostname:Fred

this is a crude way of keeping an eye on the network but it works and when that rouge Device is spotted, we shutdown the port (that bit is still a manual process) also even if the PC is firewalled the useful info is from the DHCP server which means you still see that it connected.

net send to the pc in question it's normally enabled unless someone's stopped the messenger service.

(require's you to state the domain too tho)

one more thing , using a txt file I got off the net you can do a find on the first part of the mac address from DHCP in notepad or alike and it will match the vendor's code so if you can't workout what port it's plugged into you can atleast get an idea of what brand of device your looking for. . . .