how to find hidden host within LAN

Chuck chuck.carson at gmail.com
Sun Nov 25 18:25:19 UTC 2007 

If you know the MAC you should be able to drill down and find which
switch it is connected to. Hopefully whoever wired your building had
enough brain cells to create a logical mapping of network ports around
the building to a numbered patch panel port. Then just trace the
cable, find out which network port its connected to, then go find and
smash the workstation in question. If you don't have such a mapping,
take the time/money now to get one in place, it will save you
countless headaches in the future. (its a two person job and you need
a pair of network testers and some easy way to communicate throughout
your office while doing it -- we bought little cheap motorolla 2-way
radio's but cell phones would work)

btw: its easy to spoof a mac address so that "iptables -A INPUT -m mac
--mac-source 00:01:00:33:00:01 -j DROP" will not stop it. (its not a
weakness of iptables but a weakness of IP itself)

I had a similiar situation where a hardware dev had brought in a
wireless router so he could move his laptop around his work area w/o
being bothered with cabling. Well of course the idiot had no clue on
securing wireless so some users in the adjacent office were using his
wide open wireless gateway to download/browse the web without being
forced thru their local proxy server - which was monitoring web access
(which at this point in the wireless game nothing is secure,
encryption may protect your _traffic_ but not your network)  When
consumption of our DS3 starting skyrocketing, I knew something was
amiss.

-CC


On Nov 25, 2007 7:27 AM, Madan Thapa <madan.feedback at gmail.com> wrote:
> You can track them..or restrict them with expesive technologies.. like
> intelligent switches etc.
>
> However.. if you want the easier way..  you can do the following.....
>
> Assuming all node are windows PCs .... goto each pc on your lan.. (assuming
> it is wired )
>
> C:\>ipconfig  -all | findstr "Physical" > 1.txt
>
> It will list the Mac Address of the PC.
>
> The mac address in windows will look like ..
> 00-01-00-33-00-01
>
>
>
> You can block the host using too much traffic with iptables..
>
> # iptables -A INPUT -m mac --mac-source 00:01:00:33:00:01 -j DROP
>
>
> notice the : (colon) instead of - (minus symbol ) in mac address
> representation
>
>
>
>
>
>
>
>
>
>
>
> On Nov 25, 2007 8:09 PM, desant1 at tin.it <desant1 at tin.it> wrote:
>
> > Hi everybody
> > I'm using RH ES4 with iptables as gateway/firewall for my
> > LAN.
> > In the last week i notice in the iptables logs that a host within
> > my lan is doing a lot of traffic.
> > The destination/source address of the
> > packets and the used port suggest that this host is using peerToPeer
> > application (emule or similar).
> > The problem is that i'm not able to
> > identify this host within my LAN:
> > I can see his IP address (192.168.x.
> > y) and i can find his mac address througth ARP, but i can't ping it and
> > there is no host within my lan with this Mac address.
> > I can't
> > traceroute it.
> > Can someone help me to find this hidden host?
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>

More information about the redhat-list mailing list