Re: how to find hidden host within LAN



If you know the MAC you should be able to drill down and find which
switch it is connected to. Hopefully whoever wired your building had
enough brain cells to create a logical mapping of network ports around
the building to a numbered patch panel port. Then just trace the
cable, find out which network port its connected to, then go find and
smash the workstation in question. If you don't have such a mapping,
take the time/money now to get one in place, it will save you
countless headaches in the future. (its a two person job and you need
a pair of network testers and some easy way to communicate throughout
your office while doing it -- we bought little cheap motorolla 2-way
radio's but cell phones would work)

btw: its easy to spoof a mac address so that "iptables -A INPUT -m mac
--mac-source 00:01:00:33:00:01 -j DROP" will not stop it. (its not a
weakness of iptables but a weakness of IP itself)

I had a similiar situation where a hardware dev had brought in a
wireless router so he could move his laptop around his work area w/o
being bothered with cabling. Well of course the idiot had no clue on
securing wireless so some users in the adjacent office were using his
wide open wireless gateway to download/browse the web without being
forced thru their local proxy server - which was monitoring web access
(which at this point in the wireless game nothing is secure,
encryption may protect your _traffic_ but not your network) When
consumption of our DS3 starting skyrocketing, I knew something was
amiss.

-CC


On Nov 25, 2007 7:27 AM, Madan Thapa <madan.feedback@xxxxxxxxx> wrote:
You can track them..or restrict them with expesive technologies.. like
intelligent switches etc.

However.. if you want the easier way.. you can do the following.....

Assuming all node are windows PCs .... goto each pc on your lan.. (assuming
it is wired )

C:\>ipconfig -all | findstr "Physical" > 1.txt

It will list the Mac Address of the PC.

The mac address in windows will look like ..
00-01-00-33-00-01



You can block the host using too much traffic with iptables..

# iptables -A INPUT -m mac --mac-source 00:01:00:33:00:01 -j DROP


notice the : (colon) instead of - (minus symbol ) in mac address
representation











On Nov 25, 2007 8:09 PM, desant1@xxxxxx <desant1@xxxxxx> wrote:

Hi everybody
I'm using RH ES4 with iptables as gateway/firewall for my
LAN.
In the last week i notice in the iptables logs that a host within
my lan is doing a lot of traffic.
The destination/source address of the
packets and the used port suggest that this host is using peerToPeer
application (emule or similar).
The problem is that i'm not able to
identify this host within my LAN:
I can see his IP address (192.168.x.
y) and i can find his mac address througth ARP, but i can't ping it and
there is no host within my lan with this Mac address.
I can't
traceroute it.
Can someone help me to find this hidden host?

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list