
How to find everyone on the network

[This note was first published in the Sandbox; I decided to move it to the blog]



So, here is what we have: a subsidiary (two, in fact) with a dozen engineers, an office /24 subnet, a lot of equipment, and no system administrator (to be precise, one who only comes in to deal with critical issues). On top of that, questions like:



- Listen, how do I find out the network address of this piece of hardware (an industrial-design box) without resetting its settings? I don't know who set it up, but it used to work for us, and I don't know which subnet it was in either.

- Do you happen to know what address our DVSR has? Yes, we have one, yes, we configured it, but nobody remembers.

- And which of our addresses between 64 and 80 are free?

- (a call from the visiting admin) Your mail server was down this morning because someone took its IP. Judging by the logs, that computer had MAC xx:xx:xx:xx:xx:xx; can you tell me what it was?


And for this they won't let me nap in the afternoon! A solution is needed urgently; it can even be inelegant, as long as it is fast and effective.



So let's get started. First of all, I have no admin access to any server or router. But there is one powerful machine I wangled, with Ubuntu Linux installed on it. So everything will live there, and the results will be served by a local web server.



To close the problem from the technical side, it is enough to know which devices have appeared on the network (MAC addresses), which IPs they have occupied, and to be told when a new device with an IP from the office subnets (10.0.0.0/24 and 62.85.xx.0/28, the DMZ + demo segment) shows up.



You can either listen to the network passively and collect all MAC addresses, or use active scanning for the same purpose and write every new piece of information to a log. The second option seemed simpler and more interesting to me.



1) Install arp-scan:



$ sudo apt-get install arp-scan



2) Let's write a small script that creates two files: a list of the hosts active on the network right now, and a cumulative list of every MAC/IP combination seen while the script has been running, and publishes both on the internal web server. In addition, it notifies the sysadmin about every new device on the network; mail is sent with the sSMTP utility.



#!/bin/bash
#
# quick and dirty scan for new devices
# create empty /var/www/list.txt before first run
#
# work in a private temp dir: the script runs as root, and fixed names
# like /tmp/x1 would let any local user plant a symlink there first
TMP=`mktemp -d` || exit 1
trap 'rm -rf "$TMP"' EXIT
#
# arp-scan also prints a banner and a summary; keep only the result
# lines, which start with an address from the scanned range
arp-scan --interface eth0 62.85.xx.0/28 | grep ^62 > $TMP/x2
arp-scan --interface eth0 10.0.0.0/24 | grep ^10 > $TMP/x1
date > /var/www/current.txt
cat $TMP/x1 $TMP/x2 | sort | uniq >> /var/www/current.txt
#
# send email if completely new IP/MAC pair found
# (the date line is always "new" against list.txt, hence -gt 1)
if test `diff /var/www/current.txt /var/www/list.txt | grep '^<' | wc -l` -gt 1; then
    echo "Subject: New equipment found" > $TMP/report
    diff /var/www/current.txt /var/www/list.txt | grep '^<' >> $TMP/report
    ssmtp rat@admin.lv < $TMP/report
fi
# mplayer /usr/share/sounds/war2/orcs/basic-orc-voices/annoyed7.wav
#
# merge this run into the cumulative list
cat /var/www/list.txt $TMP/x1 $TMP/x2 | sort | uniq > $TMP/list.txt
mv $TMP/list.txt /var/www/list.txt




We get a fairly informative list of all IPs and all MACs that have ever used them, with the NIC vendor resolved from the OUI prefix of each MAC.



Since arp-scan sends and receives raw Ethernet frames, both it and the whole script need raw socket access, in practice root (or CAP_NET_RAW); cron.hourly runs its scripts as root, which covers that.



3) Add the script to cron (I chose an hourly run; the script is saved as arpscan):



$ sudo mv arpscan /etc/cron.hourly/

$ sudo chown root.root /etc/cron.hourly/arpscan

$ sudo chmod +x /etc/cron.hourly/arpscan




That's it: we now have current and automatically (!) updated information about the active devices on the network (the scanning host itself does not appear in its own results):



Sat Dec 13 00:17:35 EET 2008

10.0.0.10 00:17:a4:0c:8f:xx Global Data Services

10.0.0.1 00:50:da:de:a7:xx 3COM CORPORATION

10.0.0.102 00:00:85:77:e9:xx CANON INC.

10.0.0.104 00:1b:78:24:19:xx Hewlett Packard

10.0.0.11 00:18:fe:33:59:xx Hewlett Packard




In addition, the mailbox now holds a log of when each interface first showed up on the network.



By the way, such statistics are quite useful to novice admins who filter Internet access and account for traffic only by machine IP addresses, while curious users quietly change their IP and do whatever they like. Now these "mind games" are documented. (Bear in mind that a MAC is just as easy to change as an IP, so treat the log as evidence, not proof.)
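The script's diff only answers "is this IP/MAC pair new?". The two questions the colleagues actually asked, "who took the mail server's IP?" and "which user changed their address?", need a slightly different comparison. The following Python script is an added example and not part of the original post or the author's setup: it parses arp-scan's result lines, compares one sweep against the cumulative list, and reports new pairs, IPs answered by two MACs in the same sweep (an address conflict), and known MACs that now answer on a different IP. The baseline, the sweep and every MAC in it are constructed for the example; the banner and summary lines only stand in for arp-scan's own chatter, which the parser drops because it does not start with an IP.

```python
"""Baseline comparison for arp-scan output (added example, not the post's script).

Reads arp-scan's default "IP<TAB>MAC<TAB>vendor" result lines and reports:
  - new IP/MAC pairs never seen before (what the post's script mails about),
  - one IP answered by two MACs in the same sweep (address conflict),
  - a known MAC that now answers on a different IP (a user who moved).
All sample data below is constructed for the example; the MACs are made up.
"""
import re
from collections import defaultdict

# Result lines are "IP<TAB>MAC<TAB>vendor".  Banner and summary lines do
# not start with an IPv4 address, so the regex simply does not match them.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"          # IPv4 address
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"       # MAC address
    r"(?:\s+(.*))?$",                         # optional vendor text
    re.IGNORECASE,
)


def parse_arp_scan(text):
    """Return a list of (ip, mac, vendor) tuples from arp-scan output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower(), (m.group(3) or "").strip()))
    return entries


def classify(current, baseline):
    """Compare one sweep against the cumulative baseline.

    Returns a dict with:
      new_pairs: sorted [(ip, mac)] not present in the baseline
      conflicts: {ip: [mac, ...]} for IPs answered by more than one MAC now
      moved:     {mac: (old_ips, new_ip)} for known MACs seen on a new IP
    """
    seen_pairs = {(ip, mac) for ip, mac, _ in baseline}
    ips_by_mac = defaultdict(set)
    for ip, mac, _ in baseline:
        ips_by_mac[mac].add(ip)

    new_pairs = sorted({(ip, mac) for ip, mac, _ in current
                        if (ip, mac) not in seen_pairs})

    macs_by_ip = defaultdict(set)
    for ip, mac, _ in current:
        macs_by_ip[ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                 if len(macs) > 1}

    moved = {}
    for ip, mac, _ in current:
        if mac in ips_by_mac and ip not in ips_by_mac[mac]:
            moved[mac] = (sorted(ips_by_mac[mac]), ip)

    return {"new_pairs": new_pairs, "conflicts": conflicts, "moved": moved}


def merge_baseline(baseline, current):
    """The cumulative list: union of everything ever seen, sorted."""
    return sorted(set(baseline) | set(current))


def report(result):
    """Plain-text body in the spirit of the post's e-mail; empty if all is quiet."""
    lines = []
    for ip, mac in result["new_pairs"]:
        lines.append(f"new pair      {ip:<12} {mac}")
    for ip, macs in sorted(result["conflicts"].items()):
        lines.append(f"IP conflict   {ip:<12} {' / '.join(macs)}")
    for mac, (old, new) in sorted(result["moved"].items()):
        lines.append(f"MAC moved     {mac}  {','.join(old)} -> {new}")
    return "\n".join(lines)


# Constructed baseline (what /var/www/list.txt would hold) and a constructed
# sweep that also carries banner/summary-style lines the parser must ignore.
BASELINE_TEXT = """\
10.0.0.1\t00:50:da:de:a7:01\t3COM CORPORATION
10.0.0.10\t00:17:a4:0c:8f:02\tGlobal Data Services
10.0.0.11\t00:18:fe:33:59:03\tHewlett Packard
10.0.0.102\t00:00:85:77:e9:04\tCANON INC.
"""

SWEEP_TEXT = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan with 256 hosts
10.0.0.1\t00:50:da:de:a7:01\t3COM CORPORATION
10.0.0.10\t00:17:a4:0c:8f:02\tGlobal Data Services
10.0.0.10\t00:1b:78:24:19:05\tHewlett Packard
10.0.0.70\t00:18:fe:33:59:03\tHewlett Packard
10.0.0.102\t00:00:85:77:e9:04\tCANON INC.

5 packets received by filter, 0 packets dropped by kernel
"""

if __name__ == "__main__":
    result = classify(parse_arp_scan(SWEEP_TEXT), parse_arp_scan(BASELINE_TEXT))
    print(report(result))
```

Run as-is it prints four lines: two new pairs, the conflict on 10.0.0.10 (the box that "took" an address already in use) and the HP NIC that moved from 10.0.0.11 to 10.0.0.70. In the cron setup from the post you would feed it the saved arp-scan output instead of SWEEP_TEXT and pipe `report()` into ssmtp only when it is non-empty; the conflict check is the one worth alerting on immediately, since it is exactly what takes a server down.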



And now, more coffee ...

Source: https://habr.com/ru/post/86005/


