How to find everyone on the network

    [This note was first published in the Sandbox; I decided to move it to the blog]

    So, here is what we have: a subsidiary, even two, with a dozen technical engineers, a class C office subnet, a lot of assorted equipment and no system administrator (to be precise, he comes in and fixes only critical issues). On top of that, questions like:

    - Listen, how do I find the network address of this piece of hardware (an industrial model) without resetting its settings? I don't know who configured it, but it worked for us once, and I don't know which subnet it is on either.
    - By the way, do you happen to know at what address our DVSR is? Yes, we have one, yes, we set it up, but no one remembers.
    - And which addresses from 64 to 80 are not taken?
    - (Call from the visiting admin) Your mail server died this morning because someone took its IP. Judging by the logs, that computer had MAC xx:xx:xx:xx:xx:xx, can you tell me what it was?

    And for the sake of this they won't let me sleep during the day! I urgently need a solution, inelegant if need be, but quick and effective.

    So let's get started. To begin with, I have no admin access to any server or router. But there is one fairly powerful machine on which Ubuntu Linux has settled. So everything will live on it, and the result will be published on its local web server.

    To solve the problem on the technical side, I only need to know which devices have appeared on the network (MAC addresses), which IPs they occupied, and to be told when a new device shows up with an IP from the office subnets (10.0.0.0/24 and 62.85.xx.0/28, DMZ + demo).

    You can either passively listen to the network and collect all the MAC addresses, or use active scanning for the same purpose and write every new fact to a log. The second option seemed simpler and more interesting to me. One caveat with active ARP scanning: ARP does not cross routers, so a sweep only sees hosts in the broadcast domain the scanning interface sits on, and a host that is powered off or does not answer ARP at that moment will be missing from that sweep.

    1) Install arp-scan :

    $ sudo apt-get install arp-scan

    2) Write a small script that produces two files: a list of the computers active on the network right now, and a cumulative list of every MAC/IP combination detected while the script has been running, and publish both on the internal web server. Additionally, it notifies the system administrator of every new device on the network; the ssmtp utility is used to send the mail. The result is a fairly informative list of all IPs and all MACs that have ever used those IPs, with the vendor of each network interface. Since arp-scan needs raw socket (very low-level) network access, both it and the whole script run only with root rights. Because the script runs as root and writes to fixed filenames under /tmp, it is only safe on a machine without untrusted local users; otherwise use mktemp for the temporary files.

    3) Add the script to crontab (I chose hourly runs):

    #!/bin/bash
    #
    # quick and dirty scan for new devices
    # create empty /var/www/list.txt before first run
    #
    # one sweep per subnet; grep keeps only the "IP MAC vendor" lines
    # and drops arp-scan's header and footer
    arp-scan --interface eth0 62.85.xx.0/28 | grep ^62 > /tmp/x2
    arp-scan --interface eth0 10.0.0.0/24 | grep ^10 > /tmp/x1
    # current.txt: timestamp, then everything that answered right now
    echo `date` > /var/www/current.txt
    cat /tmp/x1 /tmp/x2 | sort | uniq >> /var/www/current.txt
    #
    # send email if completely new IP/MAC pair found
    # (lines present only in current.txt are marked '<'; the date line
    # always differs, so a count above 1 means a pair not yet in list.txt;
    # the trailing "|| echo false" keeps the exit status 0 so cron stays quiet)
    test `diff /var/www/current.txt /var/www/list.txt | grep '<' | wc -l` -gt 1 && \
      (echo "Subject: New equipment found" > /tmp/report; \
       diff /var/www/current.txt /var/www/list.txt | grep '<' >> /tmp/report; \
       ssmtp rat@admin.lv < /tmp/report) || echo false > /dev/null
    # mplayer /usr/share/sounds/war2/orcs/basic-orc-voices/annoyed7.wav
    #
    # list.txt: cumulative list of every IP/MAC pair ever seen
    cat /var/www/list.txt /tmp/x1 /tmp/x2 | sort | uniq > /tmp/list.txt
    mv /tmp/list.txt /var/www/list.txt

    $ sudo mv arpscan /etc/cron.hourly/
    $ sudo chown root.root /etc/cron.hourly/arpscan
    $ sudo chmod +x /etc/cron.hourly/arpscan
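    The shell script above only answers "is this IP/MAC pair new?". The questions in the intro also need "who answered for the same IP twice", "which IPs has this MAC used" and "what is free between 64 and 80". Below is an added example of my own, not the post's script, that parses arp-scan output and answers all four from the same data; the arp-scan text and the MAC suffixes are constructed for the demo, and the function names are mine.

```python
"""Added example (not the post's script): parse arp-scan output, keep a
cumulative IP/MAC history and answer the questions from the intro.
The scan text below is constructed; MAC suffixes after the OUI are made up."""
import ipaddress
import re
from collections import defaultdict

# arp-scan prints one "IP<TAB>MAC<TAB>vendor" line per responding host;
# header and footer lines do not match this pattern and are skipped
# (the post's `grep ^10` does the same job).
_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*(.*)$")


def parse_arp_scan(text):
    """Return {(ip, mac): vendor} for every host line in arp-scan output."""
    pairs = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            ip, mac, vendor = m.group(1), m.group(2).lower(), m.group(3).strip()
            pairs[(ip, mac)] = vendor
    return pairs


def new_pairs(current, history):
    """IP/MAC pairs never seen before: the condition the post e-mails on."""
    return sorted(set(current) - set(history),
                  key=lambda p: ipaddress.ip_address(p[0]))


def ip_conflicts(current):
    """IPs for which more than one MAC answered in one sweep
    (the 'someone took the mail server's IP' case)."""
    by_ip = defaultdict(set)
    for ip, mac in current:
        by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}


def ips_for_mac(history, mac):
    """Every IP a MAC has ever been seen with ('what was that machine?')."""
    return sorted({ip for ip, m in history if m == mac.lower()},
                  key=ipaddress.ip_address)


def free_addresses(subnet, current, first, last):
    """Hosts in subnet with last octet in [first, last] that nobody answered
    for. Absent from one sweep means 'did not answer now', not 'unassigned'."""
    used = {ip for ip, _ in current}
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if first <= h.packed[-1] <= last and str(h) not in used]


def sweep(history_text, scan_text):
    """One cron-style pass: parse, compare with history, merge, report."""
    history = parse_arp_scan(history_text)
    current = parse_arp_scan(scan_text)
    merged = dict(history)
    merged.update(current)
    return {"current": current, "history": merged,
            "new": new_pairs(current, history),
            "conflicts": ip_conflicts(current)}


# Constructed: yesterday's cumulative list.txt (OUIs as in the post, suffixes invented)
HISTORY_TXT = """10.0.0.1\t00:50:da:de:a7:01\t3COM CORPORATION
10.0.0.10\t00:17:a4:0c:8f:02\tGlobal Data Services
10.0.0.102\t00:00:85:77:e9:03\tCANON INC.
10.0.0.104\t00:1b:78:24:19:04\tHewlett Packard
"""

# Constructed: today's raw arp-scan output, header and footer included.
# A new HP box answers for the mail server's IP, and the HP from .104 has
# quietly moved to .70; the printer at .102 is switched off.
SCAN_TXT = """Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.1\t00:50:da:de:a7:01\t3COM CORPORATION
10.0.0.10\t00:17:a4:0c:8f:02\tGlobal Data Services
10.0.0.10\t00:18:fe:33:59:05\tHewlett Packard
10.0.0.70\t00:1b:78:24:19:04\tHewlett Packard

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8: 256 hosts scanned in 1.9 seconds. 4 responded
"""

if __name__ == "__main__":
    r = sweep(HISTORY_TXT, SCAN_TXT)
    print("new pairs:   ", r["new"])
    print("ip conflicts:", r["conflicts"])
    print("00:1b:78:24:19:04 has used:", ips_for_mac(r["history"], "00:1b:78:24:19:04"))
    print("free 64-80:  ", free_addresses("10.0.0.0/24", r["current"], 64, 80))
```

    In a real deployment `HISTORY_TXT` would be read from the cumulative list file and `SCAN_TXT` from `arp-scan` run as root; the merged history is what gets written back. The conflict check is the one piece the post's diff cannot express, because a stolen IP produces a perfectly valid new pair.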


    That's all: now we have up-to-date and automatically (!) refreshed information about the active devices on the network, as in the current.txt shown below (the scanning host itself will not appear in it). In addition, a mail lands in the mailbox the first time some interface lights up on the network. By the way, such statistics are quite useful for novice administrators who try to filter Internet access and account for traffic by machine IP address alone, while cunning users quietly change their IP and do whatever they want. Now such "mind games" will be documented. Back to our coffee ...

    Sat Dec 13 00:17:35 EET 2008
    10.0.0.10 00:17:a4:0c:8f:xx Global Data Services
    10.0.0.1 00:50:da:de:a7:xx 3COM CORPORATION
    10.0.0.102 00:00:85:77:e9:xx CANON INC.
    10.0.0.104 00:1b:78:24:19:xx Hewlett Packard
    10.0.0.11 00:18:fe:33:59:xx Hewlett Packard
