I want to trace "moving targets" (hackers) working internally in my organisation.
  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    18

    I want to trace "moving targets" (hackers) working internally in my organisation.

    Hi, I want to trace some client network accounts. I want to know at once when they actually logged in or if they r logged in now on which computer. I had a very nice utility called "net watch" but I lost it. I tried to search for it but could not find it again in Google.

    Some users in my network are on to nasty things trying to illegally enter in other's computers etc... I want to catch them red handed. Any kind of tools u would suggest or a nice plan including "server-and-client-side-settings"?

    I consider them as moving targets coz they would use any machine in my old NT4.0 network with some Windows 2000 clients and all other NT4.0 clients.

    How do I trace down "moving targets"?

    I want their passwords...........whenever they change........(I'm prepared to go to extreme lengths to trace them down) and any other information I can gather.
    Please help

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    If you have the IP address that the "attack" is coming from, then you could try doing a nbtstat -A computername (nbtstat -a if you have the machine name), I think. That should give you the username of the person that's logged onto that machine. Also, you might want to try a tool called NT Last from Foundstone. I think it may help you out a little. It gives the username and last login times on a specified machine. They have many other useful tools on this site as well. Hope this helps you.
    Opinions are like holes - everybody's got'em.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    If you find an FTP server installed on the target machine you can run a trap and trace with TCPdump or WinDump. What this does is it creates a file and logs all the commands executed, such as ls, mkdir etc. It also recreates all the files that were uploaded to the target machine. This way you know exactly what has been uploaded, such as password crackers etc.

    There is also another thread going around about the security scanner nessus. If you haven't scanned your system, it might be a good idea to see if it is open to exploits.

  4. #4
    Junior Member
    Join Date
    Aug 2002
    Posts
    15
    Are you an Admin on the Network?

    Some users in my network are on to nasty things trying to illegally enter in other's computers etc... I want to catch them red handed
    You're running NT/2000, right? Go to the folders that are being abused and turn auditing on (log successful logins), then just check the event logs, find whoever's doing it and suspend their account - then they'll find you.

    I want their passwords...........whenever they change........(I'm prepared to go to extreme lengths to trace them down) and any other information I can gather.
    This won't get their passwords but it'll get their user names. (It's not really legal to "get their passwords".)

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Very good advice about the security auditing alanj23. Sometimes we overlook the obvious answers. I think that it would definitely help to either identify the perpetrator or at least the compromised account so that you can put a stop to it.
    Opinions are like holes - everybody's got'em.

  6. #6
    Junior Member
    Join Date
    Oct 2002
    Posts
    18
    It is not legal, I know... but if I have strong reasons to believe that these guys r up to bad tricks against my network then I juss wana stay one step ahead of them by knowing what stuff they r about to use and how far they are planning to go. Well... thanx for the help.

  7. #7
    Try a good sniffer. I think there is one in the AO tools, or check out thescreensavers.com.
    Amateurs get jail time. Pros get jobs.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by amir4u
    It is not legal, I know... but if I have strong reasons to believe that these guys r up to bad tricks against my network then I juss wana stay one step ahead of them by knowing what stuff they r about to use and how far they are planning to go. Well... thanx for the help.
    If it's your network (meaning you either own it or are the network administrator and have the authorization) there's no reason for it to be illegal (enabling logon banners might help establish that the users were aware that no privacy is assumed on these computers [...] if this goes to court).

    Now, as has been said, on w2k there are many ways to track user activities...
    - Auditing
    - The tool from Foundstone that was mentioned
    - userstat.exe (from w2k reskit)
    - Monitor open sessions (shares) with mmc (management console)
    ...

    What exactly do you want to monitor?


    Ammo
    Credit travels up, blame travels down -- The Boss
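
Added example, not written by any poster in this thread: the logon-auditing approach from posts #4 and #8, turned into a small script that reads exported Security log records and reports where each watched account has logged on, where it still appears to have an open session, and where logons failed. Event IDs 528, 529 and 538 are the NT 4.0 / 2000 successful-logon, failed-logon and logoff events; the CSV column layout, account names and workstation names are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Security-log event IDs on Windows NT 4.0 / 2000.
LOGON_OK, LOGON_FAIL, LOGOFF = 528, 529, 538

# Constructed sample export. Column layout is an assumption:
# time,event_id,user,workstation
SAMPLE_LOG = """\
2002-10-14 08:02:11,528,jsmith,WS-ACCT-01
2002-10-14 08:40:03,538,jsmith,WS-ACCT-01
2002-10-14 08:45:27,528,jsmith,WS-LAB-07
2002-10-14 09:01:00,529,jsmith,WS-HR-02
2002-10-14 09:01:09,529,jsmith,WS-HR-02
2002-10-14 09:05:30,528,mlee,WS-HR-02
2002-10-14 09:30:44,528,jsmith,WS-LIB-03
2002-10-14 09:50:12,538,mlee,WS-HR-02
"""

def trace_accounts(log_text, watched):
    """Per watched account: open sessions, logon history, failed logons."""
    report = {u.lower(): {"active": {}, "history": [], "failures": defaultdict(int)}
              for u in watched}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or row[2].lower() not in report:
            continue  # malformed line or an account we are not watching
        when, event_id, user, ws = row
        entry, eid = report[user.lower()], int(event_id)
        if eid == LOGON_OK:
            entry["active"][ws] = when
            entry["history"].append((when, ws))
        elif eid == LOGOFF:
            # 538 is not always written, so "active" means "no logoff seen".
            entry["active"].pop(ws, None)
        elif eid == LOGON_FAIL:
            entry["failures"][ws] += 1
    return report

def summarize(report):
    lines = []
    for user, e in sorted(report.items()):
        used = sorted({ws for _, ws in e["history"]})
        lines.append(f"{user}: logged on at {len(used)} machine(s): {', '.join(used)}")
        lines += [f"  open session on {ws} since {t}" for ws, t in sorted(e["active"].items())]
        lines += [f"  {n} failed logon(s) at {ws}" for ws, n in sorted(e["failures"].items())]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(trace_accounts(SAMPLE_LOG, ["jsmith"]))))
```

This only works if logon/logoff auditing is enabled in the audit policy before the activity happens, and the records must be collected from every machine that logs them.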
