-
October 16th, 2002, 02:01 PM
#1
Junior Member
I want to trace "moving targets" (hackers) working internally in my organisation.
Hi, I want to trace some client network accounts. I want to know at once when they actually logged in or, if they are logged in now, on which computer. I had a very nice utility called "net watch" but I lost it. I tried to search for it but could not find it again in Google.
Some users in my network are on to nasty things, trying to illegally enter others' computers etc.... I want to catch them red-handed. Any kind of tools you would suggest, or a nice plan including "server-and-client-side-settings"?
I consider them as moving targets because they would use any machine in my old NT4.0 network, with some Windows 2000 clients and all other NT4.0 clients.
How do I trace down "moving targets"?
I want their passwords... whenever they change... (I'm prepared to go to extreme lengths to trace them down) and any other information I can gather.
Please help
-
October 16th, 2002, 02:34 PM
#2
If you have the IP address that the "attack" is coming from, then you could try doing a nbtstat -A computername (nbtstat -a if you have the machine name), I think. That should give you the username of the person that's logged onto that machine. Also, you might want to try a tool called NT Last from Foundstone. I think it may help you out a little. It gives the username and last login times on a specified machine. They have many other useful tools on this site as well. Hope this helps you.
Opinions are like holes - everybody's got 'em.
-
October 16th, 2002, 03:40 PM
#3
If you find an FTP server installed on the target machine you can run a trap and trace with TCPdump or WinDump. What this does is it creates a file and logs all the commands executed, such as ls, mkdir etc.... It also recreates all the files that were uploaded to the target machine. This way you know exactly what has been uploaded, such as password crackers etc...
There is also another thread going around about the security scanner nessus. If you haven't scanned your system, it might be a good idea to see if it is open to exploits.
-
October 17th, 2002, 10:06 AM
#4
Junior Member
Are you an Admin on the Network?
Some users in my network are on to nasty things, trying to illegally enter others' computers etc.... I want to catch them red-handed
You're running NT/2000, right? Go to the folders that are being abused and turn auditing on (log successful logins), then just check the event logs, find whoever's doing it and suspend their account - then they'll find you
I want their passwords... whenever they change... (I'm prepared to go to extreme lengths to trace them down) and any other information I can gather.
This won't get their passwords but it'll get their user names. (It's not really legal to "get their passwords")
-
October 17th, 2002, 03:31 PM
#5
Very good advice about the security auditing alanj23. Sometimes we overlook the obvious answers. I think that it would definitely help to either identify the perpetrator or at least the compromised account so that you can put a stop to it.
Opinions are like holes - everybody's got 'em.
-
October 21st, 2002, 11:42 AM
#6
Junior Member
It is not legal, I know... but if I have strong reasons to believe that these guys are up to bad tricks against my network then I just want to stay one step ahead of them by knowing what stuff they are about to use and how far they are planning to go. Well... thanks for the help.
-
October 25th, 2002, 05:19 AM
#7
Member
Try a good sniffer; I think there is one in the AO tools, or check out thescreensavers.com
Amateurs get jail time, pros get jobs.
-
October 25th, 2002, 05:33 AM
#8
Originally posted here by amir4u
It is not legal, I know... but if I have strong reasons to believe that these guys are up to bad tricks against my network then I just want to stay one step ahead of them by knowing what stuff they are about to use and how far they are planning to go. Well... thanks for the help.
If it's your network (meaning you either own it or are the network administrator and have the authorization) there's no reason for it to be illegal (enabling logon banners might help establish that the users were aware that no privacy is assumed on these computers [...] if this goes to court).
Now, like has been said, on w2k there are many ways to track user activities...
- Auditing
- The tool from Foundstone that was mentioned
- userstat.exe (from w2k reskit)
- Monitor open sessions (shares) with mmc (management console)
...
What exactly do you want to monitor?
Ammo
Credit travels up, blame travels down -- The Boss
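The auditing advice in posts #4 and #8, as an added example that is not part of the original thread: once logon auditing is on, the security log can be summarised per account to show which workstations an account has used, who is logged on now, and which machines produce failed logons for several accounts. It assumes the log has been exported to a constructed tab-separated format (time, event ID, account, workstation); the account and workstation names are made up, and 528/529/538 are the NT 4.0/2000 security log IDs for logon, failed logon and logoff.

```python
import csv
from collections import defaultdict
from io import StringIO

# Security log event IDs used by Windows NT 4.0 / 2000 logon auditing.
LOGON, LOGON_FAILED, LOGOFF = 528, 529, 538

# Constructed sample export (tab-separated): time, event ID, account, workstation.
SAMPLE = """\
2002-10-16 09:02:11\t528\tjsmith\tWS-ACCT-01
2002-10-16 09:40:03\t538\tjsmith\tWS-ACCT-01
2002-10-16 09:55:47\t529\tadmin\tWS-LAB-07
2002-10-16 09:55:52\t529\tbackup\tWS-LAB-07
2002-10-16 09:56:01\t529\tmjones\tWS-LAB-07
2002-10-16 10:01:30\t528\tjsmith\tWS-LAB-07
2002-10-16 10:05:12\t528\tmjones\tWS-ACCT-02
"""

def parse(text):
    """Yield (time, event_id, account, workstation), skipping malformed rows."""
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) == 4 and row[1].isdigit():
            yield row[0], int(row[1]), row[2].lower(), row[3].upper()

def summarize(text):
    seen_on = defaultdict(set)      # account -> every workstation it logged on to
    active = {}                     # (account, workstation) -> logon time, still open
    failures = defaultdict(set)     # workstation -> accounts with failed logons there
    for when, event_id, account, host in parse(text):
        if event_id == LOGON:
            seen_on[account].add(host)
            active[(account, host)] = when
        elif event_id == LOGOFF:
            active.pop((account, host), None)
        elif event_id == LOGON_FAILED:
            failures[host].add(account)
    return {
        "roaming": {a: sorted(h) for a, h in seen_on.items() if len(h) > 1},
        "logged_on_now": sorted(active),
        # Failed logons for 3+ different accounts from one machine suggest guessing.
        "guessing_hosts": sorted(h for h, accts in failures.items() if len(accts) >= 3),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Real security logs pair a logon with its logoff by Logon ID; matching on account and workstation here is a simplification for the constructed format.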