Results 1 to 3 of 3

Thread: How would you respond to a malicious device on your network?

  1. #1
    Join Date
    Dec 2008
    Location
    USA
    Beans
    521
    Distro
    Ubuntu 12.04 Precise Pangolin

    How would you respond to a malicious device on your network?

    Today I found a device I didn't recognize on my network. Turned out it was ok, but now I'd like to know what you would do.
    Specifically what would you do if it was malicious.

    I used nmap and did some intensive scanning. I tried connecting to it via open ports.
    I guess I would have ultimately banned the mac and changed some passwords, but I wasn't too panicked.

    Can I use wireshark to monitor the traffic to the box?
    Last edited by wlraider70; June 13th, 2013 at 09:33 PM.
    I don' really like coffee. I guess I'll give my Ubuntu beans to my wife.

    Luke

  2. #2
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How would you respond to a malicious device on your network?

    Quote Originally Posted by wlraider70 View Post
    Today I found a device I didn't recognize on my network. Turned out it was ok, but now I'd like to know what you would do.
    Specifically what would you do if it was malicious.
    It depends on what you mean by "my network". Is this your home network, or your businesses network, or the network where you work. If this network is a a business network, do you have a posted policy regarding rogue devices? In short, there is no pat answer.

    On my home network there are no available IP addresses for a rouge device to use so that is the end of that story. At work we have a posted policy forbidding unregistered devices. If the user persists in introducing these to the network they will be fired. We monitor the network flow all the time (not me) and regularly remove devices and warn users. Most of the time on a LAN these devices (personal NAS devices or user owned laptops) are inadvertent and only sometimes cause real problems.
    I used nmap and did some intensive scanning. I tried connecting to it via open ports.
    I guess I would have ultimately banned the mac and changed some passwords, but I wasn't too panicked.

    Can I use wireshark to monitor the traffic to the box?
    How did you find this rogue device? You should monitor the entire network. You can set up a host the runs wireshark and attach it to a managed switch that would aggregate all the other ports on that switch that are going to the router. Or you can install wireshark on a host that has 2 NIC's and forwards all network traffic through this host. Wireshark would then monitor one of its NIC's.
    -BAB1

  3. #3
    Join Date
    Mar 2011
    Beans
    671

    Re: How would you respond to a malicious device on your network?

    Really depends. If it's behind my router I'd make note of any information on the device, like MAC, and shut the router off from the internet and reconfigure the password, ensure all of the settings are the same, and potentially wipe it and start fresh.

    From there maybe I'd confirm my system settings, making sure the Firewall hasn't been changed, that my ports aren't changed, etc. But I wouldn't worry too much about it, I'd just assume some kid got onto my wifi somehow. I'd just make sure to check the router and its logs for a few weeks to make sure it didn't happen again.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •