
#1 2013-03-18 16:57:46

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Trying to find the guy torrenting on our network at work

Some guy is torrenting movies on our network.  Information via nmap on the target ip address keeps coming back as an hp printer.  Any ideas on how to find the guy?


In order to understand recursion, one must first understand recursion.

Offline

#2 2013-03-18 18:33:26

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 3,424
Website

Re: Trying to find the guy torrenting on our network at work

About how many computers are on this network? I wonder if you could find out who it is using some sort of social hack or something... big_smile

EDIT: And how many users?

Last edited by drcouzelis (2013-03-18 18:40:52)

Offline

#3 2013-03-18 18:37:43

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 12,393

Re: Trying to find the guy torrenting on our network at work

Have you access to the routers and their logs?
Maybe some quality time with Wireshark?

Edit:  Of course, if you just want it to stop without finding the perpetrator, sometimes a thinly veiled warning about policy, responsibility, consequences, and an ongoing investigation into abuse might make it stop.

Last edited by ewaller (2013-03-18 20:06:50)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Like you, I have no idea what you are doing, but I am pretty sure it is wrong...Jasonwryan
----
How to Ask Questions the Smart Way

Offline

#4 2013-03-18 19:47:00

tladuke
Member
Registered: 2009-07-23
Posts: 171

Re: Trying to find the guy torrenting on our network at work

http://www.netdisco.org/

If you have somewhat more expensive network gear, you could turn off his port on the switch.

Offline

#5 2013-03-18 21:01:37

Awebb
Member
Registered: 2010-05-06
Posts: 4,131

Re: Trying to find the guy torrenting on our network at work

Start firing people until the torrent traffic stops, then re-employ the rest.

Offline

#6 2013-03-18 23:50:53

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Re: Trying to find the guy torrenting on our network at work

drcouzelis wrote:

About how many computers are on this network? I wonder if you could find out who it is using some sort of social hack or something... big_smile

EDIT: And how many users?

Unfortunately the network is too big and there are too many users on any given day to approach the problem this way.  There are hundreds of users who use the network.

We have many different workstations on the network in different departments as well as a Wide Area Network.  I have ruled out the possibility of it coming from a workstation computer; I am pretty sure they are torrenting via wireless network connection on a personal laptop.

I will monitor some network traffic tomorrow with Wireshark and see what I can find.  Usually the ISP catches wind of the torrenting the minute it starts happening and notifies me.  I have the torrenter's IP and MAC address now, just waiting for them to come back online and torrent some more.


In order to understand recursion, one must first understand recursion.

Offline

#7 2013-03-18 23:59:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 12,393

Re: Trying to find the guy torrenting on our network at work

DeadDingo wrote:

I have the torrenter's IP and MAC address now, just waiting for them to come back online and torrent some more.

Assuming they are not too bright, the MAC could tell you what chipset they are using.  It might narrow down the search some.  On the other hand, you said it appeared to be a printer; maybe they are MAC spoofing already.

How many access points are there with the SSID? Can you track down which one is associated to them?  Can you obtain signal strengths from the various clients from the APs?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Like you, I have no idea what you are doing, but I am pretty sure it is wrong...Jasonwryan
----
How to Ask Questions the Smart Way

Offline

#8 2013-03-19 05:03:48

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Re: Trying to find the guy torrenting on our network at work

Unfortunately it does seem like whoever it is might be MAC spoofing already given the previous nmap scan.

We have about 10 different access points all broadcasting the same SSID.  However, each access point is mounted outside on different buildings.  So if I could figure out which SSID is associated to them I could narrow it down to what building it is coming from which would be a huge help.  I'm not sure how to go about that, except by logging into each access point and checking the logs for that specific ip address.  There must be a better way.


In order to understand recursion, one must first understand recursion.

Offline
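One way to answer the "which access point was this MAC on, and when" question without logging into each AP, as an added example that is not part of any post in this thread. It assumes the APs forward hostapd-style association messages to a central syslog collector; the AP hostnames and MAC addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: lines as a central syslog collector might store them.
# AP hostnames and MACs (RFC 7042 documentation range) are made up (assumption).
SAMPLE_LOG = """\
2013-03-18T09:02:11 ap-bldg-a hostapd: wlan0: STA 00:00:5e:00:53:0a IEEE 802.11: associated
2013-03-18T09:05:40 ap-bldg-c hostapd: wlan0: STA 00:00:5E:00:53:7F IEEE 802.11: associated
2013-03-18T09:41:03 ap-bldg-d hostapd: wlan0: STA 00:00:5e:00:53:7f IEEE 802.11: associated
2013-03-18T10:15:27 ap-bldg-d hostapd: wlan0: STA 00:00:5e:00:53:7f IEEE 802.11: disassociated
2013-03-18T10:20:00 ap-bldg-a hostapd: wlan0: STA 00:00:5e:00:53:0a IEEE 802.11: disassociated
2013-03-18T16:50:12 ap-bldg-c hostapd: wlan0: STA 00:00:5e:00:53:7f IEEE 802.11: associated
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) hostapd: \S+ STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)\s*$", re.IGNORECASE)

def parse_events(text):
    """Return time-sorted (timestamp, ap, mac, event) tuples; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ap"],
                           m["mac"].lower(), m["event"].lower()))
    return sorted(events)

def sessions_for(events, mac):
    """Build [ap, start, end] sessions for one MAC; end is None while still associated."""
    mac = mac.lower()
    out, current = [], None
    for ts, ap, _, event in (e for e in events if e[2] == mac):
        if event == "associated":
            if current:               # roamed with no disassociation logged
                current[2] = ts
            current = [ap, ts, None]
            out.append(current)
        elif current and current[0] == ap:   # ignore stale events from old APs
            current[2] = ts
            current = None
    return out

def ap_at(sessions, when):
    """Name of the AP the client was associated with at `when`, or None."""
    return next((ap for ap, start, end in sessions
                 if start <= when and (end is None or when < end)), None)
```

Passing the timestamp from an ISP notice to `ap_at` gives the building to look at; the same session list also shows when a client roams between APs.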

#9 2013-03-19 08:15:50

McDoenerKing
Member
From: Germany
Registered: 2010-06-21
Posts: 57

Re: Trying to find the guy torrenting on our network at work

Introduce username/password system for wireless network access. This is how most universities in Germany prevent illegal actions over their network. If they catch the IP address they can check their logs for the userid and thus they know who was the culprit. It may be a lot of work, but it may be worth it.

Is the wireless access for private use or are you using it for the workstations and computers too?
Every big company I have been to had static IP and wired access only. Personal laptops/smartphones weren't allowed for a reason. smile

Offline

#10 2013-03-21 04:19:26

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Re: Trying to find the guy torrenting on our network at work

There are a few things regarding our network and security that I would love to change.  But for the time being I have to work with what I have.  Our wireless network is open access.  However, we do have domain username/password authentication required to actually use the wireless.  But this was quickly defeated with the silly implementation of the "guest" account access which requires no domain credentials.  Unfortunately my place of work loves to make security sacrifices to give way to convenience.

I am going to spend a bit of time on Wireshark the next few days to see if I can gather a bit more information on this issue.


In order to understand recursion, one must first understand recursion.

Offline

#11 2013-03-21 05:38:11

progandy
Member
Registered: 2012-05-17
Posts: 2,146

Re: Trying to find the guy torrenting on our network at work

Can't you limit the guest account to the local network and specific protocols like http and https? Then everyone using torrents will have to log in with their username.
At least limit the bandwidth for guests, maybe to ISDN bandwidth.

Offline

#12 2013-03-21 09:39:05

Nico666
Member
Registered: 2012-04-24
Posts: 56

Re: Trying to find the guy torrenting on our network at work

I can see this is a single user in quite a big network.

If the network is that big, why not just let him/her? He/she is doing the torrenting from a personal laptop, so probably is not doing constant massive traffic from a seedbox, but is just not turning off his/her torrent client (which probably auto-starts in the background).

Offline

#13 2013-03-21 09:54:34

McDoenerKing
Member
From: Germany
Registered: 2010-06-21
Posts: 57

Re: Trying to find the guy torrenting on our network at work

@Nico666
His ISP is contacting him about this, so clearly this needs to be fixed and it shouldn't be allowed to do (possibly) illegal actions from an open network.

@DeadDingo
You might be able to use this case with your legal department to press changes in the network and security. I know that companies hate to be sued, because it means a lot of lost money. I do not know if your company is on isolated ground, but if it isn't it might even be a stranger, who found this honey pot for himself. If MAC spoofing and such techniques are already in use, I would make a list of departments with tech-savvy people to have a smaller sample to look through first.

EDIT: Shutting down guest account should be the last resort, because whoever thinks it is fine to use his work's network to torrent deserves to be fired. It just shows bad personality which no one needs in a company.

Last edited by McDoenerKing (2013-03-21 09:56:27)

Offline

#14 2013-03-21 10:30:53

progandy
Member
Registered: 2012-05-17
Posts: 2,146

Re: Trying to find the guy torrenting on our network at work

We have about 10 different access points all broadcasting the same SSID.  However, each access point is mounted outside on different buildings.  So if I could figure out which SSID is associated to them I could narrow it down to what building it is coming from which would be a huge help.  I'm not sure how to go about that, except by logging into each access point and checking the logs for that specific ip address.  There must be a better way.

Maybe a traceroute / tracepath to the IP lists your access points?
You could also wait for torrenting access and then shut down one AP after another until the torrent traffic vanishes. (claim maintenance reasons, e.g. firmware update big_smile )

Offline

#15 2013-03-21 10:44:29

2ManyDogs
Member
Registered: 2012-01-15
Posts: 1,635

Re: Trying to find the guy torrenting on our network at work

Is this causing network problems, or does it just annoy you because you know it is happening?

Offline

#16 2013-03-21 14:17:23

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Re: Trying to find the guy torrenting on our network at work

Ha, this is great, we are now being contacted by the Motion Picture Association of America and the Recording Industry Association of America.

@McDoenerKing
That is not a bad idea, especially now that we are receiving multiple messages about this daily.

@progandy
traceroute isn't a bad idea. I'll give that a try next time the guy pops up on the network.  Also gonna spend some quality time with Wireshark over the next little while.


In order to understand recursion, one must first understand recursion.

Offline

#17 2013-03-21 16:00:35

dag
Member
From: US
Registered: 2013-01-20
Posts: 216

Re: Trying to find the guy torrenting on our network at work

Block ports 1024-65535; these are the areas torrent apps use. Try to find his IP (Wireshark and the like) and have a talk.


--------------------------------------
alcoves wonder creates the wonder unto the ages; never lose that.

Offline

#18 2013-03-21 16:45:25

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,602

Re: Trying to find the guy torrenting on our network at work

DeadDingo wrote:

Ha, this is great, we are now being contacted by the Motion Picture Association of America and the Recording Industry Association of America.

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#19 2013-03-21 17:07:13

Awebb
Member
Registered: 2010-05-06
Posts: 4,131

Re: Trying to find the guy torrenting on our network at work

alphaniner wrote:
DeadDingo wrote:

Ha, this is great, we are now being contacted by the Motion Picture Association of America and the Recording Industry Association of America.

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.

It might be, depending on the law in the respective country.

Offline

#20 2013-03-24 00:57:54

DeadDingo
Member
Registered: 2012-09-29
Posts: 46

Re: Trying to find the guy torrenting on our network at work

Well, I'm on vacation for a week so I'm gonna have to let it go for right now.  Will resume the hunt when I get back haha.


In order to understand recursion, one must first understand recursion.

Offline

#21 2013-03-24 11:23:30

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Trying to find the guy torrenting on our network at work

dag wrote:

Block ports 1024-65535; these are the areas torrent apps use. Try to find his IP (Wireshark and the like) and have a talk.

I agree, I'd go even further and block outbound ports except the ones needed... just guessing TCP{21,22,80,443}. You should be blocking all unneeded outbound ports anyway.

alphaniner wrote:

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.

Unfortunately, this may not be the case depending on the country.

If you are required by law to prevent abuse of your network, this is a policy issue. You need to tell your boss that the law requires you to implement measures to prevent this. Your organization can handle the problem one of three ways.

One, technically with you.

Two, legally in court with lawyers.

Three, financially by paying off the MPAA and RIAA.

The option that will save the organization the most money is option number one, technically with you.

It sounds like your boss may not allow you to do it with technical measures. If so, start forwarding the emails from the MPAA and RIAA to the accounting/billing department. That should light a fire under their butts tongue

Last edited by hunterthomson (2013-03-24 13:23:31)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#22 2013-03-24 19:48:05

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Trying to find the guy torrenting on our network at work

alphaniner wrote:
DeadDingo wrote:

Ha, this is great, we are now being contacted by the Motion Picture Association of America and the Recording Industry Association of America.

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.

Kinda like how it's not Google's responsibility to mitigate Oracle's failure or Samsung's job to ensure Apple makes a profit in the smartphone market, or...

If patent and copyright trolls were reasonable, none of this bullshit would be a problem.  As it is, the OP's employer would probably be on the hook for one careless and selfish employee.

Offline
