You can wrap hook NMap to MySQL and cron with a bit of Perl and get e-mail alerts whenever there's an unauthorized system connected to your network. If your policy permits, you can then "prosecute" the system by gathering as much information as possible from the system without breaking into it (make sure your organization's policy allows this and make sure your supervisors know and support this).
You'd be amazed what info you can gather with NBTScan, SMBClient, NMBClient, SNMPWalk, and NMap. Note: all of these tools can gather information that a normal MS system offers up by default (withouth authentication). For awhile, the home version of XP not only had default shares, it also had SNMP enabled by default. Between all of those tools, you could determine MAC address, IP address, installed software, logged in users, IM logins, files available via P2P, running software (it's also common that people who disregard the rules concerning unauthorized systems are usually infected with one or more bits of malicious code), misc. keys and serial numbers. Couple that with whatever's available via open shares and it's rare that they can deny that the system was online.
As I no longer have that job, I cannot vouch for what's open by default on XP Home or XP Pro systems. Those systems have had a firewall enabled since SP2 but that often doesn't matter as people who take their laptops everywhere tend to have a lot of holes poked through the firewall.
It might be a learning experience if turn off your firewall and scan your laptop. (Hint: you not only want to learn what ports are open, you want to discover what services are running on those ports and what info is freely available via those services.) The older an install is, the more info it will usually offer up.
No comments:
Post a Comment