Possible to be Sneaky?!

NotAGolf · 17 Nov 2006 at 19:26

Evening All! Just wondering if there are any programs out there that will allow me to monitor the network in my student house. Tried a google but the few I seem to find are geared towards wired networks, and any wireless monitors don’t seem to work.

The setup is as follows: Router (Netgear WGT624v3) attached to my computer wired. Up to 6 others connected wirelessly.

My problem is that i know some of them are using torrent apps when they shouldn't be :mad:

(we "agreed" to only download overnight). Is there anything I could do to work it out (apart from asking them as I know they will just lie :mad:

).

The only thing that seems to be of any use is the logs provided by the router, however the IP listed is usually wrong, as is the time, and it only shows part of the address sometimes which is pretty useless. However even if I do spot a site relating to torrents trackers/the IP address is wrong so I don’t know who it is!!!

So are there any geniuses out there that can help me be sneaky?!!! Thanks

bitslice · 17 Nov 2006 at 19:46

maybe get a network scanner and look for PC's with open TCP ports 6881-6999.

get snort and look for the following protocol signatures:

BitTorrent_Response
TCP_Probe_BitTorrent
BitTorrent_Get_Request

not easy though is it ?

.

NotAGolf · 17 Nov 2006 at 20:30

bitslice said:
not easy though is it ?
.

lol, certainly isn't! But thank for the feedback, any particular scanner?

EDIT: "get snort".... bit of a giveaway, sorry my bad!!

NotAGolf · 17 Nov 2006 at 21:04

I tried snort but its very unix based, and i know nothing about that so dont really like the idea of that. I've downloaded GFI LANguard NSS 7.0 which doesn't seem to have any wireless support. Any other ideas?

bitslice · 17 Nov 2006 at 22:14

I'd guess that to sniff their wireless traffic, you would need to tap the WAN port (plug it into a hub, plug a PC running a sniffer into that)

or disable the WEP/WPA encryption, add a wireless card to your PC and point the sniffer at that. (NB. only certain wireless cards can work in monitor mode)

or have them connect to another wireless AP and sniff that link to the netgear. That will let you dick about with their connection too. (add a firewall etc.)
tbh. looking at sniffer logs is bloody boring

It appears that the netgear supports port blocking at certain times, configure that to block the torrent ports during the day. Although they could remap it to port 80 if they were bothered

You could use nmap to scan for torrent ports in use.

this might be worth a look
http://www.lowth.com/rope/BlockingBittorrent

---
at work it's easier, I just scan for .torrent files in the firewall logs
.

NotAGolf · 18 Nov 2006 at 10:01

bitslice said:
It appears that the netgear supports port blocking at certain times, configure that to block the torrent ports during the day. Although they could remap it to port 80 if they were bothered

.

In the options for blocking ports on the router I have to specify the protocol and Ports used. Am i right in thinking that torrents use ports 6881-6999? And that it only uses the TCP protocol? And thanks for everyone's help, i wish these people would just do as they're told!

PS. How easy would it be to get round this? What are the steps required to use a different ports in uTorrent for example? And would I have to change my Upnp and other settings on the router? Thanks again.

MAllen · 18 Nov 2006 at 15:10

http://insecure.org/nmap/

Learn how to play with nmap. This will let you work out what your house mates are doing on their PCs. Well, what ports they have open which is the most important for you.

Also...

In the Netgear Router, you can make it always hand out the same IP address from DHCP to the PCs in the house. This will let you make more sense out of the logs. (And also know who you are probing with nmap) Also make sure that the clock in the router is set correctly, or using NTP to update itself.

This will not affect your housemate's use of the network, but will simplify your "management".

Also...

You are in the right area with the blocking of ports in the router. Perfect if you then set it to only work at certain times of day. Though, as you suspect, your house mates can change the ports that BT works on. Though with nmap you should be able to spot the changes.

This port locking in the router is your best bet. Learn how this works, and you can control your house network. (Just make sure you have changed the default login password for the router so you really are in control)

Also...

Dont forget that some PC users don't have a clue as to how to change the settings of their BT software. So they may not even know that it is running 24/7 in the task tray.

NotAGolf · 18 Nov 2006 at 18:32

Thanks for that MAllen, I have blocked the ports and put it on a schedule and that seems to be working at the moment however i think they may be able to change the ports so i will definately learn how to use NMAP.

MAllen said:
Also...

In the Netgear Router, you can make it always hand out the same IP address from DHCP to the PCs in the house. This will let you make more sense out of the logs. (And also know who you are probing with nmap) Also make sure that the clock in the router is set correctly, or using NTP to update itself.

I've adjusted the time, but i'm not sure about handing out the same IP addresses. Is this the "Use Router as DHCP Server" option? (This option is currently enabled) I think it probably is but if someone could confirm that for me?

The only other thing i can see that might be related is directly below that; there is an option called "Address Reservation" Where you have to manually enter the IP address, MAC address, name etc. Cold anyone give me any more information?

MAllen · 18 Nov 2006 at 19:00

"Use Router as DHCP Server" should be on. This means the router allocates the IP Addresses for each PC.

"Address Reservation" is the section that I was refering to. Try it with your own address. You can get your MAC address from ipconfig /all . Then this page lets you fix it so you always get the same IP Address when you turn on your PC.

You don't have to type in the details if you can find it in the list at the top of the page. This should list the devices currently connected to the router. Just tick it and hit Add. (From memory... the page is something like this?)

Using this list you can make sure everyone in the house always gets the same IP Address each time they turn on their PCs. This then lets you directly monitor each machine, know which one it is and spot who is abusing the file sharing out of hours. nmap would allow you to create a script to run an hourly check. Though be aware that probing somone's ports should make their firewall software complain.

Basically - read the manual of the router, and learn to control the available ports. And then read the nmap manual and learn how to do some port scanning.