Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Detecting irregular programs and services installed in your network - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Detecting irregular programs and services installed in your network

When the corporate network becomes target, auditing for security policy compliance can be challenging if you don't have a software controlling irregular usage of administrator privilege granted and being used to install unauthorized software or to change configuration by installing services that could cause an interruption in network service. Examples of this possible issues are additional DHCP Servers (IPv4 and IPv6), Dropbox, Spotify or ARP scanning devices.

We can use nmap to detect all protocols that sends broadcast packets and are supported by packetdecoders.lua:

  • Ether
    • ARP requests (IPv4)
    • CDP - Cisco Discovery Protocol
    • EIGRP - Cisco Enhanced Interior Gateway Routing Protocol
    • OSPF - Open Shortest Path First
  • UDP
    • DHCP
    • Netbios
    • SSDP
    • HSRP
    • DropBox
    • Logitech SqueezeBox Discovery
    • Multicast DNS/Bonjour/ZeroConf
    • Spotify

The following example shows how to use nmap with the broadcast listener script and we can see the result of a device with dropbox installed, a device sending ARP request (a router in this case) and a device sending DHCPv6 requests:

nmap broadcast detection script

You can run this program periodically to track common security issues in your network, just in case your IPS could be missing something ;)

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

195 Posts
ISC Handler
Oct 5th 2014

Sign Up for Free or Log In to start participating in the conversation!