Author Topic: tool to query hostnames & devicenames  (Read 970 times)


Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #25 on: January 19, 2019, 10:46:34 am »
With Fing you can create an inventory of your devices and receive alerts when new devices have joined your campus network since your last scan; but in order to achieve it, you also need to set up an account.

This gives us an idea: we *might* ask our visitors to create an account when they take their ticket at the reception, so we can then monitor their machines, with a perfect inventory of IP, os, machine description, etc, so, during periodical checks, all the machines not on the list will be easy to be labelled as "suspicious".

As far as I have understood, without creating a Digital Device Inventory, Fing can only try IP addresses in batches, and relies on the underlying Linux kernel to buffer ARP replies; but this is basically what nmap -sn (ping scan flag) does.
the Bunker is open!
(shortcut)
 

Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #26 on: January 19, 2019, 11:03:01 am »
In the meanwhile, I am assembling a couple of armored cabinets for routers, and precious servers and weird stuff :D
the Bunker is open!
(shortcut)
 

Offline Nominal Animal

  • Frequent Contributor
  • **
  • Posts: 505
  • Country: fi
    • My home page and email address
Re: tool to query hostnames & devicenames
« Reply #27 on: January 19, 2019, 02:42:26 pm »
This gives us an idea: we *might* ask our visitors to create an account when they take their ticket at the reception, so we can then monitor their machines, with a perfect inventory of IP, os, machine description, etc, so, during periodical checks, all the machines not on the list will be easy to be labelled as "suspicious".
You definitely need the inventory, in some form of another.

You could do what e.g. coffee shops and such do, and redirect all traffic from unknown devices to a registration page, where they type in their information, and a short key they obtain from any authorized lab worker. (The keys might be sorted in "untrusted visitor, external web access only" and "student"; "three hours", "today", "this week"; and preprinted and put in some jar not trivially accessible to guests. Anything else the admin handles.)

Again, this is just the combined two first steps in the security scheme.  The unknown device users have to talk to a human to get a key, and the humans have very simple and friendly criteria how to behave.  Any lab worker can hand off those "guest" keys for a day, they just need to help the guest fill in the web form. (That is to ensure the guests won't just fill in asdfgfgfds. It is easy to describe/frame it as "courtesy and helping" instead of "we're suspicious of you".  Trust but verify.)

armored cabinets
Standard racks, with doors you can close and lock on all sides (even though you can pick the lock using a twig), should suffice if in-campus.

For wireless routers, don't bother; just have a piece of security cable tied to keep it in place if human reachable, so it is not just trivially swipable.  (Same applies to video projectors and such, by the way.)

All access problems I've observed have been caused by students letting in complete strangers through locked doors (naïve, don't want to look prejudiced), or by personnel or students with an obvious drug/gambling/kleptomania problem looking for wallets to swipe.  Again, the first step is making it look like it is not worth the effort of trying to obtain access without permission.  So, not so much making it look impossible, just make it look too noisy and too obvious trying to break them.

If you make security practices cumbersome, people will just work around it.  It is important to try and make it easier to do it right, than bypass it.  This is the major reason why I tend to implement home-brew scripts for monitoring and such, not NIH.  There just aren't modular security component services that one could combine to fit very different needs; they all want to be the overarching framework that stuff happens under.  (Yes, I am one of those who are disgusted by the awful design and implementation of the pile of crap called systemd. I don't like the approach at all.)

Again, if I were to write the identifying service, I'd make it trivial to install and configure, even for embedded devices; and as simple as humanly possible.  Have it just do that one thing, reliably identify the machine based on Ethernet/WiFi queries.  The server side would similarly have to be modular.

I very definitely subscribe to Unix philosophy and the KISS principle.  I do choose the paranoid approach and overengineer the code I write, but I don't see any contradiction or real NIH symptoms in that.
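One way to implement the pre-printed key scheme described above (role-sorted keys, "three hours" / "today" / "this week" validity, handed out by a lab worker and typed into the registration page), as an added example that is not part of the post. It assumes, as my own design choices rather than the poster's, that keys are random and single-use, that only their SHA-256 hashes are kept on the server, and that the validity window starts at the moment the key is redeemed on the registration page.

```python
"""Added example: pre-printed guest keys for a registration page.

Assumptions (mine, not the thread's): keys are printed once, stored only
as SHA-256 hashes, single-use, and carry an access class ("guest" =
external web only, "student") plus a validity class whose window starts
when the key is redeemed.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

# Validity classes named in the post; each maps redemption time -> expiry.
VALIDITY = {
    "three hours": lambda t: t + timedelta(hours=3),
    "today": lambda t: t.replace(hour=23, minute=59, second=59, microsecond=0),
    # end of the current ISO week (Sunday 23:59:59); weekday() is 0 = Monday
    "this week": lambda t: (t + timedelta(days=6 - t.weekday())).replace(
        hour=23, minute=59, second=59, microsecond=0),
}


def _digest(key: str) -> str:
    # Only the hash is stored, so a copy of the server table cannot be
    # used to mint valid keys.
    return hashlib.sha256(key.encode()).hexdigest()


def print_batch(access, validity, count, store):
    """Generate `count` keys of one access/validity class, record their
    hashes in `store`, and return the plaintext keys for printing (the
    only time they exist in clear)."""
    if access not in ("guest", "student") or validity not in VALIDITY:
        raise ValueError("unknown access class or validity")
    keys = []
    for _ in range(count):
        key = secrets.token_hex(4).upper()  # 8 hex chars: easy to type from paper
        store[_digest(key)] = {"access": access, "validity": validity, "used": None}
        keys.append(key)
    return keys


def redeem(key, device, store, now):
    """Redeem a key at the registration page for `device` (whatever the
    form collected: MAC, description, name). Returns the registration
    record, or None if the key is unknown or already used."""
    rec = store.get(_digest(key.strip().upper()))
    if rec is None or rec["used"] is not None:
        return None
    rec["used"] = now  # single use: a second redemption fails
    return {
        "device": device,
        "access": rec["access"],
        "expires": VALIDITY[rec["validity"]](now),
    }


def is_allowed(reg, now):
    """Periodic check: is this registration still inside its window?"""
    return reg is not None and now <= reg["expires"]


if __name__ == "__main__":
    store = {}
    batch = print_batch("guest", "three hours", 5, store)
    print("keys to print and put in the jar:", batch)
    reg = redeem(batch[0], {"mac": "00:11:22:33:44:55", "desc": "visitor laptop"},
                 store, datetime.now())
    print("registered:", reg)
```

The periodic check then only needs the registration records: any device on the network whose registration is missing or expired is the "suspicious" case from the earlier post, and the lab worker never has to see the server table at all.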
 

Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #28 on: January 19, 2019, 10:37:45 pm »
Standard racks, with doors you can close and lock on all sides [...] and overengineer the code I write, but I don't see any contradiction or real NIH symptoms in that.

yeah, I meant this with humor. I bought two second-hand racks, they arrived without doors, so I also bought the doors, and now we are assembling them.

We also have a couple of HP-RP3440 rack-machines. They perfectly fit the rack  :D
the Bunker is open!
(shortcut)
 
The following users thanked this post: Nominal Animal

Offline dmills

  • Super Contributor
  • ***
  • Posts: 1470
Re: tool to query hostnames & devicenames
« Reply #29 on: January 20, 2019, 08:15:47 am »
Not everything even has the notion of a hostname....
I know some of our kit does not, but everything on an IP network has the notion of a MAC address, and the ARP tables will have the data to map from IP address to MAC and ultimately to a particular port on a particular switch.

The grown up switch vendors (Cisco, Arista, Juniper and the like) have tools to locate which switch and port is hosting a given MAC address, so providing you work on that level you can use ARP to map from IP address->MAC, then query the switching fabrics routing tables to figure out which port on your switches. 

It might actually be worth seeing if the NOC team from the CCC could give you any hints, after all, you only think your toy little campus lab is full of free thinking, cable fiddling, SNMP poking, exploit trying hackers, trust me, Congress has it worse (~17,000 of 'em turned up this year)!

For most things with a real OS, you might find that enabling LLDP gets you what you need easily, but not everything will support lldpd, when it is available however, it is an excellent tool.

Regards, Dan.
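The IP -> MAC -> switch port chain described in the post above, joined with the device inventory from the earlier "label everything not on the list as suspicious" idea, as an added example that is not from the thread. All input is constructed: the `ip neigh show` lines, the MAC address table of two hypothetical switches (in practice dumped via SNMP BRIDGE-MIB or the vendor CLI), the set of uplink ports and the inventory. The one edge case worth handling is that a MAC is learned on every switch along the path, so only a hit on a non-uplink port tells you where the cable actually goes.

```python
"""Added example: locate each ARP neighbour on a switch port and flag
devices missing from the inventory.

All data below is constructed for the example. Switch names, ports and
MACs are hypothetical.
"""
from collections import namedtuple

Device = namedtuple("Device", "ip mac state switch port status")

# Constructed `ip neigh show` output from the monitoring host.
IP_NEIGH = """\
10.0.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.5.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.5.77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
10.0.5.99 dev eth0  FAILED
"""

# Constructed MAC tables: (switch, port, mac). sw-lab hangs off
# sw-core Gi1/0/1; an unmanaged switch we have no table for hangs off
# sw-core Gi1/0/2.
FDB = [
    ("sw-core", "Gi1/0/48", "00:11:22:33:44:01"),
    ("sw-core", "Gi1/0/1", "00:11:22:33:44:23"),
    ("sw-core", "Gi1/0/2", "00:11:22:33:44:77"),
    ("sw-lab", "Gi1/0/24", "00:11:22:33:44:01"),
    ("sw-lab", "Gi1/0/7", "00:11:22:33:44:23"),
]
UPLINKS = {("sw-core", "Gi1/0/1"), ("sw-core", "Gi1/0/2"), ("sw-lab", "Gi1/0/24")}

# Constructed inventory: MAC -> registered description.
INVENTORY = {
    "00:11:22:33:44:01": "router",
    "00:11:22:33:44:23": "lab-pc-07",
}


def parse_ip_neigh(text):
    """Parse `ip neigh show` lines into {ip: (mac, state)}. Entries in
    FAILED/INCOMPLETE state carry no lladdr and are skipped."""
    out = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if "lladdr" not in tok:
            continue
        mac = tok[tok.index("lladdr") + 1].lower()
        out[tok[0]] = (mac, tok[-1])   # last token is the NUD state
    return out


def locate(mac, fdb, uplinks):
    """Return (switch, port) for the edge port on which `mac` is learned.
    Hits on uplink/trunk ports only say 'somewhere behind this port'."""
    hits = [(sw, port) for sw, port, m in fdb if m == mac]
    edge = [h for h in hits if h not in uplinks]
    if len(edge) == 1:
        return edge[0]
    return None   # never seen, or only behind an uplink (unmanaged switch, AP)


def audit(neigh_text, fdb, uplinks, inventory):
    """Join neighbour table, MAC tables and inventory into Device rows."""
    devices = []
    for ip, (mac, state) in parse_ip_neigh(neigh_text).items():
        loc = locate(mac, fdb, uplinks) or (None, None)
        if mac in inventory:
            status = "known:" + inventory[mac]
        elif loc == (None, None):
            status = "unknown, port not located"
        else:
            status = "unknown"
        devices.append(Device(ip, mac, state, loc[0], loc[1], status))
    return devices


if __name__ == "__main__":
    for d in audit(IP_NEIGH, FDB, UPLINKS, INVENTORY):
        print(f"{d.ip:<12} {d.mac}  {d.state:<10} {d.switch or '-':<8} {d.port or '-':<9} {d.status}")
```

On the constructed data this places the router on sw-core Gi1/0/48 and lab-pc-07 on sw-lab Gi1/0/7, and reports 10.0.5.77 as unknown and not locatable, which is the case that sends someone to look at whatever hangs off sw-core Gi1/0/2.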
 

Offline LapTop006

  • Supporter
  • ****
  • Posts: 326
  • Country: au
Re: tool to query hostnames & devicenames
« Reply #30 on: January 20, 2019, 07:38:19 pm »
Not everything even has the notion of a hostname....
I know some of our kit does not, but everything on an IP network has the notion of a MAC address, and the ARP tables will have the data to map from IP address to MAC and ultimately to a particular port on a particular switch.

Ethernet perhaps, not all IP (PPP, for example, has no MAC; neither does SONET, IIRC)
 

Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #31 on: January 22, 2019, 01:30:36 am »
It might actually be worth seeing if the NOC team from the CCC could give you any hints, after all, you only think your toy little campus lab is full of free thinking, cable fiddling, SNMP poking, exploit trying hackers, trust me, Congress has it worse (~17,000 of 'em turned up this year)!

 :-DD
the Bunker is open!
(shortcut)
 

Offline dmills

  • Super Contributor
  • ***
  • Posts: 1470
Re: tool to query hostnames & devicenames
« Reply #32 on: January 22, 2019, 04:36:14 am »
It might actually be worth seeing if the NOC team from the CCC could give you any hints, after all, you only think your toy little campus lab is full of free thinking, cable fiddling, SNMP poking, exploit trying hackers, trust me, Congress has it worse (~17,000 of 'em turned up this year)!
:-DD
Thing is, I was actually serious!

The Chaos Communications Congress network operations team are about as good as it gets at making networks still work under those kinds of conditions (And they ~Mostly~ don't bite).

The NOC for defcon or Blackhat might be other good options.

Regards, Dan.
 

Offline MarkR42

  • Contributor
  • Posts: 12
  • Country: gb
Re: tool to query hostnames & devicenames
« Reply #33 on: January 22, 2019, 05:39:33 am »
Maybe you could try to stick to modern standard protocols and use MDNS / Bonjour?

The added advantage is that it should interoperate with Apple's software (And many Linux boxes use the avahi-daemon to provide MDNS too)

Install avahi-daemon on your Linux box, and try avahi-browse -a
 

Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #34 on: January 22, 2019, 05:53:21 am »
The Chaos Communications Congress network operations team

I was laughing because I was not thinking you were serious, I mean that *they* do serious stuff with a lot of users. For sure more than 200 like in my case.

but it's really a good idea, I can try to contact someone for hints :D
the Bunker is open!
(shortcut)
 

Offline legacy

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: 00
Re: tool to query hostnames & devicenames
« Reply #35 on: January 22, 2019, 05:56:01 am »
avahi-daemon

yup, we are working on a couple of Gentoo/HPPA machines just right now.

Code:
net-misc/lldpd
      Homepage:      https://vincentbernat.github.com/lldpd/
      Description:   Implementation of IEEE 802.1ab (LLDP)

Code:
net-dns/avahi
      Homepage:      http://avahi.org/
      Description:   System which facilitates service discovery on a local network

These are now in our Catalyst profile for building a new stage4 :D
the Bunker is open!
(shortcut)
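For what the lldpd package above (and the earlier suggestion to enable LLDP) actually hands an inventory tool, here is a minimal parser for IEEE 802.1AB LLDP frames, added as an example that is neither the thread's nor lldpd's code. It decodes the mandatory Chassis ID, Port ID and TTL TLVs plus the System Name, and rejects truncated or non-LLDP frames. The frame it parses is built by the same block, so all values (the MAC, interface name and system name) are constructed.

```python
"""Added example: parse the LLDPDU carried in an 802.1AB frame.

Frame layout: Ethernet header (dst 01:80:c2:00:00:0e, EtherType 0x88cc)
followed by TLVs, each with a 16-bit header: 7-bit type, 9-bit length.
Mandatory TLVs: Chassis ID (1), Port ID (2), TTL (3); End of LLDPDU (0).
All sample values below are constructed.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl",
             4: "port_desc", 5: "sys_name", 6: "sys_desc"}


def _tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac, chassis_mac, port_name, sys_name, ttl=120):
    """Build a constructed LLDP frame, as a host running lldpd would send."""
    lldpdu = (_tlv(1, b"\x04" + chassis_mac)          # chassis ID subtype 4 = MAC
              + _tlv(2, b"\x05" + port_name.encode())  # port ID subtype 5 = ifname
              + _tlv(3, struct.pack("!H", ttl))
              + _tlv(5, sys_name.encode())
              + _tlv(0, b""))                          # end of LLDPDU
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Return the neighbour's identity from one LLDP frame.
    Raises ValueError for a wrong EtherType, a TLV whose length runs past
    the frame, or missing mandatory TLVs."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": _fmt_mac(frame[6:12])}
    pos = 14
    while pos + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")   # never trust the length field
        pos += 2 + length
        if tlv_type == 0:
            break
        if tlv_type in (1, 2):
            if not value:
                raise ValueError("empty ID TLV")
            subtype, body = value[0], value[1:]
            # chassis subtype 4 and port subtype 3 are MAC addresses;
            # other subtypes (ifname, locally assigned, ...) are text
            is_mac = (tlv_type == 1 and subtype == 4) or (tlv_type == 2 and subtype == 3)
            info[TLV_NAMES[tlv_type]] = _fmt_mac(body) if is_mac else body.decode(errors="replace")
        elif tlv_type == 3:
            if length < 2:
                raise ValueError("short TTL TLV")
            info["ttl"] = struct.unpack("!H", value[:2])[0]  # 0 = neighbour going away
        elif tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode(errors="replace")
        # other TLVs (organisationally specific, type 127, etc.) are ignored
    for key in ("chassis_id", "port_id", "ttl"):
        if key not in info:
            raise ValueError(f"mandatory TLV missing: {key}")
    return info


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed
    print(parse_frame(build_frame(mac, mac, "eth0", "hppa-box")))
```

Chassis ID plus Port ID is the stable key to keep in the inventory; the System Name is only what the sender claims, and a TTL of 0 is the neighbour announcing that it is going away, which is a useful event to log alongside new-device alerts.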
 

