Network Monitoring with NMAP, DNS, and DHCP
Keeping track of the devices on a network is not something ordinary users usually concern themselves with. Most users will simply be satisfied that their device has an internet connection. With the recent rise of IoT, mobile, and home automation devices, it would be wise to take a closer look at the devices that occupy your network space. In this post I’ll cover how users can monitor their networks using DNS, DHCP, and NMAP.
By default, most devices that connect to a network will broadcast. This broadcast is seen by all devices on the same network, and each of them records the sender’s hardware address in an ARP table, or ARP cache. The hardware address, also referred to as a MAC address, is a unique value assigned to network interface hardware. Most MAC addresses are fixed, with the first 3 octets identifying the hardware vendor and the remaining 3 octets unique to each interface. MAC addresses can also be generated, so don’t assume they are carved in stone. Attackers will spoof MAC addresses precisely because of the false notion that they are fixed and unchangeable.
You can use the following command to view the devices on your network that have broadcast their MAC address.
sudo arp
Linux users will see the ARP table stored on their computer. Windows users will need to add the -a switch to the command to get the same information. Not every device on the network will appear in the results, because those devices have not broadcast, or have had no need to broadcast. One way to get their MAC addresses is to scan the IP addresses on your network. This can be done using NMAP; here is the command to do that.
sudo nmap -sn 192.168.0.0/24
The nice thing about NMAP is that it has a built-in MAC address vendor list. From the results, you can see the vendor names included. This is very useful for identifying the devices. Drawing from my work experience, there was a problem on the network of an employer I had recently started working for. I didn’t have any background on their network architecture. The server team had issues connecting to one of their servers and I heard staff in the office talking about it. I ran an NMAP scan and found a Polycom device using the same IP as the server that was offline. Sure enough, one of the telco team members was testing a new IP phone in the conference room and had inadvertently assigned it the same IP as the production server. The road to hell is paved with good intent, so it helps to have a view of the road, and NMAP makes a good flashlight.
Now that a basic inventory of your network has been done, we can move forward with using DHCP to assign IP addresses of our choosing to those MAC addresses. I’ll be showing how to use Linux DHCP Server in this post, but the technique is similar on other platforms. In my test network, I have a single DHCP subnet with a /24 netmask and a dynamic address range of x.180 to x.190, and my DHCP server is authoritative. With this configuration, any DHCP client that connects to the test network will get an address from 180-190. For the statically assigned IP addresses of known MAC addresses, I use a range of 160-179. For each of these known devices, I’ll create a host entry and enter the network settings specific to that device. Here are the details I enter for each.
Host description: Laptop-wlan-160
Host name: Laptop-wlan-160
Hardware Address: 01:23:45:67:89:ab
Fixed IP address: x.x.x.160

Host description: Laptop-eth-161
Host name: Laptop-eth-161
Hardware Address: 01:23:45:67:89:cd
Fixed IP address: x.x.x.161
From this example, you can see I have a laptop that has both a wired and a wireless connection. Both have been assigned a fixed IP in my DHCP host list. If I connect my laptop using the wireless network adapter, it will get the x.160 IP address. In contrast, if I connect using the ethernet cable, it will get the x.161 address. I continue with this convention for all of my known devices.
I could assign static IPs to these devices, but having them set as DHCP clients with fixed IP assignments gives me more information in the DHCP logs. A device with a statically assigned IP will not appear in the DHCP log. It’s the DHCP host status, lists, and logs that provide the network monitoring function we will use to identify any device connecting to the network.
As I mentioned, devices with statically assigned IP addresses will not appear in the DHCP logs. We can use NMAP to sweep our network looking for these devices. If there is a valid concern that a device connecting to the network is an intrusion, additional steps should be taken: use ACLs and firewall policies to deny traffic from any device not in an approved range. These policies are set on and applied to our services, gateways, and routers.
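To show what reviewing the DHCP log against the host list looks like in practice, here is an added example (not from the original post) in Python. It matches ISC dhcpd-style DHCPACK lines against the two example host entries; the host list, pool range and log lines are constructed samples.

```python
import re

# Known devices from the DHCP host list (constructed sample, using the post's example entries)
KNOWN_HOSTS = {
    "01:23:45:67:89:ab": ("Laptop-wlan-160", "192.168.0.160"),
    "01:23:45:67:89:cd": ("Laptop-eth-161", "192.168.0.161"),
}
DYNAMIC_POOL = (180, 190)  # last octet of the range handed to unlisted DHCP clients

# Constructed sample lines in ISC dhcpd syslog format (hypothetical hosts and MACs)
SAMPLE_LOG = """\
Jun 10 09:01:02 dhcpsrv dhcpd[812]: DHCPACK on 192.168.0.160 to 01:23:45:67:89:ab (Laptop-wlan-160) via eth0
Jun 10 09:05:44 dhcpsrv dhcpd[812]: DHCPACK on 192.168.0.183 to 0a:1b:2c:3d:4e:5f (android-phone) via eth0
Jun 10 09:07:10 dhcpsrv dhcpd[812]: DHCPACK on 192.168.0.184 to 0a:1b:2c:3d:4e:60 via eth0
Jun 10 09:09:00 dhcpsrv dhcpd[812]: DHCPREQUEST for 192.168.0.161 from 01:23:45:67:89:cd via eth0
"""

# DHCPACK lines record a completed lease; the client-supplied name in parentheses is optional
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((.*?)\))? via (\S+)", re.I)

def review_dhcp_log(text, known=KNOWN_HOSTS, pool=DYNAMIC_POOL):
    """Return (severity, mac, ip, note) findings for every lease acknowledged in the log."""
    findings = []
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, client_name, _iface = m.groups()
        mac = mac.lower()
        last_octet = int(ip.rsplit(".", 1)[1])
        if mac in known:
            host_name, fixed_ip = known[mac]
            if ip != fixed_ip:  # a listed device that did not get its fixed address
                findings.append(("warn", mac, ip, f"{host_name} expected {fixed_ip}"))
        elif pool[0] <= last_octet <= pool[1]:
            # unlisted device served from the dynamic pool: decide whether it belongs, then add a host entry
            findings.append(("unknown", mac, ip, f"client name {client_name or '?'}"))
        else:
            findings.append(("error", mac, ip, "lease outside the configured ranges"))
    return findings
```

Only DHCPACK lines are counted, so a listed device that is merely requesting its address produces no finding until the lease is confirmed.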
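Here is an added example (not from the original post) in Python of the sweep just described: it reads the normal output of `sudo nmap -sn 192.168.0.0/24` and separates live hosts that are in the DHCP host list, that came from the dynamic pool, and that sit on an address the DHCP log will never show. The host list and scan output are constructed samples.

```python
import re

# Known devices from the DHCP host list (constructed sample, using the post's example entries)
KNOWN_HOSTS = {
    "01:23:45:67:89:ab": ("Laptop-wlan-160", "192.168.0.160"),
    "01:23:45:67:89:cd": ("Laptop-eth-161", "192.168.0.161"),
}
DYNAMIC_POOL = (180, 190)  # last octet of the range handed to unlisted DHCP clients

# Constructed sample of `sudo nmap -sn 192.168.0.0/24` normal output (hypothetical devices and vendors)
SAMPLE_SCAN = """\
Nmap scan report for Laptop-wlan-160 (192.168.0.160)
Host is up (0.0030s latency).
MAC Address: 01:23:45:67:89:AB (Vendor A)
Nmap scan report for 192.168.0.183
Host is up (0.0041s latency).
MAC Address: 0A:1B:2C:3D:4E:5F (Vendor B)
Nmap scan report for 192.168.0.200
Host is up (0.0100s latency).
MAC Address: 0A:1B:2C:3D:4E:77 (Vendor C)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})", re.I)

def parse_nmap_sn(text):
    """Return (ip, mac) pairs; mac stays None for the scanning host, which prints no MAC line."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append([m.group(1), None])
        elif hosts and (m := MAC_RE.match(line)):
            hosts[-1][1] = m.group(1).lower()
    return [tuple(h) for h in hosts]

def classify_hosts(hosts, known=KNOWN_HOSTS, pool=DYNAMIC_POOL):
    """known: in the host list; leased: unlisted but inside the pool, so the DHCP log has it;
    suspect: unlisted and outside the pool, i.e. a static address only a sweep will reveal."""
    report = {"known": [], "leased": [], "suspect": []}
    for ip, mac in hosts:
        last_octet = int(ip.rsplit(".", 1)[1])
        if mac in known:
            report["known"].append((ip, known[mac][0]))
        elif pool[0] <= last_octet <= pool[1]:
            report["leased"].append((ip, mac))
        else:
            report["suspect"].append((ip, mac))
    return report
```

Expected infrastructure such as the gateway and the DHCP server itself belongs in the host list too; otherwise it lands in the suspect bucket on every sweep.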
Here is an example of such a device: the Raspberry Pi under the server room floor. This device was connected to a network and placed underneath the tile flooring of a server room. It had a statically assigned address and used the network gateway to access the internet. The owners and operators of the server room hired a network monitoring service to identify a problem. The monitoring service identified the Raspberry Pi on the network. After further isolation, the network connection the Raspberry Pi used was traced back. The intent of this device isn’t clear, but it obviously did not belong on that network.
For those devices that do serve a purpose on your network, you can take an additional step to monitor them. Using an in-house DNS is a useful way to track internet access. More often than not, hosts on your network will call internet hosts by their domain name. These names need to be resolved to an IP address before the communication can occur. The DNS does this by referencing tables of name-to-IP and IP-to-name mappings, or records. With an in-house DNS, any host that needs to talk to the internet by name will query your DNS to resolve the name to an IP. Your in-house DNS logs this request and then forwards it to an internet DNS that has the record. You can use the DNS logs to further understand how devices are used.
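As an added example (not from the original post) of using the in-house DNS logs, here is Python that groups BIND-style query-log lines by the device that asked, labelling clients with the names from the DHCP host list, and pulls out domains that only unlisted devices resolved. The resolver address, client addresses and domains are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Fixed addresses from the DHCP host list, so query counts can be shown per device (constructed sample)
HOST_NAMES = {"192.168.0.160": "Laptop-wlan-160", "192.168.0.161": "Laptop-eth-161"}

# Constructed sample lines in the style of a BIND query log (hypothetical clients and domains);
# the in-house resolver is 192.168.0.2 and 192.168.0.200 is a device not in the host list
SAMPLE_QUERY_LOG = """\
10-Jun-2024 09:00:01.101 client @0x7f1a2c0fd0a0 192.168.0.160#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.168.0.2)
10-Jun-2024 09:00:03.220 client @0x7f1a2c0fd0a0 192.168.0.160#51240 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.168.0.2)
10-Jun-2024 09:01:15.007 client @0x7f1a2c0fd0a0 192.168.0.183#40012 (updates.example.net): query: updates.example.net IN A + (192.168.0.2)
10-Jun-2024 09:01:15.009 client 192.168.0.200#55000 (unknown-host.example.org): query: unknown-host.example.org IN TXT + (192.168.0.2)
"""

# Older BIND versions omit the "@0x..." client pointer, so it is optional here
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#\d+ .*?: query: (\S+) IN (\S+)")

def summarize_queries(text, names=HOST_NAMES):
    """Return {device label: Counter of (name, record type)} so each device's lookups can be reviewed."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client_ip, qname, qtype = m.groups()
        label = names.get(client_ip, f"unlisted {client_ip}")
        summary[label][(qname.lower().rstrip("."), qtype)] += 1
    return dict(summary)

def names_seen_only_from_unlisted(summary):
    """Domains queried by devices outside the host list and by nobody else: a short review list."""
    listed, unlisted = set(), set()
    for label, counts in summary.items():
        target = unlisted if label.startswith("unlisted ") else listed
        target.update(qname for qname, _qtype in counts)
    return sorted(unlisted - listed)
```

Query logging has to be switched on in the resolver first (in BIND it is off by default), and the log only covers lookups that go through your DNS, not hosts that are configured to use an outside resolver directly.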
There are many more ways to monitor your network. These are some simple methods that leverage the services you currently use. Having a way to view the devices on your network is key to understanding how your network is operating. If you begin to see unexpected behavior on your network, you have some tools at your disposal to help identify the source.