
Security Forums


Tracking VNC Abusers

carringtonmc
Just Arrived
Joined: 22 Aug 2008
Posts: 0
Location: USA

Posted: Sat Aug 23, 2008 12:51 pm    Post subject: Tracking VNC Abusers

Let's say you administer a network running Windows XP Pro SP2, with a large number of users. On this network there's a user who's abusing a VNC program, utilizing it to snoop on other users in real time.

Is there a means of detecting when VNC is used on the network? Is there a way to uncover footprints of VNC being used on a host, and a means of tracing those footprints back to the source of where VNC was executed (IP, username, etc)?

I know about looking for the VNC process via Task Manager/Processes. I know about netstat -n -a -p tcp. I know about searching the PC for VNC software that may have been remotely installed for access, and looking for a VNC active icon on the toolbar.

Because of the large number of users on the network, I need a way to monitor the network as a whole, sniffing for a VNC process, or tracking footprints back to the source from a PC which was possibly victimized.

Reminder: This is being done /by/ a user of the network /within/ the network enclave. Meaning a firewall packet trap listening for port 5900-etc traffic isn't going to solve this issue.

Any feedback pertaining to this matter will be greatly appreciated. Thanks!
ashu.wifi
Lamer
Joined: 22 Aug 2008
Posts: 0
Location: Heaven

Posted: Sat Aug 23, 2008 1:32 pm    Post subject: Re: Tracking VNC Abusers

Hi

Once I found a very nice video tutorial about finding sniffers in your network, have a look:

http://www.irongeek.com/i.php?page=videos/finding-promiscuous-and-arp-poisoning-sniffers-on-your-network-with-ettercap

Also try using the netstat -b switch, which shows you which application is connecting to which process :)

Moderator note: removed integral quote of post immediately above - capi
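
Added example, not part of either post above: a sketch that sweeps `netstat -n -a -p tcp` output gathered from many hosts and reports which machine is running a VNC server, which is being viewed, and which IP is doing the viewing. The host names, addresses and sample output are constructed, and the 5900-5909 port range is an assumption (VNC displays :0 to :9 on default ports).

```python
import re
from collections import namedtuple

# Assumption: VNC displays :0-:9 on their default TCP ports (5900-5909).
VNC_PORTS = range(5900, 5910)
Finding = namedtuple("Finding", "host role viewer_ip server_ip port")

# Matches one TCP row of Windows "netstat -n -a -p tcp" output.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def find_vnc(host, netstat_text):
    """Return VNC-related findings from one host's netstat output."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, non-TCP rows
        laddr, lport, raddr, rport, state = m.groups()
        lport, rport = int(lport), int(rport)
        if lport in VNC_PORTS and state == "LISTENING":
            findings.append(Finding(host, "server-listening", None, laddr, lport))
        elif lport in VNC_PORTS and state == "ESTABLISHED":
            # A viewer is attached to this host's server: remote side is the source.
            findings.append(Finding(host, "being-viewed", raddr, laddr, lport))
        elif rport in VNC_PORTS and state == "ESTABLISHED":
            # This host connected out to a VNC server: it is the viewer.
            findings.append(Finding(host, "viewing", laddr, raddr, rport))
    return findings

# Constructed sample output from two hypothetical hosts (not from the thread).
SAMPLES = {
    "PC-ACCT-07": """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    10.0.4.17:5900         10.0.9.88:2214         ESTABLISHED
""",
    "PC-LAB-88": """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.9.88:2214         10.0.4.17:5900         ESTABLISHED
  TCP    10.0.9.88:1042         10.0.2.5:445           ESTABLISHED
""",
}

def sweep(samples):
    """Run find_vnc over every host's captured output."""
    return [f for host, text in samples.items() for f in find_vnc(host, text)]

if __name__ == "__main__":
    for finding in sweep(SAMPLES):
        print(finding)
```

A server moved off its default port will not match this port filter; in that case the executable names reported by `netstat -b` are the field to match on instead.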
All times are GMT + 2 Hours