Tracking VNC Abusers

Networking/Security Forums -> Computer Forensics and Incident Response

Author: carringtonmcLocation: USA PostPosted: Sat Aug 23, 2008 12:51 pm    Post subject: Tracking VNC Abusers
Let's say you administer a network running Windows XP Pro SP2, with a large amount of users. On this network there's a user who's abusing a VNC program, utilizing it to snoop on other users in real time.

Is there a means of detecting when VNC is used on the network? Is there a way to uncover footprints of VNC being used on a host, and a means of tracing those footprints back to the source of where VNC was executed (IP, username, etc)?

I know about looking for the VNC process via Task Manager/Processes. I know about netstat -n -a -p tcp. I know about searching the PC for VNC software that may have been remotely installed for access, and looking for a VNC active icon on the toolbar.

Because of the large number of users on the network, I need a way to monitor the network as a whole, sniffing for a VNC process, or tracking footprints back to the source from a PC which was possibly victimized.

Reminder: This is being done /by/ a user of the network /within/ the network enclave. Meaning a firewall packet trap listening for port 5900-etc traffic isn't going to solve this issue.

Any feedback pertaining to this matter will be greatly appreciated. Thanks!

Author: ashu.wifiLocation: Heaven PostPosted: Sat Aug 23, 2008 1:32 pm    Post subject: Re: Tracking VNC Abusers

Once i found an very nice video tutorial about finding sniffers in yours network have a look

also try using netstat -b switch that show you which application is connecting to which process Smile

Moderator note: removed integral quote of post immediately above - capi

Networking/Security Forums -> Computer Forensics and Incident Response

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group