Home > Security > General IT Security
Network Sniff (TeamViewer)
by markevans4 on Jul 29, 2014 at 8:10 AM 1st Post
General IT Security Join the Community! Creating your account only takes a few minutes. Join Now
Hello everyone. I just started a new job as System Administrator but due to some issue in upper management i have more on my plate and have to take care of task for Network admin too. My skills on firewall are not so good and so would need some help from you guys. Keeping the political issue aside, I have been ask to sniff the network and see if a user (one specific user) is using TeamViewer from his desktop to connect to system outside of our company. (personal client on the side) Well I don't need to block any port. What HR wants is a report that shows that this user spends half of the day fixing IT problem for his client rather than helping company user. I did my research and found out that TV uses port 5938 and it will jump to other ports like 80 and 443 of 5938 is block. I sniff all the traffic going out to internet from his IP but how would one differentiate if the port 80 and 443 are TV traffic or regular internet traffic? What would be the best way to get accurate report on his activity with TV in specific? Any kind of help and information will be appreciated. Thank you. Reply 15 Subscribe
15 Replies Sponsored by Seagate Technology LLC
Serrano jeff cook Jul 29, 2014 at 9:06 AM
If you are already sniffing the traffic you should be able to see the DNS requests made by the PC. You can use the DNS response to map what IP is being used for what sever. This is more accurate then just reverse DNS. That is how you can tell where they are going. It might be best to reboot the PC to cause all DNS cache to be cleared and force new connections. Just so you know this takes time and make sure you save all raw capture files and burn to a non rewritable media. Also take lots of notes, then take more. That way when you are on the witness stand you can answer honestly and truthfully and have the data to back you up. For your documentation start with the formal written request to do this signed by the CEO or VP and HR and legal if you have one.
Datil Gearhead89 Jul 29, 2014 at 10:28 AM
Use PSEXEC to run a command from his machine http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx I usually copy it to C:\exec Open command prompt and type in cd C:\exec then psexec \\machinename -s -h betstat -b -f psexec \\machinename -s -h netstat -o -f Run netstat -b -f to get the .exe and the foreign address that it's communicating with Run netstat -o -f to find the PID and the foreign address that it's communicating with Using either the PID or -b you should be able to see that TeamViewer is being used throughout the day and what ports.
Ghost Chili [email protected]
Jul 29, 2014 at 11:16 AM Internal I.T. Ltd is an IT service provider.
What are you using for a firewall, most modern UTM/NGFW are application aware and can track apps like teamviewer base on their packet info.
Sonora Ivan-Ivan Jul 29, 2014 at 5:14 PM
Try with hidden/spy screen capture and you will have pretty nice proof.
Mace hutchingsp Jul 29, 2014 at 5:44 PM
I'd just go look at something like Spector360 - better and more understandable "proof" than a bunch of packet captures.
Tabasco Edward_B Jul 29, 2014 at 8:12 PM
+1 for SpectorSoft or similar. When it comes down to the nitty gritty of it HR will need simple reports / proof that they can later submit to the unemployment office or possibly even use in court (to battle a wrongful termination lawsuit). While that may not seem like something they want now, I've learned over the years its better to be proactive in your data compilations now, than to be scrambling in a reactive mode later.
Poblano Ridge Jul 29, 2014 at 9:05 PM
Keeping the political issue aside, I have been ask to sniff the network and see if a user (one specific user) is using TeamViewer from his desktop to connect to system outside of our company. (personal client on the side)
Sorry but the political issues must be dealt with first before you can safely deal with the technical issues at hand. You are being asked to do something that can get you fired and put in jail! Cover your bases. Make sure you have clear, written authorization from an executive, that specifically authorizes you to capture all traffic, to analyse all traffic, and report your finding. No matter who it is, if they refuse to provide you written authorization to perform a packet capture and analysis, then you should not do what they ask, and you should report it to someone else either at the same level or higher up.
Pimiento markevans4 Jul 29, 2014 at 10:00 PM
I have Cisco ASA 5515. Is that an application aware firewall?? Jeff and Gearhead89 thanks for your input. I will try your tips out. Ivan, hutchingsp, Edward_B thanks for pointing out the hidden/spy screen capture software. I had used some before (freeware) and as per my experience, you would have to login to the system to install\configure it. The guy under question is an IT person with 10 to 15 years of experience. So I don't want to do anything that might tip him off that something is going on. So looking for something that wont be detected. But I will look into SpectorSoft and see if there is a silent way to set it up. Ridge thanks for the input. Yes, I myself don't want to get into a llegal issue just beacuse someone in the HR wants me to find dirt on someone. I got my based covered with an written approval from HR and VP. Thank you, Mark.
Datil Gearhead89 Jul 29, 2014 at 11:42 PM
The Cisco ASA should be able to sniff the traffic out for you or some of it at least. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/11011... This would also help - http://www.firegen.com/
Mace hutchingsp Jul 29, 2014 at 11:57 PM
@markevans4 I'm pretty sure Spector is all but invisible though I'm sure they can confirm. I guess my only point is that if you're taking a disciplinary against someone I'd be very wary of doing it based on a bunch of pcaps and netstat and similar stuff that most folks simply won't understand vs. "There's screenshots with the dates and times".
Thai Pepper Jack (Veriato) Jul 30, 2014 at 12:14 AM Brand Representative for Veriato
Yes, Spector 360 or Spector CNE would definitely provide you with the information you are looking for. You can get data on the applications the users are using, how much time they are spending using those applications, the source/destination IP addresses and ports those applications are communicating on, etc. And, as mentioned above, you can provide screenshots to supplement the data that you collect and provide context around it. It is definitely something that is very easy for someone in, for example, HR, to comprehend. And yes, I agree that you should definitely work with HR and/or your company's legal department before implementing something like this. Also, make sure your company has an appropriate Acceptable Use Policy in place. Here are a couple of resources that you might find useful: Bringing Your Acceptable Use Policy Up to 2013 Standards (white paper, pdf, direct download) Is Employee Monitoring Legal? (article)
Veriato Spector360Review it:(0)
Veriato Spector CNE InvestigatorReview it:(0)
Cayenne is33 Jul 30, 2014 at 12:15 AM
Well, if you have SW running you can see what processes a given computer is running. I don't know if teamviewer is used day to day, if it isnt that should be enough to bring back to mgmt
Mace hutchingsp Jul 30, 2014 at 12:18 AM
Jack, because I work with nice people who never do anything untoward I've never needed to use a tool like Spector 360. Do you have a sample report or something? I'd be interested but it's simply curiosity so wouldn't bother to contact you directly IYSWIM :-)
Thai Pepper Jack (Veriato) Jul 30, 2014 at 1:13 AM Brand Representative for Veriato
hutchingsp, Sure. I don't have an example in my lab of TeamViewer, but I'll substitute in WireShark. I'm suspecting that a user, Paul Finch, is using WireShark. I can go into the Dashboard and view all recorded events related to the WireShark program running, and I'll see something like this.
If you're not sure which user is using it, that's fine, too. You can still find it very easily. If I want to see what connections were established by WireShark, I can do that, too...
From the first screenshot I posted, I can select one of those events and go directly to the screenshot that was taken on that user's computer when the event was recorded. It would look like this. Also, note that there are playback controls at the top so you can then progress forward or backward if you want.
You can configure the Dashboard so that any authorized user (HR, legal, for example) can log in and view whatever information they are authorized to see. The role-based access in Spector 360 is very granular. If you just need to provide the data to someone, you can take the data and have it generated as a report. For the screenshots, you have the option to export those (all, some, single one if you want) as a series of image files or as an AVI file.
If you have any other questions, just let me know.
Veriato Spector360Review it:(0)
Tabasco Tom2338 Aug 3, 2014 at 10:52 AM
Why not just mirror the switch port.
Subscribe This discussion has been inactive for over a year. You may get a better answer to your question by starting a new discussion. Read these next...