Re: Who is on the network?

From: Patrick (
Date: 01/17/03

From: "Patrick" <>
Date: Fri, 17 Jan 2003 14:06:01 -0800

Yes, you are correct. We have a number of IPs in the DHCP
pool and some static ones as well. I am after IP thieves!

>-----Original Message-----
>I interpret the original post as saying he wants to
determine who stole an
>IP address, in which case DHCP probably wouldn't help.
>Well, if it's a windows computer or maybe a non-windows
computer running
>SMB, you can sometimes get the user name, computer name,
and domain or
>workgroup name by doing a NBTSTAT -a IPADDRESS
command [note that the -a
>is case sensitive, should be lower case if using IP
address]. I believe
>usually the computer has to be on and reachable by
netbios. You could also
>use NMAP to determine the OS and services and banners
running on it [for
>non-windows machines also], and you can use GETACCT from
> to enumerate the login IDs, user
names and share
>names on the windows computer. Going to
http://ipaddress or TELNET
>ipaddress sometimes gives you some information. There
are a variety of
>other vulnerability assessment scanners that might tell
you something at:
>You could probably use router or switch or firewall rules
to make it so
>certain IP addresses can only be used with certain MAC
addresses or certain
>switch/router ports or interfaces. If your rules get too
long, you could
>start impacting network performance. You could
certainly enable these
>rules temporarily when an offending IP address is
detected to block that
>computer from accessing the internet or other subnets.
>You may be able to do a NET SEND ipaddress "message" to
send a popup message
>to Windows computers. Your company should definitely
publish and advertize
>a computer policy stating that this is unacceptable and
stating the
>punishment for anyone caught doing this. You can't very
fairly expect to
>reprimand or punish without a policy.
>There are also IDS systems that could probably monitor
traffic and alarm if
>a MAC address associated with a certain IP address
changes [ISS is expensive
>and maybe not the best but I believe will do this].
>Note that on Windows NT / XP / 2000, users must have
local admin permissions
>on the computer to change the IP address. Removing the
users from the local
>Administrators group would fix this. Third party tools
may let you try to
>do this for other versions of Windows... however if the
user brings in her
>own computer, neither of these would work.
>"Dmitry Kulshitsky" <dimkin(remove)> wrote in
>> Do you want to say that you manually assign ip
addresses after discovering
>> the free one by pinging the range of your addresses?
Then you definitely
>> need the DHCP server (dynamic host configuration
protocol). It will allow
>> you to automatically configure ip addresses and some
other network
>> parameters.
>> "Patrick" <> wrote in message
>> news:72f001c2bdba$fb5bcf60$8ef82ecf@TK2MSFTNGXA04...
>> > Hi there,
>> >
>> > We have a number of static IPs on our network and
>> > sometimes users will ping the range till they find a
>> > one and take it. We like to control who uses those
>> > How can I tell who is using them? I usually ping the
>> > with a -a switch but it doesn't always return the
name of
>> > the PC. What other tools are there? Is there any
way to
>> > find out anything about these PCs?
>> > Thanks!
>> >