Solved

Trace Net Send

Posted on 2003-11-18
Last Modified: 2008-03-10
Hi

Could someone tell me how to trace a "net send"?

I'm in college and some ***** keeps sending me net sends.

I'd like to be able to (a) trace them, so I can report the sender for harassment (and possibly kick the **** out of him/her), and (b) stop them from popping up, i.e. disable them.

Any suggestions?
Question by:aolXFT
30 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 100 total points
ID: 9772983
aolXFT:

> I'd like to be able to (a) trace them, so I can report the sender for
> harassment(and possibly kick the **** out of him/her), and (b) stop them from
> popping up, ie disable them.

I hate that stuff too.

You need to get a firewall program (ZoneAlarm is good and free [http://www.zonealarm.com/]).  It should not only block them, but tell you where they are coming from.

You could also use a packet sniffer to find out the exact contents of the message, but if you can track it down to an IP, that should get you what you want.

This might also help you do what you want:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

Hope That Helps,
Dex*
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773061
Hmm

Looks like I need a packet sniffer.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773065
any easier way?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9773282
netstat -a
Why not turn off messenger service?
and get a firewall?
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773438
aolXFT:

To get the IP of the sender of the message, you'll need a packet sniffer.  netstat -y doesn't seem to help much.  If you just want to get rid of the messages forever, follow the directions in the link that I already posted.

Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773512
The name of the computer that sends the NetSend message is in the message itself.

You don't need a sniffer if the computer is in the same domain as you; just tracert the computer name and it will resolve to the IP.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773531
Except Spammers have figured out how to exploit this service, so nowadays, 99 times out of 100, the sender is going to be off your local network, and you'll need a sniffer to find out their IP.

D*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773569
Doesn't sound like that's the case here. Says he's in college, probably some kid playing around on the network.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773812
I think it is just some 'kid' playing around on the network, mostly trying to embarrass their friends. It just so happens that I find their games with each other extremely annoying when I'm trying to do stuff. This isn't spam sent to me by external users.

The messages are sent to "Workgroup", and the from is usually set to God, or a space.

If I had the IP address, or name, of the computer I would be able to find them easily. What I don't have is admin access to the machine, or the rights to install software. If a packet sniffer was the only solution it would have to be a small one that didn't need to be installed, i.e. run straight from the downloaded executable (a bit like PuTTY).
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773969
Well, without admin rights, you're out of luck.  You can't sniff packets at the TCP/IP level.  It requires a device driver to be installed.

If this is a computer in a lab, class, or library, then you need to ask an admin to disable the Messenger service (as outlined in the link I sent in my original response).

Dex*
0
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 50 total points
ID: 9775746
What you could do is run a honeypot to catch the naughty one.
A honeypot sets up a listening port that captures the incoming IP addresses.

First disable the NETBIOS so you can use the ports.
For NET SEND you will need to listen on port 139 (or 445 for win2k).

This link has many honeypots to try - free to use - nothing to install :)
http://www.astalavista.com/tools/intrusiondetection/misc/
0
 
LVL 7

Assisted Solution

by:Robing66066
Robing66066 earned 50 total points
ID: 9775753
You might be able to tell by checking your arp table.  (I tried this and it seems to work.)

Next time you get messaged, open a DOS prompt and issue the command:

arp -a

That will list all the entries in your arp table, including the entry for the person who is annoying you.

If you are on a closed network, there shouldn't be too many entries in the list.  You should be able to do an nslookup on each entry to find out what each device is, or call your help desk with the list of addresses and determine who did it.  It's certainly not as positive an ID as a sniffer would be, but it's cheap and easy.

Good luck!
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9775764
(The arp entries you are looking for are IP addresses, not the physical address...)
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9781641
Robing:

That will work IF the message is coming from someone on the same subnet.  If it has to cross a gateway or a router, then the arp entry will only show the gateway or router.

Dex*
0
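The `arp -a` check suggested above, combined with the same-subnet caveat from the reply, as an added example that is not part of the original thread: it compares an `arp -a` listing saved before a popup with one taken just after and labels each new dynamic entry. The sample listings, addresses, and the function names `parse_arp` and `new_candidates` are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples in the layout Windows `arp -a` prints.
BEFORE = """Interface: 10.1.4.20 --- 0x2
  Internet Address      Physical Address      Type
  10.1.0.1              00-0c-29-aa-bb-01     dynamic
  10.1.7.3              00-0c-29-aa-bb-02     dynamic
"""
AFTER = BEFORE + """  10.1.22.45            00-11-22-33-44-55     dynamic
  10.1.255.255          ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {ip: (mac, type)} for every entry line in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def new_candidates(before, after, local_ip, netmask, gateway):
    """List dynamic entries that appeared between two snapshots.

    An entry equal to the gateway means the traffic may have crossed a
    router, so the ARP table cannot identify the real sender.
    """
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    known = parse_arp(before)
    found = []
    for ip, (mac, kind) in parse_arp(after).items():
        if kind != "dynamic" or ip in known:
            continue  # skip static/broadcast rows and hosts already cached
        if ip == gateway:
            note = "gateway: sender may be on another subnet"
        elif ipaddress.ip_address(ip) in net:
            note = "same subnet: candidate sender"
        else:
            note = "outside local subnet: unexpected in ARP table"
        found.append((ip, mac, note))
    return found

if __name__ == "__main__":
    for row in new_candidates(BEFORE, AFTER, "10.1.4.20", "255.255.0.0", "10.1.0.1"):
        print(*row, sep="  ")
```

A host that was already in the cache before the popup will not show up as new, so an empty result does not rule out a same-subnet sender.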
 
LVL 6

Author Comment

by:aolXFT
ID: 9781862
Robing/Dexstar

I think they may be on the same subnet as me. I don't know too much about networks/subnets, but I believe everyone in the college uses the same subnet mask of 255.255.0.0, although I'm not too sure about this.

I just have to wait for a net send to come now. They aren't coming as much as they were yesterday.

I'll test Robing's solution, and if it works I'll knock up the points, and accept Robing's solution as an answer, and a few other helpful comments as assisting. If not, well, we'll see.
0
 
LVL 3

Assisted Solution

by:cincin77
cincin77 earned 20 total points
ID: 9787686
Check for the remote machine's name in the message.
Then do a:
nbtstat -a machine_name

You can see the name of the user logged on on that machine.
0
 
LVL 3

Expert Comment

by:ManuelGuerra
ID: 9800661
aolXFT,
If the sender can hide his/her name, maybe he can also hide his IP, and only a good sniffer can help you. If you only want to stop those messages, then set the Messenger service to manual, but you won't receive any more messages from anyone, neither from "good" people nor from "bad" people.

MG
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9805830
"good" people don't send me net sends, so I don't think there is any problem with turning them off.

How do I set the messenger to manual?
0
 
LVL 9

Assisted Solution

by:TooKoolKris
TooKoolKris earned 20 total points
ID: 9806833
Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9806884
> "good" people don't send me net sends, so I don't think there is any problem with turning them off.
Pretty standard to turn it off - just go into services and disable it.
Or block it at the border if you have network apps using it for alerts.
0
 
LVL 2

Expert Comment

by:xybx
ID: 9814401
Hey,

Install a firewall like Tiny, and set it to alert you on incoming connections. You will get the IP of the connecting computer.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9819231
aolXFT:

The link I posted in my very first response has detailed instructions on disabling or setting the service to be manual:  http://www.itc.virginia.edu/desktop/docs/messagepopup/

Enjoy,
Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9819891
No need for a link,

Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821679
My privileges don't allow me to disable the messenger service, or install firewalls, or tracers, or anything like that.

It looks like there is no answer to my original question that I can use with my privilege level. I have found certain answers to be very enlightening, and educational.

I think it is time to close the question by accepting the most helpful comments.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821756
Increasing points to 240 and awarding as follows:

For providing the most educational information, as well as the most possible solutions
Dex: 100

For providing educational possible solutions.
Robing: 50
juliancrawford: 50

For providing useful/helpful information
TooKoolKris: 20
CinCin77: 20

I believe the above is allowed under EE rules. I'll award as outlined above, if nobody makes an objection in the meantime based on the EE rules.

In other words, I think the above is okay, but I'm not sure, so I want to wait to make sure before I award.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9821796
Looks good to me...

D*
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9825939
Sounds fine with me, but most importantly, did you catch the bugger?
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9826004
I haven't had any since, so no I didn't catch him, but at least I've learnt a lot of useful and helpful information from the answers to this question.

I know where to look however next time someone does start annoying me.

Thanks.
0
 
LVL 13

Expert Comment

by:WillHudson
ID: 9832406
Just for future reference, you could go to command prompt and type:
net stop messenger

this will stop the messenger service :)
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9832655
Thanks Will, but Access is Denied,

they apparently don't like us stopping services.
0
