Solved

Trace Net Send

Posted on 2003-11-18
Last Modified: 2008-03-10
Hi

Could someone tell me how to trace a "net send"?

I'm in college and some ***** keeps sending me net sends.

I'd like to be able to (a) trace them, so I can report the sender for harassment (and possibly kick the **** out of him/her), and (b) stop them from popping up, i.e. disable them.

Any suggestions?
0
Question by:aolXFT
30 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 100 total points
ID: 9772983
aolXFT:

> I'd like to be able to (a) trace them, so I can report the sender for
> harassment (and possibly kick the **** out of him/her), and (b) stop them from
> popping up, i.e. disable them.

I hate that stuff too.

You need to get a firewall program (ZoneAlarm is good and free [http://www.zonealarm.com/]).  It should not only block them, but tell you where they are coming from.

You could also use a packet sniffer to find out the exact contents of the message, but if you can track it down to an IP, that should get you what you want.

This might also help you do what you want:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

Hope That Helps,
Dex*
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773061
Hmm

Looks like I need a packet sniffer.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773065
any easier way?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9773282
netstat -a
Why not turn off the Messenger service?
And get a firewall?
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773438
aolXFT:

To get the IP of the sender of the message, you'll need a packet sniffer.  netstat -y doesn't seem to help much.  If you just want to get rid of the messages forever, follow the directions in the link that I already posted.

Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773512
The name of the computer that sends the NetSend message is in the message itself.

You don't need a sniffer if the computer is in the same domain as you; just tracert the computer name and it will resolve to the IP.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773531
Except Spammers have figured out how to exploit this service, so nowadays, 99 times out of 100, the sender is going to be off your local network, and you'll need a sniffer to find out their IP.

D*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773569
Doesn't sound like that's the case here. Says he's in college, probably some kid playing around on the network.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773812
I think it is just some 'kid' playing around on the network, mostly trying to embarrass their friends. It just so happens that I find their games with each other extremely annoying when I'm trying to do stuff. This isn't spam sent to me by external users.

The messages are sent to "Workgroup", and the from is usually set to God, or a space.

If I had the IP Address, or name, or the computer I would be able to find them easily. What I don't have is admin access to the machine, or the rights to install software. If a packet sniffer was the only solution it would have to be a small one, that didn't need to be installed, i.e. run straight from the downloaded executable (bit like PuTTY).
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773969
Well, without admin rights, you're out of luck.  You can't sniff packets at the TCP/IP level.  It requires a device driver to be installed.

If this is a computer in a lab, class, or library, then you need to ask an admin to disable the Messenger service (as outlined in the link I sent in my original response).

Dex*
0
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 50 total points
ID: 9775746
What you could do is run a honeypot to catch the naughty one.
A honeypot sets up a listening port that captures the incoming IP addresses.

First disable the NETBIOS so you can use the ports.
For NET SEND you will need to listen on port 139 (or 445 for win2k).

This link has many honeypots to try - free to use - nothing to install :)
http://www.astalavista.com/tools/intrusiondetection/misc/
0
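
What juliancrawford describes, a listener that records who connects, reduced to its core as an added Python example (not one of the linked tools and not code from the post). Port 139 comes from the post; the function names are hypothetical, and binding that port only works once nothing else on the machine holds it.

```python
import socket
import time

def open_listener(host, port, backlog=5):
    """Bind a TCP socket and start listening; returns the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(backlog)
    return srv

def capture_peers(srv, max_conns, timeout):
    """Accept up to max_conns connections; return [(timestamp, ip, src_port)]."""
    srv.settimeout(timeout)
    seen = []
    while len(seen) < max_conns:
        try:
            conn, (ip, src_port) = srv.accept()
        except socket.timeout:
            break  # nobody connected within the timeout
        seen.append((time.strftime("%Y-%m-%d %H:%M:%S"), ip, src_port))
        conn.close()  # record the peer only; never read or answer the payload
    return seen

def by_source(seen):
    """Count connections per source IP, so repeat senders stand out."""
    counts = {}
    for _stamp, ip, _port in seen:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    # 139 is the port named in the post; the bind fails while NetBIOS
    # still owns it, which is why the post says to disable NetBIOS first.
    srv = open_listener("0.0.0.0", 139)
    seen = capture_peers(srv, max_conns=10, timeout=300)
    srv.close()
    for stamp, ip, src_port in seen:
        print(stamp, ip, src_port)
    print(by_source(seen))
```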
 
LVL 7

Assisted Solution

by:Robing66066
Robing66066 earned 50 total points
ID: 9775753
You might be able to tell by checking your arp table.  (I tried this and it seems to work.)

Next time you get messaged, open a DOS prompt and issue the command:

arp -a

That will list all the entries in your arp table, including the entry for the person who is annoying you.

If you are on a closed network, there shouldn't be too many entries in the list.  You should be able to do an nslookup on each entry to find out what each device is, or call your help desk with the list of addresses and determine who did it.  It's certainly not as positive an ID as a sniffer would be, but it's cheap and easy.

Good luck!
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9775764
(The arp entries you are looking for are IP addresses, not the physical address...)
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9781641
Robing:

That will work IF the message is coming from someone on the same subnet.  If it has to cross a gateway or a router, then the arp entry will only show the gateway or router.

Dex*
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9781862
Robing/Dexstar

I think they may be on the same subnet as me. I don't know too much about networks/subnets, but I believe everyone in the college uses the same subnet mask of 255.255.0.0, although I'm not too sure about this.

I just have to wait for a net send to come now. They aren't coming as much as they were yesterday.

I'll test Robing's solution, and if it works I'll knock up the points, and accept Robing's solution as an answer, and a few other helpful comments as assisting. If not, well, we'll see.
0
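
The ARP-table check Robing66066 describes, with Dexstar's gateway caveat applied, as an added Python example (not code from any poster in this thread): it compares an `arp -a` snapshot taken before a popup with one taken right after and classifies each new entry. The addresses, the gateway and the sample output are constructed; the 255.255.0.0 mask is the one aolXFT mentions.

```python
import ipaddress
import re

# One entry line of Windows `arp -a` output: IP address, MAC, type.
ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f-]{17})\s+(\w+)")

# Constructed sample snapshots (not captured from a real network).
BEFORE = """Interface: 10.20.5.17 --- 0x2
  Internet Address      Physical Address      Type
  10.20.3.9             00-0c-29-aa-bb-09     dynamic
"""
AFTER = BEFORE + """  10.20.7.42            00-0c-29-aa-bb-2a     dynamic
  10.20.0.1             00-0c-29-aa-bb-01     dynamic
"""

def parse_arp(text):
    """Return {ip: mac} for the dynamic entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def new_entries(before, after, my_ip, netmask, gateway):
    """Classify entries present in `after` but not in `before`."""
    net = ipaddress.ip_network(f"{my_ip}/{netmask}", strict=False)
    old = parse_arp(before)
    found = []
    for ip, mac in sorted(parse_arp(after).items()):
        if ip in old:
            continue
        if ip == gateway:
            verdict = "gateway: a routed sender would show only as this entry"
        elif ipaddress.ip_address(ip) in net:
            verdict = "same subnet: candidate sender"
        else:
            verdict = "outside the local subnet"
        found.append((ip, verdict))
    return found

if __name__ == "__main__":
    # my_ip and gateway are assumed values for the constructed sample.
    for ip, verdict in new_entries(BEFORE, AFTER, "10.20.5.17",
                                   "255.255.0.0", "10.20.0.1"):
        print(ip, "->", verdict)
```

A new entry only shows that the host exchanged traffic with this machine between the two snapshots, so it narrows the list rather than proving who sent the message.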
 
LVL 3

Assisted Solution

by:cincin77
cincin77 earned 20 total points
ID: 9787686
check for the remote machine's name in the message.
then do a:
nbtstat -a machine_name

you can see the name of the user logged on on that machine.
0
 
LVL 3

Expert Comment

by:ManuelGuerra
ID: 9800661
aolXFT,
If the sender can hide his/her name, maybe he can also hide his IP, and only a good sniffer can help you. If you only want to stop those messages, then set the Messenger service to manual, but you won't receive any more messages from anyone, neither from "good" people nor "bad" people.

MG
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9805830
"good" people don't send me net sends, so I don't think there is any problem with turning them off.

How do I set the messenger to manual?
0
 
LVL 9

Assisted Solution

by:TooKoolKris
TooKoolKris earned 20 total points
ID: 9806833
Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9806884
>"good" people don't send me net sends, so I don't think there is any problem with turning them off.
pretty standard to turn it off - just go into services and disable it.
or block it at the border if you have network apps using it for alerts
0
 
LVL 2

Expert Comment

by:xybx
ID: 9814401
Hey,

Install a firewall like Tiny, and set it to alert you on incoming connections. You will get the IP of the connecting computer.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9819231
aolXFT:

The link I posted in my very first response has detailed instructions on disabling or setting the service to be manual:  http://www.itc.virginia.edu/desktop/docs/messagepopup/

Enjoy,
Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9819891
No need for a link,

Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821679
My privileges don't allow me to disable the messenger service, or install firewalls, or tracers, or anything like that.

It looks like there is no answer to my original question that I can use with my privilege level. I have found certain answers to be very enlightening, and educational.

I think it is time to close the question by accepting the most helpful comments.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821756
Increasing points to 240 and awarding as follows:

For providing the most educational information, as well as the most possible solutions
Dex: 100

For providing educational possible solutions.
Robing: 50
juliancrawford: 50

For providing useful/helpful information
TooKoolKris: 20
CinCin77: 20

I believe the above is allowed under EE rules. I'll award as outlined above, if nobody makes an objection in the meantime based on the EE rules.

In other words, I think the above is okay, but I'm not sure, so I want to wait to make sure before I award.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9821796
Looks good to me...

D*
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9825939
Sounds fine with me, but most importantly, did you catch the bugger?
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9826004
I haven't had any since, so no I didn't catch him, but at least I've learnt a lot of useful and helpful information from the answers to this question.

I know where to look however next time someone does start annoying me.

Thanks.
0
 
LVL 13

Expert Comment

by:WillHudson
ID: 9832406
Just for future reference, you could go to command prompt and type:
net stop messenger

this will stop the messenger service :)
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9832655
Thanks Will, but Access is Denied,

they apparently don't like us stopping services.
0
