Your home network is your fortress. Inside it lies tons of valuable information—unencrypted files, personal, private data, and perhaps most importantly, computers that can be hijacked and used for any purpose. Let’s talk about how you can, with the power of evil, sniff around your home network to make sure you don’t have any uninvited guests.
In this post, we’ll show you how to map out your network, take a peek under the covers to see who’s talking to what, and how to uncover devices or processes that may be sucking down bandwidth. In short: You’ll be able to recognize the signs that something on your network is compromised. We’ll assume you’re familiar with some networking basics, like how to find your router’s list of devices and what a MAC address is. If not, head over to our Know Your Network night school to brush up first.
Before we go any further, though, we should issue a warning: Use these powers for good, and only run these tools and commands on hardware or networks you own or manage. Your friendly neighborhood IT department wouldn’t like you port scanning or sniffing packets on the corporate network, and neither would all the people at your local coffee shop. As with every evil week post, the point is to teach you how it’s done so you can do it yourself and protect yourself—not exploit others.
Once you have a physical map of your network and a list of all of your trusted devices, it’s time to go digging. Log in to your router and check its list of connected devices. That’ll give you a basic list of names, IP addresses, and MAC addresses. Remember though, your routers device list may or may not show you everything. It should, but some routers only show you devices that use the router for its IP address. Either way, keep that list to the side—it’s good, but we want more information.
Next, we’re going to turn to our old friend nmap. For those unfamiliar, nmap is a cross-platform, open source network scanning tool that can find devices are on your network, along with a ton of detail on those devices. You can see open ports, the operating system in use, IP and MAC addresses, even open ports and services.Download nmap here, check out these install guides to set it up, and follow these instructions discover hosts on your home network.
In my case, I installed and ran it from the command line (if you want a graphical interface, Zenmap usually comes with the installer), then told nmap to scan the IP range I’m using for my home network. It found most of the active devices on my home network, excluding a few I have some enhanced security on (although those were discoverable too with some of nmap’s commands, which you can find in the link above.)
Before you even log onto your computer, write down what you think you know. Start with a sheet of paper and jot down all of your connected devices. That includes things like smart TVs, set-top boxes, laptops and computers, tablets and phones, or any other device that might be connected to your network. If it helps, draw a map of your home, complete with rooms. Then write down every device and where it lives. You may be surprised with exactly how many devices you have connected to the internet at the same time.
Network admins and engineers will recognize this step—it’s the first step in exploring any network you’re not familiar with. Do an inventory of the devices on it, identify them, and then see if the reality matches up with what you expect. If (or when) it doesn’t, you’ll be able to quickly eliminate what you do know from what you don’t know. You may be tempted to just log in to your router and look at its status page to see what’s connected, but don’t do that yet. Unless you can identify everything on your network by its IP and MAC address, you’ll just get a big list of stuff—one that includes any intruders or freeloaders. Take a physical inventory first, then move on to the digital one.
Compare nmap’s list with your router’s list. You should see the same things (unless something you wrote down earlier is powered off now.) If you see something on your router that nmap didn’t turn up, try using nmap against that IP address directly. Then, based on what you know, look at the information nmap found about the device. If it’s claiming to be an Apple TV, it probably shouldn’t have services like http running, for example. If it looks strange, probe it specifically for more information, like I did in the screenshot above. I noticed one of my machines was rejecting ping requests, which made nmap skip over it. I told nmap to just probe it anyway, and sure it enough it responded.
