AnchorWatch is a simple script that scans the subnet every X minutes and sends an email alert for each unknown device discovery.
Email contains the following information:
- MAC Address
- Hostname
- IP Address
- OS Name
- OUI Vendor Name
- Last Seen Timestamp
AnchorWatch is a powershell script that depends on nmap
- a network scanning utility - for scanning the subnet.
AnchorWatch will send an email notification each time an unknown device is detected on the network.
An example of email notification from AnchorWatch:
AnchorWatch has no dependency other than nmap. Download nmap for windows here: https://nmap.org/download.html
Edit .\anchorWatch.ps1 and add the follwing details in corresponding sections:
SMTP Hostname Domain Name of SMTP Server
SMTP Port Default= 25. Use 25, 465, or 587
SMTP Username
SMTP Password
Email Address From [email protected]
Email Address to [email protected]
Additionally, you'd need to add network range in trustDevices.ps1
also.
.\anchorWatch.ps1
Running anchorWatch.ps1
will start AnchorWatch in default blacklisting mode.
Default mode blacklists all the devices by default. You'd need to whitelist all the devices manually by adding the Corresponding MAC to a text file named known_hosts.txt
known_hosts.txt
data format:
<MAC Address> <Host name>
To speedup the whitelisting process, you can alternatively run the following command:
.\trustDevices.ps1
.\trustDevices.ps1
scans the whole subnet(s) and creates a list of discovered devices under known_hosts.txt in a tabular form.
Net admins can then verify each device manually and manage their whitelist using known_hosts.txt
To change the execution policy for the computer, for particular users, or for particular sessions, use the Set-ExecutionPolicy cmdlet, as follows.
-
Start Windows PowerShell with the "Run as Administrator" option. (For more information, see Starting Windows PowerShell.) Only members of the Administrators group on the computer can change the execution policy.
-
Run the Set-ExecutionPolicy cmdlet.
As an Administrator, you can set the execution policy by typing this into your PowerShell window:
Set-ExecutionPolicy RemoteSigned
AnchorWatch is a work of Freelance by Hardeep Singh. Originally created in 2015 for a fellow redittor who asked for a free alternative for Rogue Device Detection tool for Windows machine. At the time there were no cheap or free alternative available, especially for Windows domain. Hence, AnchorWatch came to life.
Hardeep Singh is the founder of https://rootsh3ll.com and primarily teaches Wireless Network Security. You can reach him on harry [at] rootsh3ll.com
Follow on Twitter: https://twitter.com/rootsh3ll
(Slight rework by github.com/cap44)