AnchorWatch - A rogue device detection script for Windows with email alerts
AnchorWatch is a simple script that scans the subnet every X minutes and sends an email alert for each unknown device discovery.
Email contains the following information:
- MAC Address
- IP Address
- OS Name
- OUI Vendor Name
- Last Seen Timestamp
AnchorWatch is a powershell script that depends on
nmap - a network scanning utility - for scanning the subnet.
AnchorWatch will send an email notification each time an unknown device is detected on the network.
An example of email notification from AnchorWatch:
AnchorWatch has no dependency other than nmap. Download nmap for windows here: https://nmap.org/download.html
Edit .\anchorWatch.ps1 and add the follwing details in corresponding sections:
SMTP Hostname Domain Name of SMTP Server SMTP Port Default= 25. Use 25, 465, or 587 SMTP Username SMTP Password Email Address From email@example.com Email Address to firstname.lastname@example.org
Additionally, you'd need to add network range in
anchorWatch.ps1 will start AnchorWatch in default blacklisting mode.
Default mode blacklists all the devices by default. You'd need to whitelist all the devices manually by adding the Corresponding MAC to a text file named
known_hosts.txt data format:
<MAC Address> <Host name>
Automatic Device Whitelisting
To speedup the whitelisting process, you can alternatively run the following command:
.\trustDevices.ps1 scans the whole subnet(s) and creates a list of discovered devices under known_hosts.txt in a tabular form.
Net admins can then verify each device manually and manage their whitelist using known_hosts.txt
Fix Powershell ExecutionPolicy Error
To change the execution policy for the computer, for particular users, or for particular sessions, use the Set-ExecutionPolicy cmdlet, as follows.
Start Windows PowerShell with the "Run as Administrator" option. (For more information, see Starting Windows PowerShell.) Only members of the Administrators group on the computer can change the execution policy.
Run the Set-ExecutionPolicy cmdlet.
As an Administrator, you can set the execution policy by typing this into your PowerShell window:
AnchorWatch is a work of Freelance by Hardeep Singh. Originally created in 2015 for a fellow redittor who asked for a free alternative for Rogue Device Detection tool for Windows machine. At the time there were no cheap or free alternative available, especially for Windows domain. Hence, AnchorWatch came to life.
Hardeep Singh is the founder of https://rootsh3ll.com and primarily teaches Wireless Network Security. You can reach him on harry [at] rootsh3ll.com
Follow on Twitter: https://twitter.com/rootsh3ll
(Slight rework by github.com/cap44)