Unknown Device on Network  

Minesh
(@minesh)
Member

Hi,

We have an unknown device's IP address and are unable to locate it, but we have found that the MAC address begins E2-12-1D (unknown OUI). As yet, we are unable to identify what it is, or whether it is a spoofed MAC. It's showing up as an NTP server, but doesn't respond to pings etc.

Suggestions welcome,

Thanks

Minesh

EDIT: Had to get onto the networking guys and they have pinpointed the location of the device… will investigate later.

Posted : 26/02/2008 4:55 pm
azrael
(@azrael)
Senior Member

First hit in Google ?

http://standards.ieee.org/regauth/oui/index.shtml

-P

Posted : 26/02/2008 5:03 pm
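Before even reaching the registry, the first octet of the MAC tells you whether an OUI lookup can succeed at all: the 0x02 bit of the first octet is the IEEE "locally administered" flag, and 0xE2 has it set, so this prefix is software- or admin-assigned and will never appear in the vendor list. The following script is an added example (not code from anyone in this thread) that decodes those flag bits and then tries a lookup. The OUI table in it is a three-entry excerpt constructed for the example, and the full sample addresses are made up around the E2-12-1D prefix from the original post.

```python
import re

# Small OUI excerpt constructed for this example. The authoritative source is
# the IEEE registry linked in the post above; this table is illustrative only.
SAMPLE_OUI = {
    "00-00-0C": "Cisco Systems, Inc",
    "00-0C-29": "VMware, Inc.",
    "08-00-27": "PCS Systemtechnik GmbH (VirtualBox)",
}


def parse_mac(mac):
    """Accept E2-12-1D-xx-xx-xx, e2:12:1d:..., or e2121d...; return 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def classify_mac(mac, oui_table=SAMPLE_OUI):
    """Decode the two flag bits of the first octet and attempt an OUI lookup.

    In the first octet of an IEEE 802 MAC address:
      bit 0 (0x01) = I/G: set means a group (multicast) address
      bit 1 (0x02) = U/L: set means locally administered, i.e. assigned by
                     software or an administrator rather than burned in
    A locally administered address is by definition absent from the OUI
    registry, so "unknown OUI" is the expected result for it.
    """
    raw = parse_mac(mac)
    oui = "-".join("%02X" % b for b in raw[:3])
    return {
        "oui": oui,
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
        "vendor": oui_table.get(oui),
    }


def assess(mac, oui_table=SAMPLE_OUI):
    """One-line verdict suitable for a triage note."""
    info = classify_mac(mac, oui_table)
    if info["multicast"]:
        return "%s: group/multicast address, not a host interface" % info["oui"]
    if info["locally_administered"]:
        return ("%s: locally administered (U/L bit set); a vendor lookup cannot "
                "identify it, treat as software-assigned or spoofed" % info["oui"])
    if info["vendor"]:
        return "%s: universally administered, vendor %s" % (info["oui"], info["vendor"])
    return ("%s: universally administered but not in the local table; "
            "check the IEEE registry" % info["oui"])


if __name__ == "__main__":
    # Constructed sample addresses: the thread only gave the E2-12-1D prefix.
    for mac in ("E2-12-1D-00-00-01", "00:0c:29:aa:bb:cc", "01-00-5E-00-00-FB"):
        print(assess(mac))
```

Run it as-is and the E2-12-1D sample is reported as locally administered, which is why the registry search came back empty; the other two samples show a registered vendor and a multicast group address for contrast.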
Minesh
(@minesh)
Member

Sorry, forgot to edit the first bit out my post.

I suppose the question is, does anyone know how we can identify this unknown device?

Minesh

Posted : 26/02/2008 5:11 pm
iruiper
(@iruiper)
Active Member

And haven't you been able to traceroute it up to some very specific point?

Posted : 26/02/2008 6:03 pm
Minesh
(@minesh)
Member

It didn't respond to ping or tracert. We tried all we could from our end, but in the end got the networking guys to pinpoint its location.

Would be great if there was another way though.

Minesh

Posted : 26/02/2008 6:12 pm
keydet89
(@keydet89)
Community Legend

It didn't respond to ping or tracert. We tried all we could from our end, but in the end got the networking guys to pinpoint its location.

Would be great if there was another way though.

In this thread so far, I've seen no mention of either SNMP or nmap.

Also, if this system was identified as an NTP server, how was this done? Traffic analysis? If so, you might consider using p0f and targeting just that system by IP.

Posted : 26/02/2008 6:47 pm
Minesh
(@minesh)
Member

Thanks Harlan…

nmap has found that it's running XP Home in French, so that helps us a bit! The NTP server was discovered using the old SourceForge NetTime (why it's still used I do not know). Will give p0f a go.

Totally forgot about nmap!

Cheers

Minesh

Posted : 26/02/2008 7:42 pm
Minesh
(@minesh)
Member

Ok, so it may not be Windows at all… another scan shows QNX v4. Then another says it can't identify it (which is the same result we got earlier)… despite nmap suggesting that it's 100% accurate, lol.

Someone will go and see if it's where we were told.

Minesh

Posted : 26/02/2008 8:27 pm
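The "100% accurate" figure that keydet89's nmap suggestion produced, and the three different answers it gave across runs, are worth unpacking: nmap's accuracy attribute is its confidence in a particular fingerprint match, not a statement that the host has been identified, and a host that answers almost nothing (no ICMP, only UDP/123) gives it very little to match on. The script below is an added example, not output or code from anyone in this thread. It parses the XML that `nmap -oX` writes, pulls out the OS matches and open ports, and flags when the top guess changes between scans. The three scan documents are constructed to mirror the thread (Windows XP, QNX 4, no match); the element and attribute names are the ones nmap's XML output uses, but the values are made up.

```python
import xml.etree.ElementTree as ET

# Three constructed documents in the shape of `nmap -O -oX out.xml` output.
# They are not real scan results; the host, MAC and matches are invented to
# reproduce the sequence of answers reported in the thread.
SCAN_WINDOWS = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sU -p 123 -oX a.xml 192.0.2.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="E2:12:1D:00:00:01" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="123">
        <state state="open" reason="udp-response"/>
        <service name="ntp" method="table"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2" accuracy="100">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="100"/>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

SCAN_QNX = SCAN_WINDOWS.replace(
    '<osmatch name="Microsoft Windows XP SP2" accuracy="100">',
    '<osmatch name="QNX RTOS 4.x" accuracy="100">',
).replace(
    'vendor="Microsoft" osfamily="Windows" osgen="XP"',
    'vendor="QNX" osfamily="QNX" osgen="4.X"',
)

# Same host, but this run produced no fingerprint match at all.
SCAN_NOMATCH = SCAN_WINDOWS.split("<os>")[0] + "<os></os>\n  </host>\n</nmaprun>\n"


def os_matches(xml_text):
    """Return nmap's OS matches, best first, with the osfamily values they carry."""
    root = ET.fromstring(xml_text)
    matches = []
    for m in root.iter("osmatch"):
        families = sorted({c.get("osfamily") for c in m.iter("osclass") if c.get("osfamily")})
        matches.append({
            "name": m.get("name"),
            "accuracy": int(m.get("accuracy", "0")),
            "families": families,
        })
    matches.sort(key=lambda m: -m["accuracy"])
    return matches


def open_ports(xml_text):
    """Return (protocol, port, service) for every port nmap reported open."""
    root = ET.fromstring(xml_text)
    found = []
    for p in root.iter("port"):
        state = p.find("state")
        if state is not None and state.get("state") == "open":
            svc = p.find("service")
            found.append((p.get("protocol"), int(p.get("portid")),
                          svc.get("name") if svc is not None else None))
    return found


def top_families(scans):
    """Collect the OS family of the best match from each scan; '<no match>' if none."""
    families = set()
    for text in scans:
        matches = os_matches(text)
        if not matches:
            families.add("<no match>")
            continue
        best = matches[0]
        families.update(best["families"] or {best["name"]})
    return families


def verdict(scans):
    """Accuracy is per-match confidence; a fingerprint that changes between
    runs is unstable regardless of the number nmap attaches to each guess."""
    fam = top_families(scans)
    if len(fam) == 1 and "<no match>" not in fam:
        return "consistent: %s" % fam.pop()
    return "inconsistent fingerprint across %d scans: %s" % (len(scans), ", ".join(sorted(fam)))


if __name__ == "__main__":
    print(open_ports(SCAN_WINDOWS))
    print(verdict([SCAN_WINDOWS, SCAN_QNX, SCAN_NOMATCH]))
```

When the verdict comes back inconsistent, the useful next step is not another `-O` run but, as the thread already moved towards, a different data source: the switch's MAC table from the network team, SNMP if the device answers it, or p0f watching the NTP traffic the device actually sends.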
BitHead
(@bithead)
Community Legend

I love my Fluke OptiView for problems just like this.

Posted : 26/02/2008 8:49 pm
ddow
(@ddow)
Active Member

Minesh, any chance someone is running a honeypot and changing the simulated OS on you? This is kinda weird to be just some rogue system.

Posted : 26/02/2008 10:44 pm
Minesh
(@minesh)
Member

Hi Dennis,

It would be very unlikely as we're the IT department, and I wouldn't think anyone apart from us would need to use a honeypot on the network… won't rule it out though, because that would just be stupid.

I guess the only way to find out will be when someone goes up and investigates. It could still be any OS with its MAC changed, or even a networking device. If I have little on tomorrow I will carry on investigating from my machine, until it's physically checked.

Minesh

Posted : 26/02/2008 10:55 pm
Minesh
(@minesh)
Member

Well, it was an Ethernet hub used to connect one of our machines and a personal laptop. Someone's gonna be in trouble, lol.

Thanks for all the help.

Minesh

Posted : 27/02/2008 6:52 pm