Help with rogue device..

oneirishpollack · ‎07-16-2010

Can some one help me figure out how to track down this rogue device on the

network. I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time

NSE: Loaded 117 scripts for scanning.

Initiating Ping Scan at 09:02

Scanning 10.0.0.7 [7 ports]

Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:02

Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed

Initiating SYN Stealth Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)

Initiating UDP Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Discovered open port 123/udp on 10.0.0.7

Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)

Initiating Service scan at 09:02

Scanning 1000 services on 10.0.0.7

Service scan Timing: About 0.40% done

Discovered open port 161/udp on 10.0.0.7

Discovered open|filtered port 161/udp on 10.0.0.7 is actually open

Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)

Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)

Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)

Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)

Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)

Initiating OS detection (try #1) against 10.0.0.7

Initiating Traceroute at 09:46

Completed Traceroute at 09:46, 0.03s elapsed

Initiating Parallel DNS resolution of 2 hosts. at 09:46

Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed

NSE: Script scanning 10.0.0.7.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 09:46

NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)

NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)

NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)

Completed NSE at 10:21, 2078.55s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 10:21

Completed NSE at 10:21, 5.02s elapsed

NSE: Script Scanning completed.

Nmap scan report for 10.0.0.7

Host is up (0.00s latency).

Not shown: 1000 closed ports, 998 open|filtered ports

PORT STATE SERVICE VERSION

123/udp open ntp NTP v4

| ntp-info:

| receive time stamp: 07/15/10 09:46:36

| system: cisco

| leap: 0

| stratum: 2

| rootdelay: 25.53

| rootdispersion: 6.96

| peer: 511

| refid: 156.34.21.3

| reftime: 0xCFE98F9B.EF8BC22B

| poll: 6

| clock: 0xCFE98FB1.E0211428

| phase: -0.462

| freq: -176.82

|_ error: 0.75

161/udp open snmp Cisco SNMP service

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: switch|WAP

Running: Cisco IOS 12.X

OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)

Network Distance: 2 hops

Host script results:

|_ipidseq: Randomized

| qscan:

| PORT FAMILY MEAN (ms) STDDEV LOSS (%)

| 1 0 62.50 0.53 0.0%

| 3 0 62.80 0.42 0.0%

|_65389 0 62.30 0.48 0.0%

TRACEROUTE (using port 113/tcp)

HOP RTT ADDRESS

1 0.00 ms 192.168.2.3

2 0.00 ms 10.0.0.7

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds

Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)

It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?

Is this the right discussion group?

yjdabear · ‎07-16-2010

Did you ping 10.0.0.7 from the L3 switch first?

Then, instead of "sh arp | include 10.0.0.7", maybe try "show ip arp 10.0.0.7" for the MAC addr.

Then "show mac addr [MAC addr]" for the downstream port.