07-16-2010 10:07 AM
Can someone help me figure out how to track down this rogue device on the network? I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning 10.0.0.7 [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Discovered open port 123/udp on 10.0.0.7
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on 10.0.0.7
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.0.0.7
Discovered open|filtered port 161/udp on 10.0.0.7 is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.7
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning 10.0.0.7.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.7
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
| ntp-info:
| receive time stamp: 07/15/10 09:46:36
| system: cisco
| leap: 0
| stratum: 2
| rootdelay: 25.53
| rootdispersion: 6.96
| peer: 511
| refid: 156.34.21.3
| reftime: 0xCFE98F9B.EF8BC22B
| poll: 6
| clock: 0xCFE98FB1.E0211428
| phase: -0.462
| freq: -176.82
|_ error: 0.75
161/udp open snmp Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops
Host script results:
|_ipidseq: Randomized
| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 1 0 62.50 0.53 0.0%
| 3 0 62.80 0.42 0.0%
|_65389 0 62.30 0.48 0.0%
TRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.2.3
2 0.00 ms 10.0.0.7
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)
It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?
Is this the right discussion group?
07-16-2010 01:38 PM
Did you ping 10.0.0.7 from the L3 switch first?
Then, instead of "sh arp | include 10.0.0.7", maybe try "show ip arp 10.0.0.7" for the MAC addr.
Then "show mac addr [MAC addr]" for the downstream port.
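Added example, not part of the thread: the IP to MAC to port lookup from the reply above, run over pasted switch output. The sample text is constructed in the layout of Cisco IOS `show ip arp` and `show mac address-table`; the MAC addresses, VLAN and port names are made up, and the function names are hypothetical.

```python
import re

# Constructed sample output in Cisco IOS layout (not taken from the thread).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0000.5e00.5301  ARPA   Vlan10
Internet  10.0.0.7                0   0000.5e00.5307  ARPA   Vlan10
Internet  10.0.0.70               3   0000.5e00.5346  ARPA   Vlan10
Internet  10.0.0.9                0   Incomplete      ARPA
"""
SAMPLE_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.5e00.5307    DYNAMIC     Gi1/0/12
  10    0000.5e00.5346    DYNAMIC     Gi1/0/24
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_for_ip(arp_text, ip):
    """Return the MAC for exactly `ip`, or None if absent or Incomplete."""
    for line in arp_text.splitlines():
        f = line.split()
        # Exact field match: '| include 10.0.0.7' would also match 10.0.0.70.
        if len(f) >= 4 and f[0] == "Internet" and f[1] == ip:
            hw = f[3].lower()
            return hw if re.fullmatch(MAC_RE, hw) else None
    return None

def ports_for_mac(mac_text, mac):
    """Return (vlan, port) pairs on which `mac` was learned."""
    hits = []
    for line in mac_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].lower() == mac:
            hits.append((f[0], f[3]))
    return hits

def locate(arp_text, mac_text, ip):
    """Chain both lookups; None means there is no usable ARP entry yet."""
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return None  # ping the address from the switch, then capture again
    return mac, ports_for_mac(mac_text, mac)

if __name__ == "__main__":
    print(locate(SAMPLE_ARP, SAMPLE_MAC, "10.0.0.7"))
```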