Tracking down an unknown IP

Jul 16th, 2010

Can someone help me figure out how to track down this rogue device on the network? I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:


Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning 10.0.0.7 [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Discovered open port 123/udp on 10.0.0.7
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on 10.0.0.7
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.0.0.7
Discovered open|filtered port 161/udp on 10.0.0.7 is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.7
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning 10.0.0.7.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.7
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|   receive time stamp: 07/15/10 09:46:36
|   system: cisco
|   leap: 0
|   stratum: 2
|   rootdelay: 25.53
|   rootdispersion: 6.96
|   peer: 511
|   refid: 156.34.21.3
|   reftime: 0xCFE98F9B.EF8BC22B
|   poll: 6
|   clock: 0xCFE98FB1.E0211428
|   phase: -0.462
|   freq: -176.82
|_  error: 0.75
161/udp open  snmp    Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops

Host script results:
|_ipidseq: Randomized
| qscan:
| PORT   FAMILY  MEAN (ms)  STDDEV  LOSS (%)
| 1      0       62.50      0.53    0.0%
| 3      0       62.80      0.42    0.0%
|_65389  0       62.30      0.48    0.0%

TRACEROUTE (using port 113/tcp)
HOP RTT     ADDRESS
1   0.00 ms 192.168.2.3
2   0.00 ms 10.0.0.7

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
           Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)


It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?

Nagaraja Thanthry Fri, 07/16/2010 - 11:18

Hello,


You can do it in two steps:

Step 1: As long as it is in the same IP subnet, ping the IP address. Then check the ARP cache.

Step 2: Now on the switch, issue "show mac address-table | include "

That will give you the exact port the IP is connected to.


Hope this helps.


Regards,


NT

Ganesh Hariharan Fri, 07/16/2010 - 11:40

Hi,


As suggested by NT, first ping from the local switch and then issue the command show mac-address to find the IP address associated with the MAC and the MAC learned from the port.


Hope to Help !!


Ganesh.H

oneirishpollack Fri, 07/16/2010 - 21:55

Help me out with this.


192.168.2.3 is my internal router. When I ping two devices: 10.4.4.30 and the unknown device 10.0.0.7 I get replies. When I do a 'show arp', I fail to get a MAC for the 10.0.0.7 address, though I do get one for the 10.4.4.30 address.



L1-router2# sh arp | include 10.4.4.30
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
L1-router2# sh arp | include 10.0.0.7
L1-router2#

Leo Laohoo Fri, 07/16/2010 - 23:49

The MAC address "0019.b973.b5c9" belongs to a Dell client.

Ganesh Hariharan Sat, 07/17/2010 - 01:45

Try pinging from the switch where you think it is connected and then try show arp or show mac-address.


Hope to Help !!


Ganesh.H

oneirishpollack Sat, 07/17/2010 - 18:10

I relocated this to the correct response.


In addition, the 10.4.4.30 address was just to verify that ARP was working on the switch. The 10.0.0.7 address is the IP I am trying to discover.

Richard Burts Sat, 07/17/2010 - 05:29

The output from NMAP indicates that the device is 2 hops away. In this case there would not be an ARP entry in the local router (since ARP is for locally connected devices). I would suggest doing a traceroute to the 10.0.0.7 address. Go to the last device that responded, and do the show arp on that device.


HTH


Rick
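
As an added illustration of the two-step lookup NT gives above (ping, read the ARP cache, then read the MAC address table) and of Rick's point that ARP only ever holds directly connected hosts, here is a small Python script that is not part of this thread or of any Cisco tool. It parses constructed sample output modelled on the IOS "show arp" and "show mac address-table" formats; the 10.4.4.30 / 0019.b973.b5c9 pair is taken from the thread, every other address, MAC and port is made up. It also counts how many MACs each port has learned, so a port carrying several MACs is flagged as a likely uplink to follow to the next switch rather than the device's own port; the threshold of three MACs is an assumed heuristic, not anything the thread states.

```python
import re
from collections import Counter

# Constructed sample output in Cisco IOS format (added example, not from the thread).
# 10.4.4.30 -> 0019.b973.b5c9 is the pair shown in the thread; everything else is made up.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.4.1                -   0011.2233.4455  ARPA   Vlan4
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
Internet  10.4.4.77              12   0019.b973.aaaa  ARPA   Vlan4
Internet  10.4.4.99              45   0019.b973.dddd  ARPA   Vlan4
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0011.2233.4455    STATIC      CPU
   4    0019.b973.b5c9    DYNAMIC     Gi1/0/12
   4    0019.b973.aaaa    DYNAMIC     Gi1/0/1
   4    0019.b973.bbbb    DYNAMIC     Gi1/0/1
   4    0019.b973.cccc    DYNAMIC     Gi1/0/1
"""

MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
# "Internet  <ip>  <age|->  <mac>  ARPA  <interface>"
ARP_LINE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M)
# "<vlan|All>  <mac>  <type>  <port>"
MAC_LINE = re.compile(r"^\s*(\d+|All)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_show_arp(text):
    """Map IP -> (MAC, interface) from 'show arp' output."""
    return {ip: (mac.lower(), iface) for ip, mac, iface in ARP_LINE.findall(text)}


def parse_mac_table(text):
    """Map MAC -> (VLAN, port) from 'show mac address-table' output."""
    return {mac.lower(): (vlan, port) for vlan, mac, _kind, port in MAC_LINE.findall(text)}


def locate(ip, arp_text, mac_text, uplink_threshold=3):
    """Follow IP -> MAC -> port on one device and say why the chain stops when it does.

    Statuses:
      not_in_arp      - the IP is not on a subnet this device is directly attached to;
                        ARP is only populated for local hosts, so take the last hop of a
                        traceroute and repeat the lookup there (the situation in this thread).
      mac_not_learned - ARP knows the MAC but the bridging table has aged it out; ping the
                        IP again and re-read the table.
      uplink_follow   - the port has learned several MACs, so it is most likely a trunk
                        to another switch; repeat the lookup on that switch.
      edge_port       - the port carries only this MAC: the device sits on it.
    """
    arp = parse_show_arp(arp_text)
    if ip not in arp:
        return {"ip": ip, "status": "not_in_arp"}
    mac, iface = arp[ip]
    table = parse_mac_table(mac_text)
    if mac not in table:
        return {"ip": ip, "mac": mac, "interface": iface, "status": "mac_not_learned"}
    vlan, port = table[mac]
    macs_per_port = Counter(p for _v, p in table.values())
    status = "uplink_follow" if macs_per_port[port] >= uplink_threshold else "edge_port"
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": status}


if __name__ == "__main__":
    for target in ("10.4.4.30", "10.4.4.77", "10.4.4.99", "10.0.0.7"):
        print(locate(target, SHOW_ARP, SHOW_MAC_TABLE))
```

Run against the constructed output, 10.4.4.30 resolves to Gi1/0/12 as an edge port, 10.4.4.77 lands on Gi1/0/1 with two other MACs and is reported as an uplink to follow, and 10.0.0.7 comes back as not_in_arp, which is exactly the "no ARP entry on the router" result the original poster sees: the next step is the show arp on whatever device answered as the last hop before 10.0.0.7.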

oneirishpollack Sat, 07/17/2010 - 19:27

Thanks for all the help thus far. Here is the situation....

The trace route (tracert) from my workstation (10.9.9.50/24) to 10.0.0.7 shows this...

"Tracing route to 10.0.0.7 over a maximum of 30 hops

  1     3 ms     4 ms     4 ms  192.168.2.3
  2     1 ms    <1 ms    <1 ms  10.0.0.7

Trace complete."

Trace ip 10.0.0.7 from my internal router (192.168.2.3) maxes out:

"L1-router2#trace ip 10.0.0.7

Type escape sequence to abort.
Tracing the route to 10.0.0.7

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *

 29  *  *  *
 30  *  *  *"

So 10.0.0.7, the "rogue" device I am trying to locate, appears to be connected to 192.168.2.3 (VLANs used) based on the results of my trace route. Why doesn't the MAC show up in the mac-address table of 192.168.2.3 or the IP/MAC in the ARP table?

oneirishpollack Tue, 07/20/2010 - 08:33

So I verified that the tracert:


Tracing route to 10.0.0.7 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.3
  2     1 ms    <1 ms    <1 ms  10.0.0.7

Trace complete.


10.0.0.7 is the device in question, but its IP is not in the ARP table of the router.



L1-router2#sh arp | include 10.0.0.7
L1-router2#


Any reasons why this might be?
