Help with unknown device location...

oneirishpollack · ‎07-20-2010

Can some one help me figure out how to track down this rogue device on the

network. I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time

NSE: Loaded 117 scripts for scanning.

Initiating Ping Scan at 09:02

Scanning 10.0.0.7 [7 ports]

Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:02

Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed

Initiating SYN Stealth Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)

Initiating UDP Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Discovered open port 123/udp on 10.0.0.7

Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)

Initiating Service scan at 09:02

Scanning 1000 services on 10.0.0.7

Service scan Timing: About 0.40% done

Discovered open port 161/udp on 10.0.0.7

Discovered open|filtered port 161/udp on 10.0.0.7 is actually open

Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)

Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)

Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)

Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)

Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)

Initiating OS detection (try #1) against 10.0.0.7

Initiating Traceroute at 09:46

Completed Traceroute at 09:46, 0.03s elapsed

Initiating Parallel DNS resolution of 2 hosts. at 09:46

Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed

NSE: Script scanning 10.0.0.7.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 09:46

NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)

NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)

NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)

Completed NSE at 10:21, 2078.55s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 10:21

Completed NSE at 10:21, 5.02s elapsed

NSE: Script Scanning completed.

Nmap scan report for 10.0.0.7

Host is up (0.00s latency).

Not shown: 1000 closed ports, 998 open|filtered ports

PORT STATE SERVICE VERSION

123/udp open ntp NTP v4

| ntp-info:

| receive time stamp: 07/15/10 09:46:36

| system: cisco

| leap: 0

| stratum: 2

| rootdelay: 25.53

| rootdispersion: 6.96

| peer: 511

| refid: 156.34.21.3

| reftime: 0xCFE98F9B.EF8BC22B

| poll: 6

| clock: 0xCFE98FB1.E0211428

| phase: -0.462

| freq: -176.82

|_ error: 0.75

161/udp open snmp Cisco SNMP service

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: switch|WAP

Running: Cisco IOS 12.X

OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)

Network Distance: 2 hops

Host script results:

|_ipidseq: Randomized

| qscan:

| PORT FAMILY MEAN (ms) STDDEV LOSS (%)

| 1 0 62.50 0.53 0.0%

| 3 0 62.80 0.42 0.0%

|_65389 0 62.30 0.48 0.0%

TRACEROUTE (using port 113/tcp)

HOP RTT ADDRESS

1 0.00 ms 192.168.2.3

2 0.00 ms 10.0.0.7

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds

Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)

It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?

I have already look at the ARP table on the router (192.168.2.3) and there is no 10.0.0.7 entry.

Thanks.

Jennifer Halim · ‎07-21-2010

Does your L3 switch have interface VLAN configured in the 10.0.0.0 subnet? if it doesn't then you wouldn't be able to check the MAC address of 10.0.0.7 with the "show arp" command. From the NMAP, it seems to be a Wireless Access Point (Cisco Aironet 1231G WAP (IOS 12.3)).

oneirishpollack · ‎07-22-2010

Thanks for the reply.

Yes, the 192.168.2.3 L3 switch utilizes VLANs and SVIs for internal routing. I guess one of the reasons I am confused is the router does have the following addresses in it's ARP table:

Internet 10.8.92.9              20   0001.a003.d235 ARPA   Vlan92
Internet 10.8.30.75              9   001e.c952.6478 ARPA   Vlan30
Internet 192.168.2.54           60   0019.3176.28fe ARPA   Vlan7
Internet 10.8.92.2               -   0012.d94b.bc4a ARPA   Vlan80
Internet 10.8.30.77             18   001b.23df.3382 ARPA   Vlan30
Internet 10.8.90.9             170   0000.4835.57dd ARPA   Vlan90
Internet 192.168.2.55            9   001b.d59a.71a0 ARPA   Vlan7

So why can it record MAC addresses for these devices, but not the 10.0.0.7?

Our VLANS are subnetted as follows: "10.0.0.0/24 is subnetted, 14 subnets"

Ultimately, if it were you, how would you try and track down this device?

Jennifer Halim · ‎07-22-2010

The router has the ARP entries for all those VLAN because the router has interfaces in those VLANs.

You would need to have an interface in 10.0.0.0/24 on the router for the router to be able to show you the ARP entries in that particular subnet/vlan.

If you check the output of "show ip int brief" on the router, you would see that those ARP entries that you see in the router would have the VLAN interfaces configured in the router. You probably do not have an interface from 10.0.0.0/24 on the router, hence you don't see any ARP entries for that subnet in the router.

Hope that makes sense.

oneirishpollack · ‎07-22-2010

It makes sense, but when I ping the 10.0.0.7 address from a 10.4.8.x machine, it goes through the 192.168.2.3 L3 switch utilizing SVIs. The tracert shows the following:

Tracing route to 10.0.0.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.2.3
2 1 ms <1 ms <1 ms 10.0.0.7

Trace complete.

So it must have a route or interface to to 10.0.0.7 correct?