07-20-2010 11:59 AM - edited 03-09-2019 11:04 PM
Can someone help me figure out how to track down this rogue device on the
network? I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap, with the following results:
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning 10.0.0.7 [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Discovered open port 123/udp on 10.0.0.7
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on 10.0.0.7
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.0.0.7
Discovered open|filtered port 161/udp on 10.0.0.7 is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.7
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning 10.0.0.7.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.7
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
| ntp-info:
| receive time stamp: 07/15/10 09:46:36
| system: cisco
| leap: 0
| stratum: 2
| rootdelay: 25.53
| rootdispersion: 6.96
| peer: 511
| refid: 156.34.21.3
| reftime: 0xCFE98F9B.EF8BC22B
| poll: 6
| clock: 0xCFE98FB1.E0211428
| phase: -0.462
| freq: -176.82
|_ error: 0.75
161/udp open snmp Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops
Host script results:
|_ipidseq: Randomized
| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 1 0 62.50 0.53 0.0%
| 3 0 62.80 0.42 0.0%
|_65389 0 62.30 0.48 0.0%
TRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.2.3
2 0.00 ms 10.0.0.7
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)
It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?
I have already looked at the ARP table on the router (192.168.2.3), and there is no 10.0.0.7 entry.
Thanks.
07-21-2010 01:53 PM
Does your L3 switch have an interface VLAN configured in the 10.0.0.0 subnet? If it doesn't, then you wouldn't be able to check the MAC address of 10.0.0.7 with the "show arp" command. From the Nmap output, it seems to be a Wireless Access Point (Cisco Aironet 1231G WAP (IOS 12.3)).
07-22-2010 05:31 AM
Thanks for the reply.
Yes, the 192.168.2.3 L3 switch utilizes VLANs and SVIs for internal routing. I guess one of the reasons I am confused is that the router does have the following addresses in its ARP table:
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.8.92.9               20   0001.a003.d235  ARPA   Vlan92
Internet  10.8.30.75               9   001e.c952.6478  ARPA   Vlan30
Internet  192.168.2.54            60   0019.3176.28fe  ARPA   Vlan7
Internet  10.8.92.2                -   0012.d94b.bc4a  ARPA   Vlan80
Internet  10.8.30.77              18   001b.23df.3382  ARPA   Vlan30
Internet  10.8.90.9              170   0000.4835.57dd  ARPA   Vlan90
Internet  192.168.2.55             9   001b.d59a.71a0  ARPA   Vlan7
So why can it record MAC addresses for these devices, but not the 10.0.0.7?
Our VLANS are subnetted as follows: "10.0.0.0/24 is subnetted, 14 subnets"
Ultimately, if it were you, how would you try and track down this device?
07-22-2010 09:43 AM
The router has the ARP entries for all those VLANs because the router has interfaces in those VLANs.
You would need to have an interface in 10.0.0.0/24 on the router for the router to be able to show you the ARP entries in that particular subnet/VLAN.
If you check the output of "show ip int brief" on the router, you would see that the ARP entries you see on the router correspond to the VLAN interfaces configured on the router. You probably do not have an interface from 10.0.0.0/24 on the router, hence you don't see any ARP entries for that subnet on the router.
Hope that makes sense.
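The lookup chain the replies describe (is the subnet directly connected on this switch, if so which SVI, then the ARP entry for the IP, then the MAC address table for the port) can be scripted over output captured from the switch. The following is an added example and is not code from the thread or from Cisco; the "show ip route", "show ip arp" and "show mac address-table address" text it parses is constructed in the format IOS prints, and the MAC addresses, next-hop address, VLAN and port names in it are placeholders, not the poster's network. In practice you would paste the real output of those three commands, run on the L3 switch the traceroute points at, into the strings below.

```python
"""Trace an IP address to an access port from captured IOS show-command output.

Added example (not from the thread). All sample output below is constructed
in the IOS format; addresses, MACs, VLAN and port names are placeholders.
"""
import ipaddress
import re

# Constructed: 'show ip route 10.0.0.7' on an L3 switch with an SVI in 10.0.0.0/24.
ROUTE_CONNECTED = """\
Routing entry for 10.0.0.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan10
      Route metric is 0, traffic share count is 1
"""
# Constructed: the same lookup on a switch that only holds a route for that
# subnet and has no SVI in it (the situation the reply above describes).
ROUTE_VIA_NEXT_HOP = """\
Routing entry for 10.0.0.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.8.0.1
      Route metric is 0, traffic share count is 1
"""
# Constructed: 'show ip arp' (placeholder MACs).
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.7               12   0012.d94b.1234  ARPA   Vlan10
Internet  10.0.0.1                -   0012.d94b.bc4a  ARPA   Vlan10
"""
# Constructed: 'show mac address-table address 0012.d94b.1234'.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0012.d94b.1234    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 1
"""

ROUTE_RE = re.compile(r"Routing entry for (\S+)")
CONNECTED_RE = re.compile(r"directly connected, via (\S+)")
NEXT_HOP_RE = re.compile(r"^\s*\*\s+(\d+\.\d+\.\d+\.\d+)", re.M)
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def parse_route(text):
    """Longest-match route: prefix, whether it is connected, and SVI or next hop."""
    m = ROUTE_RE.search(text)
    if not m:
        return None
    prefix = ipaddress.ip_network(m.group(1), strict=False)
    c = CONNECTED_RE.search(text)
    if c:
        return {"prefix": prefix, "connected": True, "via": c.group(1)}
    n = NEXT_HOP_RE.search(text)
    return {"prefix": prefix, "connected": False, "via": n.group(1) if n else None}


def parse_arp(text, ip):
    """Return (mac, interface) for ip from 'show ip arp' output, or None."""
    for addr, mac, iface in ARP_RE.findall(text):
        if addr == ip:
            return mac, iface
    return None


def parse_mac_table(text, mac):
    """Return [(vlan, port), ...] where the MAC was learned."""
    return [(int(v), port) for v, m, port in MAC_RE.findall(text) if m == mac]


def trace(ip, route_out, arp_out, mac_out):
    """Walk route -> ARP -> MAC table and say how far the trace got."""
    route = parse_route(route_out)
    if route is None or ipaddress.ip_address(ip) not in route["prefix"]:
        return {"status": "no-route"}
    if not route["connected"]:
        # This switch only forwards toward a next hop; it never ARPs for the
        # host itself, so its ARP table is empty for it. Repeat on the next hop.
        return {"status": "not-connected", "next_hop": route["via"]}
    entry = parse_arp(arp_out, ip)
    if entry is None:
        # Connected but not in ARP: ping the host from this switch and re-check.
        return {"status": "no-arp", "svi": route["via"]}
    mac, iface = entry
    ports = parse_mac_table(mac_out, mac)
    if not ports:
        return {"status": "no-mac", "mac": mac, "svi": iface}
    vlan, port = ports[0]
    return {"status": "found", "mac": mac, "svi": iface, "vlan": vlan, "port": port}


if __name__ == "__main__":
    print(trace("10.0.0.7", ROUTE_CONNECTED, ARP, MAC_TABLE))
    print(trace("10.0.0.7", ROUTE_VIA_NEXT_HOP, ARP, MAC_TABLE))
```

If the port the MAC resolves to is a trunk ("show interfaces trunk"), the device is behind another switch: repeat only the "show mac address-table address" step on that neighbor ("show cdp neighbors" on the trunk port names it) until the MAC lands on an access port. The "not-connected" result is the case the reply above describes: the switch has a route for the subnet but no SVI in it, so its ARP table cannot contain the host and the same lookup has to be run on the next hop.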
07-22-2010 11:05 AM
It makes sense, but when I ping the 10.0.0.7 address from a 10.4.8.x machine, it goes through the 192.168.2.3 L3 switch utilizing SVIs. The tracert shows the following:
Tracing route to 10.0.0.7 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.3
2 1 ms <1 ms <1 ms 10.0.0.7
Trace complete.
So it must have a route or interface to 10.0.0.7, correct?