• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 358
  • Last Modified:

Unauthorized user. Need to track him down.

Ok, someone just plugged into my network at work with an unauthorized computer. I have his MAC. The problem is we have 3 switches and a core switch. Which one do I log in to, and what command do I give to find the switchport he is on?
Thanks. This guy has been causing havoc. How do I find him?
Thanks
Asked:
dissolved
Dr-IP commented:
Try this and if it's on the switch it should show you the port, you may also see the VLAN it's on.

office#sh Mac-address-table address 0004.0068.713c
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.0068.713c       Dynamic          1  FastEthernet0/46
office#
 
dissolved (Author) commented:
Hi Dr-IP. I'm getting errors trying that. I'm doing a

Switch2ndfloor#    sh  00-0F-1F-16-D2-3A

Is that what you wanted me to do?
 
Dr-IP commented:
On my switches I use

sh Mac-address-table address 0004.0068.713c
 
lrmoore commented:
dissolved,
Get the free 30day eval of SolarWinds Engineers toolkit and use the switchport mapper...
You'll find him in seconds....
 
lrmoore commented:
forgot the link
http://www.solarwinds.net
 
dissolved (Author) commented:
Thanks lrmoore, I downloaded it. Will use it tomorrow when I return to work! Gotta catch him

Just curious, Dr-IP, I'm confused.

sh mac-address-table address 0004.0068.713c

I'm assuming I put HIS MAC address in the "mac-address" place you specified. What do I put for table address? Also, what significance does the 0004.0068.713c have?

Thanks
 
Dr-IP commented:
The 0004.0068.713c is an example for the mac address; use the same command except substitute the 0004.0068.713c with the mac address you are looking for.
 
dissolved (Author) commented:
10-4
Thanks for the patience with me :)
 
PennGwyn commented:
Cisco likes xxxx.xxxx.xxxx notation for MAC addresses.  Some of the equipment I use can't decide whether it prefers XXXXXX:XXXXXX or XX:XX:XX:XX:XX:XX from one command to the next.

The "sh mac-address-table" command shows this switch's table of what MAC addresses are on what port.  Adding "address <blah>" will show only that address, rather than the whole table (which could be pretty large).  The answer may be a port that connects to another switch -- if so, telnet to that switch and repeat.  Eventually, you'll get to a switch where the table points to a user port.

Another technique I like is to define a dynamic VLAN and assign his MAC address to it.  If you run VTP, he can move to any other jack, and he'll still wind up quarantined.  He will either slink away, or ask you why he can't connect any more.

 
Dr-IP commented:
Rigging it so they can never plug in that laptop again may be a good idea, but until I found out who it was I wouldn’t do anything likely to tip them off to the fact I know what they are doing, then I’d give it to them good.

Last time I caught someone with a laptop plugged into my network screwing with things, after I had figured out who it was, I fixed their wagon really good. I hacked that laptop so good, that after a month of trying to fix it they threw it away. Fact is when you really are the master of your network, anyone that comes and plays on your home turf is wide open for a myriad of exploits.

Also there is a lesson here: secure the inside of your network just as if it was directly exposed to the internet, because often the greatest threats of all are those that come from within.
 
dissolved (Author) commented:
Thanks PennGwyn. I'll keep that in mind when I attempt this command tomorrow.

Dr IP. That is great advice.  Thank you.
 
dissolved (Author) commented:
the sh mac-address-table command is unrecognized. I'm trying this from the # prompt on a 2980G switch and 2948 switch. Any ideas?
Thanks
 
dissolved (Author) commented:
lrmoore, I got the tool running. I put in my switch's IP address and SNMP community string; it shows MAC addresses, interface, etc. But it does not show IP. Is this normal or is this a problem with the SNMP?
 
lrmoore commented:
Put your router's IP and snmp string in the other side.
It takes a combination of MAC address from the switch and arp entry from the router to get the complete picture..
 
Dr-IP commented:
The closest switch I have access to right now is a WS-C2924-XL with version 12.0(5)WC5a enterprise. Maybe your IOS is older and uses a slightly different command; try "show m?" and "show ip m?", and see if it lists a similar command.
 
Dr-IP commented:
Since they probably are using a DHCP address, an easy way to find it is to look on the DHCP server's list of reservations, and if you have used some standard for naming your computers on the network, theirs should stand out like a sore thumb.
 
dissolved (Author) commented:
Thanks guys.

lrmoore: Thanks, totally didn't use my brain on that one. Problem I have now is that we don't have access to the router. I only have access to the switches. I obtained the relevant SNMP info from the switch.
But I have no clue what the router is set up to use. I tried the same SNMP name with its IP and I got an error
" 172.25.22.1 Does not reply to SNMP quries using  HMSSro"

Is there any way to derive what SNMP name the router uses without having access to it? I guess it's possible it's not even configured with an SNMP public name (I'm still learning with the SNMP stuff, BTW).

Dr IP: You're right. He is in the address lease and does indeed stick out. He is offline at the moment; I'm waiting for him to come back on. The switch I am using here is a 2980G which doesn't appear to be running IOS. Maybe CatOS? The regular commands don't work on it.

Thanks
 
lrmoore commented:
If you don't know the snmp string of the router, you can try the SNMP Brute Force feature of SolarWinds toolkit.
Else, if you can telnet to it, you can "sho arp" and look for it manually..
 
Dr-IP commented:
One thing you might want to do is open a command prompt on your computer and do a ping with the -t option so that when they connect again you hopefully will spot it right away.
 
Dr-IP commented:
On my CAT OS switches the command is "sh cam XX-XX-XX-XX-XX-XX" the X's are for the MAC address. You can also do a "sh cam dynamic" and it will show you the ports each MAC address is being routed to.
 
dissolved (Author) commented:
Ok, that worked! Now we have 3 or 4 switches here. How do I figure out which one he is on?


dhsscat2980_21 (enable) sh cam 00-08-74-FF-44-9F
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
dhsscat2980_21 (enable)

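Added example, not code from this thread or from Cisco: a small Python helper that converts a MAC between the notations PennGwyn describes, then parses either the IOS "sh mac-address-table address" output or the CatOS "sh cam" output quoted above to return the VLAN and port. The sample outputs are constructed copies of the two formats shown in the thread, and the list of uplink ports (ports that lead to another switch, where the lookup has to be repeated) is an assumption the caller supplies.

```python
import re

# Constructed samples copying the two table formats quoted in this thread
IOS_SAMPLE = """Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.0068.713c       Dynamic          1  FastEthernet0/46
"""
CATOS_SAMPLE = """* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
"""

def normalize_mac(mac):
    """Reduce 0004.0068.713c, 00-08-74-FF-44-9F, 00:08:74:ff:44:9f or
    000874:ff449f to 12 lowercase hex digits so notations compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def to_ios(mac):
    """xxxx.xxxx.xxxx, the form 'sh mac-address-table address' wants."""
    d = normalize_mac(mac)
    return f"{d[:4]}.{d[4:8]}.{d[8:]}"

def to_catos(mac):
    """XX-XX-XX-XX-XX-XX, the form CatOS 'sh cam' wants."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))

_MAC_RE = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)
_PORT_RE = re.compile(r"^[A-Za-z]*\d+/\d+$")   # FastEthernet0/46 or CatOS 3/33

def find_port(output, mac, uplinks=()):
    """Find `mac` in IOS or CatOS table output. None if this switch has not
    learned it; otherwise VLAN, port, and whether the port is one of the
    caller-supplied uplinks to another switch (then repeat the lookup there)."""
    want = normalize_mac(mac)
    for line in output.splitlines():
        m = _MAC_RE.search(line)
        if not m or normalize_mac(m.group(0)) != want:
            continue
        rest = (line[:m.start()] + line[m.end():]).split()   # remaining columns
        port = next((t for t in rest if _PORT_RE.match(t)), None)
        vlan = next((t for t in rest if t.isdigit()), None)
        return {"vlan": vlan, "port": port, "uplink": port in set(uplinks)}
    return None
```

Paste the real switch output in place of the samples; when the result says uplink, log in to the switch on the far end of that port and run the lookup again, as PennGwyn describes.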
 
Dr-IP commented:
Unless port 3/33 is plugged into another switch, I’d say that’s where they are.
 
dissolved (Author) commented:
thanks!
Question has a verified solution.