Unauthorized user. Need to track him down.
Ok, someone just plugged into my network at work with an unauthorized computer. I have his MAC. Problem is we have 3 switches and a core switch. Which one do I log in to and what command do I give to find the switchport he is on?
Thanks. This guy has been causing havoc. How do I find him?
Thanks
ASKER
Hi Dr-IP. I'm getting errors trying that. I'm doing a
Switch2ndfloor# sh 00-0F-1F-16-D2-3A
Is that what you wanted me to do?
On my switches I use
sh Mac-address-table address 0004.0068.713c
ASKER
Thanks lrmoore, I downloaded it. Will use it tomorrow when I return to work! Gotta catch him
Just curious Dr Ip, I'm confused.
sh mac-address-table address 0004.0068.713c
I'm assuming I put HIS mac address in the "mac-address" place you specified. What do I put for table address? Also, what significance does the 0004.0068.713c have?
Thanks
The 0004.0068.713c is an example for the mac address; use the same command except substitute the 0004.0068.713c with the mac address you are looking for.
ASKER
10-4
Thanks for the patience with me :)
Rigging it so they can never plug in that laptop again may be a good idea, but until I found out who it was I wouldn’t do anything likely to tip them off to the fact I know what they are doing, then I’d give it to them good.
Last time I caught someone with a laptop plugged into my network screwing with things, after I had figured out who it was, I fixed their wagon really good. I hacked that laptop so good, that after a month of trying to fix it they threw it away. Fact is when you really are the master of your network, anyone that comes and plays on your home turf is wide open for a myriad of exploits.
Also there is a lesson here: secure the inside of your network just as if it was directly exposed to the internet, because often the greatest threats of all are those that come from within.
ASKER
Thanks Pengwyn. I'll keep that in mind when I attempt this command tomorrow.
Dr IP. That is great advice. Thank you.
ASKER
the sh mac-address-table command is unrecognized. I'm trying this from the # prompt on a 2980G switch and 2948 switch. Any ideas?
Thanks
ASKER
lrmoore, I got the tool running. I put in my switch's IP address and SNMP community string, and it shows MAC addresses, interface etc., but does not show IP. Is this normal or is this a problem with the SNMP?
Put your router's IP and snmp string in the other side.
It takes a combination of MAC address from the switch and arp entry from the router to get the complete picture..
The closest switch I have access to right now is a WS-C2924-XL with version 12.0(5)WC5a enterprise. Maybe your IOS is older and uses a slightly different command; try "show m?" and "show ip m?", and see if it lists a similar command.
Since they are probably using a DHCP address, an easy way to find it is to look on the DHCP server's list of leases, and if you have used some standard for naming your computers on the network, theirs should stand out like a sore thumb.
ASKER
Thanks guys.
lrmoore: Thanks, totally didn't use my brain on that one. Problem I have now is that we don't have access to the router. I only have access to the switches. I obtained the relevant SNMP info from the switch.
But I have no clue what the router is set up to use. I tried the same SNMP name with its IP and I got an error:
"172.25.22.1 Does not reply to SNMP queries using HMSSro"
Is there any way to derive what SNMP name the router uses without having access to it? I guess it's possible it's not even configured with an SNMP public name (I'm still learning with the SNMP stuff btw).
Dr IP: You're right. He is in the address lease and does indeed stick out. He is offline at the moment, I'm waiting for him to come back on. The switch I am using here is a 2980G which doesn't appear to be running IOS. Maybe CatOS? The regular commands don't work on it.
Thanks
If you don't know the snmp string of the router, you can try the SNMP Brute Force feature of SolarWinds toolkit.
Else, if you can telnet to it, you can "sho arp" and look for it manually..
One thing you might want to do is open a command prompt on your computer and do a ping with the -t option so that when they connect again you hopefully will spot it right away.
ASKER
Ok that worked! Now we have 3 or 4 switches here. How do I figure out which one he is on?
dhsscat2980_21 (enable) sh cam 00-08-74-FF-44-9F
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f            3/33 [ALL]
Total Matching CAM Entries Displayed  = 1
dhsscat2980_21 (enable)
Unless port 3/33 is plugged into another switch, I’d say that’s where they are.
ASKER
thanks!
office#sh mac-address-table address 0004.0068.713c
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.0068.713c       Dynamic       1     FastEthernet0/46
office#
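Pulling the thread together as an added example (this is not code posted by anyone in the thread): a Python script that normalizes the MAC formats that tripped up the asker (dashed versus Cisco dotted), parses the two table formats quoted above (CatOS "show cam" and IOS "show mac-address-table"), flags ports that look like uplinks to another switch (Dr IP's caveat about port 3/33), and joins the result with the router's "show ip arp" output, which lrmoore points out is needed to get from a MAC to an IP. The sample switch and router output is constructed for the example, and the uplink heuristic (a port that has learned three or more MACs is treated as a trunk) is an assumption; column layout varies between versions, and the reliable way to confirm a port is an uplink is to check its trunk status or CDP neighbor on the switch itself.

```python
import re

# Constructed sample output (not captured from the poster's network). "core" is a
# CatOS switch that sees the rogue MAC on its trunk to edge2; edge2 sees it on a
# single access port. Formats follow the output quoted in the thread.
SAMPLE_TABLES = {
    "core": """\
core (enable) sh cam dynamic
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f            3/1 [ALL]
22    00-04-00-68-71-3c            3/1 [ALL]
22    00-0f-1f-16-d2-3a            3/1 [ALL]
22    00-50-56-aa-bb-cc            3/2 [ALL]
""",
    "edge2": """\
edge2#sh mac-address-table
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0008.74ff.449f       Dynamic       22    FastEthernet0/33
0004.0068.713c       Dynamic       22    FastEthernet0/46
000f.1f16.d23a       Dynamic       22    FastEthernet0/7
0050.56aa.bbcc       Dynamic       22    GigabitEthernet0/1
""",
}

# Constructed IOS "show ip arp" output from the router (the ARP half of the picture).
SAMPLE_ARP = """\
router#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.22.1             -   0004.0068.713c  ARPA   Vlan22
Internet  172.25.22.57           12   000f.1f16.d23a  ARPA   Vlan22
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
PORT_RE = re.compile(r"(?:(?:Fast|Gigabit)?Ethernet|Gi|Fa)\d+(?:/\d+)+|\d+/\d+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize_mac(mac: str) -> str:
    """00-0F-1F-16-D2-3A, 00:0f:1f:16:d2:3a and 000F.1F16.D23A all become 000f.1f16.d23a."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str) -> list[tuple[str, str, str]]:
    """Return (mac, vlan, port) for each forwarding-table row of IOS or CatOS output."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.fullmatch(t)), None)
        if mac_idx is None:
            continue                      # banner, header or separator line
        after = tokens[mac_idx + 1:]
        port = next((t for t in after if PORT_RE.fullmatch(t)), None)
        if port is None:
            continue                      # e.g. an ARP row, which names no switch port
        # CatOS prints the VLAN first; IOS prints it just before the port.
        vlan = next((t for t in [tokens[0]] + after if t.isdigit()), "?")
        rows.append((normalize_mac(tokens[mac_idx]), vlan, port))
    return rows


def locate(mac: str, tables: dict[str, str], uplink_threshold: int = 3) -> list[dict]:
    """Every switch/port that has learned the MAC, flagging ports that look like uplinks.

    Assumption: a port that has learned uplink_threshold or more MACs is a trunk
    to another switch rather than the port the machine is plugged into.
    """
    target = normalize_mac(mac)
    hits = []
    for switch, text in tables.items():
        rows = parse_mac_table(text)
        for row_mac, vlan, port in rows:
            if row_mac == target:
                n = len({m for m, _, p in rows if p == port})
                hits.append({"switch": switch, "vlan": vlan, "port": port,
                             "macs_on_port": n, "likely_uplink": n >= uplink_threshold})
    return hits


def edge_port(mac: str, tables: dict[str, str]):
    """The access port carrying the MAC: where the machine is physically plugged in."""
    access = [h for h in locate(mac, tables) if not h["likely_uplink"]]
    return min(access, key=lambda h: h["macs_on_port"]) if access else None


def parse_arp(text: str) -> dict[str, str]:
    """Map normalized MAC -> IP from IOS 'show ip arp' / 'show arp' output."""
    arp = {}
    for line in text.splitlines():
        tokens = line.split()
        ip = next((t for t in tokens if IP_RE.fullmatch(t)), None)
        hw = next((t for t in tokens if MAC_RE.fullmatch(t)), None)
        if ip and hw:
            arp[normalize_mac(hw)] = ip
    return arp


def track_down(mac: str, tables: dict[str, str], arp_text: str) -> str:
    """One-line answer: which switch, which port, which IP."""
    target = normalize_mac(mac)
    ip = parse_arp(arp_text).get(target, "no ARP entry")
    loc = edge_port(mac, tables)
    if loc is None:
        return f"{target}: seen only on uplinks, check the next switch down; IP {ip}"
    return f"{target}: {loc['switch']} port {loc['port']} (VLAN {loc['vlan']}), IP {ip}"


if __name__ == "__main__":
    for hit in locate("00-0F-1F-16-D2-3A", SAMPLE_TABLES):
        print(hit)
    print(track_down("00-0F-1F-16-D2-3A", SAMPLE_TABLES, SAMPLE_ARP))
```

In practice you would paste the full "show cam dynamic" or "show mac-address-table" output of each switch into SAMPLE_TABLES (not just the single-address lookup), since the uplink test needs to know how many other MACs share the port; if the MAC shows up only on ports flagged as uplinks, the machine is hanging off a switch you have not collected yet.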