Solved

Unauthorized user. Need to track him down.

Posted on 2004-10-20
Last Modified: 2010-04-17
Ok, someone just plugged into my network at work with an unauthorized computer. I have his MAC. Problem is we have 3 switches and a core switch. Which one do I log in to and what command do I give to find the switchport he is on?
Thanks. This guy has been causing havoc. How do I find him?
Thanks
23 Comments
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12362508
Try this and if it's on the switch it should show you the port, you may also see the VLAN it's on.

office#sh Mac-address-table address 0004.0068.713c
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.0068.713c       Dynamic          1  FastEthernet0/46
office#

Author Comment

by:dissolved
ID: 12362701
Hi Dr-IP. I'm getting errors trying that. I'm doing a

Switch2ndfloor#    sh  00-0F-1F-16-D2-3A

Is that what you wanted me to do?
LVL 13

Expert Comment

by:Dr-IP
ID: 12362856
On my switches I use

sh Mac-address-table address 0004.0068.713c
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 200 total points
ID: 12363021
dissolved,
Get the free 30-day eval of SolarWinds Engineer's Toolkit and use the switch port mapper...
You'll find him in seconds....
LVL 79

Expert Comment

by:lrmoore
ID: 12363028
Forgot the link:
http://www.solarwinds.net

Author Comment

by:dissolved
ID: 12363079
Thanks lrmoore, I downloaded it. Will use it tomorrow when I return to work! Gotta catch him.

Just curious Dr-IP, I'm confused.

sh mac-address-table address 0004.0068.713c

I'm assuming I put HIS mac address in the "mac-address" place you specified. What do I put for table address? Also, what significance does the 0004.0068.713c have?

Thanks
LVL 13

Expert Comment

by:Dr-IP
ID: 12363135
The 0004.0068.713c is an example for the mac address; use the same command except substitute the 0004.0068.713c with the mac address you are looking for.

Author Comment

by:dissolved
ID: 12363143
10-4
Thanks for the patience with me :)
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 100 total points
ID: 12364415
Cisco likes xxxx.xxxx.xxxx notation for MAC addresses.  Some of the equipment I use can't decide whether it prefers XXXXXX:XXXXXX or XX:XX:XX:XX:XX:XX from one command to the next.

The "sh mac-address-table" command shows this switch's table of what MAC addresses are on what port.  Adding "address <blah>" will show only that address, rather than the whole table (which could be pretty large).  The answer may be a port that connects to another switch -- if so, telnet to that switch and repeat.  Eventually, you'll get to a switch where the table points to a user port.

Another technique I like is to define a dynamic VLAN and assign his MAC address to it.  If you run VTP, he can move to any other jack, and he'll still wind up quarantined.  He will either slink away, or ask you why he can't connect any more.

LVL 13

Expert Comment

by:Dr-IP
ID: 12364995
Rigging it so they can never plug in that laptop again may be a good idea, but until I found out who it was I wouldn’t do anything likely to tip them off to the fact I know what they are doing, then I’d give it to them good.

Last time I caught someone with a laptop plugged into my network screwing with things, after I had figured out who it was, I fixed their wagon really good. I hacked that laptop so good, that after a month of trying to fix it they threw it away. Fact is when you really are the master of your network, anyone that comes and plays on your home turf is wide open for a myriad of exploits.

Also there is a lesson here: secure the inside of your network just as if it was directly exposed to the internet, because often the greatest threats of all are those that come from within.

Author Comment

by:dissolved
ID: 12366161
Thanks PennGwyn. I'll keep that in mind when I attempt this command tomorrow.

Dr-IP: That is great advice. Thank you.
Author Comment

by:dissolved
ID: 12368672
The sh mac-address-table command is unrecognized. I'm trying this from the # prompt on a 2980G switch and a 2948 switch. Any ideas?
Thanks

Author Comment

by:dissolved
ID: 12369870
lrmoore, I got the tool running. I put in my switch's IP address and SNMP community string; it shows MAC addresses, interface etc. but does not show IP. Is this normal or is this a problem with the SNMP?
LVL 79

Expert Comment

by:lrmoore
ID: 12369912
Put your router's IP and SNMP string in the other side.
It takes a combination of the MAC address from the switch and the ARP entry from the router to get the complete picture.
LVL 13

Expert Comment

by:Dr-IP
ID: 12370016
The closest switch I have access to right now is a WS-C2924-XL with version 12.0(5)WC5a enterprise. Maybe your IOS is older and uses a slightly different command; try “show m?” and “show ip m?”, and see if it lists a similar command.
LVL 13

Expert Comment

by:Dr-IP
ID: 12370123
Since they probably are using a DHCP address, an easy way to find it is to look on the DHCP server's list of leases, and if you have used some standard for naming your computers on the network, theirs should stand out like a sore thumb.

Author Comment

by:dissolved
ID: 12370215
Thanks guys.

lrmoore: Thanks, totally didn't use my brain on that one. Problem I have now is that we don't have access to the router. I only have access to the switches. I obtained the relevant SNMP info from the switch.
But I have no clue what the router is set up to use. I tried the same SNMP name with its IP and I got an error:
"172.25.22.1 Does not reply to SNMP quries using  HMSSro"

Is there any way to derive what SNMP name the router uses without having access to it? I guess it's possible it's not even configured with an SNMP public name (I'm still learning the SNMP stuff, btw).

Dr-IP: You're right. He is in the address leases and does indeed stick out. He is offline at the moment; I'm waiting for him to come back on. The switch I am using here is a 2980G, which doesn't appear to be running IOS. Maybe CatOS? The regular commands don't work on it...

Thanks
LVL 79

Expert Comment

by:lrmoore
ID: 12370590
If you don't know the SNMP string of the router, you can try the SNMP Brute Force feature of the SolarWinds toolkit.
Else, if you can telnet to it, you can "sho arp" and look for it manually.
LVL 13

Expert Comment

by:Dr-IP
ID: 12370752
One thing you might want to do is open a command prompt on your computer and do a ping with the -t option, so that when they connect again you hopefully will spot it right away.
LVL 13

Accepted Solution

by:Dr-IP
Dr-IP earned 200 total points
ID: 12372262
On my CatOS switches the command is "sh cam XX-XX-XX-XX-XX-XX", where the X's are the MAC address. You can also do a "sh cam dynamic" and it will show you the port each MAC address is being forwarded to.

Author Comment

by:dissolved
ID: 12372602
Ok, that worked! Now we have 3 or 4 switches here. How do I figure out which one he is on?

dhsscat2980_21 (enable) sh cam 00-08-74-FF-44-9F
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
dhsscat2980_21 (enable)

LVL 13

Expert Comment

by:Dr-IP
ID: 12373148
Unless port 3/33 is plugged into another switch, I’d say that’s where they are.
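Putting the thread's pieces together as an added example (not code from any of the posters): parse the MAC table in either the IOS `sh mac-address-table` or CatOS `sh cam` format, follow the MAC from the core across trunk ports until it lands on a user port (PennGwyn's "repeat until you reach a user port"), and join it with the router's ARP table for the IP (lrmoore's MAC-plus-ARP point). The two-switch topology, the `UPLINKS` map and the IOS/ARP lines are constructed; only the CatOS output is modelled on the one shown above.

```python
import re

# Constructed sample output modelled on the thread (not real captures): the core runs IOS,
# the 2980G runs CatOS, and the router's ARP table supplies the IP for the MAC.
CORE_IOS = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0008.74ff.449f       Dynamic         22  GigabitEthernet0/1
"""
EDGE_CATOS = """\
dhsscat2980_21 (enable) sh cam 00-08-74-FF-44-9F
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
"""
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.22.57            3   0008.74ff.449f  ARPA   Vlan22
"""
TABLES = {"core": CORE_IOS, "dhsscat2980_21": EDGE_CATOS}
# Assumed topology: which ports are trunks to another switch. Anything else is a user port.
UPLINKS = {("core", "GigabitEthernet0/1"): "dhsscat2980_21"}

def mac_digits(token):
    """12 lowercase hex digits for xxxx.xxxx.xxxx / xx-xx-.. / xx:xx:.. forms, else None."""
    d = re.sub(r"[^0-9a-fA-F]", "", token).lower()
    return d if len(d) == 12 else None

def port_for_mac(output, mac):
    """(vlan, port) where `mac` is learned, from IOS 'sh mac-address-table' or CatOS 'sh cam'."""
    want = mac_digits(mac)
    for line in output.splitlines():
        f = line.split()
        if want is None or want not in (mac_digits(t) for t in f): continue
        port = next((t for t in f if "/" in t and mac_digits(t) != want), None)
        vlan = next((t for t in f if t.isdigit()), None)
        if port: return vlan, port   # the echoed command line has the MAC but no port
    return None

def trace(mac, tables, uplinks, start):
    """Follow the MAC from `start` across trunks until it lands on a user port (or is lost)."""
    sw, path = start, []
    while sw in tables and sw not in [p[0] for p in path]:   # second test guards loops
        hit = port_for_mac(tables[sw], mac)
        if hit is None: break          # not learned here: device offline or entry aged out
        path.append((sw, hit[1]))
        if (sw, hit[1]) not in uplinks: return path, (sw, hit[0], hit[1])  # user port
        sw = uplinks[(sw, hit[1])]     # trunk: telnet to the next switch and repeat
    return path, None

def ip_for_mac(arp_output, mac):
    """Join the switch-side MAC with the router's 'sho arp' entry to get the IP address."""
    for line in arp_output.splitlines():
        f = line.split()
        if mac_digits(mac) in (mac_digits(t) for t in f):
            return next((t for t in f if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", t)), None)
    return None
```

Running `trace("00-08-74-FF-44-9F", TABLES, UPLINKS, "core")` walks core → dhsscat2980_21 and stops at 3/33, the same check Dr-IP describes: a hit on a port that is not a known uplink is where the device sits.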

Author Comment

by:dissolved
ID: 12373390
Thanks!