Solved

Unauthorized local IP addresses showing on the network

Posted on 2006-06-29
19
570 Views
Last Modified: 2010-03-19
When I do an IPSCAN on our network in the office, there are a bunch of live IP addresses in the network.  How can I figure out which computers or devices these are?  I would like to kick them out of their connection for now while trying to figure this out.  What is a better way to deal with this issue?  Has someone been able to crack our network?  Please advise.
Question by:r_yague
19 Comments
 
LVL 4

Accepted Solution

by:
gbirkemeier earned 74 total points
Use tracert or nslookup to determine the NetBIOS name. This may help to identify the source of the IP.
Remember printers, print servers, some switches, and other network-aware hardware can be using IP addresses.
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 71 total points
Use this from the command prompt:

nbtstat -A IP_ADDRESS

This will tell you the computer name. Look for the entry for number 20.
0
 
LVL 10

Assisted Solution

by:fm250
fm250 earned 71 total points
You can use an eval version of SolarWinds to do that for you. It has the IP scan tool that gives you details about every IP. You can scan a range of IPs or a subnet. You can use other free tools to do that for you as well.
Here is the link: http://support.solarwinds.net/Help/IP-Network-Browser/Overview.htm
0
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 71 total points
http://www.gfi.com/languard/ - one of my clients really likes it.

Of course, the ARP command should reveal if you're dealing with a single host or many (arp spoofs notwithstanding)

Cheers,
-Jon
0
 
LVL 44

Expert Comment

by:scrathcyboy
Use command prompt --

ipconfig /all

That should show you all IPs on the network.

Also go into the router or switch at the root IP address (192.168.0.1 ???) and check STATUS -- it will show all computers connected, their IP addresses, and their MAC addresses correlated to name, and that will give you a complete display.  Print it out, for reference, the IP numbers don't often change.
0
 
LVL 16

Expert Comment

by:The--Captain
>use command prompt --
>
>ipconfig /all

scrathcyboy, you forgot to mention that you have to run this command on *every* machine on the network, which may not be feasible...

>Also go into the router or switch at the root IP address (192.168.0.1 ???) and check STATUS -- it will show
>all computers connected, their IP addresses, and their MAC addresses correlated to name,
>and that will give you a complete display

Ridiculous.  This will work a very small fraction of the time, but not most.  Neither my own router nor managed switch conforms to your advice...  How can you even suggest that this will work in most cases?

I could comment more on what appears to be your habit of just firing off wildly inaccurate advice, but this is not the place.

Cheers,
-Jon
0
 
LVL 27

Assisted Solution

by:pseudocyber
pseudocyber earned 71 total points
r_yague, what kind of gear are you running?  If you have manageable equipment, you might be able to look in your forwarding tables and ARP tables to pinpoint where those IPs are physically connected and then shut down their port and wait for the phone to ring.
0
 

Author Comment

by:r_yague
I just remembered that we installed VOIP telephone units.  Do you think these unknown IPs are the telephone adapters that came with each phone?  If so, how can I check which adapter belongs to which IP address?
0
 
LVL 27

Expert Comment

by:pseudocyber
>> If so, how can I check which adapter belongs to which IP address.  

As we have said, you would check your ARP and Forwarding Tables.  Then, the MAC should be on the bottom of the phone - on a label or something.
0
 
LVL 13

Expert Comment

by:prashsax
Yes, these new IPs can be assigned to these VOIP phones.

You can go to the DHCP management console. Note down the MAC addresses from the lease list.

Then you can match these MAC addresses with the VOIP phones to be sure of it.
0
 

Author Comment

by:r_yague
DHCP is provided by the router/firewall and not the server.  So I checked the router DHCP and they were the VOIP phones (I checked the MAC addresses of the phone adapters). But there are still about 12 more (IP's and corresponding MAC addresses) that I am not sure what they are.  Now I want to know if there's a way to find out what kind of devices specific MAC addresses are, like they all start with 00:11:11......and so on.
0
 

Author Comment

by:r_yague
Correction, the MAC addresses all start with 00:11.....and so on.
0
 
LVL 10

Expert Comment

by:fm250
From the router firewall, issue the command: sh arp
and see the matching IP to MAC.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 71 total points
The MAC addresses do not denote their use. Some manufacturers bought blocks of MAC addresses for future use, which is why 3COM, for example, all used to have the same first 6 bytes, as did Intel.
0
 
LVL 18

Assisted Solution

by:carl_legere
carl_legere earned 71 total points
ping IP
then do
arp -a

or use www.angryziber.com/ipscan
add MAC address in options
0
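An added example, not code from any poster in this thread: the Python script below parses "arp -a" output, sets aside the MACs already matched to inventory (as the asker did with the phone adapters), groups the remaining hosts by the first three octets of the MAC (the IEEE-assigned manufacturer prefix, or OUI), and flags locally administered MACs and any MAC that answers for more than one IP. The sample ARP output, the KNOWN inventory and every address in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output; every address is made up.
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-01     dynamic
  192.168.0.21          00-11-33-00-00-21     dynamic
  192.168.0.22          00-11-33-00-00-22     dynamic
  192.168.0.40          00-11-44-5e-6f-40     dynamic
  192.168.0.41          00-11-44-5e-6f-40     dynamic
  192.168.0.50          02-00-00-12-34-56     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical inventory: MACs read off device labels or the DHCP lease list.
KNOWN = {"00:11:22:aa:bb:01": "router",
         "00:11:33:00:00:21": "VoIP phone 1",
         "00:11:33:00:00:22": "VoIP phone 2"}

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+\w+")

def parse_arp(text):
    """Return [(ip, mac)] with MACs normalised to lower-case colon form."""
    pairs = []
    for line in text.splitlines():
        m = ROW.match(line)
        # Bit 0x01 of the first octet marks broadcast/multicast: not a host.
        if m and not int(m.group(2)[:2], 16) & 0x01:
            pairs.append((m.group(1), m.group(2).replace("-", ":").lower()))
    return pairs

def triage(pairs, known):
    """Group unidentified hosts by OUI and flag entries worth a closer look."""
    by_oui, ips_per_mac, local_admin = defaultdict(list), defaultdict(list), []
    for ip, mac in pairs:
        ips_per_mac[mac].append(ip)
        if mac in known:
            continue
        if int(mac[:2], 16) & 0x02:      # locally administered: no vendor OUI
            local_admin.append(ip)
        else:
            by_oui[mac[:8]].append(ip)   # first three octets = IEEE OUI
    # One MAC on several IPs: multi-homed device, proxy ARP, or ARP spoofing.
    shared = {m: ips for m, ips in ips_per_mac.items() if len(ips) > 1}
    return dict(by_oui), local_admin, shared

if __name__ == "__main__":
    print(triage(parse_arp(SAMPLE_ARP), KNOWN))
```

Each prefix left in the first result can be looked up in the IEEE's public OUI registry to get the manufacturer, which usually narrows a group of unknown hosts down to one kind of device.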
 
LVL 18

Expert Comment

by:carl_legere
Your deployment of VOIP phones or IP phones isn't quite kosher if they are grabbing DHCP from your regular network.  Usually they are VLAN'd off on another network; this other subnet has strict QoS assignments on the network/routers.
0
 
LVL 13

Expert Comment

by:prashsax
Just one more way to be sure.

Assign one of these IP addresses to another machine (static IP).

Then it would prompt you with an IP conflict. It will also prompt on the other end that an IP conflict has occurred.

The user will report to you and you can easily find the device.
0
