Solved

Find Unknown IP

Posted on 2009-04-07
Last Modified: 2012-05-06
I have been trying to track down the owner of an unknown IP address for about a week now and it's driving me crazy because I can't find it. The IP address is excluded from Windows 2003 DHCP distribution. I have verified all static IPs of printers and servers. I have done a port scan and all ports are closed, I have tried to run psexec cmd to see if I could get into cmd, I have tried to open the IP in a web browser, I have tried to run a packet capture on the IP (no packets seem to be sent or received). Is there any other way I can figure out what this IP belongs to?

BTW, I do know what the MAC address is.

TIA
Question by:modest911

Accepted Solution

by:
johannortje earned 250 total points
ID: 24086512
nbtstat -A xx.xx.xx.xx

Have you tried a reverse DNS lookup on xx.xx.xx.1, as .1 might (commonly) be the router/switch?

Expert Comment

by:wantabe2
ID: 24086548
Look at the ARP table on your switches. It should tell you which port it is plugged into if you have the MAC. You could also try looking at the ARP table on the server by typing arp -a at the command prompt. Is this a DHCP address or a static IP? If you have laptops on your LAN, remember, if it is plugged in, the wired NIC & the wireless NIC will have an IP if you have wireless & it is wired in.
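The ARP-table-to-vendor step suggested above, as an added example that is not part of the thread: a Python script that parses the text Windows `arp -a` prints (a constructed sample is embedded), picks out the MAC cached for the address in question, and looks the OUI up in a small embedded excerpt of the IEEE registry. The registry excerpt is constructed for this example and only covers 00-18-8B (the prefix the thread mentions, which the thread's coffer.com lookup identified as Dell) and one other well-known prefix; for real use, load the full IEEE oui.txt. The MAC suffix, the other cache entries and the interface address are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what Windows `arp -a` prints (not taken from the
# thread). The 10.0.0.14 entry uses the OUI the thread mentions (00-18-8B);
# the remaining octets and the other entries are made up.
SAMPLE_ARP_A = """
Interface: 10.0.0.254 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-1a-2b-3c-4d-5e     dynamic
  10.0.0.14             00-18-8b-aa-bb-cc     dynamic
  10.0.0.20             00-0c-29-12-34-56     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed excerpt of the IEEE OUI registry. Assumption: for anything beyond
# these prefixes you load the full oui.txt from IEEE (or use a lookup site as
# the thread did). 00188B is the prefix from the thread.
OUI_EXCERPT: Dict[str, str] = {
    "00188B": "Dell Inc.",
    "000C29": "VMware, Inc.",
}

ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>\w+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 00-18-8b-aa-bb-cc or 00:18:8b:aa:bb:cc, return 00:18:8B:AA:BB:CC."""
    return ":".join(part.upper() for part in re.split(r"[-:]", mac))


def parse_arp_table(text: str) -> List[dict]:
    """One dict per ARP cache entry; header and interface lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append({"ip": m.group("ip"),
                            "mac": normalize_mac(m.group("mac")),
                            "type": m.group("type").lower()})
    return entries


def oui_of(mac: str) -> str:
    """First three octets as a 6-hex-digit prefix, the key into the registry."""
    return normalize_mac(mac).replace(":", "")[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not vendor-assigned
    (virtual NICs, randomized MACs), so an OUI lookup says nothing useful."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def lookup_vendor(mac: str, registry: Dict[str, str] = OUI_EXCERPT) -> Optional[str]:
    if is_locally_administered(mac):
        return None
    return registry.get(oui_of(mac))


def identify(ip: str, arp_text: str) -> dict:
    """Find the ARP entry for ip and attach OUI and vendor; mac is None if the
    cache has no entry (the host has not exchanged frames with it recently)."""
    for e in parse_arp_table(arp_text):
        if e["ip"] == ip:
            return {**e, "oui": oui_of(e["mac"]),
                    "vendor": lookup_vendor(e["mac"]),
                    "locally_administered": is_locally_administered(e["mac"])}
    return {"ip": ip, "mac": None, "type": None, "oui": None,
            "vendor": None, "locally_administered": False}


if __name__ == "__main__":
    print(identify("10.0.0.14", SAMPLE_ARP_A))
```

A host's ARP cache only holds addresses it has exchanged frames with recently, and entries age out after a few minutes, so ping the address from the machine you run `arp -a` on first; a machine that has not talked to the device will simply have no entry, which is what the thread later sees on the server. Unmanaged switches keep no queryable MAC table, so the port-lookup half of the advice only applies to managed switches.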

Author Comment

by:modest911
ID: 24086551
These are the results:

C:\>nbtstat -a 10.0.0.14

Local Area Connection:
Node IpAddress: [10.0.0.254] Scope Id: []

    Host not found.

Wireless Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Author Comment

by:modest911
ID: 24086577
I have unmanaged switches. This is a static IP in the excluded IP range.

If I do arp -a on the server it does not show the .14 IP address. If I do arp -a on my client it shows as dynamic.

Expert Comment

by:wantabe2
ID: 24086608
Have you tried a ping -a to see if you can get the name of the device with the IP? Also, have you tried http://www.coffer.com/mac_find/ to type the MAC in to give you a better idea of what it is? If you can do a regular ping on the device, try to telnet into it or click Start > Run & type in mstsc to see if you can remote into it. Keep us updated.

Author Comment

by:modest911
ID: 24086646
Yeah, I also tried RDP and VNC.

Cool, that coffer link is awesome. But it shows a vendor we use a lot of here, haha. Still cool though.

Ping -a just gives good replies:

C:\>ping -a 10.0.0.14

Pinging 10.0.0.14 with 32 bytes of data:
Reply from 10.0.0.14: bytes=32 time=50ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=45ms TTL=128

Ping statistics for 10.0.0.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 50ms, Average = 36ms


Author Comment

by:modest911
ID: 24086665
So now I am googling the prefix "00188B"

Assisted Solution

by:wantabe2
wantabe2 earned 250 total points
ID: 24086827
While we're on the subject of cool tools.... download this http://sourceforge.net/project/showfiles.php?group_id=171954

This is called Lazy Admin. I use it all the time. With this you can type in the IP address of the device & you have several options to choose from. Basically this tool runs a WMI script to that IP address. It will show you what it is, what services are running, what applications are running or installed, well...it will show everything possible about the device. Let me know what you think about it. I'm sure you will be able to solve your problem with Lazy Admin. Post the results here if you don't mind so I can help.

Author Comment

by:modest911
ID: 24087005
TLA is a nice app. Thanks for that also. But no joy. I am starting to think maybe someone has a printer on the network that is shared. I am starting to walk office to office, haha


TLA results for 10.0.0.14:
-------------------------------------------
10.0.0.14: Could not get installdate, uptime and installed version!
10.0.0.14: Could not get hosname, model or manufacturer
10.0.0.14: Could not get processor info
10.0.0.14: Could not get drive information!
10.0.0.14: Could not get network adapter information!
10.0.0.14: Error getting BIOS information!

Expert Comment

by:wantabe2
ID: 24087053
Hmmm....have you ever used Ethereal (now it's called Wireshark)? You can run a capture on the MAC...I'm not sure of the command but it will be something similar to ether mac xx:xx:xx:xx:xx:xx though. From the tools you've used, it sounds like this is not a computer. It could even be one of the newer cell phones or iPods.
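What a capture filtered on the MAC actually selects, as an added example that is not from the thread. The real capture filter in Wireshark and tcpdump is `ether host xx:xx:xx:xx:xx:xx` (or `ether src` / `ether dst`). This Python script builds a few constructed Ethernet frames, applies the same selection, decodes the ARP and IPv4 fields that show which addresses a device is using, and reports every IP the MAC has been seen with. The unknown device's MAC uses the 00:18:8b OUI from the thread with made-up remaining octets; the client MAC, the IPs and the frames themselves are constructed for the example.

```python
import struct
from typing import List, Set

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.replace("-", ":").split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying ARP (op 1 = request, sent to broadcast; op 2 = reply, unicast)."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == 1 else mac_bytes(target_mac)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def build_ipv4(src_mac, dst_mac, src_ip, dst_ip, ttl, proto, payload: bytes) -> bytes:
    """Ethernet II frame with a minimal IPv4 header (checksum zero; decode does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def decode(frame: bytes) -> dict:
    """Ethernet header plus the ARP or IPv4 fields that tell you who a frame is from."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": etype, "kind": "other"}
    body = frame[14:]
    if etype == ETHERTYPE_ARP and len(body) >= 28:
        op, smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", body[:28])[4:]
        info.update(kind="arp", op="request" if op == 1 else "reply",
                    sender_mac=mac_str(smac), sender_ip=ip_str(sip), target_ip=ip_str(tip))
    elif etype == ETHERTYPE_IPV4 and len(body) >= 20:
        info.update(kind="ipv4", ttl=body[8], proto=body[9],
                    src_ip=ip_str(body[12:16]), dst_ip=ip_str(body[16:20]))
    return info


def ether_host(frames: List[bytes], mac: str) -> List[dict]:
    """Same selection as the capture filter `ether host <mac>`: MAC is source or destination."""
    want = mac_str(mac_bytes(mac))
    return [d for d in map(decode, frames) if want in (d["src_mac"], d["dst_mac"])]


def addresses_used_by(frames: List[bytes], mac: str) -> Set[str]:
    """Every IP the MAC announces in ARP or sends IPv4 from; more than one means a second address."""
    want = mac_str(mac_bytes(mac))
    out = set()
    for d in map(decode, frames):
        if d["src_mac"] == want and d["kind"] == "arp":
            out.add(d["sender_ip"])
        elif d["src_mac"] == want and d["kind"] == "ipv4":
            out.add(d["src_ip"])
    return out


# Constructed sample capture (not from the thread): the unknown device at 10.0.0.14
# (OUI 00:18:8b from the thread, rest made up), a client at 10.0.0.254 pinging it,
# and one unrelated frame. Echo request/reply bodies are ICMP type/code plus zero padding.
UNKNOWN_MAC, UNKNOWN_IP = "00:18:8b:aa:bb:cc", "10.0.0.14"
CLIENT_MAC, CLIENT_IP = "00:1a:2b:3c:4d:5e", "10.0.0.254"
SAMPLE_FRAMES = [
    build_arp(1, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", UNKNOWN_IP),   # who has 10.0.0.14? (broadcast)
    build_arp(2, UNKNOWN_MAC, UNKNOWN_IP, CLIENT_MAC, CLIENT_IP),           # 10.0.0.14 is at 00:18:8b:.. (unicast)
    build_ipv4(CLIENT_MAC, UNKNOWN_MAC, CLIENT_IP, UNKNOWN_IP, 128, 1, b"\x08\x00" + b"\x00" * 6),
    build_ipv4(UNKNOWN_MAC, CLIENT_MAC, UNKNOWN_IP, CLIENT_IP, 128, 1, b"\x00\x00" + b"\x00" * 6),
    build_ipv4("00:0c:29:12:34:56", CLIENT_MAC, "10.0.0.20", CLIENT_IP, 64, 6, b"\x00" * 20),
]

if __name__ == "__main__":
    for d in ether_host(SAMPLE_FRAMES, UNKNOWN_MAC):
        print(d)
    print("addresses used by", UNKNOWN_MAC, addresses_used_by(SAMPLE_FRAMES, UNKNOWN_MAC))
```

The tcpdump equivalent is `tcpdump -n -e ether host 00:18:8b:aa:bb:cc` (`-e` prints the link-layer addresses). Note where you capture: on a switched LAN a third machine only sees the device's broadcast and multicast frames, and a device that merely answers pings sends none of those. Its ARP replies and ICMP echo replies are unicast to the host that pinged it, so an empty capture on another machine says nothing. Run the capture on the host doing the pinging, or on a mirror/SPAN port, which unmanaged switches do not offer.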

Author Comment

by:modest911
ID: 24087076
Yeah, I tried running a packet capture and it's not capturing anything. It's like it's just sitting doing nothing. From that coffer link above it shows as a Dell device. That is why I am thinking it might be a "personal" printer. I have one more person's office to check. I will post results.

Expert Comment

by:wantabe2
ID: 24087144
If it's a Dell printer with an IP, you should be able to open your browser & type the IP in & go to the admin page.

Author Comment

by:modest911
ID: 24087163
Yeah, maybe it's not a printer then. I already tried to pull up a web browser admin page.

Weird thing just happened: I tried to ping the IP from the DHCP server and I can't ping it. But I can ping it from my client. I am about to shut down my computer and see if I can ping the IP from another computer. Maybe it has something to do with me. I have no idea, haha

Expert Comment

by:wantabe2
ID: 24087193
Hmmm
Check your DNS server & make sure there are not two host A records with the same IP address but with different names.

Author Comment

by:modest911
ID: 24087252
That's the weird thing: the IP in question is nowhere in DNS.

Author Comment

by:modest911
ID: 24087352
Okay, I can ping the questionable IP from just about every machine except the one server that I said I couldn't ping from above. This server does have two NICs, but one of them is disabled with a "dummy" IP.

Author Comment

by:modest911
ID: 24089299
Well, I have accounted for all personal printers. So back to square one. I have no idea, haha

Author Comment

by:modest911
ID: 24137863
As you guessed, I still haven't found the mystery IP, haha

Author Comment

by:modest911
ID: 24251627
Nope, still haven't found the IP. Weird thing is, I blocked access to any system resources internally and externally for this IP and I am not getting any alerts in the firewall for it. So whatever it is, it's not doing anything, just sitting there.

Author Comment

by:modest911
ID: 24252032
I did figure this out in Ubuntu with the networking tools lookup:

Name: 0.0.10.in-addr.arpa
TTL: 3600
Address Type: In
Record: SOA
Address: myserver.domain.com.admin.domain.com 23586 900 600 86400 3600

Author Comment

by:modest911
ID: 24305563
Finally found the unknown IP. It is a BMC Remote Access card on one of my servers. I am going to split points because I learned some new ideas from this problem and the help.

Author Closing Comment

by:modest911
ID: 31567463
Giving points due to the fact I learned about new tools and ideas.