Solved

Network/Security locate rogue device

Posted on 2011-09-15
7
416 Views
Last Modified: 2012-05-12
We are trying to find a device on our network. Symantec endpoint management is telling us that a device doesn't have antivirus. All it gives us is the IP and the MAC address.
I cannot ping, telnet, RDP/VNC or connect to the device via the web browser.
Knowing the mac address I connected to the switch of the segment it was on and ran the command #show Mac-address-table. The output displayed the macs of all devices connected to the switch however this device's mac address didn't seem to appear.
I'm at a loss as to what to try next.
The device mac address shows that it is a Phoebe Micro Inc. device.

Any help would be greatly appreciated.
0
Comment
Question by:edalzell
  • 4
  • 2
7 Comments
 
LVL 5

Expert Comment

by:mbkitmgr
ID: 36546607
1. I would 1st set a reservation for it IN DHCP, if it is acquiring an address, that way you will always know which IP you are hunting.

2. Plug in a laptop to the switch on which the rogue device is connected, open a command prompt and use "ping ipaddress -t" to the rogue's address
 
3.  Progressively disconnect / reconnect connections at the switch until you find the port on which the rogue is connected to.

4. use your LAN cabling map to id where the cable that port serves goes to.

5. Grab your softball bat and go pay em a visit :)
0
 

Author Comment

by:edalzell
ID: 36546775
Thanks, I'll give it a try and report back! :-)
0
 

Author Comment

by:edalzell
ID: 36546810
Quick question..... when our symantec endpoint management tells us about the device, we are unable to PING it. No sure if the device has ICMP turned off? Must have.... so, I think PING is out of the question. (looks likeit might be a wireless access point...)

I've done a NMAP scan... results attached.

SEPM report...
Computer Detected without Symantec Client Software
IP Address MAC
192.168.50.50 00-21-2f-2f-ab-6d

Any thoughts? :-)
Clipboard01.jpg
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:edalzell
ID: 36546813
Note - not sure what the remark about 'system route' means. That just referring to the fact the there's no connectivity? Thx!
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 36546983
Phoebe products appear to be used in AirLink products like wireless cameras, wireless routers, wireless access points, etc.

If it's a wireless access point and your environment isn't TOO clogged with signals then you might use a reasonable monitoring program to find the signal, etc.
0
 
LVL 5

Accepted Solution

by:
mbkitmgr earned 500 total points
ID: 36547005
We need to determine what type of device.

Q1 - is the machine getting an IP via DHCP (Check in dhcp to see if the reservation is active)
It is possible the device isnt currently connected, and has shown up some time earlier.  if it is getting an IP via DHCP, then above will tell you if its on now.

Q2 - Go to your server and do an arp -a to see if it exists in its arp table.  This may help determine if the device has active sessions with the server.  If it is in the arp table.

Q3 - if you can, check for any sessions in "Computer Management\Shared Folders\Sessions"  Look to see iof that IP has an open file or a connection to a share.  With a bit of luck a username will be shown too.

Q4 - if you cant find it, at least make it hard for the device to connect to resources.  I'd block the IP at the Internet Firewall, and on the server firewall.  Without access to these it certainly limits the resources a rogue device can access.
0
 

Author Closing Comment

by:edalzell
ID: 36709431
Great suggestions... although sad to report, the device seems to have disappeared. :-(

Thanks for the great input!
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Web Sense problem not able to block youtube 6 182
Protectings Systems from Malicous Users 4 147
IP Address -- lookup location ? 4 161
Home firewall recommendations 11 45
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question