Solved

Network/Security locate rogue device

Posted on 2011-09-15
415 Views
Last Modified: 2012-05-12
We are trying to find a device on our network. Symantec Endpoint Management is telling us that a device doesn't have antivirus. All it gives us is the IP and the MAC address.
I cannot ping, telnet, RDP/VNC or connect to the device via the web browser.
Knowing the MAC address, I connected to the switch of the segment it was on and ran the command #show mac-address-table. The output displayed the MACs of all devices connected to the switch; however, this device's MAC address didn't seem to appear.
I'm at a loss as to what to try next.
The device's MAC address shows that it is a Phoebe Micro Inc. device.

Any help would be greatly appreciated.
Question by:edalzell
7 Comments
 
LVL 5

Expert Comment

by:mbkitmgr
ID: 36546607
1. I would first set a reservation for it in DHCP, if it is acquiring an address; that way you will always know which IP you are hunting.

2. Plug a laptop into the switch to which the rogue device is connected, open a command prompt and use "ping ipaddress -t" to the rogue's address.

3. Progressively disconnect / reconnect connections at the switch until you find the port to which the rogue is connected.

4. Use your LAN cabling map to ID where the cable that port serves goes to.

5. Grab your softball bat and go pay 'em a visit :)
 

Author Comment

by:edalzell
ID: 36546775
Thanks, I'll give it a try and report back! :-)
 

Author Comment

by:edalzell
ID: 36546810
Quick question..... when our Symantec Endpoint Management tells us about the device, we are unable to PING it. Not sure if the device has ICMP turned off? Must have.... so, I think PING is out of the question. (Looks like it might be a wireless access point...)

I've done a NMAP scan... results attached.

SEPM report...
Computer Detected without Symantec Client Software
IP Address MAC
192.168.50.50 00-21-2f-2f-ab-6d

Any thoughts? :-)
Clipboard01.jpg

Author Comment

by:edalzell
ID: 36546813
Note - not sure what the remark about 'system route' means. Is that just referring to the fact that there's no connectivity? Thx!
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 36546983
Phoebe products appear to be used in AirLink products like wireless cameras, wireless routers, wireless access points, etc.

If it's a wireless access point and your environment isn't TOO clogged with signals then you might use a reasonable monitoring program to find the signal, etc.
 
LVL 5

Accepted Solution

by: mbkitmgr (earned 500 total points)
ID: 36547005
We need to determine what type of device it is.

Q1 - Is the machine getting an IP via DHCP? (Check in DHCP to see if the reservation is active.)
It is possible the device isn't currently connected and showed up some time earlier. If it is getting an IP via DHCP, then the above will tell you if it's on now.

Q2 - Go to your server and do an arp -a to see if it exists in its ARP table. This may help determine if the device has active sessions with the server. If it is in the ARP table.

Q3 - If you can, check for any sessions in "Computer Management\Shared Folders\Sessions". Look to see if that IP has an open file or a connection to a share. With a bit of luck a username will be shown too.

Q4 - If you can't find it, at least make it hard for the device to connect to resources. I'd block the IP at the Internet firewall and on the server firewall. Without access to these it certainly limits the resources a rogue device can access.
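Cross-checking the switch's MAC table (the question's "show mac-address-table") against the server's ARP table (Q2 above) is easy to get wrong by eye, because Cisco IOS prints a MAC as 0021.2f2f.ab6d while Windows prints the same address as 00-21-2f-2f-ab-6d, so a visual search for one format will miss the other. The script below is an added example, not code from the thread or from any of its participants: it normalizes the three common MAC spellings and searches both kinds of output for the address from the SEPM report. The switch table, the ARP listing, the port names and the other IPs and MACs in it are constructed sample data, and the "verdict" strings are the example's own interpretation of the three possible outcomes.

```python
import re
from typing import Optional

# Constructed sample "show mac-address-table" output in Cisco IOS dotted format.
# Only the rogue MAC (00-21-2f-2f-ab-6d) comes from the thread; the rest is made up.
SWITCH_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0021.2f2f.ab6d    DYNAMIC     Gi0/12
  50    001a.a0b1.c2d3    DYNAMIC     Gi0/3
  50    0050.56a1.0001    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 3
"""

# Constructed sample Windows "arp -a" output from a server on the same segment.
ARP_OUTPUT = """\
Interface: 192.168.50.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.50.1          00-1a-a0-b1-c2-d3     dynamic
  192.168.50.50         00-21-2f-2f-ab-6d     dynamic
  192.168.50.255        ff-ff-ff-ff-ff-ff     static
"""

# One data row of the Cisco table: vlan, dotted MAC, type, port.
CISCO_ROW = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$"
)
# One data row of Windows arp -a: IPv4, hyphenated MAC, type.
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(?P<type>\w+)"
)


def normalize_mac(mac: str) -> str:
    """Reduce '00-21-2f-2f-ab-6d', '00:21:2F:2F:AB:6D' and '0021.2f2f.ab6d'
    to the same 12 lower-case hex digits so they compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def find_switch_port(table_text: str, mac: str) -> Optional[dict]:
    """Return the vlan/type/port of the first table row holding this MAC, else None."""
    wanted = normalize_mac(mac)
    for line in table_text.splitlines():
        m = CISCO_ROW.match(line)
        if m and normalize_mac(m.group("mac")) == wanted:
            return {"vlan": m.group("vlan"), "type": m.group("type"), "port": m.group("port")}
    return None


def find_arp_entry(arp_text: str, mac: str) -> Optional[str]:
    """Return the IP the server's ARP cache maps to this MAC, else None."""
    wanted = normalize_mac(mac)
    for line in arp_text.splitlines():
        m = ARP_ROW.match(line)
        if m and normalize_mac(m.group("mac")) == wanted:
            return m.group("ip")
    return None


def locate(mac: str, table_text: str, arp_text: str) -> dict:
    """Combine both lookups into one finding for the device hunt."""
    port = find_switch_port(table_text, mac)
    ip = find_arp_entry(arp_text, mac)
    if port:
        verdict = f"on VLAN {port['vlan']}, switch port {port['port']}"
    elif ip:
        # Seen by the server but not by this switch: it is most likely reached
        # through an uplink/trunk to another switch, or the table entry aged out.
        verdict = "in ARP but not in this switch's table: check uplink/trunk ports and other switches"
    else:
        verdict = "not seen by switch or server: device is probably offline right now"
    return {"mac": normalize_mac(mac), "ip": ip, "port": port, "verdict": verdict}


if __name__ == "__main__":
    print(locate("00-21-2f-2f-ab-6d", SWITCH_TABLE, ARP_OUTPUT))
```

On a real hunt, paste the captured output of show mac-address-table and arp -a into the two constants (or read them from files) and run locate() with the MAC from the SEPM report; if the MAC lands on a trunk or uplink port, repeat on the switch at the other end of that link.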
 

Author Closing Comment

by:edalzell
ID: 36709431
Great suggestions... although sad to report, the device seems to have disappeared. :-(

Thanks for the great input!
Question has a verified solution.