Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 436
  • Last Modified:

Network/Security locate rogue device

We are trying to find a device on our network. Symantec endpoint management is telling us that a device doesn't have antivirus. All it gives us is the IP and the MAC address.
I cannot ping, telnet, RDP/VNC or connect to the device via the web browser.
Knowing the mac address I connected to the switch of the segment it was on and ran the command #show Mac-address-table. The output displayed the macs of all devices connected to the switch however this device's mac address didn't seem to appear.
I'm at a loss as to what to try next.
The device mac address shows that it is a Phoebe Micro Inc. device.

Any help would be greatly appreciated.
0
edalzell
Asked:
edalzell
  • 4
  • 2
1 Solution
 
mbkitmgrCommented:
1. I would 1st set a reservation for it IN DHCP, if it is acquiring an address, that way you will always know which IP you are hunting.

2. Plug in a laptop to the switch on which the rogue device is connected, open a command prompt and use "ping ipaddress -t" to the rogue's address
 
3.  Progressively disconnect / reconnect connections at the switch until you find the port on which the rogue is connected to.

4. use your LAN cabling map to id where the cable that port serves goes to.

5. Grab your softball bat and go pay em a visit :)
0
 
edalzellAuthor Commented:
Thanks, I'll give it a try and report back! :-)
0
 
edalzellAuthor Commented:
Quick question..... when our symantec endpoint management tells us about the device, we are unable to PING it. No sure if the device has ICMP turned off? Must have.... so, I think PING is out of the question. (looks likeit might be a wireless access point...)

I've done a NMAP scan... results attached.

SEPM report...
Computer Detected without Symantec Client Software
IP Address MAC
192.168.50.50 00-21-2f-2f-ab-6d

Any thoughts? :-)
Clipboard01.jpg
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
edalzellAuthor Commented:
Note - not sure what the remark about 'system route' means. That just referring to the fact the there's no connectivity? Thx!
0
 
Fred MarshallPrincipalCommented:
Phoebe products appear to be used in AirLink products like wireless cameras, wireless routers, wireless access points, etc.

If it's a wireless access point and your environment isn't TOO clogged with signals then you might use a reasonable monitoring program to find the signal, etc.
0
 
mbkitmgrCommented:
We need to determine what type of device.

Q1 - is the machine getting an IP via DHCP (Check in dhcp to see if the reservation is active)
It is possible the device isnt currently connected, and has shown up some time earlier.  if it is getting an IP via DHCP, then above will tell you if its on now.

Q2 - Go to your server and do an arp -a to see if it exists in its arp table.  This may help determine if the device has active sessions with the server.  If it is in the arp table.

Q3 - if you can, check for any sessions in "Computer Management\Shared Folders\Sessions"  Look to see iof that IP has an open file or a connection to a share.  With a bit of luck a username will be shown too.

Q4 - if you cant find it, at least make it hard for the device to connect to resources.  I'd block the IP at the Internet Firewall, and on the server firewall.  Without access to these it certainly limits the resources a rogue device can access.
0
 
edalzellAuthor Commented:
Great suggestions... although sad to report, the device seems to have disappeared. :-(

Thanks for the great input!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now