Solved

Network/Security locate rogue device

Posted on 2011-09-15
7
420 Views
Last Modified: 2012-05-12
We are trying to find a device on our network. Symantec endpoint management is telling us that a device doesn't have antivirus. All it gives us is the IP and the MAC address.
I cannot ping, telnet, RDP/VNC or connect to the device via the web browser.
Knowing the MAC address, I connected to the switch of the segment it was on and ran the command `show mac-address-table`. The output displayed the MACs of all devices connected to the switch; however, this device's MAC address didn't seem to appear.
I'm at a loss as to what to try next.
The device mac address shows that it is a Phoebe Micro Inc. device.

Any help would be greatly appreciated.
0
Question by:edalzell
7 Comments
 
LVL 7

Expert Comment

by:mbkitmgr
ID: 36546607
1. I would first set a reservation for it in DHCP, if it is acquiring an address; that way you will always know which IP you are hunting.

2. Plug in a laptop to the switch on which the rogue device is connected, open a command prompt and use "ping ipaddress -t" to the rogue's address.

3. Progressively disconnect / reconnect connections at the switch until you find the port to which the rogue is connected.

4. Use your LAN cabling map to identify where the cable that port serves goes to.

5. Grab your softball bat and go pay em a visit :)
0
 

Author Comment

by:edalzell
ID: 36546775
Thanks, I'll give it a try and report back! :-)
0
 

Author Comment

by:edalzell
ID: 36546810
Quick question..... when our Symantec endpoint management tells us about the device, we are unable to PING it. Not sure if the device has ICMP turned off? Must have.... so, I think PING is out of the question. (Looks like it might be a wireless access point...)

I've done a NMAP scan... results attached.

SEPM report...
Computer Detected without Symantec Client Software
IP Address MAC
192.168.50.50 00-21-2f-2f-ab-6d

Any thoughts? :-)
Clipboard01.jpg
0

 

Author Comment

by:edalzell
ID: 36546813
Note - not sure what the remark about 'system route' means. Is that just referring to the fact that there's no connectivity? Thx!
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 36546983
Phoebe products appear to be used in AirLink products like wireless cameras, wireless routers, wireless access points, etc.

If it's a wireless access point and your environment isn't TOO clogged with signals then you might use a reasonable monitoring program to find the signal, etc.
0
 
LVL 7

Accepted Solution

by:
mbkitmgr earned 500 total points
ID: 36547005
We need to determine what type of device.

Q1 - Is the machine getting an IP via DHCP? (Check in DHCP to see if the reservation is active.)
It is possible the device isn't currently connected and showed up some time earlier. If it is getting an IP via DHCP, then the above will tell you if it's on now.

Q2 - Go to your server and do an `arp -a` to see if it exists in its ARP table. This may help determine if the device has active sessions with the server. If it is in the ARP table.

Q3 - If you can, check for any sessions in "Computer Management\Shared Folders\Sessions". Look to see if that IP has an open file or a connection to a share. With a bit of luck a username will be shown too.

Q4 - If you can't find it, at least make it hard for the device to connect to resources. I'd block the IP at the Internet firewall and on the server firewall. Without access to these it certainly limits the resources a rogue device can access.
0
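The switch `show mac-address-table` lookup from the question and the server `arp -a` check in Q2 above, as an added example that is not from the thread. The switch and ARP output below is constructed sample data; the script normalizes dash, colon and Cisco dotted MAC notations before comparing, because the dash-form MAC reported by SEPM will not match a `0021.2f2f.ab6d`-style table entry when searched by eye or with a plain text search.

```python
import re

# Constructed sample output (not captured from the thread): a Cisco-style
# "show mac address-table" listing and a Windows "arp -a" listing.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0021.2f2f.ab6d    DYNAMIC     Gi0/12
  50    001c.c4aa.0001    DYNAMIC     Gi0/1
"""

SERVER_ARP = """\
Interface: 192.168.50.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.50.1          00-1c-c4-aa-00-01     dynamic
  192.168.50.50         00-21-2f-2f-ab-6d     dynamic
"""

CISCO_MAC = re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}")
WINDOWS_MAC = re.compile(r"([0-9a-f]{2}-){5}[0-9a-f]{2}")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_switch_port(mac_table: str, target_mac: str):
    """Return (vlan, port) for the target MAC, or None if the switch has
    no entry (device is off, the entry aged out, or it sits behind an AP)."""
    want = normalize_mac(target_mac)
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and CISCO_MAC.fullmatch(fields[1].lower()):
            if normalize_mac(fields[1]) == want:
                return fields[0], fields[3]
    return None


def find_arp_entry(arp_output: str, target_mac: str):
    """Return the IP the server's ARP cache maps to the MAC, or None."""
    want = normalize_mac(target_mac)
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and WINDOWS_MAC.fullmatch(fields[1].lower()):
            if normalize_mac(fields[1]) == want:
                return fields[0]
    return None


if __name__ == "__main__":
    rogue = "00-21-2f-2f-ab-6d"  # MAC reported by SEPM in the thread
    print("switch port:", find_switch_port(SWITCH_MAC_TABLE, rogue))
    print("arp entry:", find_arp_entry(SERVER_ARP, rogue))
```

Paste real `show mac address-table` and `arp -a` output into the two strings; a switch miss combined with an ARP hit on the server is consistent with a wireless client behind an access point, whose own MAC is what the switch port learns.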
 

Author Closing Comment

by:edalzell
ID: 36709431
Great suggestions... although sad to report, the device seems to have disappeared. :-(

Thanks for the great input!
0
