J.R. Sitman

asked on

Can't identify IP device on my network

I have an internal IP address that when I enter it into IE it comes up a REALM1, then asks for a user name and password.  Any idea what a REALM1 is?
Giovanni

To answer your question pertaining to realm, that's merely a definable HTTP header relating to authentication on a web server.

Here is an example in PHP using basic authentication and a realm name of "My Realm"...

Basic HTTP Authentication example
<?php
// No credentials supplied yet: send the challenge. The realm is just a
// label the browser shows in its password prompt; it carries no meaning
// beyond what the server's author chose.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Credentials were sent (base64 in the Authorization header); the
    // script would normally validate them here instead of echoing them.
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>


To answer your question about identifying an IP address on your network, there are several methods you can use...

Try to resolve the DNS name of the machine, look for clues...
ping -a #.#.#.#

Decode the MAC address and look for the manufacturer...
arp -a
Look for the IP address entry in question and identify the MAC address correlation (i.e. e0-5f-b9-xx-xx-xx).  The first three hex values (or six digits) actually identify the manufacturer of the network adapter (NIC), also known as the IEEE OUI/'Company_id' assignment.

You can look up these values here.

Here are the results of your search through the public section of the IEEE Standards OUI database report for e0-5f-b9:

E0-5F-B9   (hex)            Cisco Systems
E05FB9     (base 16)            Cisco Systems
                        80 West Tasman Dr.
                        SJCM/2
                        San Jose CA 95134
                        UNITED STATES

This may or may not provide clues as to the device's purpose.  Note that MAC addresses can be spoofed, so there isn't necessarily an ironclad method.

Perform a port scan and look for identifying banners...
nmap, etc.

Perform an OS fingerprint scan...
nmap, xprobe2, etc.

If you can identify the OS there are other tools which can identify the machine name, logged on user, etc.  If you can remotely run a process you could run a program to repeatedly beep the computer or play a sound file, etc.
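The realm the asker saw is nothing more than the `realm` parameter of the `WWW-Authenticate` header that arrives with the device's 401 response, and the same response often carries a `Server` header that names the embedded web server. The script below, an added example and not code from this thread or from any product mentioned in it, parses those two headers out of a response; the sample header set is constructed for the demo, and `fetch_auth_headers` is only a hypothetical helper for pointing the parser at a real host.

```python
"""Pull identification clues out of an HTTP 401 response.

Added example, not code from the original thread. The realm a browser
shows in its login prompt is the `realm` parameter of the
WWW-Authenticate header; the Server header, when present, is a second
clue about what is answering. The sample headers below are constructed.
"""
import http.client
import re

# Matches key="quoted value" or key=token inside an auth-param list.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_www_authenticate(value):
    """Return (scheme, params) from a WWW-Authenticate header value.

    'Basic realm="REALM1"' -> ("Basic", {"realm": "REALM1"})
    Only the first challenge in the header is parsed.
    """
    value = value.strip()
    scheme, _, rest = value.partition(" ")
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(rest):
        params[key.lower()] = quoted if quoted else bare
    return scheme, params


def fingerprint_from_headers(headers):
    """Collect the clues an admin wants from a 401 response's headers.

    `headers` maps header name -> value; lookup here is case-insensitive.
    Returns a dict with the auth scheme, the realm and the Server banner
    (None for anything the response did not carry).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    clue = {"scheme": None, "realm": None, "server": lower.get("server")}
    auth = lower.get("www-authenticate")
    if auth:
        scheme, params = parse_www_authenticate(auth)
        clue["scheme"] = scheme
        clue["realm"] = params.get("realm")
    return clue


def fetch_auth_headers(host, port=80, path="/", timeout=3):
    """Send one GET to a host and return (status, headers).

    Hypothetical helper for live use; the demo below does not call it.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample: what a 401 from an embedded web server might carry.
SAMPLE_401_HEADERS = {
    "WWW-Authenticate": 'Basic realm="REALM1"',
    "Server": "RomPager",  # constructed banner, no version claimed
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    print(fingerprint_from_headers(SAMPLE_401_HEADERS))
```

The realm on its own rarely identifies a product, since it is whatever string the firmware author put in the header; the `Server` banner, the MAC's OUI and the open-port profile together are what narrow it down.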
If your objective is to identify the device then you might do this:

1) ping the IP address .. whether it replies or not.
2) run another command:
arp -a

Now you should see the MAC address along side the IP address of interest in the list you get back.

Look up the MAC address online on a site providing translation such as:
http://www.adminsub.net/mac-address-finder

If the device is a computer then the manufacturer of the interface probably won't tell you much.  But, if it's a network device or similar (which it sounds like) at least then you'll have the manufacturer's name to go further.
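The ping-then-`arp -a`-then-OUI-lookup procedure described in this post and in the earlier answer can be automated. The script below is an added example, not code from the thread; it parses `arp -a` output (Windows and Linux/macOS layouts), picks out the MAC next to the IP of interest and maps its first three octets to a vendor. The ARP listing is constructed for the demo, and the vendor table is a tiny hand-built stand-in for the IEEE OUI registry (the Cisco row is the thread's own lookup result; the AudioCodes row matches the prefix identified later in the thread).

```python
"""Parse `arp -a` output and map each MAC's OUI to a vendor.

Added example, not code from the original thread. Constructed sample
input and a constructed OUI subset are used so it runs offline.
"""
import re
import subprocess

# IPv4 address, then a MAC with '-' or ':' separators. Accepts the
# Windows layout ("192.168.1.1   e0-5f-b9-...") and the Linux/macOS
# layout ("? (192.168.1.1) at e0:5f:b9:...").
_ARP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9A-Fa-f]{1,2}(?:[-:][0-9A-Fa-f]{1,2}){5})"
)

# Constructed subset of the IEEE OUI registry, keyed by upper-case hex.
OUI_TABLE = {
    "E05FB9": "Cisco Systems",  # from the thread's lookup result
    "00908F": "AudioCodes",     # prefix identified later in the thread
    "000C29": "VMware, Inc.",   # constructed row
}


def normalise_mac(mac):
    """'e0-5f-b9-1-2-3' -> 'E0:5F:B9:01:02:03' (pads single hex digits)."""
    return ":".join(p.zfill(2).upper() for p in re.split(r"[-:]", mac))


def parse_arp_table(text):
    """Return {ip: normalised MAC} from `arp -a` output."""
    return {ip: normalise_mac(mac) for ip, mac in _ARP_RE.findall(text)}


def oui_of(mac):
    """Return the 6-hex-digit OUI of a MAC, e.g. 'E05FB9'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]


def vendor_of(mac, table=OUI_TABLE):
    """Vendor for the MAC's OUI, or None when the prefix is not in `table`.

    Locally administered addresses (bit 1 of the first octet set) are
    flagged: software chose them, so the OUI says nothing about the NIC.
    This is also why a spoofed MAC can mislead the lookup.
    """
    oui = oui_of(mac)
    if int(oui[:2], 16) & 0x02:
        return "locally administered (no vendor)"
    return table.get(oui)


def identify(ip, arp_text, table=OUI_TABLE):
    """Return (mac, vendor) for `ip`, or (None, None) if it has no ARP entry."""
    mac = parse_arp_table(arp_text).get(ip)
    if mac is None:
        return None, None
    return mac, vendor_of(mac, table)


def live_arp_output():
    """Run the real `arp -a` (accepted on Windows, macOS and Linux)."""
    return subprocess.run(["arp", "-a"], capture_output=True,
                          text=True, check=False).stdout


# Constructed `arp -a` output in the Windows layout; the IPs are invented,
# the second MAC is the one the asker posted in the thread.
SAMPLE_ARP = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           e0-5f-b9-12-34-56     dynamic
  192.168.1.57          00-90-8f-15-c5-39     dynamic
  192.168.1.88          02-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    # Replace SAMPLE_ARP with live_arp_output() to inspect your own table.
    for ip in ("192.168.1.1", "192.168.1.57", "192.168.1.88"):
        print(ip, *identify(ip, SAMPLE_ARP))
```

Ping the address first, as the post says: ARP only caches neighbours the host has recently exchanged frames with, so an entry appears only after some traffic, and only for devices on the same subnet (anything behind a router shows the router's MAC instead).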
There's lots of things you can do:

--------------------------------------------------------
NBTstat -a (the IP address)

This displays the Netbios table of that computer and should provide a host name.
-------------------------------------------------------
Ping -a (the IP address)

This provides a reverse DNS lookup of the computer by using the IP address. However, if this host record is not found in the DNS reverse lookup zone, you will not get the right answer (or if it's not in cache)
------------------------------------
I usually map to it:

\\(the IP address)\c$

This allows me to see what's on their hard drive for files

------------------------------------
You can try to remote desktop to it by IP address and then if accessed, go to the command prompt and type (Hostname)

------------------------------------
You can deny service:

Go to the DHCP server and give that IP a reservation to a MAC address. Then, the user of that PC will come looking for you..
-----------------------------------
You can download a small program called ANGRYIPSCAN.. This can be used as a hacking utility to find available hosts. But it's also used by admins as a tool to scan computers via IP addresses and get host names, last logon times, users of the puters, etc...

--------------------------------
You can deny that person service to the internet:

Go to the router and create an ACL to block that IP from allowing any outbound IP traffic.. Then, the user will seek you out and say "WHAT'S UP"!
-----------------------------
You can download a protocol analyzer like Wireshark or NetFlow Analyzer from the SolarWinds web site. I highly recommend NetFlow Analyzer if you don't have it already.
OOPS the DHCP reservation will not work, the person will just get a different IP.
I propose a more prudent course would be to determine what type of network device you're dealing with prior to implementing OS specific solutions, or solutions which could potentially block legitimate traffic from a potentially unmanned production device or server (i.e. printer, switch/router, access point, etc.)

Listing a remote machine's name table (nbtstat), using Remote Desktop Protocol (RDP), and attempting to connect by OS specific UNC paths (or long UNC/UNCW paths for that matter) all make the assumption the IP address is associated with a Windows based host.

If a port scanner (for example) revealed 137/UDP (name services) as being open, then NBTSTAT is a good choice. 138/UDP (datagram services) would indicate NET SEND (or other datagram) messages could potentially be received, 139/TCP (session services) or 445/TCP would indicate negotiating a file sharing connection may be possible using NET USE or UNC/UNCW paths, etc., and 3389/TCP (RDP) would indicate potential remote desktop connection ability.  Any or all of these ports being open would infer a Windows-based host, or one designed to take on the appearance of Windows at least.  Then Windows OS specific methods could come into play.

On the other side of the coin, these ports could appear closed when in fact you are dealing with a Windows machine which has a firewall or disabled services, etc.

While the unknown host may have statically configured network addressing information, it could be worth checking your DHCP and/or DNS server to look for name registrations.

Personally, I would avoid ACL rules or other methods limiting or terminating communication on the unknown host until you've determined whether or not it's a legitimate production server or networking device.  These types of tactics give IT a bad name and create unnecessary tension with end users and management.

Protocol analysis is only as good as your understanding of it... not just interpreting packets, but ideal placement of the necessary hardware... such as whether or not you have access to a hub, managed or unmanaged switch, network tap, etc.  Understanding of this is a prerequisite as you'll need to know your options... is port mirroring (Cisco calls it SPAN) available on your switch?  Do you understand the advantages of an aggregation tap? If you simply install Wireshark (or another packet sniffer) on your own PC you'll only be able to capture your own traffic and minimal other traffic (broadcasts, etc.).  Even if your NIC supports "promiscuous mode" you'll mostly be limited to seeing traffic on your physical network segment only (unless everything is connected via a hub, which is unlikely.)
J.R. Sitman (ASKER)

It turns out it is a Rompager Server.  Do you know what that is?
It's an embedded web server, which is likely used to administrate a networked hardware device (such as a cable modem, router, DVR, etc.)

See if SNMP, Telnet, or SSH ports are open.  If so they may help to identify the actual make/model of the device.
Try the following username:password combinations:

admin:admin
admin:
:admin
admin:1234
user:user


Also, if you post the first three hex digits of the MAC address we can likely deduce the manufacturer (and then determine default password lists for the various devices offered by said manufacturer, or at least identify the physical device you're looking for so you can reset a changed default password.)
admin didn't work.  How do I get the MAC address?
ASKER CERTIFIED SOLUTION
Giovanni
This solution is only available to members.
00-90-8f-15-c5-39
SOLUTION
This solution is only available to members.
Looks like a VoIP related device...

http://www.audiocodes.com/products-lobby
Try Admin for both the username and password, using an uppercase A
Thanks so much. That is our internal device for faxing.

Just to make sure I'm fair on awarding the points, since you identified it, they should go to the last post, correct?
Yes, that works for me.  Glad to help.
thanks to everyone