Can't identify IP device on my network

Last Modified: 2012-02-15
I have an internal IP address that when I enter it into IE it comes up a REALM1, then asks for a user name and password.  Any idea what a REALM1 is?

CERTIFIED EXPERT

Commented:
To answer your question pertaining to realm, that's merely a definable HTTP header relating to authentication on a web server.

Here is an example in PHP using basic authentication and a realm name of "My Realm"...

Basic HTTP Authentication example
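<?php
// No credentials sent yet: challenge the client. The realm string is what
// the browser shows in its login prompt.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Escape client-supplied values before echoing them into HTML.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
    $pw = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$pw} as your password.</p>";
}
?>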
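
Seen from the client side, as an added example that is not part of the original answer: this Python sketch parses a 401 response and pulls out the status, the Server banner and the realm that the browser shows in its prompt. The realm REALM1 is the one from the question; the response bytes, the Server value and the function names are constructed for illustration.

```python
import re

# Constructed sample: the kind of 401 response a browser turns into a user
# name/password prompt. The Server value is a placeholder, not a captured banner.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: RomPager/0.0\r\n"
    b'WWW-Authenticate: Basic realm="REALM1"\r\n'
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>Unauthorized</html>"
)

# key=value pairs; the value is a quoted string (with \" escapes) or a bare token
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenge(value):
    """Split 'Basic realm="x", charset="UTF-8"' into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        raw = quoted if bare == "" else bare
        params[key.lower()] = re.sub(r"\\(.)", r"\1", raw)
    return scheme, params


def describe_response(raw):
    """Return status code, Server banner, auth scheme and realm from raw bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    info = {"status": status, "server": headers.get("server"),
            "scheme": None, "realm": None}
    if "www-authenticate" in headers:
        scheme, params = parse_challenge(headers["www-authenticate"])
        info["scheme"] = scheme
        info["realm"] = params.get("realm")
    return info


if __name__ == "__main__":
    print(describe_response(SAMPLE_RESPONSE))
```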


CERTIFIED EXPERT

Commented:
To answer your question about identifying an IP address on your network, there are several methods you can use...

Try to resolve the DNS name of the machine, look for clues...
ping -a #.#.#.#

Decode the MAC address and look for the manufacturer...
arp -a
Look for the IP address entry in question and identify the MAC address correlation (i.e. e0-5f-b9-xx-xx-xx). The first three hex values (or six digits) actually identify the manufacturer of the network adapter (NIC), also known as the IEEE OUI/'Company_id' assignment.

You can look up these values here.

Here are the results of your search through the public section of the IEEE Standards OUI database report for e0-5f-b9:

E0-5F-B9   (hex)            Cisco Systems
E05FB9     (base 16)            Cisco Systems
                        80 West Tasman Dr.
                        SJCM/2
                        San Jose CA 95134
                        UNITED STATES

This may or may not provide clues as to the device's purpose. Note that MAC addresses can be spoofed so there isn't necessarily an ironclad method.

Perform a port scan and look for identifying banners...
nmap, etc.

Perform an OS fingerprint scan...
nmap, xprobe2, etc.

If you can identify the OS there are other tools which can identify the machine name, logged on user, etc.  If you can remotely run a process you could run a program to repeatedly beep the computer or play a sound file, etc.
Fred Marshall, Principal
CERTIFIED EXPERT

Commented:
If your objective is to identify the device then you might do this:

1) ping the IP address .. whether it replies or not.
2) run another command:
arp -a

Now you should see the MAC address alongside the IP address of interest in the list you get back.

Look up the MAC address online on a site providing translation such as:
http://www.adminsub.net/mac-address-finder

If the device is a computer then the manufacturer of the interface probably won't tell you much.  But, if it's a network device or similar (which it sounds like) at least then you'll have the manufacturer's name to go further.
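
The ping, arp -a and OUI lookup steps from the two answers above, as an added Python example that is not part of either post: it parses Windows-style `arp -a` output, extracts the OUI for one IP address, and flags addresses where a vendor lookup is meaningless (broadcast/multicast, or locally administered, which is what a software-set MAC often looks like). `KNOWN_OUIS` is a two-entry stand-in for the IEEE registry built from the vendors named in this thread; the IP addresses, the trailing octets of the first and third entries and the function names are constructed.

```python
import re

# Constructed `arp -a` output in the Windows layout. The OUI e0-5f-b9 and the
# MAC 00-90-8f-15-c5-39 come from this thread; the IP addresses and the other
# octets are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           e0-5f-b9-01-02-03     dynamic
  192.168.1.50          00-90-8f-15-c5-39     dynamic
  192.168.1.77          02-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Stand-in for the IEEE OUI registry. Cisco is from the lookup quoted in the
# thread; AudioCodes follows the expert's reply that links audiocodes.com.
KNOWN_OUIS = {"E05FB9": "Cisco Systems", "00908F": "AudioCodes"}

_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s", re.M)


def arp_table(text):
    """Map each IP address in `arp -a` output to its MAC as 12 upper-case hex digits."""
    return {ip: re.sub(r"[-:]", "", mac).upper() for ip, mac in _ROW.findall(text)}


def identify(ip, text, ouis=KNOWN_OUIS):
    """Return (mac, note); note is the vendor or why the OUI is not meaningful."""
    mac = arp_table(text).get(ip)
    if mac is None:
        return None, "no ARP entry (ping the address first, then re-run arp -a)"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:  # group bit set
        return mac, "broadcast/multicast address, not a device"
    if first_octet & 0x02:  # locally administered bit set
        return mac, "locally administered address: set in software, OUI lookup does not apply"
    return mac, ouis.get(mac[:6], "OUI %s not in local table" % mac[:6])


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.50", "192.168.1.77", "192.168.1.99"):
        print(ip, identify(ip, SAMPLE_ARP))
```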

Commented:
There's lots of things you can do:

--------------------------------------------------------
NBTstat -a (the IP address)

This displays the Netbios table of that computer and should provide a host name.
-------------------------------------------------------
Ping -a (the IP address)

This provides a reverse DNS lookup of the computer by using the IP address. However, if this host record is not found in the DNS reverse lookup zone, you will not get the right answer (or if it's not in cache)
------------------------------------
I usually map to it:

\\(the IP address)\c$

This allows me to see what's on their hard drive for files

------------------------------------
You can try to remote desktop to it by IP address and then if accessed, go to the command prompt and type (Hostname)

------------------------------------
You can deny service:

Go to the DHCP server and give that IP a reservation to a MAC address. Then, the user of that PC will come looking for you..
-----------------------------------
You can download a small program called ANGRYIPSCAN.. This can be used as a hacking utility to find available hosts. But it's also used by admins as a tool to scan computers via IP addresses and get host names, last logon times, users of the puters, etc...

--------------------------------
You can deny that person service to the internet:

Go to the router and create an ACL to block that IP from allowing any outbound IP traffic.. Then, the user will seek you out and say "WHAT'S UP"!
-----------------------------
You can download a protocol analyzer like wireshark or Netflow analyzer from Solar Winds Web site. I highly recommend Netflow Analyzer if you don't have it already.

Commented:
OOPS the DHCP reservation will not work, the person will just get a different IP.
CERTIFIED EXPERT

Commented:
I propose a more prudent course would be to determine what type of network device you're dealing with prior to implementing OS specific solutions, or solutions which could potentially block legitimate traffic from a potentially unmanned production device or server (i.e. printer, switch/router, access point, etc.)

Listing a remote machine's name table (nbtstat), using Remote Desktop Protocol (RDP), and attempting to connect by OS specific UNC paths (or long UNC/UNCW paths for that matter) all make the assumption the IP address is associated with a Windows based host.

If a port scanner (for example) revealed 137/UDP (name services) as being opened, then NBTSTAT is a good choice. 138/UDP (datagram services) would indicate NET SEND (or other datagram) messages could potentially be received, 139/TCP (session services) or 445/TCP would indicate negotiating a file sharing connection may be possible using NET USE or UNC/UNCW paths, etc., and 3389/TCP (RDP) would indicate potential remote desktop connection ability. Any or all of these ports being opened would infer a Windows based host, or one designed to take on the appearance of Windows at least. Then Windows OS specific methods could come into play.

On the other side of the coin these ports could appear closed when in fact you are dealing with a Windows machine which has a firewall or disabled services, etc.

While the unknown host may have statically configured network addressing information, it could be worth checking your DHCP and/or DNS server to look for name registrations.

Personally, I would avoid ACL rules or other methods limiting or terminating communication on the unknown host until you've determined whether or not it's a legitimate production server or networking device. These types of tactics give IT a bad name and create unnecessary tension with end users and management.

Protocol analysis is only as good as your understanding of it... not just interpreting packets, but ideal placement of the necessary hardware... such as whether or not you have access to hub, managed or unmanaged switch, network tap, etc. Understanding of this is prerequisite as you'll need to know your options... is port mirroring (Cisco calls it SPAN) available on your switch? Do you understand the advantages of an aggregation tap? If you simply install wireshark (or another packet sniffer) on your own PC you'll only be able to capture your own traffic and minimal other traffic (broadcasts, etc.). Even if your NIC supports "promiscuous mode" you'll mostly be limited to seeing traffic on your physical network segment only (unless everything is connected via hub, which is unlikely.)
J.R. Sitman, IT Director

Author

Commented:
It turns out it is a Rompager Server.  Do you know what that is?
CERTIFIED EXPERT

Commented:
It's an embedded web server, which is likely used to administrate a networked hardware device (such as a cable modem, router, DVR, etc.)

See if SNMP, Telnet, or SSH ports are open.  If so they may help to identify the actual make/model of the device.
CERTIFIED EXPERT

Commented:
Try the following username:password combinations:

admin:admin
admin:
:admin
admin:1234
user:user


Also, if you post the first three hex digits of the MAC address we can likely deduce the manufacturer (and then determine default password lists for the various devices offered by said manufacturer, or at least identify the physical device you're looking for so you can reset a changed default password.)
J.R. Sitman, IT Director

Author

Commented:
admin didn't work.  How do I get the MAC address?
J.R. Sitman, IT Director

Author

Commented:
00-90-8f-15-c5-39
CERTIFIED EXPERT

Commented:
Looks like a VoIP related device...

http://www.audiocodes.com/products-lobby
CERTIFIED EXPERT

Commented:
Try Admin for both the username and password, using an uppercase A
J.R. Sitman, IT Director

Author

Commented:
Thanks so much. That is our internal device for faxing.

Just to make sure I'm fair on awarding the points, since you identified it, they should go to the last post, correct?
CERTIFIED EXPERT

Commented:
Yes, that works for me.  Glad to help.
J.R. Sitman, IT Director

Author

Commented:
thanks to everyone
