Solved

How to find physical location of network device

Posted on 2014-09-25
Last Modified: 2014-09-28
Surely this has been asked before.  I have identified some devices on my network, they would be physically plugged in to our network.  I need to find out where they are physically located.  I use Spiceworks to inventory my network and all those it can identify, it tells me which switch they are connected to - which is great, but some devices cannot be identified, I get a host name and an IP address and from these, I can also get a MAC address (from DHCP server).

I know our switches show mac addresses (Netgear GS724T) but even though I found a MAC address I was trying to identify, it simply showed port l1 - which means nothing to me.

Has anyone got any other ideas?

Thanks
Question by:fuzzyfreak
11 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40344079
One of the dirty ways that my colleague used was in a scenario with multiple buildings and multiple switches: log in to the managed switch and shut down the uplink port to those switches which you can't find. The users connected to it will surely call the help desk. This way we can't pinpoint, but at least we can search in the area nearby :-)
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344097
Ha ha, unfortunately this is not a practical solution.
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40344103
Right :-)
0
 
LVL 9

Expert Comment

by:gregcmcse
ID: 40344113
You can disconnect the device in question from your switch and either trace the wire with a probe or just wait to see who notices.  This probably isn't a good idea if you think the device might be important -- but if you think it's a rogue device and have accounted for everything important, it's not a terrible strategy.

One other thought is that you can run a port scan against that IP address and see what ports it is listening on.  That will at least tell you what type of device it is.  You can also attempt to look up the MAC address on any of a number of sites.  Several sites can be found easily with a Google search for "mac address lookup".  The IEEE and Wireshark sites would be highly authoritative.
0
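The MAC address lookup suggested above, as an added example that is not part of the original post: it normalizes the notations a DHCP server or switch may print, looks the prefix up in a small constructed table laid out like Wireshark's tab-separated manuf file, and flags locally administered addresses, for which a vendor lookup tells you nothing. The function names and the three sample entries are assumptions of this example.

```python
import re

# Constructed sample in the tab-separated layout of Wireshark's "manuf" file
# (prefix, short name, full name); a real lookup would load the full list.
SAMPLE_MANUF = (
    "00:00:0C\tCisco\tCisco Systems, Inc\n"
    "00:50:56\tVMware\tVMware, Inc.\n"
    "08:00:27\tPCSSystemtec\tPCS Systemtechnik GmbH\n"
)

def normalize_mac(raw):
    """Accept 00-50-56-AB-CD-EF, 0050.56ab.cdef, 00:50:56:ab:cd:ef, 005056abcdef."""
    if not re.fullmatch(r"[0-9A-Fa-f.:\- ]+", raw.strip()):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"expected 48 bits, got {len(digits) * 4}: {raw!r}")
    return digits.upper()

def load_manuf(text):
    """Map 24-bit prefixes (6 hex digits) to the vendor's full name."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if line.startswith("#") or len(fields) < 2 or "/" in fields[0]:
            continue  # comments, blanks, and longer-than-24-bit blocks
        table[re.sub(r"[^0-9A-Fa-f]", "", fields[0]).upper()] = fields[-1]
    return table

def describe_mac(raw, table):
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    local = bool(first_octet & 0x02)  # set in software, not assigned by IEEE
    return {
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
        "multicast": bool(first_octet & 0x01),
        "locally_administered": local,
        # An OUI lookup is meaningless for a locally administered address.
        "vendor": None if local else table.get(mac[:6], "unknown OUI"),
    }

if __name__ == "__main__":
    vendors = load_manuf(SAMPLE_MANUF)
    for sample in ("00-50-56-AB-CD-EF", "0800.27aa.bbcc", "02:11:22:33:44:55"):
        print(describe_mac(sample, vendors))
```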
 
LVL 10

Expert Comment

by:Maclean
ID: 40344170
If it's a computer, remote into it and crank up some sounds on it at high volume if it has speakers ;) But that won't help with switches and all that.
You could try running netscan including the oobe.txt file to identify vendors etc. of the appliance, which could help in identifying whether it is a Dell, APC, Konica, or other brand.
You could then either log into the device via SSH, HTTP, RDP or whatever it supports, and get some more info to assist in identifying it. But physical location is harder with unmanaged switches. Normally on a managed switch I would look at which port the device is connected to on the switch. From there you trace the lead back to the patch rack, and on the patch rack you check which outlet is marked on it. You then walk to the location in your business with that outlet number on it, and that should do it.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344230
Greg - "You can disconnect the device in question from your switch" - what do you mean?
Maclean - you cannot remote to a computer without knowing the passwords.
I am sure Spiceworks is telling me everything it knows about these devices.
One in particular is named win8-cit_1- it is a Windows machine and we only have one Win8 machine but this is not it - does anyone know if Windows 8 could be broadcasting itself across the network as a media device or something??
0
 
LVL 10

Assisted Solution

by:Maclean
Maclean earned 250 total points
ID: 40344568
You could log on with a domain admin account, presuming the device is on the domain.
If you use any management tools such as Kaseya or LabTech, you can even create a new local account on the system in question. You could also download psexec to remotely add a user.

1. Make sure you have psexec.exe on your computer
http://technet.microsoft.com/en-us/sysinternals/bb896649

I put them in my root directory.

2. Open a command prompt
CD to where the psexec.exe resides

3. Create user:

psexec \\PCNAME net user xxx ppp /add

4. Add user to local admin

psexec \\PCNAME net localgroup administrators xxx /add

xxx = username, ppp = password
0
 
LVL 9

Accepted Solution

by:
gregcmcse earned 250 total points
ID: 40345370
Fuzzy:  I mean, you have the switch port narrowed down, it appears.  Disconnect the plugged-in cable from that switch port and plug it into/connect it to a toner/tone detector and trace the cable.  That's if you have no idea where the physical location that network cable goes to is.  Your network wiring guy should be able to do that in a heartbeat.

Again, if you have the MAC address, look it up in any of 20 search results you'll get with the search I mentioned.

Note:  If the device is called "win8-cit_1-" -- chances are it's someone's home laptop they're plugging in to your network.

If you are pretty sure it's a renegade device, create a poisonous DHCP reservation.  What I mean by that is copy the mac address and put it into a DHCP lease.  If the IP address is 10.11.12.13, make the 03 (Router/default gateway) record 10.11.12.13 as well.  Put a network mask like /31 (255.255.255.254) on it as well.  The guy will attempt to connect to the network but not be able to communicate at all with the bad DHCP reservation (well, perhaps with one other system with the adjacent IP address).  Or give it a default gateway on a non-existent subnet.

Once you've done that, one of three things will happen:
1.  The legit user/server owner who bypassed protocol will go to the help desk looking for help.
2.  The fool trying to use his home device secretly will give up.
3.  The tech geek trying to get away with something will change the name of his home device to "blend in" more and will change MAC addresses.

How big is your company?
0
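The effect of the DHCP reservation described in the accepted answer, as an added example that is not part of the original post: it models what a client can reach with a normal lease, with the /31 self-gateway reservation, and with the non-existent-gateway alternative. The /24 LAN, the router at 10.11.12.1, the gateway 10.99.99.1, the destination list and the simplified routing model are assumptions of this example.

```python
import ipaddress

def lease_effect(address, netmask, router, destinations):
    """Classify each destination as a client holding this lease would see it.

    Simplified model (an assumption of this example): traffic is on-link if
    the destination falls inside the leased subnet; otherwise it needs a
    router that is itself on-link and is not the client's own address.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    gateway = ipaddress.ip_address(router)
    gateway_usable = gateway in iface.network and gateway != iface.ip
    verdicts = {}
    for text in destinations:
        dest = ipaddress.ip_address(text)
        if dest in iface.network:
            verdicts[text] = "on-link"
        elif gateway_usable:
            verdicts[text] = "via gateway"
        else:
            verdicts[text] = "unreachable"
    return verdicts

# Constructed destinations: the adjacent address, a server on the same LAN,
# and an off-site host taken from the documentation range.
DESTS = ["10.11.12.12", "10.11.12.50", "192.0.2.10"]

LEASES = {
    # Normal lease, assuming a /24 LAN with its router at 10.11.12.1.
    "normal": ("10.11.12.13", "255.255.255.0", "10.11.12.1"),
    # The answer's reservation: /31 mask, router option set to the client itself.
    "slash31_self_gateway": ("10.11.12.13", "255.255.255.254", "10.11.12.13"),
    # The answer's alternative: real mask, gateway on a non-existent subnet.
    "bogus_gateway": ("10.11.12.13", "255.255.255.0", "10.99.99.1"),
}

def compare():
    return {name: lease_effect(*lease, DESTS) for name, lease in LEASES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} {verdicts}")
```

Under this model the /31 reservation leaves only the adjacent address reachable, while the bogus-gateway variant blocks off-subnet traffic but leaves the device able to talk to everything on its own LAN.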
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40345586
Hi guys, this is all brilliant stuff and Greg's MAC address search idea helped me locate this particular rogue laptop (by chance).  It was an Asus machine which we only have one of, so I went to that location and found the rogue laptop sitting behind it.  I say rogue, it is a legitimate business use laptop but was purchased without my knowledge, which as the IT Systems Manager, I don't like.  I now need to speak with management about the correct process - any tips to load my argument in my favour? - other than a) not being able to manage it (which should be enough) and b) it having no AV on it.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40345587
I was provided some excellent ideas, all of which are very handy for the future and I shall refer back to this regularly.
0
 
LVL 9

Expert Comment

by:gregcmcse
ID: 40349338
Hi Fuzzy:

Sure, most companies larger than a couple of dozen employees have an IT policy in place that spells out several things:
- Thou shalt not purchase computer equipment without consulting with End User Computing/IT Management.
- Thou shalt not use computer software that has not been approved by End User Computing/IT Management.
- Thou shalt not connect anything to the corporate networks without gaining the approval of Network/IT Management.

The reasons for these rules are relatively simple:
1. End User Computing/IT can't support every brand of computer out there.  If everyone goes and buys their favorite brand on a whim, it costs the company in lost discounts from bulk-ordering from a single preferred vendor and prevents standardization and uniform computer management.
2. Anti-virus is a must in any company.
3. Undocumented hardware can go missing with company data without anyone knowing about it.
4. IT is ultimately responsible for ensuring software licensing and if software is loaded on an untracked/unmanaged laptop -- the company is liable.

I would be profoundly surprised if you get static attempting to enforce those simple rules -- but if you do, there is your ammo.  Good luck!
0
