Hi,
We have an unknown device's IP address, and are unable to locate it, but have found the MAC address begins E2-12-1D (Unknown OUI). As yet, we are unable to identify what it is, or whether it is a spoofed MAC. It's showing up as an NTP server, but doesn't respond to pings etc.
Suggestions welcome,
Thanks
Minesh
EDIT Had to get onto Networking guys and they have pinpointed the location of the device… will investigate later.
First hit in Google?
http//
-P
Sorry, forgot to edit the first bit out of my post.
I suppose the question is, does anyone know how we can identify this unknown device?
Minesh
And haven't you been able to traceroute it until some very specific point?
It didn't respond to ping or tracert. We tried all we can from our end, but in the end got the networking guys to pinpoint its location.
Would be great if there was another way though.
Minesh
It didn't respond to ping or tracert. We tried all we can from our end, but in the end got the networking guys to pinpoint its location.
Would be great if there was another way though.
In this thread so far, I've seen no mention of either SNMP or nmap.
Also, if this system was identified as an NTP server, how was this done? Traffic analysis? If so, you might consider using p0f and targeting just that system by IP.
Thanks Harlan…
NMAP has found that it's running XP Home in French Language, so that helps us a bit! The NTP server was discovered using the old sourceforge NetTime (why it's still used I do not know). Will give p0f a go.
Totally forgot about NMAP!
Cheers
Minesh
Ok, so it may not be Windows at all… another scan shows QNX v4. Then another says it can't identify it (which is the same result we got earlier)… despite nmap suggesting that it's 100% accurate, lol.
Someone will go and see if it's where we were told.
Minesh
I love my Fluke OptiView for problems just like this.
Minesh, any chance someone is running a honeypot and changing the simulated OS on you? This is kinda weird to be just some rogue system.
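Added example, not part of any post in this thread: one more check on the "Unknown OUI" prefix E2-12-1D from the first post is to read the two flag bits in the first octet, since an address with the locally administered bit set was assigned by software and has no vendor OUI to look up. The function names and the neighbour table below are constructed for illustration (documentation IP range, made-up trailing octets).

```python
import re

def classify_mac(text):
    """Classify a full MAC or a leading prefix such as 'E2-12-1D'."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,6}", digits):
        raise ValueError(f"not a MAC address or prefix: {text!r}")
    first = int(digits[:2], 16)
    local = bool(first & 0x02)      # U/L bit: 1 = locally administered
    multicast = bool(first & 0x01)  # I/G bit: 1 = group (multicast) address
    if multicast:
        verdict = "group address, not a single NIC's source MAC"
    elif local:
        verdict = "locally administered: set by software, no OUI to look up"
    else:
        verdict = "universally administered: OUI lookup is meaningful"
    return {"local": local, "multicast": multicast, "verdict": verdict}

# Constructed sample of an ARP/neighbour table: "<ip> <mac>" per line,
# in the hyphen, colon and Cisco dotted notations.
SAMPLE_NEIGHBOURS = """\
192.0.2.10   00-00-5E-00-53-01
192.0.2.77   E2-12-1D-00-00-01
192.0.2.80   e212.1d00.0002
192.0.2.251  01:00:5e:00:00:fb
"""

def flag_local(table):
    """Return the IPs whose unicast MAC is locally administered."""
    flagged = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed rows
        ip, mac = parts
        info = classify_mac(mac)
        if info["local"] and not info["multicast"]:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print("E2-12-1D:", classify_mac("E2-12-1D")["verdict"])
    print("locally administered hosts:", flag_local(SAMPLE_NEIGHBOURS))
```

A locally administered address is what virtual NICs, MAC randomization and manual overrides produce, so the result narrows the search rather than identifying the device.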