Unknown Device on Network

(@minesh)
Posts: 75
Trusted Member
Topic starter
 

Hi,

We have an unknown device's IP address, and are unable to locate it, but have found the MAC address begins E2-12-1D (Unknown OUI). As yet, we are unable to identify what it is, or whether it is a spoofed MAC. It's showing up as an NTP server, but doesn't respond to pings etc.

Suggestions welcome,

Thanks

Minesh

EDIT Had to get onto Networking guys and they have pinpointed the location of the device… will investigate later.

 
Posted : 26/02/2008 4:55 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 

First hit in Google?

http://standards.ieee.org/regauth/oui/index.shtml

-P

 
Posted : 26/02/2008 5:03 pm
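
Added example, not part of any post in this thread: the first octet of a MAC address carries two flag bits, and for the E2-12-1D prefix quoted above the "locally administered" bit (0x02) is set, which is why an OUI registry lookup returns nothing. The Python sketch below reads those bits from a full address or a bare prefix and flags the entries in an ARP table that cannot be resolved through the registry. The function names and the sample table are assumptions made for illustration; only the E2-12-1D prefix comes from the thread.

```python
import re

def parse_mac_prefix(text):
    """Return the octets of a full MAC or a bare 3-octet prefix as a list of ints.

    Accepts E2-12-1D, e2:12:1d:00:11:22 and Cisco-style e212.1d00.1122.
    """
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){3,6}", digits):
        raise ValueError(f"not a MAC address or OUI prefix: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, len(digits), 2)]

def classify_mac(text):
    """Read the two flag bits in the first octet of a MAC address."""
    octets = parse_mac_prefix(text)
    first = octets[0]
    return {
        "prefix": "-".join(f"{o:02X}" for o in octets[:3]),
        # I/G bit (0x01): 0 = unicast, 1 = group (multicast/broadcast)
        "multicast": bool(first & 0x01),
        # U/L bit (0x02): 0 = IEEE-assigned OUI, 1 = locally administered
        "locally_administered": bool(first & 0x02),
    }

def worth_oui_lookup(text):
    """Only universally administered unicast addresses carry a registered OUI."""
    info = classify_mac(text)
    return not info["multicast"] and not info["locally_administered"]

# Constructed sample ARP table; only the E2-12-1D prefix comes from the thread.
SAMPLE_ARP = [
    ("192.0.2.10", "00-1B-21-3C-4D-5E"),    # constructed address
    ("192.0.2.23", "E2-12-1D-00-00-01"),    # last three octets are made up
    ("192.0.2.31", "02:42:ac:11:00:02"),    # constructed address
    ("192.0.2.255", "ff:ff:ff:ff:ff:ff"),   # broadcast
]

def flag_unregistered(arp_rows):
    """Return (ip, mac) rows whose MAC cannot be resolved through the OUI registry."""
    return [(ip, mac) for ip, mac in arp_rows if not worth_oui_lookup(mac)]

if __name__ == "__main__":
    print(classify_mac("E2-12-1D"))
    for ip, mac in flag_unregistered(SAMPLE_ARP):
        print(f"{ip:15} {mac}  no OUI to look up (locally administered or group)")
```

A set U/L bit only says the address was assigned in software or by an administrator rather than taken from a manufacturer's block; it does not by itself show that the device is hostile.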
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

Sorry, forgot to edit the first bit out of my post.

I suppose the question is, does anyone know how we can identify this unknown device?

Minesh

 
Posted : 26/02/2008 5:11 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
 

And haven't you been able to traceroute it until some very specific point?

 
Posted : 26/02/2008 6:03 pm
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

It didn't respond to ping or tracert. We tried all we can from our end, but in the end got the networking guys to pinpoint its location.

Would be great if there was another way though.

Minesh

 
Posted : 26/02/2008 6:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It didn't respond to ping or tracert. We tried all we can from our end, but in the end got the networking guys to pinpoint its location.

Would be great if there was another way though.

In this thread so far, I've seen no mention of either SNMP or nmap.

Also, if this system was identified as an NTP server, how was this done? Traffic analysis? If so, you might consider using p0f and targeting just that system by IP.

 
Posted : 26/02/2008 6:47 pm
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

Thanks Harlan…

NMAP has found that it's running XP Home in French Language, so that helps us a bit! The NTP server was discovered using the old sourceforge NetTime (why it's still used I do not know). Will give p0f a go.

Totally forgot about NMAP!

Cheers

Minesh

 
Posted : 26/02/2008 7:42 pm
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

Ok, so it may not be Windows at all… another scan shows QNX v4. Then another says it can't identify it (which is the same result we got earlier)… despite nmap suggesting that it's 100% accurate, lol.

Someone will go and see if it's where we were told.

Minesh

 
Posted : 26/02/2008 8:27 pm
(@bithead)
Posts: 1206
Noble Member
 

I love my Fluke OptiView for problems just like this.

 
Posted : 26/02/2008 8:49 pm
ddow
(@ddow)
Posts: 278
Reputable Member
 

Minesh, any chance someone is running a honeypot and changing the simulated OS on you? This is kinda weird to be just some rogue system.

 
Posted : 26/02/2008 10:44 pm