I use a network scanner to scan my network, 10 office locations, each morning and during the day to show me quickly what’s on my network. Since Spiceworks only scans what I defined, this was my way of finding other devices.

I discovered 2 devices, 192.168.4.74 and .242, no MAC address; no clue where or what they are.

Tried to access them through various services. No go.

I created a rule/service definition on my firewall to drop that entire subnet, but I’m curious if anybody has some insight into how to track these down.

Thanks

6 Spice ups

I’m going to assume that 192.168.4.x is a valid IP address for your environment. If so, have you tried getting onto any device in that same subnet, pinging the unknown addresses, and then running the arp -a command to see if the IPs are listed there with a MAC?

1 Spice up

Do they have any open port?

1 Spice up

Other ideas/approaches:

– Put a device in that IP range and then run a full port scan against those IPs.

– Check the MAC tables of your switches and look for anomalies (compare the MAC list to your DHCP tables, etc.).

2 Spice ups

Ooooh! Another idea. Wireshark the IP addresses. Then, look at the captured packets for any useful info (once again, primarily MACs).

1 Spice up

Yes, tried that. No entries found.

There are only those 2 in this subnet and it isn’t one I use, so my assumption is that someone has a device that has a statically assigned address.

How long have they been around? Just today? A few days? If they stick around for days, then you might need to take a walk around the building to see if you could identify any unrecognizable devices.

Also, I’m going to guess that ping and tracert go nowhere.

1 Spice up

tracert hits the HP switch, firewall, public IP (TW), then the 192.168.4.242.

I’ll try the port scan and Wireshark to see what I can discover.

1 Spice up

Do you have a location where they were asking for better wireless coverage and didn’t get it? Can you find them on the same port of the same switch?

I think you could have a rogue access point. Check your ARP table for a MAC belonging to consumer-grade vendors: Linksys, D-Link, etc.

1 Spice up
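The two suggestions above (compare the ARP/MAC list against what DHCP already knows, and look for consumer-grade vendor OUIs) can be combined into one check. This is an added example, not code from the thread: it parses Windows `arp -a` output (a constructed sample is embedded), drops broadcast/multicast entries, and labels each host as in-inventory, consumer-vendor OUI, or unknown. The inventory set and the OUI table are assumptions; the OUI prefixes are an illustrative subset that should be checked against the IEEE registry.

```python
import re

# Constructed sample of Windows `arp -a` output (not a capture from the thread);
# in practice, ping the unknown addresses from a host in the same subnet first.
ARP_OUTPUT = """
Interface: 192.168.4.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.4.1           00-1b-21-aa-bb-cc     dynamic
  192.168.4.74          00-14-bf-11-22-33     dynamic
  192.168.4.242         02-11-22-33-44-55     dynamic
  192.168.4.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed inventory: MACs your DHCP leases / Spiceworks already account for.
KNOWN_MACS = {"00:1b:21:aa:bb:cc"}
# Illustrative OUI prefixes (assumed to match the IEEE registry); load the full
# registry for real use so consumer-grade vendors are not missed.
OUI_VENDORS = {"00:14:bf": "Cisco-Linksys", "00:05:5d": "D-Link", "00:14:6c": "Netgear"}
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s", re.I)

def parse_arp(text):
    """Return {ip: mac} for unicast entries, MAC normalised to aa:bb:cc:dd:ee:ff."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        mac = m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 0x01:   # multicast/broadcast bit set: not a host
            continue
        entries[m.group(1)] = mac
    return entries

def classify(entries, known=KNOWN_MACS, ouis=OUI_VENDORS):
    """Label each ARP entry: in inventory, consumer-vendor OUI, or unknown."""
    findings = {}
    for ip, mac in entries.items():
        if mac in known:
            findings[ip] = "known"
        elif mac[:8] in ouis:
            findings[ip] = "consumer-vendor:" + ouis[mac[:8]]
        elif int(mac[:2], 16) & 0x02:  # locally administered: likely VM/software
            findings[ip] = "unknown (locally administered MAC)"
        else:
            findings[ip] = "unknown"
    return findings

if __name__ == "__main__":
    for ip, verdict in classify(parse_arp(ARP_OUTPUT)).items():
        print(ip, verdict)
```

Any entry labelled consumer-vendor or unknown is the one to chase through the switch MAC table to a physical port.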

erm… Okay. Wow. Yeah. That is weird.

I’m intrigued. I’ll keep checking in on this thread in anticipation of the Wireshark results.

I used nmap also to port scan etc. It is more guessing, but it’s saying it looks like a Linux 3.10 - 4.1 box.

Port 80/tcp open but nothing really accessible.

From the map it looks like it’s hanging off my main switch.

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-27 11:46 Mountain Daylight Time
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:46
Completed NSE at 11:46, 0.00s elapsed
Initiating NSE at 11:46
Completed NSE at 11:46, 0.00s elapsed
Initiating Ping Scan at 11:46
Scanning 192.168.4.242 [4 ports]
Completed Ping Scan at 11:46, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:46
Completed Parallel DNS resolution of 1 host. at 11:46, 0.05s elapsed
Initiating SYN Stealth Scan at 11:46
Scanning 192.168.4.242 [65535 ports]
Discovered open port 80/tcp on 192.168.4.242
SYN Stealth Scan Timing: About 23.78% done; ETC: 11:48 (0:01:39 remaining)
SYN Stealth Scan Timing: About 60.10% done; ETC: 11:48 (0:00:41 remaining)
Completed SYN Stealth Scan at 11:47, 87.13s elapsed (65535 total ports)
Initiating Service scan at 11:47
Scanning 1 service on 192.168.4.242
Completed Service scan at 11:48, 38.64s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.4.242
Retrying OS detection (try #2) against 192.168.4.242
Initiating Traceroute at 11:48
Completed Traceroute at 11:48, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:48
Completed Parallel DNS resolution of 2 hosts. at 11:48, 6.55s elapsed
NSE: Script scanning 192.168.4.242.
Initiating NSE at 11:48
Completed NSE at 11:49, 64.34s elapsed
Initiating NSE at 11:49
Completed NSE at 11:49, 0.10s elapsed
Nmap scan report for 192.168.4.242
Host is up (0.0047s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 3.2 - 4.4 (90%), Linux 3.11 (89%), Linux 3.12 (89%), Linux 3.13 (89%), Linux 3.13 or 4.2 (89%), Linux 3.16 (89%), Linux 3.18 (89%), Epson Stylus Pro 400 printer (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 28.712 days (since Tue Jun 28 18:45:10 2016)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.00 ms 192.168.1.253
2 0.00 ms 192.168.4.242
NSE: Script Post-scanning.
Initiating NSE at 11:49
Completed NSE at 11:49, 0.00s elapsed
Initiating NSE at 11:49
Completed NSE at 11:49, 0.00s elapsed
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 1 IP address (1 host up) scanned in 202.75 seconds
Raw packets sent: 131214 (5.777MB) | Rcvd: 119 (5.492KB)

If you do the scan from the same subnet (or look at the ARP table on the switch) you can find the MAC address of the device. Then look to see if it is a MAC on an existing system. Also hunt down what switch port that MAC address is on, either via the switch, or find a time you can unplug all cables on the switch until that system stops being scannable. Then trace that cable to what is plugged into it.

A manageable switch really helps!