[CLUE-Tech] Finding rogue IPs.

Tom Poindexter tpoindex at nyx.net
Thu Nov 21 14:10:49 MST 2002


On Thu, Nov 21, 2002 at 01:38:32PM -0700, Jim Ockers wrote:

> > Suppose you have a network in your two story office building with around 
> > 250 network drops (10/100BT hubs).  Suppose one of your servers becomes 
> > unreachable and you find that arp gives you a different MAC address than 
> > you expect.
> > 
> > How would you find the rogue machine to fix the problem?
> 
> A destructive (disruptive) test is one way to do this.  Start by 
> identifying which hub it's plugged into:

There's also a software approach: nmap is your friend.  Find which ports
are open, start exploring.  Make sure your real server is off the network
first.  I've also used scotty/tkined for network discovery with great
success.  Or perhaps tcpdump or ethereal to see other machines to which the 
machine in question is talking, look at raw packets for clues.

Once you find open ports and know what nmap reports:
Unix target: telnet, ssh, ftp, rusers.
Windows target: smbclient

-- 
Tom Poindexter
tpoindex at nyx.net
http://www.nyx.net/~tpoindex/
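The "look at raw packets for clues" step above can be turned into a small check. What follows is an added example, not code from the original post or from any tool mentioned in it: it parses ARP reply lines in the shape that `tcpdump -n arp` prints (the capture text here is constructed, not a real capture, and the 192.0.2.0/24 addresses and 00:00:5e:00:53:xx MACs are documentation/example values) and reports any IP for which more than one MAC has answered, or whose only answering MAC differs from the one you expect for your server. The function names and the `expected` mapping are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output (not a real
# capture). Two different MACs answer for 192.0.2.10, which is exactly the
# symptom described in the thread: arp shows a MAC you do not expect.
SAMPLE_CAPTURE = """\
14:10:01.000101 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
14:10:01.000250 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:01, length 28
14:10:01.000300 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:ff, length 28
14:10:02.000101 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 46
14:10:02.000250 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:02, length 28
14:10:03.000250 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:ff, length 28
"""

# Matches only ARP *reply* lines; requests and non-ARP lines are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture text."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_conflicts(replies, expected=None):
    """Return {ip: sorted list of MACs} for suspicious IPs.

    An IP is suspicious when more than one MAC has claimed it, or when
    `expected` (an ip -> mac mapping you maintain for your own servers)
    names a MAC for that IP and the observed MAC is not it. The second
    case catches the rogue even after the real server has been taken off
    the network, as the post recommends doing before investigating.
    """
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    seen = defaultdict(dict)  # ip -> {mac: timestamp of first reply}
    for ts, ip, mac in replies:
        seen[ip].setdefault(mac, ts)

    conflicts = {}
    for ip, macs in seen.items():
        duplicate = len(macs) > 1
        wrong_mac = ip in expected and expected[ip] not in macs
        if duplicate or wrong_mac:
            conflicts[ip] = sorted(macs)
    return conflicts


if __name__ == "__main__":
    replies = list(parse_arp_replies(SAMPLE_CAPTURE))
    for ip, macs in find_conflicts(replies).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Feed it real capture text (`tcpdump -n arp > arp.log`, then read the file) and any IP it reports is the one to chase down hub by hub; the MAC it prints is what you match against the switch or hub port, and the timestamp in `seen` tells you when each claimant first appeared.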
