[CLUE-Tech] Finding rogue IPs.
Sean LeBlanc
seanleblanc at americanisp.net
Tue Nov 26 10:39:28 MST 2002
On 11-26 09:28, David Anselmi wrote:
> Jim Ockers wrote:
> [...]
>
> >A destructive (disruptive) test is one way to do this. Start by
> >identifying which hub it's plugged into:
>
> Thanks everyone for the good ideas. Jim's was what I went with when the
> problem came back yesterday. Here's some more info.
>
> The hubs (3com) have a console port on the back, but they require a
> management module to be "managed". I'll have to plug in and see if the
> port does anything without it. I've always wondered what you could do
> with a managed hub, have to spend some time and see.
>
> I did try Nessus first. I can't say I like it very much--doesn't seem
> to say much about what it's doing. I should get nmap instead. When I
> ran it I got ambiguous results (e.g. ssh and Win terminal server). But
> I'm sure that leaving the original box running on the same IP didn't
> help much (or does that matter since arp only maps to one MAC?)
>
> The bad machine seems to be very good at stealing the IP. I would think
> there would be some randomness to which box answers the arp request for
> the IP first, but there doesn't seem to be.
>
> I haven't tried disconnecting the drop or blocking the IP yet. I'd like
> to find the culprit without announcing that I'm searching--it isn't any
> of the admins so it may be someone doing something they shouldn't be.
>
> I got lucky when searching for the port--2nd hub, 3rd port. The drop is
> clearly numbered, but unfortunately it's not on our cable map. So it
> may have been run after the rest of the offices were wired. Sigh. I
> think I'll try sniffing for hints on who might be using the machine
> before I starting tracing wires. Got to remember to switch the good
> machine to a different IP first.
I don't know if knowing the OS or NIC would give you any clues, but nmap
could fingerprint the OS and ettercap also identifies the NIC. Ettercap also
can ID OS, but I think it wasn't as good at showing the guess (if it has to
guess) as nmap was, even though I believe it uses the same db as nmap.
Also: would this kind of behavior be caused by someone doing ARP poisoning?
Ettercap has an option(c) to check for poisoning, too.
--
Sean LeBlanc: seanleblanc at americanisp.net
http://users.americanisp.net/~seanleblanc/
Get MLAC at: http://sourceforge.net/projects/mlac/
Truth is always the enemy of power. And power the enemy of truth.
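The thread's symptom (a second box answering ARP for an IP that already has an owner) is easy to catch passively once you sniff. The script below is an added example, not code from the list or from either poster: it parses tcpdump-style ARP summary lines (the sample log is constructed for this example; the line format mimics `tcpdump arp` output but nothing here was captured from a real network) and reports every IP that has been claimed by more than one MAC, with first-seen timestamps so you can see which NIC is answering first and most often. The regex and function names are this example's own.

```python
"""Flag IP addresses that more than one MAC address is answering ARP for.

Reads tcpdump-style ARP reply lines and groups the replying MACs per IP.
An IP with two or more MACs is either a duplicate-IP accident or an
ARP-spoofing attempt; either way it is the thing to go and look at.
"""
from collections import defaultdict
import re

# Constructed sample log for this example (not a real capture). Mimics the
# one-line summaries `tcpdump arp` prints; 192.168.1.10 has two claimants.
SAMPLE_ARP_LOG = """\
10:39:01.000001 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 28
10:39:01.000420 ARP, Reply 192.168.1.10 is-at 00:de:ad:be:ef:01, length 28
10:39:02.000001 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:66, length 28
10:39:03.000001 ARP, Request who-has 192.168.1.30 tell 192.168.1.1, length 28
10:39:04.000001 ARP, Reply 192.168.1.10 is-at 00:de:ad:be:ef:01, length 28
10:39:05.000001 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:ee, length 28
"""

# Only ARP *replies* tell us who claims an address; requests are skipped.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the log text."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_conflicts(text):
    """Return {ip: {mac: [timestamps, ...]}} for IPs claimed by >1 MAC.

    Timestamps are kept in log order, so stamps[0] is the first time that
    MAC answered for the IP and len(stamps) is how often it answered.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for ts, ip, mac in parse_arp_replies(text):
        seen[ip][mac].append(ts)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def describe(conflicts):
    """Render the conflict map as a short human-readable report."""
    lines = []
    for ip, macs in sorted(conflicts.items()):
        lines.append(f"{ip} is claimed by {len(macs)} MACs:")
        # Order claimants by when they first answered for the address.
        for mac, stamps in sorted(macs.items(), key=lambda kv: kv[1][0]):
            lines.append(f"  {mac} first seen {stamps[0]} "
                         f"({len(stamps)} replies)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed it a real log with: tcpdump -n -i eth0 arp > arp.log
    print(describe(find_conflicts(SAMPLE_ARP_LOG)) or "no conflicts seen")
```

The report only says which MACs are fighting over the address; mapping a MAC back to a hub port (or to a vendor via its OUI prefix) is the manual step the thread describes, and switching the legitimate box to a different IP first keeps it from showing up as a second claimant in your own capture.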