[CLUE-Tech] Finding rogue IPs.

Sean LeBlanc seanleblanc at americanisp.net
Tue Nov 26 10:39:28 MST 2002


On 11-26 09:28, David Anselmi wrote:
> Jim Ockers wrote:
> [...]
> 
> >A destructive (disruptive) test is one way to do this.  Start by 
> >identifying which hub it's plugged into:
> 
> Thanks everyone for the good ideas.  Jim's was what I went with when the 
> problem came back yesterday.  Here's some more info.
> 
> The hubs (3com) have a console port on the back, but they require a 
> management module to be "managed".  I'll have to plug in and see if the 
> port does anything without it.  I've always wondered what you could do 
> with a managed hub, have to spend some time and see.
> 
> I did try Nessus first.  I can't say I like it very much--doesn't seem 
> to say much about what it's doing.  I should get nmap instead.  When I 
> ran it I got ambiguous results (e.g. ssh and Win terminal server).  But 
> I'm sure that leaving the original box running on the same IP didn't 
> help much (or does that matter since arp only maps to one MAC?)
> 
> The bad machine seems to be very good at stealing the IP.  I would think 
> there would be some randomness to which box answers the arp request for 
> the IP first, but there doesn't seem to be.
> 
> I haven't tried disconnecting the drop or blocking the IP yet.  I'd like 
> to find the culprit without announcing that I'm searching--it isn't any 
> of the admins so it may be someone doing something they shouldn't be.
> 
> I got lucky when searching for the port--2nd hub, 3rd port.  The drop is 
> clearly numbered, but unfortunately it's not on our cable map.  So it 
> may have been run after the rest of the offices were wired.  Sigh.  I 
> think I'll try sniffing for hints on who might be using the machine 
> before I starting tracing wires.  Got to remember to switch the good 
> machine to a different IP first.


I don't know if knowing the OS or NIC would give you any clues, but nmap
could fingerprint the OS and ettercap also identifies the NIC. Ettercap also
can ID the OS, but I think it wasn't as good at showing the guess (if it has to
guess) as nmap was, even though I believe it uses the same db as nmap.

Also: would this kind of behavior be caused by someone doing ARP poisoning?
Ettercap has an option (c) to check for poisoning, too.

-- 
Sean LeBlanc:seanleblanc at americanisp.net  
http://users.americanisp.net/~seanleblanc/
Get MLAC at: http://sourceforge.net/projects/mlac/
Truth is always the enemy of power. And power the enemy of truth. 
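The thread above is about a second machine answering ARP for an IP that is already in use, and about the observation that the host's ARP cache only ever holds one MAC per IP, so a port scan of the address tells you little about which box you actually reached. The following is an added example, not code from the original post or from either poster: a small passive ARP monitor that reads tcpdump-style ARP lines (the sample capture is constructed for this example, and the line format is assumed to match what `tcpdump -n arp` prints), reports every IP that has been claimed by more than one MAC, and records which MAC won each request/reply race. That last table is what explains the "very good at stealing the IP" behaviour: the first reply to arrive is the one the requester caches.

```python
import re
from collections import Counter, defaultdict

# Regexes for the two ARP line shapes tcpdump prints (format assumed, see lead-in).
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<ip>[\d.]+) tell (?P<src>[\d.]+)"
)
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture: two hosts keep answering for 192.168.1.50,
# while 192.168.1.20 has a single, well-behaved owner.
SAMPLE_CAPTURE = """
10:39:01.000100 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 28
10:39:01.000350 ARP, Reply 192.168.1.50 is-at 00:0a:0b:0c:0d:0e, length 28
10:39:01.001900 ARP, Reply 192.168.1.50 is-at 00:50:56:aa:bb:cc, length 28
10:39:05.000100 ARP, Request who-has 192.168.1.50 tell 192.168.1.7, length 28
10:39:05.000300 ARP, Reply 192.168.1.50 is-at 00:0a:0b:0c:0d:0e, length 28
10:39:05.002100 ARP, Reply 192.168.1.50 is-at 00:50:56:aa:bb:cc, length 28
10:39:09.000100 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28
10:39:09.000400 ARP, Reply 192.168.1.20 is-at 00:1b:2c:3d:4e:5f, length 28
""".strip().splitlines()


def _seconds(ts: str) -> float:
    """Convert an HH:MM:SS.ffffff timestamp into seconds since midnight."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def parse_arp(lines):
    """Turn capture lines into event dicts; lines that are not ARP are skipped."""
    events = []
    for line in lines:
        m = ARP_REQUEST.match(line)
        if m:
            events.append({"kind": "request", "ts": _seconds(m["ts"]),
                           "ip": m["ip"], "src": m["src"]})
            continue
        m = ARP_REPLY.match(line)
        if m:
            events.append({"kind": "reply", "ts": _seconds(m["ts"]),
                           "ip": m["ip"], "mac": m["mac"].lower()})
    return events


def find_conflicts(events):
    """Return {ip: {mac: reply_count}} for every IP answered by more than one MAC.

    A sniffer sees every reply on the segment, unlike the requester's ARP
    cache, which keeps only one entry per IP.
    """
    seen = defaultdict(Counter)
    for ev in events:
        if ev["kind"] == "reply":
            seen[ev["ip"]][ev["mac"]] += 1
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def first_responders(events):
    """Return {ip: {mac: wins}}: which MAC replied first after each request.

    The first reply is the one the requesting host installs in its cache,
    so a MAC that consistently wins is the one 'stealing' the address.
    """
    pending = set()          # IPs with an outstanding request
    wins = defaultdict(Counter)
    for ev in events:        # events are assumed to be in capture order
        if ev["kind"] == "request":
            pending.add(ev["ip"])
        elif ev["ip"] in pending:
            wins[ev["ip"]][ev["mac"]] += 1
            pending.discard(ev["ip"])
    return {ip: dict(c) for ip, c in wins.items()}


def report(lines):
    """Print a short duplicate-IP summary for a capture."""
    events = parse_arp(lines)
    conflicts = find_conflicts(events)
    wins = first_responders(events)
    for ip, macs in sorted(conflicts.items()):
        print(f"{ip} claimed by {len(macs)} MACs: {macs}")
        print(f"  first to answer requests: {wins.get(ip, {})}")
    return conflicts


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

Run it against a live capture by piping `tcpdump -n -l arp` into `parse_arp`; with a hub, the sniffing box sees every reply regardless of which port it sits on, which is why the quoted thread's sniffing plan works without touching the suspect drop.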


