How to identify a network device based solely on its IP or MAC Address?

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,516
#1
So I have an unknown device on our company network, and I have no other information about it, other than its IP address and MAC address. The network is quite big, and trying to physically locate the device is a mission.

It seems to have a statically assigned IP address, as the address has remained the same for a long time, and is outside of the DHCP range which is handled by the router/firewall/gateway. I have blocked the device from accessing the internet through our firewall, but it was showing zero internet traffic even before doing this. It doesn't have a NetBIOS name or hostname.

The device responds to ping requests. Trying to browse to the device on port 80 through a web browser yields nothing. Doing a trace route is pointless, because the device is inside a very large network, whose only router is the one connecting the network to the internet. Switches do not show up on a trace route (as far as I am aware), only routers.

Some ideas that I've had, which I haven't gotten down to testing:

- Change the SSID or key on the wireless network, in case the device is connected wirelessly. This will just disconnect the device, but won't help me find it, unless someone comes to me with a complaint, or something important breaks. It also means a ton of work to reconnect all our other wireless devices. And it won't help at all if the device is wired into the network.

- Is there some type of MAC Address global lookup table, which would tell me who the manufacturer is and/or the type of device? This might give me a clue as to what it is, and where to look for it.

- Is there some other way of connecting to it? Perhaps running a port scanner, to see which ports are open? Perhaps using telnet or SSH? I (shockingly) don't have much experience in this department. Some guidance would be appreciated.
 

ponder

Honorary Master
Joined
Jan 22, 2005
Messages
73,525
#5
What's the MAC address?

Do you have managed switches? If yes you can easily trace it via the switch's MAC/CAM table.
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,280
#7
> What's the MAC address?
>
> Do you have managed switches? If yes you can easily trace it via the switch's MAC/CAM table.

+1, do you have managed switches? Should be your starting point if so. If it's on wifi the mac table will show the mac address is connected to the port where your wap is
 

lsheed_cn

Expert Member
Joined
Sep 14, 2008
Messages
2,711
#8
I usually use nmap to scan an ip for open services.
Readily available for most operating systems, even the lesser ones like Windows.

http://nmap.org/download.html

To scan for all open ports at a given ip: nmap <ip> -p0-65535
To do fingerprinting add -O
eg

nmap 192.168.1.1 -p0-65535 -O

Sample report (for my router)

Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5000/tcp open upnp
MAC Address: EC:17:2F:F3:0F:A7 (Tp-link Technologies CO.)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9
Network Distance: 1 hop


MAC addresses are indeed issued by company; if you have the MAC address, we can pseudo-identify the device.
nmap can also have a go at identifying the device for you (as you can see above).
It's not 100%, but it can usually identify what sort of device/OS it is.
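
The vendor lookup discussed in the posts above, as an added example that is not part of any post in the thread. It assumes a registry file in the IEEE `oui.txt` line layout; the embedded excerpt is constructed and holds only the prefix and vendor string from the nmap report above. It also checks the two flag bits in the first octet, because a locally administered (randomized or hand-set) address carries no vendor information.

```python
import re

# Constructed one-line excerpt in the IEEE oui.txt layout (assumption).
# The prefix and vendor string are taken from the nmap report in the thread.
SAMPLE_REGISTRY = "EC-17-2F   (hex)\t\tTp-link Technologies CO.\n"

OUI_LINE = re.compile(
    r"\s*([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)")


def normalize_mac(mac):
    """Return 12 uppercase hex digits from colon, dash, dot or bare notation."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def load_registry(text):
    """Map a 6-hex-digit OUI prefix to its vendor name."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4).strip()
    return table


def identify(mac, table):
    """Return the vendor, or the reason no vendor can be derived."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # I/G bit set: group address
        return "multicast/broadcast address, not a single device"
    if first_octet & 0x02:   # U/L bit set: not assigned by a vendor
        return "locally administered (randomized or manually set), no vendor"
    return table.get(digits[:6], "unregistered or unknown OUI")


if __name__ == "__main__":
    registry = load_registry(SAMPLE_REGISTRY)
    for mac in ("EC:17:2F:F3:0F:A7", "da-a1-19-00-00-01"):
        print(mac, "->", identify(mac, registry))
```
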
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,516
#10
Thanks. This helped. The device turns out to be a Samsung device, which indicates that it might be something on the IP-based telephone system, or one of the printers. I don't recall having any other Samsung devices. Actually on second thought, it could be a smartphone or tablet.

Will try nmap first (thanks lsheed_cn), then check the switches (yes they are managed, thanks ponder).
 

syntax

Executive Member
Joined
May 16, 2008
Messages
7,680
#11
> What's the MAC address?
>
> Do you have managed switches? If yes you can easily trace it via the switch's MAC/CAM table.

Why you are ignoring the best piece of advice here (quoted above) is beyond me.

Just trace the mac address via the switches, it will tell you which physical port the device is connected on.

If it is connected via the wireless, it probably has a separate wireless IP range than that of your wired (hopefully) which automatically eliminates the wired network
Then you can at least trace to which AP it is connected on (via mac address) which will give you an approximate area.

NMAP scan will give a rough estimation of the device type.

Considering you are worried about a "rogue" device on the network, you should look at ways of securing access.
802.1x implementations are fairly easy and can be integrated with NAC devices to enforce company policies and ensure only company resources can access certain areas of the network.
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
8,326
#12
I agree, tracing MAC address to find the exact port it is connected to, is the way to go. Anything else is just shooting random things in the dark.
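
The MAC/CAM table trace recommended in the posts above, as an added example that is not part of any post in the thread. It assumes the tables have been collected as text in the Cisco IOS `show mac address-table` layout (the thread does not name the switch vendor); switch names, ports and MAC addresses are constructed. A port that has learned many addresses is an uplink, an access point or an unmanaged switch, so sightings are ranked by how many addresses share the port.

```python
import re
from collections import Counter

# Constructed output from two switches in the Cisco IOS layout (assumption).
# core-sw Gi0/24 and floor2-sw Gi0/1 are the link between the two switches.
SAMPLE = {
    "core-sw": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0200.0000.0001    DYNAMIC     Gi0/24
   1    0200.0000.0002    DYNAMIC     Gi0/24
   1    0200.0000.00aa    DYNAMIC     Gi0/24
   1    0200.0000.0003    DYNAMIC     Gi0/2
""",
    "floor2-sw": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0200.0000.0001    DYNAMIC     Gi0/5
   1    0200.0000.0002    DYNAMIC     Gi0/6
   1    0200.0000.00aa    DYNAMIC     Gi0/7
   1    0200.0000.0003    DYNAMIC     Gi0/1
""",
}

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def norm(mac):
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def trace(mac, tables):
    """Return (switch, port, rows_on_port) sightings, most edge-like first."""
    target = norm(mac)
    hits = []
    for switch, text in tables.items():
        rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
        per_port = Counter(port for _, _, _, port in rows)
        for _, addr, _, port in rows:
            if norm(addr) == target:
                hits.append((switch, port, per_port[port]))
    return sorted(hits, key=lambda h: h[2])

def describe(hit):
    switch, port, count = hit
    if count == 1:
        return f"{switch} {port}: only MAC on the port, device is attached here"
    return f"{switch} {port}: {count} MACs, an uplink, AP or unmanaged switch"

for hit in trace("02:00:00:00:00:AA", SAMPLE):
    print(describe(hit))
```
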
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,516
#13
> Why you are ignoring the best piece of advice here (quoted above) is beyond me.

> I agree, tracing MAC address to find the exact port it is connected to, is the way to go. Anything else is just shooting random things in the dark.

Noted. I'm just being lazy, because there are about 20 switches on the network, and not all of them have been assigned IP addresses as yet. It's on my to do list to inventory everything. I doubt it's a rogue device, just a device that I don't know about yet. Once everything is inventoried and I have a clearer picture of what the network actually looks like, I will be looking at 802.1x/EAP and MAC filtering. Finding this unknown device is priority though, as I am trying to organise the network into more logical IP ranges.
 
Joined
Jan 18, 2005
Messages
14,237
#15
I have this item on my one network:

192.168.0.4 == SAMSUNG ELECTRONICS CC

It is the PABX management interface. Ports open are:

21 (ftp), 23 (telnet), 80 (http), 199 (smux), 443 (https)


https://192.168.0.4 gives me the interface web page. Try that on your browser - the secure port.
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,516
#17
So I managed to identify the device, and locate it physically.

It turned out to be an SVMi card (voicemail & auto-attendant services) on the Samsung PABX. Thanks everyone for your advice.
 
Joined
Jan 18, 2005
Messages
14,237
#18
> So I managed to identify the device, and locate it physically.
>
> It turned out to be an SVMi card (voicemail & auto-attendant services) on the Samsung PABX. Thanks everyone for your advice.

Did you happen to figure out its username and password to access that interface?


Great - always the first suspect and always just a matter of finding the damn offender.
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,516
#19
> Did you happen to figure out its username and password to access that interface?
>
> Great - always the first suspect and always just a matter of finding the damn offender.

I didn't try. There's no web interface. You've got to use Samsung's proprietary software to manage the device and change settings, which our service provider usually handles.
 