-
May 9th, 2005, 04:27 PM
#1
Mystery Machine Invades Network?
Now THIS is making my morning interesting!
I came into the office today to find a note from my boss showing that a machine with the IP of 192.168.1.200, named "MUJPOLEDNIK" has joined our LAN rather mysteriously. We have no idea what or where this machine is, much less where it came from or how it joined the LAN!
So after having read a few handy AO tutorials, I finally got brave enough to bust out Nmap for some detective work for the first time. So I ran nmap -sS -O -v 192.168.1.200 and got this:
Daylight Time
Host MUJPOLEDNIK (192.168.1.200) appears to be up ... good.
Initiating SYN Stealth Scan against MUJPOLEDNIK (192.168.1.200) at 10:20
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 6346/tcp
The SYN Stealth Scan took 1 second to scan 1659 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Interesting ports on MUJPOLEDNIK (192.168.1.200):
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
6346/tcp open gnutella
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 2.674 seconds
Something is definitely VERY fishy. What do you guys think?
-
May 9th, 2005, 04:31 PM
#2
I'm curious if this has something to do with the 'too many IPs' issue the other day. I mentioned zombie accounts and spoofers then...
Even a broken watch is correct twice a day.
Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
-
May 9th, 2005, 04:31 PM
#3
If you have managed switches it should be easy to trace the culprit.
If you have a DHCP server running.. it's probably some external contractor that plugged his/her own laptop into your network..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 9th, 2005, 04:36 PM
#4
We do indeed have a DHCP server, and I'm about to look into that managed switch as we speak.
Interesting, it's a Windows 2003 server of some sort according to nmap. Ours is a Windows 2000 network...
-
May 9th, 2005, 04:37 PM
#5
How large is your network? I would suggest a physical inspection of all jacks on the network, depending on the size, and of the equipment room to make sure everything is the way it should be. Look for rogue hubs attached to network jacks. If your switch is managed, try to narrow it down that way. Try to traceroute to it also if your network has any size to it.
-
May 9th, 2005, 04:43 PM
#6
No need to traceroute if you have managed switches. If done correctly you will find the switch and the port this user is using. After that you just need to follow the cable.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 9th, 2005, 04:45 PM
#7
Ok, whatever this IP belongs to, it doesn't appear to be attached to the switch, as it shows no connection between the two.
Evidently it's talking to 224.0.0.251, so I ran nmap on that, and it came back as down. So now I'm running nmap -sS -O -v -P0 224.0.0.251, and as I write this it's still scanning (it does show it as being up at least now), so we'll see what happens...
So I wonder if somehow it's a wireless connection? Our wireless AP is protected by 128 bit encryption, but I presume it's within the realm of possibility.
-
May 9th, 2005, 04:49 PM
#8
224.0.0.251 is a multicast address.
nbtstat -a 192.168.1.200 and note the mac address.
Use the mac address to trace it on your switches.
If nbtstat doesn't work look at your dhcp leases to get the mac.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 9th, 2005, 04:50 PM
#9
How active is your WAP? Simple solution:
Ping host - get response.
Unplug WAP from network.
Ping host
If you still get a response, it's not on the WAP; if you don't, it's on the WAP.
-
May 9th, 2005, 04:53 PM
#10
Here's what nbtstat resulted in:
Node IpAddress: [192.168.1.34] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MUJPOLEDNIK <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MUJPOLEDNIK <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-12-F0-04-19-11
Time to start tracing then...
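As an added example (not part of the original thread), the triage step posts #8 and #10 describe: parse the nbtstat -a output quoted above, decode what each NetBIOS name suffix means, normalize the MAC so it can be matched against switch MAC tables or DHCP leases, and flag it when it is not in a known-host inventory. The KNOWN_MACS set is a constructed stand-in for your own asset list.

```python
import re

# Constructed sample: the nbtstat -a 192.168.1.200 output pasted in post #10.
NBTSTAT_OUTPUT = """\
Node IpAddress: [192.168.1.34] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MUJPOLEDNIK <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MUJPOLEDNIK <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-12-F0-04-19-11
"""

# Standard NetBIOS name-suffix meanings for the entries seen in that table.
SUFFIX_MEANING = {
    ("UNIQUE", "00"): "Workstation service (host name)",
    ("GROUP", "00"): "Domain/workgroup name",
    ("UNIQUE", "20"): "File server service (offers SMB shares)",
    ("GROUP", "1E"): "Browser service elections",
    ("UNIQUE", "1D"): "Master browser for this subnet",
    ("GROUP", "01"): "__MSBROWSE__ (master browser announcement)",
}

# Constructed inventory: MACs your DHCP leases / asset list say belong to you.
KNOWN_MACS = {"00:0C:29:3A:1B:2C", "00:50:56:AA:BB:CC"}

def normalize_mac(mac):
    """Upper-case, colon-separated form so switch/DHCP lookups compare equal."""
    return ":".join(re.findall(r"[0-9A-Fa-f]{2}", mac)).upper()

def parse_nbtstat(text):
    """Return (names, mac); names is a list of (name, suffix, type, meaning)."""
    names, mac = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+Registered", line)
        if m:
            name, suffix, ntype = m.groups()
            names.append((name, suffix, ntype,
                          SUFFIX_MEANING.get((ntype, suffix), "unknown suffix")))
            continue
        m = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})", line)
        if m:
            mac = normalize_mac(m.group(1))
    return names, mac

def triage(text, known_macs=KNOWN_MACS):
    """Summarize what the host claims to be and whether its MAC is inventoried."""
    names, mac = parse_nbtstat(text)
    return {
        "mac": mac,
        "known": mac in known_macs if mac else False,
        "hostnames": sorted({n for n, s, t, _ in names if t == "UNIQUE" and s == "00"}),
        "offers_smb": any(s == "20" and t == "UNIQUE" for _, s, t, _ in names),
        "master_browser": any(s == "1D" for _, s, _, _ in names),
        "roles": [(n, s, meaning) for n, s, _, meaning in names],
    }
```

An unknown MAC that also registers the <1D> and <01> names means the stranger has won the browser election for your workgroup, which is worth knowing while you walk the switch ports.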