Page 1 of 4 123 ... LastLast
Results 1 to 10 of 35

Thread: Mystery Machine Invades Network?

  1. #1

    Mystery Machine Invades Network?

    Now THIS is making my morning interesting!

    I came into the office today to find a note from my boss showing that a machine with the IP of 192.168.1.200, named "MUJPOLEDNIK" has joined our LAN rather mysteriously. We have no idea what or where this machine is, much less where it came from or how it joined the LAN!

    So after having read a few handy AO tutorials, I finally got brave enough to bust out Nmap for some detective work for the first time. So I ran nmap -sS -O -v 192.168.1.200 and got this:

    Daylight Time
    Host MUJPOLEDNIK (192.168.1.200) appears to be up ... good.
    Initiating SYN Stealth Scan against MUJPOLEDNIK (192.168.1.200) at 10:20
    Adding open port 135/tcp
    Adding open port 139/tcp
    Adding open port 6346/tcp
    The SYN Stealth Scan took 1 second to scan 1659 ports.
    For OSScan assuming that port 135 is open and port 1 is closed and neither are f
    irewalled
    Interesting ports on MUJPOLEDNIK (192.168.1.200):
    (The 1656 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    6346/tcp open gnutella
    Device type: general purpose
    Running: Microsoft Windows 2003/.NET
    OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)
    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 2.674 seconds
    Something is definately VERY fishy. What do you guys think?

  2. #2
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    I'm curious if this has something to do with the 'too many ip's' issue the other day. I mentioned zombie accounts and spoofers then...
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you have managed switches it should be easy to trace the culprit.

    If you have a DHCP server running.. it's probably some external contractor that plugged his/her own laptop into your network..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    We do indeed have a DHCP server, and I'm about to look into that managed switch as we speak.

    Interesting, it's a Windows 2003 server of some sort according to nmap. Our is a Windows 2000 network...

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    How large is your network? I would suggest a physical inspection of all jacks on the network depending on the size and the equipment room to make sure everything is the way it should be. Looks for rogue hubs attached to network jacks. If you switch is managed try to narrow it down that way. Try to traceroute to it also if your network has any size to it.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    No need to traceroute if you have managed switches. If done correctly you will find the switch and the port this user is using. After that you just need to follow the cable.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Ok, whatever this IP belongs to, it doesn't appear to be attached to the switch, as it shows no connection between the two.

    Evidently it's talking to 224.0.0.251, so I ran nmap on that, and it came back as down, so now I'm running nmap -sS -O -v -P0 224.0.0.251, and as I write this it's still scanning (does show it as being up at least now), so we'll see what happens...

    So I wonder if somehow it's a wireless connection? Our wireless AP is protected by 128 bit encryption, but I presume it's within the realm of possibility.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    224.0.0.251 is a multicast address.

    nbtstat -a 192.168.1.200 and note the mac address.
    Use the mac address to trace it on your switches.

    If nbtstat doesn't work look at your dhcp leases to get the mac.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    How active is your WAP? Simple solution:

    Ping host - get response.
    Unplug WAP from network.
    Ping host

    If you get a responce still its not on the WAP, if you don't its on the WAP.

  10. #10
    Here's what nbtstat resulted in:

    Node IpAddress: [192.168.1.34] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    MUJPOLEDNIK <00> UNIQUE Registered
    WORKGROUP <00> GROUP Registered
    MUJPOLEDNIK <20> UNIQUE Registered
    WORKGROUP <1E> GROUP Registered
    WORKGROUP <1D> UNIQUE Registered
    ..__MSBROWSE__.<01> GROUP Registered

    MAC Address = 00-12-F0-04-19-11

    Time to start tracing then...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •