Mystery Machine Invades Network?

Now THIS is making my morning interesting!

I came into the office today to find a note from my boss showing that a machine with the IP of 192.168.1.200, named "MUJPOLEDNIK" has joined our LAN rather mysteriously. We have no idea what or where this machine is, much less where it came from or how it joined the LAN!

So after having read a few handy AO tutorials, I finally got brave enough to bust out Nmap for some detective work for the first time. So I ran nmap -sS -O -v 192.168.1.200 and got this:

Quote:

---

Daylight Time
Host MUJPOLEDNIK (192.168.1.200) appears to be up ... good.
Initiating SYN Stealth Scan against MUJPOLEDNIK (192.168.1.200) at 10:20
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 6346/tcp
The SYN Stealth Scan took 1 second to scan 1659 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are f
irewalled
Interesting ports on MUJPOLEDNIK (192.168.1.200):
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
6346/tcp open gnutella
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 2.674 seconds

---

Something is definately VERY fishy. What do you guys think?

I'm curious if this has something to do with the 'too many ip's' issue the other day. I mentioned zombie accounts and spoofers then...

If you have managed switches it should be easy to trace the culprit.

If you have a DHCP server running.. it's probably some external contractor that plugged his/her own laptop into your network..

We do indeed have a DHCP server, and I'm about to look into that managed switch as we speak.

Interesting, it's a Windows 2003 server of some sort according to nmap. Our is a Windows 2000 network...

How large is your network? I would suggest a physical inspection of all jacks on the network depending on the size and the equipment room to make sure everything is the way it should be. Looks for rogue hubs attached to network jacks. If you switch is managed try to narrow it down that way. Try to traceroute to it also if your network has any size to it.

No need to traceroute if you have managed switches. If done correctly you will find the switch and the port this user is using. After that you just need to follow the cable.

Ok, whatever this IP belongs to, it doesn't appear to be attached to the switch, as it shows no connection between the two.

Evidently it's talking to 224.0.0.251, so I ran nmap on that, and it came back as down, so now I'm running nmap -sS -O -v -P0 224.0.0.251, and as I write this it's still scanning (does show it as being up at least now), so we'll see what happens...

So I wonder if somehow it's a wireless connection? Our wireless AP is protected by 128 bit encryption, but I presume it's within the realm of possibility.

224.0.0.251 is a multicast address.

nbtstat -a 192.168.1.200 and note the mac address.
Use the mac address to trace it on your switches.

If nbtstat doesn't work look at your dhcp leases to get the mac.

How active is your WAP? Simple solution:

Ping host - get response.
Unplug WAP from network.
Ping host

If you get a responce still its not on the WAP, if you don't its on the WAP.

Here's what nbtstat resulted in:

Node IpAddress: [192.168.1.34] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
MUJPOLEDNIK <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MUJPOLEDNIK <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered

MAC Address = 00-12-F0-04-19-11

Time to start tracing then...