
Thread: Mystery Machine Invades Network?

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Looking further into 224.0.0.251 I came across this.
    That machine probably has AppleTalk installed.

    Found this too.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    Found it!

    But the answer is WEIRD.

    I discovered that the MAC address I found was indeed connecting wirelessly. That meant it had to be one of our machines since I have MAC filtering enabled. Sure enough, that MAC belongs to one of our company laptops, however that laptop is NOT a Windows 2003 server (it's XP Pro) and is NOT named "MUJPOLEDNIK".

    So I'm going to find out who has that laptop right now and take a look at it...

  3. #13
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Your WiFi is on the same subnet as your wired hosts? You should have them on different subnets separated by a firewall... just in case something like this were to happen. Then it's easier to track down and lock out hosts on that subnet... 128-bit encryption using WEP? The firewall between the subnets should limit the wireless hosts' access to your wired LAN.

    Like sirdice said... nbtstat -a 192.168.1.200 and get the MAC. Then you can match it up.

    Since NetBIOS is running, you can possibly get other useful info... such as user account logged in, which workgroup/domain it belongs to, etc. You can use nessus or languard or nbtstat or nbtscan, etc. There are a lot of tools out there that will give you that info.

    From your nbtstat you can determine the following:

    Workstation Service
    Belongs to the "Workgroup" domain/workgroup
    Has file/print share service turned on
    Participates in browser service elections
    It is the master browser for that domain/workgroup

    BTW: If you are using WEP... it's not very difficult to break. And MAC filtering? Does no good... a simple MAC spoofing program can get around that. You need to be using WPA along with some type of authentication server (VPN or RADIUS).
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
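
Added example, not part of the original posts: a short parser that turns `nbtstat` name-table output into the list of roles read off above, then checks the announced name against an asset inventory keyed by MAC, which is the mismatch this thread is chasing. The sample output, the MAC (taken from the documentation range) and the inventory name `LAPTOP-07` are constructed assumptions.

```python
import re

# Well-known NetBIOS name-table suffixes, keyed by (suffix, record type).
ROLES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain/workgroup membership",
    ("20", "UNIQUE"): "File/print sharing (Server service)",
    ("1E", "GROUP"): "Browser service elections",
    ("1D", "UNIQUE"): "Master browser",
}
ROW = re.compile(
    r"^[ \t]*(\S.*?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+Registered",
    re.M)
MAC = re.compile(r"MAC Address = ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

# Constructed nbtstat output; the MAC is a placeholder, not from the thread.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    MUJPOLEDNIK    <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    MUJPOLEDNIK    <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
"""
INVENTORY = {"00-00-5E-00-53-01": "LAPTOP-07"}  # hypothetical asset list

def parse_nbtstat(text):
    """Extract computer name, workgroup, MAC and roles from the name table."""
    host = {"name": None, "workgroup": None, "mac": None, "roles": []}
    for name, suffix, kind in ROW.findall(text):
        key = (suffix.upper(), kind)
        if key == ("00", "UNIQUE"):
            host["name"] = name
        elif key == ("00", "GROUP"):
            host["workgroup"] = name
        if key in ROLES and ROLES[key] not in host["roles"]:
            host["roles"].append(ROLES[key])
    found = MAC.search(text)
    host["mac"] = found.group(1).upper() if found else None
    return host

def check_inventory(host, inventory):
    """Compare the announced NetBIOS name with the name recorded for the MAC."""
    expected = inventory.get(host["mac"])
    if expected is None:
        return "unknown MAC"
    if expected.upper() != (host["name"] or "").upper():
        return f"name mismatch: inventory {expected}, announced {host['name']}"
    return "ok"
```

A name mismatch on a known MAC covers both outcomes discussed in the thread: a renamed company machine or a different device reusing the address.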

  4. #14
    And it just gets stranger...

    That laptop that the MAC belongs to is turned off, sitting safely in a cabinet right now.

    Could this mean someone's cracked our WEP and spoofed the MAC as phis mentioned then?

  5. #15
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Looks like it, expect a letter from the RIAA. Lol
    Your scan does show port 6346/tcp gnutella as open.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #16
    "Your scan does show port 6346/tcp gnutella as open."
    So I don't know much about that. What's the purpose of that particular port?

  7. #17
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    "Your scan does show port 6346/tcp gnutella as open."
    file sharing on the gnutella p2p network
    http://www.gnutella.com/

    "Could this mean someone's cracked our WEP and spoofed the MAC as phis mentioned then?"
    Sure. WEP is easy to crack. It can be done in minutes. Valid MACs can be found in seconds... they are not encrypted...

    Remove that MAC from your filters and see if they try to reconnect using a different MAC.

  8. #18
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668

  9. #19
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    AngelicK,

    You have a physical or logical map of your network, no?
    Let's say you do, that means all managed switches and servers will show on the map as static IPs, the rest of the network, maybe excluding printers, are DHCP.

    With that information in hand, simply "tracert" the IP. (I'd suggest a GUI program that does the same thing but tracert is free).

    Then go to the next "static" IP reported in the tracert output and "tracert" again.
    If it gets too confusing, tracert from another couple locations on your network as a type of "triangulation".

    If all tracerts go through the WAP, then exclude that MAC and see who complains.
    OR:
    In the meantime, you can use another laptop booted up with Knoppix STD CD (free download) to use Kismet to physically track the offender.

    Using Network Stumbler (runs under Windows for free) to walk the general area looking for the offending device will only give you active APs (with their MAC ID); sometimes you get the peer-to-peer connections, other times not.

    I'd also contact whomever had been using the laptop.
    It could be a former employee/technician who grabbed the data prior to leaving.
    ZT3000
    Beta tester of "0"s and "1"s

  10. #20
    So, mystery solved! Turns out it's a laptop that belongs to one of our employees. He changed the name of his machine to that weird name above, thus throwing me off all morning long. All it took was kicking that MAC off the AP for me to get the "I lost my connection!" phone call.
