Re: Strange logon attempts



In article <1150296936.147687.252050@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Matt <matthewsatkins@xxxxxxxxx> wrote:
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??

If you have managed switches or routers:

- ping the IP address, and then examine your arp table to determine
the MAC address. Then use SNMP to poll all of your managed switches
and routers, looking for that MAC address in the port tables.
Note that the switch port ARP tables might expire within a few minutes,
so you might have to monitor for some time in order to determine
the port locations.


If you do not have managed switches:
- first install managed switches; then apply procedure above ;-)


On the SNMP side, you want ipNetToMediaTable entries if you can
get them, but you will probably only get useful ones on routers.
Devices like printers are more likely to have atTable entries, which
are about as useful, but again you usually don't get useful
entries from switches. (It can be useful to poll service devices
such as servers and printers, because the target host might be
talking to one of them at times it doesn't happen to be talking
to anything topologically "near" you.)

For the switches I was using, the most likely OID to be useful was
.1.3.6.1.2.17.4.3.1 which looked like this:

17.4.3.1.1.0.80.186.72.179.154 = Hex: 00 50 BA 48 B3 9A
17.4.3.1.2.0.80.186.72.179.154 = 48

The .1 or .2 is followed in the OID by the *decimal* expansion of
the target device MAC. The .1 entry then reproduces that MAC
except in Hex (which might be easier for you to read), and
the .2 entry is the port number the device was attached to.

Note that the above OIDs are not standardized ones, and the
treatment of MAC entries within VLANs varies depending on manufacturer
and SNMP MIBs adhered to.

Useful descriptions of the interfaces are at
.1.3.6.1.2.1.2.31.1.1.1.1 for some switches and routers, and more
standardly (but sometimes less usefully) at .1.3.6.1.2.1.2.2.1.2.

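The lookup described in the reply above (take the MAC from your ARP table, turn it into the decimal OID index the forwarding table uses, and match it against the `.17.4.3.1.1` address and `.17.4.3.1.2` port rows walked from each switch) as an added worked example; this is not code from the original post. The walk output is constructed to look like the two lines shown in the post, the switch names `sw-edge` and `sw-core` are made up, and the script goes one step further than the post by comparing hits across several switches, since the same MAC also appears on the uplink port of every switch between you and the host.

```python
"""Find the switch port that learned a given MAC from SNMP forwarding-table output.

Added example (not from the original post). Assumes the walk output is in the
numeric form quoted in the post, i.e. lines such as
  17.4.3.1.1.<decimal MAC> = Hex: xx xx xx xx xx xx   (address column)
  17.4.3.1.2.<decimal MAC> = <port number>            (port column)
optionally preceded by a longer OID prefix.
"""
import re

# Constructed sample walks for two hypothetical switches. On "sw-edge" the
# target MAC is alone on port 48; on "sw-core" it is one of three MACs learned
# on port 1, which is what an uplink toward sw-edge would look like.
SAMPLE_WALKS = {
    "sw-edge": """\
17.4.3.1.1.0.80.186.72.179.154 = Hex: 00 50 BA 48 B3 9A
17.4.3.1.2.0.80.186.72.179.154 = 48
17.4.3.1.1.0.30.22.1.2.3 = Hex: 00 1E 16 01 02 03
17.4.3.1.2.0.30.22.1.2.3 = 3
""",
    "sw-core": """\
17.4.3.1.1.0.80.186.72.179.154 = Hex: 00 50 BA 48 B3 9A
17.4.3.1.2.0.80.186.72.179.154 = 1
17.4.3.1.1.0.30.22.1.2.3 = Hex: 00 1E 16 01 02 03
17.4.3.1.2.0.30.22.1.2.3 = 1
17.4.3.1.1.0.13.1.255.254.253 = Hex: 00 0D 01 FF FE FD
17.4.3.1.2.0.13.1.255.254.253 = 1
17.4.3.1.1.0.170.187.204.221.238 = Hex: 00 AA BB CC DD EE
17.4.3.1.2.0.170.187.204.221.238 = 7
""",
}

# Matches one walked row: optional OID prefix, table column (1 = address,
# 2 = port), six decimal octets as the index, then the value.
ROW_RE = re.compile(
    r"^\S*?17\.4\.3\.1\.(?P<col>[12])\."
    r"(?P<index>(?:\d{1,3}\.){5}\d{1,3})\s*=\s*(?P<value>.+?)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 00:50:ba:48:b3:9a, 00-50-BA-48-B3-9A or '00 50 BA ...'; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_to_oid_index(mac: str) -> str:
    """The forwarding table indexes rows by the MAC written as six decimal octets."""
    digits = normalize_mac(mac)
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def parse_fdb_walk(text: str) -> dict:
    """Group the .1 (address) and .2 (port) rows of a walk by their OID index."""
    entries: dict = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # ignore anything that is not a forwarding-table row
        entry = entries.setdefault(m["index"], {})
        if m["col"] == "1":
            value = m["value"]
            hexpart = value.split(":", 1)[1] if value.startswith("Hex:") else value
            entry["mac"] = normalize_mac(hexpart)
        else:
            entry["port"] = int(m["value"])
    return entries


def find_ports(walks: dict, mac: str) -> list:
    """Return (switch, port, macs_on_that_port) for each switch that learned MAC.

    Sorted so the least crowded port comes first: the edge port normally has
    only the target MAC, while uplinks carry every MAC behind them.
    """
    index = mac_to_oid_index(mac)
    hits = []
    for switch, text in walks.items():
        entries = parse_fdb_walk(text)
        entry = entries.get(index)
        if entry is None or "port" not in entry:
            continue
        if "mac" in entry and entry["mac"] != normalize_mac(mac):
            raise ValueError(f"{switch}: address column disagrees with OID index")
        port = entry["port"]
        crowd = sum(1 for e in entries.values() if e.get("port") == port)
        hits.append((switch, port, crowd))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    # Windows "arp -a" prints MACs with hyphens; the lookup accepts that form.
    for switch, port, crowd in find_ports(SAMPLE_WALKS, "00-50-ba-48-b3-9a"):
        print(f"{switch}: port {port} ({crowd} MAC(s) learned on that port)")
```

In practice the walk text comes from polling each switch (for example with `snmpwalk` against the OID the post gives) and the MAC from the ARP table right after a successful ping; because the forwarding entries age out within minutes, as the post notes, poll repeatedly rather than once.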

