RE: tracking down an workstation


Subject: RE: tracking down an workstation
From: Mike Barsalou (mbarsalou@aidea.org)
Date: Wed Nov 07 2001 - 08:49:59 AKST


Cool, nmap worked great!

It is an HP Jetdirect printer. I will send a message directly to the
printer!

Mike

-----Original Message-----
From: Leif Sawyer [mailto:lsawyer@gci.com]
Sent: Wednesday, November 07, 2001 8:43 AM
To: Mike Barsalou; 'aklug@aklug.org'
Subject: RE: tracking down an workstation

Mike Barsalou writes:
>
> I have an entry in my dhcp leases file that points to an IP
> address but has no hostname. I want to try and figure out which
> device this is. Because of the dhcp leases file I know the IP
> address and the MAC address.
>
> What is the best way to go about doing this?
>
> I can ping the device and it responds.
> I tried to telnet to it, but it refused the connection.
> traceroute produces nothing useful.
> I have used tcpdump, but because of switches, there is no traffic.
>
> I suppose I could set a machine to have the same IP address
> and see what breaks.

Well, you've got a couple of issues:

1) What is the machine
2) Where is the machine

Based on the MAC address, you can find out what the Ethernet card
is -- this will get you started on the long road to determining the machine.

Using a tool called NMAP you can probe the machine to determine what OS
it's running (within reason).

From there, depending on what information you get from NMAP (open ports as
well!) you may find that it's a Windows machine, and you'll want smbclient
to get the WINS information -- that'll get you even closer, because you
could send a WinPopup message to the box.

At the very least, you'll want to telnet to the switch that it's connected
to (you are using managed switches, and not dumb hubs, right?), look at the
ARP entries and find out what port it's connected to. From there it's a
simple matter to track down the offending person based on your wiring
closet data (it's all documented, right?).

Of course, if you're using a dumb hub, you could always just try DoS'ing
the IP address and look at which port on the hub maxes out (besides the
uplink port, that is), which is nearly as good as the previous.
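As an added example (not code from either message in this thread), the first two steps Leif describes, pulling the unnamed lease out of the dhcpd leases file and mapping its MAC address to a card vendor, can be scripted. The script below parses an ISC dhcpd.leases file, keeps the most recent lease block for each IP (dhcpd appends renewals rather than rewriting), lists the current leases that carry no client-hostname, and looks up the first three octets of each MAC in an OUI table. The sample leases file and the three-entry OUI table are constructed for this example; a real lookup would read the full IEEE OUI registry.

```python
import re

# Constructed sample of an ISC dhcpd.leases file (not from the thread).
# The second IP is renewed once and never reports a hostname.
SAMPLE_LEASES = """\
lease 10.0.0.41 {
  starts 3 2001/11/07 16:05:12;
  ends 3 2001/11/07 22:05:12;
  hardware ethernet 00:50:56:12:34:56;
  client-hostname "desk-pc";
}
lease 10.0.0.77 {
  starts 3 2001/11/07 16:40:03;
  ends 3 2001/11/07 22:40:03;
  hardware ethernet 08:00:09:ab:cd:ef;
}
lease 10.0.0.77 {
  starts 3 2001/11/07 17:10:44;
  ends 3 2001/11/07 23:10:44;
  hardware ethernet 08:00:09:ab:cd:ef;
}
"""

# Small constructed OUI table (first three octets -> vendor). A real tool
# reads the IEEE OUI registry; these entries are illustrative only.
OUI_TABLE = {
    "08:00:09": "Hewlett-Packard",
    "00:50:56": "VMware",
    "00:00:0c": "Cisco",
}

# One lease block: "lease <ip> { ... }" (bodies contain no nested braces).
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return one dict per lease block: ip, mac (lowercase) and hostname or None."""
    leases = []
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;", body)
        host = re.search(r'client-hostname\s+"([^"]*)"\s*;', body)
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1) if host else None,
        })
    return leases


def latest_leases(leases):
    """dhcpd appends renewals, so the last block seen for an IP is current."""
    current = {}
    for lease in leases:
        current[lease["ip"]] = lease
    return list(current.values())


def oui_vendor(mac, table=OUI_TABLE):
    """Map the first three octets of a MAC to a vendor name from the table."""
    prefix = mac.lower()[:8]
    return table.get(prefix, "unknown OUI")


def unnamed_leases(text):
    """(ip, mac, vendor) for current leases that carry no client-hostname."""
    return [
        (lease["ip"], lease["mac"], oui_vendor(lease["mac"]))
        for lease in latest_leases(parse_leases(text))
        if lease["hostname"] is None and lease["mac"]
    ]


if __name__ == "__main__":
    for ip, mac, vendor in unnamed_leases(SAMPLE_LEASES):
        print(f"{ip}  {mac}  {vendor}")
```

Run it against a real file by replacing SAMPLE_LEASES with the contents of /var/lib/dhcp/dhcpd.leases (the path varies by distribution). The vendor string only narrows the search to a product line, which is why the thread goes on to nmap and the switch's port table for the rest.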



This archive was generated by hypermail 2a23 : Wed Nov 07 2001 - 08:57:51 AKST