
Track Down Rogue Network Devices

JockVSJock Member Posts: 1,118
This is my first time doing this, and I'm going off memory as I'm no longer at work and writing this from home.

Our network scanner has detected 4 devices on the network broadcasting some sort of rlogin vulnerability. My boss wanted me to track them down quickly before anyone else's scanner found them. This is what I did from Linux (RHEL v5.8 x86_64):

-ping and traceroute to confirm they are on and confirm the subnet
-nmap -O and -sT detected RHEL v4.11 x86_64
-MAC address into the Wireshark OUI tool; can't remember the name of the company...some sort of embedded serial console or router/switch...
-nmap -sT found rlogin, telnet and a few other ports wide open
-I attempted a session from the CLI to try and grab a banner and/or MOTD...nothing
-We contacted our NOC, and they came back with vague port info such as Smart Box and AWCS-1 and that one device was in 1/2 duplex mode and the switch port couldn't auto-negotiate it. Advised us to look into a few of the telecom closets...

I did find this here: Using Nmap to Find Rogue Devices | Professor Messer IT Certification Training Courses

nmap 192.168.0.* -p 80,8080,8088 -sV -vv

And of course I would replace the ip address and port numbers above with the open ports running on these devices.

Is there anything else I can do to find the smoking gun? I'm using Linux, with CLI, I can pretty much do anything...however I don't want to run the risk of getting fired.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown

Comments

  • colemic Member Posts: 1,569
    Unless I am missing something, why can't you get the port on the switch, and then trace it back to a location (assuming you have drawing that detail drop locations)?
    Working on: staying alive and staying employed
  • Mow Member Posts: 445
    If you have access to the switches, find the MAC address of the host in the switches with show mac address-table | i XXXX, where XXXX is the last 4 of the MAC address. This will tell you what port it is plugged into. If it is a trunk port on the switch, you can then move on to the next switch, look at the MAC address table again, rinse, repeat, until you find the offender.
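    A worked version of the hop-by-hop lookup described above, added here as an example rather than code from the thread: it parses Cisco-style "show mac address-table" text for two switches, follows a trunk-to-neighbour map as CDP/LLDP would report it, and stops at the access port. The switch names, table text and trunk map are constructed for the example, not taken from any real network.

```python
import re

# Constructed 'show mac address-table' text, one string per switch (not real dumps).
MAC_TABLES = {
    "core-1": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.9d12.3456    DYNAMIC     Gi1/0/48
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
""",
    "closet-2": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.9d12.3456    DYNAMIC     Gi1/0/17
""",
}
# Constructed uplink map: trunk port -> neighbour switch, as CDP/LLDP would report it.
TRUNKS = {"core-1": {"Gi1/0/48": "closet-2"}, "closet-2": {"Gi1/0/1": "core-1"}}

ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """Return Cisco dotted form (0040.9d12.3456) for colon, dash or dotted input."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def port_for_mac(table_text, mac):
    """Return the port on which one switch learned mac, or None if absent."""
    want = normalize_mac(mac)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1).lower() == want:
            return m.group(2)
    return None

def trace_mac(mac, start, tables=MAC_TABLES, trunks=TRUNKS):
    """Hop across trunks from start until mac sits on a non-trunk (access) port.
    Returns (switch, port, hops) or None; hops lists every (switch, port) seen."""
    hops, switch, seen = [], start, set()
    while switch not in seen:          # loop guard against cyclic trunk maps
        seen.add(switch)
        port = port_for_mac(tables[switch], mac)
        if port is None:
            return None                # stale entry, wrong VLAN or not learned here
        hops.append((switch, port))
        nxt = trunks.get(switch, {}).get(port)
        if nxt is None:
            return switch, port, hops  # access port: the physical drop to walk to
        switch = nxt
    return None
```

    On a real network the table text would come from each switch's CLI and the trunk map from its CDP/LLDP neighbour output; a None result means the entry aged out or the MAC is on a VLAN the switch is not learning on.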
  • JockVSJock Member Posts: 1,118
    colemic wrote: »
    Unless I am missing something, why can't you get the port on the switch, and then trace it back to a location (assuming you have drawing that detail drop locations)?

    Exactly.

    I was thinking about the same thing this weekend. We've made the request again to our NOC.

    Also we put the IP addresses into a web browser and they came back with the device manufacturer: Digi

    Again, this is the first time I've had to do this in an enterprise environment, so this has been great experience.
  • alias454 Member Posts: 648
    Digi are used for remote terminal sessions http://www.digi.com/products/serialservers/
    Is that what these devices are?

    Since you have the IP can you at least get a general idea of the devices location based on its VLAN?
    “I do not seek answers, but rather to understand the question.”
  • JockVSJock Member Posts: 1,118
    Based on the OUI, 00:40:9d, I'm thinking they are Digi One SP.

    Digi One SP - Compact Serial Server - Digi International

    The challenge is trying to find them. No one is maintaining any documentation on rooms and drops or saying it is someone else's responsibility to document, so we are going room to room in a pretty big building trying to find them.
  • cyberguypr Mod Posts: 6,928
    If I can't find a rogue device in a few minutes, that port is going down. Let someone complain when stuff doesn't work so we can bust their chops. This is a textbook example of how companies could get compromised and no one will notice the breach for months. Then the one guy who saw something out of place got ignored. Classic.

    Any chance this is a .edu or .gov environment?
  • joelsfood Member Posts: 1,027
    Considering a Digi terminal server can give out-of-band access to devices on your network, I'd turn off the port and start from there, if no one knows what they're there for.

    That being said, Digi doesn't just make terminal servers; it also makes Ethernet-USB bridges and other devices.