Track Down Rogue Network Devices
JockVSJock (in Off-Topic):
This is my first time doing this, and I'm going off memory as I'm no longer at work and writing this from home.
Our network scanner has detected 4 devices on the network broadcasting some sort of rlogin vulnerability. My boss wanted me to track them down quickly before anyone else's scanner found them. This is what I did from Linux (RHEL v5.8 x86_64):
- ping and traceroute to confirm they are on and confirm the subnet
- nmap -O and -sT detected RHEL v4.11 x86_64
- MAC address into the Wireshark OUI tool, and I can't remember the name of the company... some sort of embedded serial console or router/switch...
- nmap -sT found rlogin, telnet and a few other ports are wide open
- I attempted a session from the CLI to try and grab a banner and/or MOTD... nothing
- We contacted our NOC, and they came back with vague port info such as Smart Box and AWCS-1, and that one device was in 1/2 duplex mode and the switch port couldn't auto-negotiate it. Advised us to look into a few of the telecom closets...
I did find this from here: Using Nmap to Find Rogue Devices | Professor Messer IT Certification Training Courses

    nmap 192.168.0.* -p 80,8080,8088 -sV -vv

And of course I would replace the IP address and port numbers above with the open ports running on these devices.
Is there anything else I can do to find the smoking gun? I'm using Linux with the CLI, so I can pretty much do anything... however I don't want to run the risk of getting fired.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)
"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown
Comments
colemic:
Unless I am missing something, why can't you get the port on the switch, and then trace it back to a location (assuming you have drawings that detail drop locations)?
Mow:
If you have access to the switches, find the MAC address of the host in the switches with show mac address-table | i XXXX, where XXXX is the last 4 of the MAC address. This will tell you what port it is plugged into. If it is a trunk port on the switch, you can then move on to the next switch, look at the MAC address table again, rinse, repeat, until you find the offender.
JockVSJock:
> Unless I am missing something, why can't you get the port on the switch, and then trace it back to a location (assuming you have drawings that detail drop locations)?
Exactly.
I was thinking about the same thing this weekend. We've made the request again to our NOC.
Also we put the IP addresses into a web browser and they came back with the device manufacturer: Digi
Again, this is the first time I've had to do this in an enterprise environment, so this has been great experience.
alias454:
Digi are used for remote terminal sessions: http://www.digi.com/products/serialservers/
Is that what these devices are?
Since you have the IP, can you at least get a general idea of the device's location based on its VLAN?
JockVSJock:
Based on the OUI, 00:40:9d, I'm thinking they are Digi One SP.
Digi One SP - Compact Serial Server - Digi International
The challenge is trying to find them. No one is maintaining any documentation on rooms and drops (or they say it is someone else's responsibility to document), so we are going room to room in a pretty big building trying to find them.
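The two steps the thread combines, checking the OUI (00:40:9d = Digi, as identified above) and walking the switch's MAC address table the way Mow describes (`show mac address-table | i XXXX`, then hop to the next switch if the port is a trunk), as an added example that is not code from any poster. The OUI table, trunk set and `show mac address-table` output are constructed sample data, and the Cisco IOS row layout is assumed.

```python
import re

# Constructed data: 00:40:9d is the Digi OUI the thread identified; the trunk
# set is what `show interfaces trunk` would list on this switch.
OUI_VENDORS = {"00:40:9d": "Digi International"}
TRUNK_PORTS = {"Gi0/48"}
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.9d12.ab34    DYNAMIC     Gi0/48
  10    0040.9d56.cd78    DYNAMIC     Fa0/7
  20    0011.2233.cd78    DYNAMIC     Fa0/12
"""
ROW_RE = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """12 lowercase hex digits from aa:bb:cc:dd:ee:ff or Cisco aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def vendor_for(mac):
    """Vendor for the first three octets (the OUI); 'unknown' if not in the table."""
    d = normalize_mac(mac)
    return OUI_VENDORS.get(f"{d[0:2]}:{d[2:4]}:{d[4:6]}", "unknown")

def parse_mac_table(text):
    """Rows of (vlan, mac12, port); header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows

def grep_suffix(suffix, rows):
    """Same as `show mac address-table | i XXXX` on the last four hex digits:
    a 4-digit grep can hit more than one host, so confirm with the full MAC."""
    return [r for r in rows if r[1].endswith(suffix.lower())]

def find_port(mac, rows, trunks=TRUNK_PORTS):
    """(vlan, port, is_trunk) for the exact MAC, or None if not learned here.
    is_trunk means the MAC came in over an uplink: repeat on the next switch."""
    target = normalize_mac(mac)
    for vlan, learned, port in rows:
        if learned == target:
            return vlan, port, port in trunks
    return None
```

Paste the real `show mac address-table` output into MAC_TABLE and the trunk list into TRUNK_PORTS; a result on an access port is the physical drop to walk to, a result on a trunk means the next switch upstream.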
cyberguypr (Mod):
If I can't find a rogue device in a few minutes, that port is going down. Let someone complain when stuff doesn't work so we can bust their chops. This is a textbook example of how companies could get compromised and no one will notice the breach for months. Then the one guy who saw something out of place got ignored. Classic.
Any chance this is a .edu or .gov environment?
joelsfood:
Considering a Digi terminal server can give out-of-band access to devices on your network, I'd turn off the port and start from there, if no one knows what they're there for.
That being said, Digi doesn't just make terminal servers; it also makes Ethernet-USB bridges and other devices.