How to Locate a “Rogue” Host

last modified 2008-10-03 06:48

A variety of techniques to assist in locating a computer that you cannot find.

1. Ping the IP #
   a. Tells you if it is alive
      i. Be aware that a host based firewall may cause a “timed out” reply
   b. Test to see if it is the correct machine
      i. Go to the suspect machine,
      ii. pull the network cable
      iii. see if a new ping no longer works

2. Ping -a the IP #
   a. May bring back the host name from the machine

3. Nslookup the IP #
   a. May bring back the host name from DNS

4. Telnet
   a. May connect to the machine and bring up an information banner

5. FTP
   a. May connect to the machine and bring up an information banner

6. TraceRoute (Tracert in Windows)
   a. May supply a machine name

7. Arp -a
   a. May provide a ?

8. nbtstat -A ip#
   a. May provide a NetBIOS name and MAC #

9. L2/L3 lookup on Hostmaster web page of the IP address
   http://hostmaster.rutgers.edu/tools/mapping-tool.html
   See the subnet it is located in
   Get a MAC address
   See if the MAC address jumps around (laptop or IP # jumper)

10. L2/L3 lookup on Hostmaster web page of the MAC address
   a.

11. Look up the MAC address for a manufacturer
   http://coffer.com/mac_find/
   This works best if you remove any dashes, quotes or colons (:)
   In other words, just put in the 6 letters/numbers
   http://standards.ieee.org/regauth/oui/index.shtml
   May help to determine the manufacturer of the machine.

12. Network monitoring tool (WhatsUp Gold, NetworkView, etc.)
   a. Might return a NetBIOS name or other information like OS, user names, shares, etc.

13. Set up another machine with the same IP address
   a. Causes a popup window about a duplicate IP address

14. Set up another machine with the same host name
   a. Causes an event to be written to Event Viewer on the local machine, which includes a MAC #

15. Send net broadcast messages to the host
   a. Causes a problem on the user’s machine until they call for help…

16. Locate the IP address on a router/switch using software

17. Locate the IP address by accounting for active ports on your switch from an inventory

18. Ask TD to have the port shut off

19. Request TD’s help in locating the host

20. Ask for MSSG (or Camden / Newark Helpdesk-Computer support)

21. Your own Firewall/switch logs

22. Check Event Logs

23. Check for Wireless Access ports/transmitters
   a. Look at their logs

24. Check your DHCP servers and their logs

25. Run your favorite scanner software (Super scanner, Angry IP Scanner, etc.)
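
Steps 7, 9 and 11 come down to pairing an IP # with a MAC #, checking whether that MAC "jumps around", and cutting the MAC down to its first 6 letters/numbers for a manufacturer lookup. The script below is an added example, not part of the original page; it assumes Windows-style `arp -a` output, and the snapshots, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: two Windows-style `arp -a` snapshots taken at different times.
SNAPSHOT_1 = """\
Interface: 192.0.2.10 --- 0x4
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-aa-bb-01     dynamic
  192.0.2.57            00-11-22-aa-bb-cc     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = """\
Interface: 192.0.2.10 --- 0x4
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-aa-bb-01     dynamic
  192.0.2.57            66-77-88-dd-ee-ff     dynamic
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+(\w+)", re.M)

def normalize_mac(mac):
    """Strip dashes, colons and quotes; return 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def oui(mac):
    """First 6 hex digits: the manufacturer prefix to paste into an OUI lookup."""
    return normalize_mac(mac)[:6]

def parse_arp(text):
    """Return {ip: mac} for dynamic entries only (skips static broadcast rows)."""
    return {ip: normalize_mac(mac)
            for ip, mac, kind in ROW.findall(text) if kind == "dynamic"}

def mac_changes(snapshots):
    """Map each IP seen with more than one MAC to the MACs in order of appearance."""
    seen = defaultdict(list)
    for snap in snapshots:
        for ip, mac in parse_arp(snap).items():
            if mac not in seen[ip]:
                seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    for ip, macs in mac_changes([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(ip, "changed MAC:", " -> ".join(macs), "| OUIs:", [m[:6] for m in macs])
```

An IP # that shows up with more than one MAC across snapshots is the "IP # jumper" case from step 9; the switch or DHCP logs from steps 21 and 24 can then be searched for each MAC.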

