Rogue LAN device: I'm stumped

By robo_dev
This is a medium sized LAN, about 1,500 nodes on ten floors of a building, all Cisco gear. Network is mostly flat, except for a handful of VLANs.

Cisco port security is enabled on each port. Only the assigned mac address can connect to a switch port, except that conference rooms get assigned a list of mac addresses. Only company PCs are allowed on the lan, no exceptions.

Regular sweeps are performed to ensure that there is no WLAN here, and the Disknet LAN security tool disables WLAN and Bluetooth interfaces on all laptops (as well as USB jump drives, CD-ROMs, DVDs, floppies, iPods, etc.).

With Cisco port security, a WLAN AP or router would not work, since the port would get disabled when the rogue AP or router was plugged into the network, since the mac address would be wrong.

When running a Wireshark trace from a switched port on the main VLAN, I noticed three workstations that appear to be Sony laptops (by their OUI) that I could see are sending TCP packets and doing NetBIOS queries from an IP address that is not part of the network, and a MAC address which is also not on the ACL for any of the switches.

The IP address range for the main network is 135.x.x.x; VLANs are 10.x and 192.x.

This rogue device is a 12.x.x.x address (IP space registered to AT&T). I tried setting my workstation to a 12.x address and tried nmapping the rogue device, but no joy. I can see some NetBIOS info, but the workgroup name is 'workgroup' and the NetBIOS name that is being queried is something I never heard of, "COANT4.VICP.NET" (this is a NetBIOS name query, not DNS).

At this point I'm stumped. My guesses are:

a) a rogue laptop, like a contractor, is somehow plugged into a port that somehow has security turned off. Note that firewall rules would not give this device internet access, since that is granted explicitly from firewall rules.

b) Several misconfigured laptops are somehow bridging their WLAN or cellular-modem interface to the Ethernet interface.

c) Same as above, but one misconfigured laptop bridging its WLAN interface to the Ethernet interface, and the multiple rogue IP addresses are WLAN clients on a remote wireless LAN.

Next stop is to walk the building to look for Sony laptops.
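As an added example (not from the original post), a small Python script applies the same check the post describes to a tshark-style field export: frames whose source IP falls outside the 135.x/10.x/192.x space, or whose source MAC is not on the port-security list, are grouped by sender MAC with the OUI prefix and the IPs seen. The trace lines, the MAC list and every address in it are constructed for illustration.

```python
"""Flag frames whose source IP or source MAC does not belong on this LAN."""
import ipaddress
from collections import defaultdict

# Address space the LAN is expected to use (from the thread: 135.x main, 10.x and 192.x VLANs).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("135.0.0.0/8", "10.0.0.0/8", "192.0.0.0/8")]

# Constructed stand-in for the port-security MAC list pulled from the switches.
KNOWN_MACS = {"00:1a:a0:11:22:33", "00:1a:a0:44:55:66", "00:50:56:ab:cd:ef"}

# Constructed tshark-style field export: time, src MAC, src IP, dst IP, info (not real capture data).
SAMPLE_TRACE = """\
1.001 00:1a:a0:11:22:33 135.20.4.17 135.20.4.1 DNS query
1.052 00:1a:a0:44:55:66 10.8.1.9 10.8.1.1 TCP 49152 > 445
1.110 00:1b:fc:0a:0b:0c 12.34.56.7 12.34.56.255 NBNS Name query NB WORKGROUP<1d>
1.200 00:1b:fc:0a:0b:0d 12.34.56.8 12.34.56.255 NBNS Name query NB COANT4.VICP.NET<20>
1.310 00:50:56:ab:cd:ef 135.20.7.3 135.20.4.17 TCP 443 > 51000
"""

def parse_trace(text):
    """Yield (ts, src_mac, src_ip, dst_ip, info) from whitespace-separated export lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, mac, src, dst = parts[:4]
        info = parts[4] if len(parts) == 5 else ""
        yield float(ts), mac.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), info

def is_expected_ip(ip):
    """True if the address lies inside one of the LAN's own prefixes."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in EXPECTED_NETS)

def find_rogues(text, known_macs=KNOWN_MACS):
    """Return {src_mac: {"oui", "ips", "reasons", "frames"}} for every suspect sender."""
    rogues = defaultdict(lambda: {"oui": "", "ips": set(), "reasons": set(), "frames": 0})
    for _ts, mac, src, _dst, _info in parse_trace(text):
        reasons = set()
        if not is_expected_ip(src):
            reasons.add("src IP outside LAN address space")
        if mac not in known_macs:
            reasons.add("src MAC not in port-security list")
        if reasons:
            entry = rogues[mac]
            entry["oui"] = mac[:8]  # first three octets; look up against the IEEE OUI registry
            entry["ips"].add(str(src))
            entry["reasons"] |= reasons
            entry["frames"] += 1
    return dict(rogues)

if __name__ == "__main__":
    for mac, e in sorted(find_rogues(SAMPLE_TRACE).items()):
        print(f"{mac} (OUI {e['oui']}) {sorted(e['ips'])} x{e['frames']}: {'; '.join(sorted(e['reasons']))}")
```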

All Answers

cloned MAC addresses

by CG IT In reply to Rogue LAN device: I'm stu ...

Routers can clone MAC addresses. There are ways to change the MAC address on a NIC, though you're not supposed to be able to do that.

If you use your cell phone as an internet link and connect that to your laptop via USB, then connect the laptop Ethernet to the network, you've got a rogue computer trying something.

The NetBIOS name is a giveaway that someone is trying to use your network, and they are savvy enough to know about the port security on a Cisco device. Is port security set to protect or shutdown? If it was me, I'd change the port-security setting in the running config on all the switches to "switchport port-security violation shutdown".

That will shut down the port, and you will have to manually use the "no shut" command to get it back up. That way you'll know what switch, what switchport, what VLAN and what location someone plugged in that shouldn't have.

What other methods are there to keep intruders that can have physical access out?

The IP addressing isn't going to let them have network access, since it's a different subnet. It won't let them get to the internet if the ACL doesn't allow that subnet.

The only thing they might be able to do is try and hack in and drop a malicious payload.

Can you pin them down by physical ports

by NetMan1958 In reply to Rogue LAN device: I'm stu ...

If you can obtain their MAC addresses using Wireshark, then log in to the main switch and run "show mac-address-table | include xxxx.xxxx.xxxx", where the x's represent the MAC address of the laptop. If the port they show up on uplinks to another switch, log in to that switch and repeat until you pin it down to an access port.
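As an added example (not NetMan1958's code), a Python helper automates the hop-by-hop lookup just described: it parses each switch's "show mac address-table" output, finds the port the MAC was learned on, and follows uplink ports until the MAC lands on an access port. The switch names, table captures and the uplink map are constructed; on real gear the uplink map would be built from "show cdp neighbors".

```python
"""Trace a MAC address across per-switch 'show mac address-table' output to its access port."""
import re

# Constructed 'show mac address-table' captures, one per switch (not real device output).
MAC_TABLES = {
    "core1": """\
Vlan    Mac Address       Type        Ports
   1    001a.a011.2233    DYNAMIC     Gi1/0/1
   1    001b.fc0a.0b0c    DYNAMIC     Gi1/0/48
""",
    "floor3": """\
Vlan    Mac Address       Type        Ports
   1    001b.fc0a.0b0c    DYNAMIC     Gi1/0/24
""",
    "floor3-b": """\
Vlan    Mac Address       Type        Ports
   1    001b.fc0a.0b0c    DYNAMIC     Fa0/17
""",
}
# Constructed uplink map (in practice from 'show cdp neighbors'): switch -> {port: downstream switch}.
UPLINKS = {"core1": {"Gi1/0/48": "floor3"}, "floor3": {"Gi1/0/24": "floor3-b"}, "floor3-b": {}}

ROW_RE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def to_cisco_mac(mac):
    """Normalise '00:1B:FC:0A:0B:0C' or '00-1b-fc-0a-0b-0c' to Cisco's 001b.fc0a.0b0c form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def lookup_port(table_text, cisco_mac):
    """Return (vlan, port) for cisco_mac in one switch's table, or None if it is not learned there."""
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(2).lower() == cisco_mac:
            return m.group(1), m.group(4)
    return None

def trace_mac(mac, start, tables=MAC_TABLES, uplinks=UPLINKS):
    """Follow the MAC hop by hop from 'start'; returns [(switch, port), ...], last hop is the access port."""
    cisco_mac, hops, switch, seen = to_cisco_mac(mac), [], start, set()
    while switch and switch not in seen:          # 'seen' guards against a looping uplink map
        seen.add(switch)
        hit = lookup_port(tables.get(switch, ""), cisco_mac)
        if hit is None:
            break                                  # MAC not learned on this switch: trail goes cold
        hops.append((switch, hit[1]))
        switch = uplinks.get(switch, {}).get(hit[1])   # None once the port is not an uplink
    return hops
```

Running trace_mac("00:1b:fc:0a:0b:0c", "core1") on the constructed data walks core1 Gi1/0/48, floor3 Gi1/0/24 and stops at floor3-b Fa0/17, the access port to go and look at.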

port security

by shasca In reply to Rogue LAN device: I'm stu ...

Can you disable the affected ports? Would company policy allow you to disable access on the affected ports temporarily to see who, if anyone, screams? That is, if you can isolate it to specific ports.

play dirty...?

by ---TK--- In reply to Rogue LAN device: I'm stu ...

Add that MAC address into a reserved IP (different scope, which gives them nothing)... Same IP... When they boot up or request a new IP, you should be able to dish them an IP.. From cmd run shutdown -s -m \\IP_Address -t 05 ...

Added: or call AT&T and explain the situation... it's their IP on your LAN, which is causing issues... They might be able to assist you. But if it's a spoofed IP... that's a different ball game...

New update: Eureka....one of these IPs was pinged by a Korean IP

by robo_dev In reply to play dirty...?

ding ding ding.

I'm looking at an ICMP packet that hopped the firewall and attempted to ping one of those addresses. Holy bat guano.... Gonna save that sniffer trace.

The IP is 58.122.120.102 which is Seoul.

This looks like a specially crafted ICMP packet, as the contents look weird.....

Oh sh____, one just got a hit from China on port 1433 on one of those IP addresses.

I was hoping for a dull Friday afternoon!

sick-em

by shasca In reply to New update: Eureka....one ...

Sick-em Robo Sick-em.

an ICMP ping packet hopped the firewall?

by CG IT In reply to New update: Eureka....one ...

If the pings are coming in consistently, put up a honeypot..... if you know what I mean...

:)

Give them something they can't refuse to open and look at.... :)

I like the skull and crossbones :)

and then... :)

I see a stone-cold can of

by seanferd In reply to New update: Eureka....one ...

whoop-*** opening in the near future. Get 'em!

SQL attack

by kevaburg In reply to New update: Eureka....one ...

Someone's trying to access your SQL server on that port, so beware of SQL injection at this stage. This link gives some more details.

www.linklogger.com/TCP1433.htm

Good luck and keep us posted!

Sounds like a recce

by kevaburg In reply to Rogue LAN device: I'm stu ...

It seems like someone might be doing a recce on your network! One of the other posts suggested setting the port security violation mode to shutdown, and to be honest, I agree.
