0

Got a weird one here.

I've got an IP address in my subnet that is alive and responds to ping requests, but I can't figure out what device actually lives at that address. I've tried a couple of IP scanners that usually list hostnames and open ports / services, I've tried connecting to that address via http, https, telnet, SSH, but nothing responds and I don't have anything in DNS at that address.

We have no records or documentation of any device existing at this address and I'm at a bit of a loss because I need to expand my DHCP range, and this address is in the way.

Anyone know of a better way to interrogate that address to figure out what it is?

Thanks!

EDIT: I don't really see how this is a duplicate since that other question is from a completely different case [He has data from Advanced IP Scanner and I don't, he's using VMs, and I'm not] and that thread also has no answer. But it doesn't really matter because I found the offending device due to some great advice and good utilities in this thread. Thanks everyone!

Catatonic27
  • Find out the port it's connected to and follow the cable. – Seth May 05 '17 at 12:33
  • I'd be okay with that, but my network has like 25 different switches and poor documentation. Any suggestions on how I might go about figuring out where it's plugged in? – Catatonic27 May 05 '17 at 12:34
  • What is the result if you do `ping -a [ip address]` ? It will attempt to resolve the ip address to a hostname. – LPChip May 05 '17 at 12:42
  • If they're really just dumb switches there isn't much you can do. If they're managed switches you might be able to use some script to ask them for information. – Seth May 05 '17 at 12:46
  • Ping the device by IP address, then do an `arp -a` from a command line to find out the MAC address. Put the first three octets of the MAC address in Google or an OUI search site and it will tell you the manufacturer of the NIC. It's possible to spoof this info but it may give you a clue. – LawrenceC May 05 '17 at 13:02
  • In the marked duplicate there is a potential option of ping flooding the device and seeing which LED is brightest to trace the network port; this will only work if your switch/hub has link activity indicators, but it is a tidy solution – Mokubai May 05 '17 at 15:11
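
The `arp -a` / OUI check suggested in the comments above, as an added example that is not part of the original thread: it pulls the MAC for one IP out of Windows- or Linux-style `arp -a` output and flags locally administered (software-assigned, possibly spoofed) addresses before any vendor lookup. The sample ARP tables and the one-entry `OUI_TABLE` are constructed for illustration; the function names are hypothetical.

```python
import re

# Matches a MAC written with ':' or '-' separators (Linux/BSD and Windows arp output).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed sample tables; a real run would capture `arp -a` after pinging the host.
WINDOWS_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-5e-00-53-01     dynamic
  192.168.1.7           00-00-5e-00-53-07     dynamic
  192.168.1.70          00-00-5e-00-53-46     dynamic
"""
LINUX_ARP = "? (192.168.1.7) at 00:00:5e:00:53:07 [ether] on eth0\n"

# Assumption: a tiny stand-in for an OUI registry export. 00-00-5E is IANA's OUI and
# 00-00-5E-00-53-xx is the RFC 7042 documentation range the samples are built from.
OUI_TABLE = {"00005E": "IANA (RFC 7042 documentation range)"}


def find_mac(arp_output, ip):
    """Return the normalized MAC (AA:BB:...) listed for exactly `ip`, or None."""
    for line in arp_output.splitlines():
        # Tokenize so that 192.168.1.7 does not also match 192.168.1.70.
        tokens = re.split(r"[\s()]+", line.strip())
        if ip in tokens:
            m = MAC_RE.search(line)
            if m:
                return m.group(1).replace("-", ":").upper()
    return None


def describe(mac, oui_table=OUI_TABLE):
    """Split a MAC into OUI and flag bits; a locally administered MAC has no vendor."""
    first_octet = int(mac[:2], 16)
    oui = mac.replace(":", "")[:6]
    local = bool(first_octet & 0x02)  # U/L bit set: assigned by software, not the factory
    return {
        "oui": oui,
        "locally_administered": local,
        "multicast": bool(first_octet & 0x01),
        "vendor": None if local else oui_table.get(oui, "unknown, search the OUI"),
    }


if __name__ == "__main__":
    for sample in (WINDOWS_ARP, LINUX_ARP):
        mac = find_mac(sample, "192.168.1.7")
        print(mac, describe(mac))
    print(describe(find_mac(WINDOWS_ARP, "192.168.1.1")))
```

If the IP is missing from the table, the host is either off-subnet (the gateway's MAC would answer instead) or the entry has aged out, so ping first and read the table immediately afterwards.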

2 Answers

5

Your objective is to find the device which is running at the specific IP address. For this I would recommend using nmap. Let's take as an example that the IP address is 192.168.1.7 in your network.

  • If you want to know the OS information:
    `nmap -A 192.168.1.7`
  • Search for open ports:
    `nmap 192.168.1.7`

    When you scan for open ports, if any port is open then try to connect to that port (if the port is connectable). Or you can even get information through that open port, like:
    `nmap -p 80 192.168.1.7`
    Here I am using port 80 to scan for the information. You can download nmap from here. There are ports for most of the popular desktop OSes (you've not mentioned what you use), so chances are you can run this on most PCs.
    Journeyman Geek
    Prashant Dey
    • `C:\>nmap` `'nmap' is not recognized as an internal or external command, operable program or batch file.` – LPChip May 05 '17 at 12:44
    • @LPChip `nmap` is a well known scanner and the OP should know about it if he tried several. You will have to install it and there are Windows ports from what I know. – Seth May 05 '17 at 12:45
    • @Seth my point is, that this is a Q&A site. Any software not native to your OS needs a link so someone who finds this post can understand that they need additional software. – LPChip May 05 '17 at 12:46
    • So my OS could be Linux? There wasn't a mention anywhere of an OS. In addition I'd have a different opinion on this but this would be more suited for meta or chat. – Seth May 05 '17 at 12:50
    • zenmap's a pretty nice frontend for it https://nmap.org/zenmap/ – Journeyman Geek May 05 '17 at 12:53
    • Good stuff @Prashant Dey. I'm looking into this. nmap is telling me that https and ssh are open on this address but I can't connect to the host with either service. – Catatonic27 May 05 '17 at 13:11
    • @Catatonic27 That is probably because it has a firewall which is protecting you from connecting to it. You should know the authentication (username and password) for that. – Prashant Dey May 05 '17 at 17:53
    • @PrashantDey Turns out it was a malfunctioning switch. After reconfiguring it, it responds on those ports now. Thanks for the help! nmap was a lifesaver in the end. Definitely keeping that utility on hand for the future. – Catatonic27 May 05 '17 at 18:00
    0

    [...] my network has like 25 different switches and poor documentation.

    If your network doesn't need to be up 24/24: Unplug stuff from switches until you can no longer ping the device in question. Follow the cable you just unplugged, rinse and repeat. While you are at it, make some notes so documentation gradually improves.

    dirkt