
DISCLAIMER: This is for standard day-to-day use by sysadmins. If you are being attacked by a threat actor, many of these indicators may have been manipulated.

As a sysadmin I could not tell you how many times the network team or infosec has come to me because of odd traffic and asked “what is at <IP>?” Below is my quick workflow to determine what it may be.

1. Look for an RDP Certificate

First off, if you’re a Windows shop with a large number of Windows servers or Windows endpoints, you likely have RDP enabled. The easiest thing to do is quickly look at the RDP certificate of the IP. You can do this by pointing a web browser at the RDP port over HTTPS and inspecting the certificate it presents. For example, if the IP is 192.168.1.54, then in a web browser go to https://192.168.1.54:3389

Right away you’ll get a warning message in the browser. Do not click continue; just look at the certificate in your browser to see the hostname.

[Image: Example of viewing the page in Edge]
[Image: Clicking “Not secure” to the left of the URL pops this up. Then click “Your connection to this site isn’t secure”]
[Image: Here you can click the certificate icon to the left of the X to view the certificate]
[Image: The Common Name is usually the hostname of the computer]
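The same check can be scripted so you do not have to click through the browser warning. The function below is an added example (not from the original post): it completes a TLS handshake against port 3389 with the .NET SslStream class and prints the Subject, SAN and Issuer of whatever certificate the listener offers. It assumes the host answers a plain TLS handshake on 3389, which is the same behaviour the https://<ip>:3389 browser trick relies on.

```powershell
# Added example: read the certificate an RDP listener presents and report its Subject.
function Get-RdpCertificate {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [int] $Port = 3389,
        [int] $TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a filtered port does not hang the shell.
        $async = $client.BeginConnect($IPAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${IPAddress}:${Port}"
        }
        $client.EndConnect($async)

        # Accept any certificate: we want to *read* it, not trust it. A self-signed RDP
        # certificate would otherwise fail validation, exactly like the browser warning.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($IPAddress)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # The Common Name is normally the machine's FQDN; the SAN extension (OID 2.5.29.17),
        # when present, repeats it in a form that is easier to compare against DNS.
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            IPAddress      = $IPAddress
            Subject        = $cert.Subject
            SubjectAltName = $san
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: Get-RdpCertificate -IPAddress 192.168.1.54
```

A default RDP certificate is self-signed (Subject equals Issuer), while one issued from your enterprise CA shows the CA as Issuer; either way the Subject is the name the host claims for itself. If that name does not match what Resolve-DnsName returns for the IP, the host deserves a closer look.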

2. Examine its TTL on Ping

Many people are not aware of this, but the TTL value you see when pinging a host is usually set by its OS. To determine whether you’re dealing with Windows or Linux, you can ping it and compare the value.

[Image: ping output showing replies with TTL=128]

In the image above the TTL is 128. Looking at a chart like this will tell you it is Windows.
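The chart lookup can be automated, and doing so also exposes the caveat behind it: every router on the path decrements the TTL by one, so what you observe is the sender's initial TTL minus the hop count. The function below is an added example (not from the original post) that sends one echo request with the .NET Ping class and rounds the observed TTL up to the nearest common OS default (64, 128 or 255); the gap is the estimated number of hops.

```powershell
# Added example: guess the OS family from the TTL of a single ping reply.
function Get-OsGuessFromTtl {
    param([Parameter(Mandatory)] [string] $IPAddress)

    $pinger = New-Object System.Net.NetworkInformation.Ping
    $reply  = $pinger.Send($IPAddress, 2000)
    if ($reply.Status -ne 'Success') {
        throw "No reply from ${IPAddress}: $($reply.Status)"
    }
    if (-not $reply.Options) {
        throw "Reply from $IPAddress carried no TTL information"
    }
    $ttl = $reply.Options.Ttl

    # Common initial TTLs. Pick the smallest default that is still >= the observed TTL;
    # the difference is how many routers the reply crossed on its way back.
    $defaults = @(
        [pscustomobject]@{ Initial = 64;  Family = 'Linux / macOS / BSD (and much network gear)' },
        [pscustomobject]@{ Initial = 128; Family = 'Windows' },
        [pscustomobject]@{ Initial = 255; Family = 'Solaris / AIX / Cisco IOS (uses the maximum)' }
    )
    $guess = $defaults | Where-Object { $_.Initial -ge $ttl } | Select-Object -First 1
    $hops  = $guess.Initial - $ttl

    # The initial TTL is tunable on every OS, so if HopsAway disagrees with what
    # 'tracert' shows for the same host, the guess should not be trusted.
    [pscustomobject]@{
        IPAddress   = $IPAddress
        ObservedTtl = $ttl
        InitialTtl  = $guess.Initial
        HopsAway    = $hops
        OsFamily    = $guess.Family
    }
}

# Usage: Get-OsGuessFromTtl -IPAddress 192.168.1.54
```

A reply with TTL 128 from a host on your own subnet (zero hops) is the textbook Windows case from the screenshot; the same host three routers away shows 125, and a Linux box on the local subnet shows 64.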

3. Look up the Manufacturer of its MAC Address

Each network adapter has a MAC address, which is a hardware identifier. The prefix of it can tell you what the manufacturer is. Sometimes it is generic and doesn’t tell you much, but sometimes it can tell you more precisely.

Finding the MAC Address from Ping

  1. Ping the Device: First, ping the device so that your machine creates an ARP entry for its IP address. Open a command prompt or terminal and type:

   ping [IP address]

Replace [IP address] with the actual IP address of the device you want to identify.

  2. Use the ARP Command: After pinging the device, use the ARP (Address Resolution Protocol) command to find the MAC address associated with the IP address. In the command prompt or terminal, type:

   arp -a

This command displays a list of IP addresses and their corresponding MAC addresses. Look for the IP address you pinged and note the MAC address next to it.

Looking Up the MAC Vendor

Once you have the MAC address, you can determine the manufacturer of the device by looking up the MAC vendor. The first three bytes of the MAC address, known as the Organizationally Unique Identifier (OUI), indicate the manufacturer.

  1. Identify the OUI: The MAC address is typically formatted as XX:XX:XX:YY:YY:YY. The first three bytes (XX:XX:XX) represent the OUI.
  2. Use an Online OUI Lookup Tool: There are several online tools available to look up the OUI. Simply enter the first three bytes of the MAC address into the tool, and it will display the manufacturer. Some popular OUI lookup tools include:

By following these steps, you can easily find the MAC address of a device on your network and determine its manufacturer. This information can help you manage your network more effectively and ensure that all devices are accounted for.
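The three steps above (ping, read the ARP table, look up the OUI) as one function. This is an added example, not from the original post: it uses Get-NetNeighbor rather than parsing arp -a text, flags locally administered MAC addresses (where the OUI says nothing about the hardware maker), and resolves the OUI offline from the IEEE registry CSV at https://standards-oui.ieee.org/oui/oui.csv, which it downloads once and caches. The CSV path and the column names of that file are assumptions about the IEEE download.

```powershell
# Added example: ping -> ARP table -> OUI vendor lookup, with the checks a practitioner wants.
function Resolve-MacVendor {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $OuiCsvPath = (Join-Path $env:TEMP 'oui.csv')   # assumed cache location
    )

    # Step 1: ping so the neighbour (ARP) table gains or refreshes an entry for the IP.
    $null = Test-Connection -ComputerName $IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue

    # Step 2: read the MAC for that IP. ARP only resolves hosts on your own subnet; for an
    # IP behind a router you get nothing, never the device's own MAC.
    $neighbor = Get-NetNeighbor -IPAddress $IPAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkLayerAddress -and $_.State -notin 'Unreachable', 'Incomplete' } |
        Select-Object -First 1
    if (-not $neighbor) {
        throw "No ARP entry for ${IPAddress}: not on a local subnet, or it did not answer"
    }
    $hex = ($neighbor.LinkLayerAddress -replace '[-:.]', '').ToUpper()   # 12 hex digits
    $oui = $hex.Substring(0, 6)

    # Bit 0x02 of the first octet = locally administered: randomised Wi-Fi MACs, many
    # hypervisor-assigned addresses and hand-set MACs. The OUI then identifies no vendor.
    $firstOctet          = [Convert]::ToInt32($hex.Substring(0, 2), 16)
    $locallyAdministered = [bool]($firstOctet -band 0x02)

    # Step 3: OUI -> vendor from the IEEE registry. Assumed columns: Registry, Assignment,
    # Organization Name, Organization Address; Assignment is the OUI as six hex digits.
    if (-not (Test-Path $OuiCsvPath)) {
        Invoke-WebRequest -Uri 'https://standards-oui.ieee.org/oui/oui.csv' -OutFile $OuiCsvPath
    }
    $entry = Import-Csv -Path $OuiCsvPath |
        Where-Object { $_.Assignment -eq $oui } |
        Select-Object -First 1

    $vendor = if ($entry) { $entry.'Organization Name' }
              elseif ($locallyAdministered) { 'n/a (locally administered MAC)' }
              else { 'unknown OUI' }

    [pscustomobject]@{
        IPAddress           = $IPAddress
        MacAddress          = ($hex -replace '(..)(?=.)', '$1:')
        OUI                 = $oui
        Vendor              = $vendor
        LocallyAdministered = $locallyAdministered
        Interface           = $neighbor.InterfaceAlias
        State               = $neighbor.State
    }
}

# Usage: Resolve-MacVendor -IPAddress 192.168.1.54
```

Read the result with the caveats in mind: a server-vendor OUI points at a physical box, a hypervisor vendor's OUI at a VM, and LocallyAdministered = True means the address was generated or set by software, so the vendor column tells you nothing about who built the device.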

At this point these are the main methods I use, and they can be done quickly. For more in-depth follow-up, you can always do port scans and try to identify the host by its services. However, a port scan is intrusive, and if you don’t know exactly what you are doing you may disrupt the network or the device. Hope this is helpful!