Find the network host location

G
goldenagate
Member
209
01-07-2023, 02:33 PM
#1
I apologize if this belongs in another section...due to the issues, networking seemed most appropriate. I am currently searching for a couple unknown hosts on a network that consists of more than 60 subnets with almost as many physical locations. All remote locations connect back to the core with MPLS. Normally, I can follow the L3 or L2 information back through the infrastructure to discover the source. However, the hosts in question are using a network that does not exist within the architecture and can only be seen sending traffic to addresses that are very similar to my DNS servers. By similar, I mean they share the same last two octets, but not the first two. I was able to create routes to direct the DNS traffic towards a sinkhole in order to capture the packets and see the contents of the requests...but this only yielded queries for Windows time servers, NCSI servers, and other Windows-based system services without any host information. Since there is no preexisting network route (static or shared), there is no trail to follow back to the host. Any L2 information in the captured packets only shows the MAC from the forwarding gateway, as expected from L2 logic. Unless my brain is misfiring, the host would have to be configured with a gateway that falls within its IP subnet (especially for a Windows host) in order to properly forward any non-LAN requests to external networks. Since the network is not one that "exists" in the architecture, this leads to a bit of assumption that another router would have to be in place (not using NAT unless dynamic is being used since I have two different source addresses) in order for the hosts to send the traffic to its gateway, which can then send the traffic into my other networks assuming next hop information has been added (or the routing device is pulling a DHCP lease). Creating SPAN ports on the core infrastructure devices is not a possibility due to even the slightest risk of network degradation.
A tap is possible, but I think I would end up with the same information from my pseudo honeypot/sinkhole. Anyone have any advice that would save me from touching every device at all 60 locations? I am going to dig through the leases to see if any hostnames might stand out, but this is still tedious. While I realize there are a million technologies for asset management that would assist with this, the company in question has never really cared about proper infrastructure maintenance and monitoring...which is why this is being done by hand.
M
MrEpic_
Member
52
01-09-2023, 01:54 PM
#2
I hope I could have even a small part of the expertise needed to build this. Here are some people who might assist (any order you like): @leadeater, @mynameisjuan, @Lurick, @Mikensan
R
Rangers741
Junior Member
1
01-09-2023, 07:36 PM
#3
Access the ARP tables on your switches, save the data, then extract MAC addresses from your DHCP/IPAM records. Compare the two sets. If a DHCP IP is assigned, it means you're within a valid subnet—tools like nmap or zenmap (Windows) can efficiently scan your ranges. This approach works best when devices respond to pings for fast scans. PDQ inventory offers a 14-day trial that could be useful.
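As an added illustration of the ARP-versus-DHCP comparison suggested in this answer (example code, not posted by anyone in the thread): it parses Cisco-style `show ip arp` output and a CSV lease export, both constructed for the example, and flags any ARP entry that has neither a lease nor a static record, or whose address sits outside the subnets that are actually defined. The second kind of hit is exactly the situation in the original question, an address from a network that "does not exist" being answered on an access VLAN. Subnet list, static-MAC set and all addresses are assumptions.

```python
"""Reconcile switch ARP tables against DHCP leases to surface unknown hosts.

Added example, not code from the thread. Assumes Cisco-style ``show ip arp``
output and a CSV lease export (ip,mac,hostname); both samples are constructed.
"""
import ipaddress
import re

# Constructed sample: ``show ip arp`` as collected from a distribution switch.
ARP_DUMP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.1               -   0011.2233.4401  ARPA   Vlan20
Internet  10.20.1.57             12   0011.2233.aa57  ARPA   Vlan20
Internet  10.20.1.88              3   f4e2.0001.ff88  ARPA   Vlan20
Internet  192.168.77.5            0   d8f1.5555.0005  ARPA   Vlan20
"""

# Constructed sample: DHCP lease export, one ``ip,mac,hostname`` per line.
DHCP_LEASES = """\
10.20.1.57,00:11:22:33:aa:57,ACCT-PC-12
10.20.1.60,00:11:22:33:aa:60,ACCT-PC-13
"""

# Subnets defined in the architecture (constructed) and MACs of statically
# addressed infrastructure such as the SVI gateway, so they are not flagged.
KNOWN_SUBNETS = [ipaddress.ip_network("10.20.1.0/24")]
STATIC_MACS = {"001122334401"}

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Collapse any MAC notation (colons, dashes, Cisco dots) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp(text):
    """Return a list of {ip, mac, iface} dicts from ``show ip arp`` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "mac": normalize_mac(m.group(2)), "iface": m.group(3)})
    return entries


def parse_leases(text):
    """Return {mac: {ip, host}} from the CSV lease export."""
    leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host = (f.strip() for f in line.split(","))
        leases[normalize_mac(mac)] = {"ip": ip, "host": host}
    return leases


def find_unknown(arp_entries, leases, known_subnets, static_macs=frozenset()):
    """Flag ARP entries with no lease and no static record, or outside known subnets.

    An address outside every known subnet that is nevertheless answered on an
    access VLAN is the signature of a foreign router forwarding on a host's behalf.
    """
    findings = []
    for e in arp_entries:
        reasons = []
        if e["mac"] not in leases and e["mac"] not in static_macs:
            reasons.append("no-dhcp-lease")
        if not any(ipaddress.ip_address(e["ip"]) in net for net in known_subnets):
            reasons.append("unknown-subnet")
        if reasons:
            findings.append((e["ip"], e["mac"], e["iface"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    hits = find_unknown(parse_arp(ARP_DUMP), parse_leases(DHCP_LEASES), KNOWN_SUBNETS, STATIC_MACS)
    for ip, mac, iface, why in hits:
        print(f"{ip:16} {mac} {iface:8} {','.join(why)}")
```

Feeding it the real dumps is a matter of concatenating `show ip arp` from every L3 device and exporting the lease table; the interface column then tells you which VLAN, and therefore roughly which site, to walk next.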
T
TurritaSC
Member
156
01-10-2023, 12:39 AM
#4
H
HugsandTickles
Junior Member
46
01-10-2023, 11:59 PM
#5
You can script SSH to loop through all 100 switches, assuming they're identical brands. This could be a good opportunity to configure a syslog server for later use. There are configuration management tools available for nearly every switch, allowing you to apply settings across all devices at once. A more permanent approach might involve implementing a network access control system, which would be quite complex. If the switches aren't connected to your gateway, you rely solely on them for data, even if you're methodically checking each one. Just make sure they're all from the same brand.
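To show what the scripted SSH loop is for once the output is in hand, here is an added example (not code from this answer or the thread) that takes `show mac address-table` text collected per switch and traces one MAC through the switches to the port where it is learned on a non-uplink interface. Sightings on trunk/uplink ports only say "further downstream"; the first access-port sighting is the physical location to go and look at. The switch names, port names, uplink sets and MACs are all constructed assumptions, and the collection step itself (the SSH loop) is assumed to have already filled the `MAC_TABLES` dict.

```python
"""Trace a MAC address to its access port across per-switch MAC tables.

Added example, not code from the thread. Assumes Cisco-style ``show mac
address-table`` output has already been collected per switch (by an SSH loop)
into a dict {switch: text}, plus a per-switch set of uplink/trunk ports taken
from ``show interfaces trunk`` or CDP/LLDP neighbours. Everything below is
constructed sample data.
"""
import re
from collections import Counter

MAC_TABLE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?:DYNAMIC|STATIC)\s+(\S+)",
    re.IGNORECASE,
)

# Constructed sample: the same MAC learned on an uplink at the core and at the
# site's first switch, and on an ordinary access port at the site's second switch.
MAC_TABLES = {
    "core-sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    d8f1.5555.0005    DYNAMIC     Te1/0/2
  20    f4e2.0001.ff88    DYNAMIC     Te1/0/2
""",
    "site07-sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    d8f1.5555.0005    DYNAMIC     Gi1/0/48
  20    f4e2.0001.ff88    DYNAMIC     Gi1/0/48
  20    0011.2233.aa57    DYNAMIC     Gi1/0/3
""",
    "site07-sw2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    d8f1.5555.0005    DYNAMIC     Gi1/0/7
  20    f4e2.0001.ff88    DYNAMIC     Gi1/0/7
""",
}

# Constructed: ports known to face other switches, so a sighting there is not final.
UPLINKS = {
    "core-sw1": {"Te1/0/1", "Te1/0/2"},
    "site07-sw1": {"Gi1/0/48"},
    "site07-sw2": {"Gi1/0/24"},
}


def normalize_mac(mac):
    """Collapse any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from one switch's table."""
    rows = []
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows


def locate_mac(mac, tables, uplinks):
    """Return (edge_sightings, all_sightings) for one MAC across all switches.

    A sighting is (switch, port, vlan, macs_on_port). Edge sightings are those
    on ports not listed as uplinks; macs_on_port > 1 on such a port means
    something downstream (an unmanaged switch or a router) sits behind it.
    """
    target = normalize_mac(mac)
    edge, everywhere = [], []
    for sw, text in tables.items():
        rows = parse_mac_table(text)
        per_port = Counter(port for _, _, port in rows)
        for vlan, seen, port in rows:
            if seen != target:
                continue
            sighting = (sw, port, vlan, per_port[port])
            everywhere.append(sighting)
            if port not in uplinks.get(sw, set()):
                edge.append(sighting)
    return edge, everywhere


if __name__ == "__main__":
    edge, everywhere = locate_mac("d8:f1:55:55:00:05", MAC_TABLES, UPLINKS)
    for sw, port, vlan, n in everywhere:
        print(f"{sw:12} {port:10} vlan {vlan:<4} macs on port: {n}")
    print("edge port(s):", edge)
```

Because the gateway MAC in the original question is the only L2 evidence available, this is the lookup worth running: whichever access port learns that MAC, with more than one MAC behind it, is where the extra router is plugged in.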
R
RasselLetsPlay
196
01-11-2023, 01:10 AM
#6
Consider another idea, if you're reviewing your DHCP logs and believe all 60 sites use the same endpoint type—sort by MAC address. Unless they match your devices in brand and generation, it gets complicated. Some DHCP servers let you assign IPs based only on the info from the device requesting them—you might adjust settings and reduce lease durations. For instance, you could restrict IPs to only Windows 10 devices, etc. Be very cautious with this approach. Are you testing it by choice or has something unusual come up that raises concerns about unauthorized devices?

D
DiamndQueen
Member
210
01-11-2023, 12:01 PM
#7
I didn't think about a script for any reason. I'll focus on that now. Thanks! People keeping choices in mind are pushing to move forward with 802.1x, ISE, or any NAC solution... but they're focusing on costs and administrative work. Fortunately, we share the same vendor for our hardware. They haven't been well maintained, and centralized management or logging has been inconsistent during installations.
M
MrEv15425
Member
122
01-11-2023, 02:56 PM
#8
I've thought about it, but the company rules on network usage are relatively lenient, which complicates things for me. Some options, like leasing, I've already tackled. The devices in question were flagged by our IPS/IDS and tracked through our edge firewall. While I can block them digitally, locating them physically would be ideal. With limited resources, I might have to stick with the digital approach...but that's a possibility!
W
WPaige
Senior Member
377
01-12-2023, 01:59 AM
#9
Hopefully this works, someone probably already has a version that needs minor adjustments. ISE would be nice but adds significant expense. The early setup and device checks become tedious. It's important to consider the worth of insider threat protection. Luckily, basic CLI commands for digging information stay consistent, so your script should function regardless of minor version differences. If NAC causes issues, I'd strongly advocate for centralized logging.
X
xTripleMinerx
Posting Freak
846
01-12-2023, 01:25 PM
#10
It’s helpful to know their IP or MAC addresses. I’m not sure about your IDS/IPS setup, but if it’s inline, these devices definitely go through a gateway. If they’re using mirrored ports or flow data, it might not be the case. You can increase log detail temporarily for a specific period when you anticipate these connections.