An interesting scenario and ask for help

jordan12

So I have a large network. I have a machine that is on the network, but has spyware. All I have is an IP and MAC address for the device. How would I go about finding which network port that machine is plugged into?
 
Oh, boy...

What kind of switches do you use in your infrastructure? You can probably isolate it down to a few possibilities of an access switch somewhere based on its subnet, etc.? This is all seriously going to depend on the switches you have.
 
Windows computer?
Domain?
I would start with a nslookup and see if it gives you the name.
http://smallbusiness.chron.com/hostname-ip-address-47400.html

Once you have that this tool should be able to tell you who is logged into that computer:
https://technet.microsoft.com/en-us/sysinternals/psloggedon.aspx

PsLoggedon.exe
Find out who is logged on to a local computer

PsLoggedon.exe \\computer-name
Find out who is logged on to a remote computer

PsLoggedon.exe user.name
Find all computers where a user is logged on
 
Yea, a reverse lookup could help in this scenario if it is a domain member.
 
If it's a managed enterprise-type switch, you should be able to use LLDP commands to list the Neighbors and match the MAC.
 
So I have a large network. I have a machine that is on the network, but has spyware. All I have is an IP and MAC address for the device. How would I go about finding which network port that machine is plugged into?

If you have smart or managed switches then you can look at the MAC table of each switch to locate the specific port the device is connected to.
 