Figuring MAC address from IP address?

mpeg4v3 (Gawd; joined Sep 14, 2001; 644 messages)
I'm the RezCon Assistant for the dorm I'm in, and basically what that means is that I help all 560 of the residents here with their networking issues. As of yesterday, I spotted a rogue DHCP server on the network giving out 10.0.1.x IP addresses, which conflicted with our school's (SDSU) DHCP server. Furthermore, the rogue server isn't set up as a router; those getting IP addresses from it can't get out to the internet. So far it seems like most people are using the school's server, but changing my IP quickly to the 10 range showed three who were, using the Angry IP Scanner. However, this IP Scanner didn't show the MAC address of the server, 10.0.1.1, only the IP address and the ping time.

Now, in order to take care of this DHCP server, I have to get the MAC address of the computer handing out addresses so that I can search our database for the jack that last used that MAC address. Does anyone have any recommendations on programs that can do this?
 
I probably should have known that :(

edit: not like it mattered anyway... the MAC address isn't in the database. damnit, this is going to be more complicated than I thought to narrow down who this person is.
 
I don't know all too much about catching rogue DHCPs... but can't you wait till late at night when most connections aren't being used and DoS that DHCP?... then you can look on the switch for which port has the most activity and plug it.

I guess it can be worth a shot... but like I said, I don't know much about rooting out rogues like that... especially when I don't know what equipment you have on hand.
 
If all the switches are managed, you could go hunting. The switches will know which MAC is on each port.
 
Originally posted by JTY
If all the switches are managed, you could go hunting. The switches will know which MAC is on each port.

That's what I was thinking but I don't think they manage dorm room connectivity like that. I could be wrong.
 
Have you tried port scanning the rogue system to see if there are any other open services that may provide a clue to the owner?
 
Well, we don't have physical access to the switch (that's a completely different division of our school, and it would take weeks to get them to do anything we request), so I can't do that. Besides, the network is getting hammered with virus activity anyway so pretty much all of the lights would be flashing mad any time of the day/night.
No clue if the switches are managed.
As for port scanning, I was going to do a full scan of all ports before I left for dinner. I did a quick first-1000 port scan and only 53 was open, which I believe is for DNS.
In a residence hall of 560, this is going to be hard to track down an exact person.
 
Originally posted by mpeg4v3
Well, we don't have physical access to the switch (that's a completely different division of our school, and it would take weeks to get them to do anything we request), so I can't do that. Besides, the network is getting hammered with virus activity anyway so pretty much all of the lights would be flashing mad any time of the day/night.
No clue if the switches are managed.
As for port scanning, I was going to do a full scan of all ports before I left for dinner. I did a quick first-1000 port scan and only 53 was open, which I believe is for DNS.
In a residence hall of 560, this is going to be hard to track down an exact person.

Yeah that is going to be harder than normal then. I say just DOS the dhcp and hopefully the guy will get the hint.
 
Hrm, I'll talk to my boss and ask him about whether it's cool or not to DoS him. If need be I'll even set up a dedicated box just to DoS him off the network.
Pondering getting a packet sniffer and seeing if it reveals anything. Ethereal is what I used to use in my high school networking class, it's still pretty decent, right?
 
Not sure how your network is structured, but you could always have that MAC address filtered.
 
If you have the MAC address, then you could derive the NIC manufacturer if you have that as part of your records. But that assumes the person hasn't spoofed their MAC address.

Otherwise the suggestion of MAC filtering in the switches is just about the only option you may have.
 
Well, right before I was going to start my port scan, the IP address dropped off the network, so either a.) the person realized what he was doing, or b.) it's a computer that isn't always on, which is going to make this even more fun to deal with.
 
Code:
net send 10.0.1.1 please call the RezCon Assisstant immediately!

try running that from your dos prompt? worth a shot anyway
 
Originally posted by MentallyDisturbed
Code:
net send 10.0.1.1 please call the RezCon Assisstant immediately!

try running that from your dos prompt? worth a shot anyway

Only works for windoze boxen and linux boxen with SMB properly configured.

If there are intelligent routers on the network, tracert it and localize where it could be. =) my .02
 
Yeah, I already tried net sending.
I've been able to figure out from using a packet sniffer that it's an Airport Base Station, or at least I believe it to be, as one of the packets from the source address had Base_Station and .airport in it.
Another problem is that the correctly assigned IP addresses are on a different subnet than the wrongly assigned IPs, so I can't ping or anything of the sort.

Since I've got my Laptop of Justice (TM) I think I may go walking around the halls later tonight scanning for wireless signals and seeing if anything pops up, since it is an airport station. Does anyone know what the default SSID is of ABS's?
 
Originally posted by mpeg4v3
Since I've got my Laptop of Justice (TM) I think I may go walking around the halls later tonight scanning for wireless signals and seeing if anything pops up, since it is an airport station. Does anyone know what the default SSID is of ABS's?

Airport or something like it........ also be sure to check the MAC address of any APs you pick up; you're more likely to identify the culprit that way than by relying on the SSID.
 
Yeah, I plan to, but I'm not entirely sure yet how to do so using OS X.

edit: nm, I guess the terminal holds much of the same tools linux/unix does; won't be that hard to figure out after all.

I guess I'll just find the signal, and figure out what room the signal comes in strongest near.

I also have permission from my boss to DOS it off the network if need be... fun fun.
 
Ok, I'll bite.. what about:

ping 10.1.2.3
arp -a (and look for the IP) or arp 10.1.2.3

If your computer doesn't know the MAC address of that IP then it will send out an ARP request first. If that computer is on the same network you are on (that's a big if, which I don't recall you mentioning), and it has an IP address, then it will respond with an arp-reply.

This ping, then arp combination will work even for systems which are using a firewall that drops ping requests. IP won't work without ARP, so the ARP request will always work. Quite useful for finding "hidden" systems.

If you're not on the same network, then there's no way for you to get the MAC address.
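The ping-then-ARP trick above only works on your own segment, but the MAC the thread is after is already in the frames the rogue server sends: a DHCP OFFER is delivered on the local Ethernet segment, so a sniffer sees its source MAC even when the offered range (10.0.1.x here) is a subnet you cannot ARP for. As an added example (not from any poster), this Python parses such a frame, pulls out the server's MAC, IP, server-identifier option and the offered address, and flags servers missing from an allow-list; the server IP, MAC and the frame itself are constructed, and `AUTHORIZED_SERVERS` is a placeholder.

```python
# Added example, not from the thread: pull the sending MAC out of a captured
# DHCP OFFER frame and flag servers that are not on the allow-list. Constructed frame.
import struct

AUTHORIZED_SERVERS = {"130.191.0.1"}   # placeholder: the campus DHCP server's IP
MAGIC = b"\x63\x82\x53\x63"             # DHCP options magic cookie at BOOTP offset 236


def dotted(b):
    return ".".join(str(x) for x in b)


def build_offer(src_mac, src_ip, yiaddr, server_id):
    """Construct a minimal Ethernet/IPv4/UDP DHCPOFFER (for feeding the parser)."""
    opts = bytes([53, 1, 2, 54, 4]) + bytes(map(int, server_id.split("."))) + b"\xff"
    bootp = (bytes([2, 1, 6, 0]) + b"\x00" * 12 + bytes(map(int, yiaddr.split(".")))
             + b"\x00" * 216 + MAGIC + opts)          # op=BOOTREPLY, yiaddr at offset 16
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


def parse_offer(frame):
    """Return server MAC, IP, server-id and offered address, or None if not a DHCPOFFER."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                   # not IPv4 carrying UDP
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]                     # honour the IP header length (IHL)
    bootp = udp[8:]
    if udp[:2] != b"\x00\x43" or len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None                                   # not from UDP/67 or no DHCP cookie
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:         # TLV walk until END option
        if bootp[i] == 0:                             # PAD option has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(53) != b"\x02":                       # message type 2 = DHCPOFFER
        return None
    server_id = dotted(opts.get(54, ip[12:16]))       # option 54, else the IP source
    return {"server_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "server_ip": dotted(ip[12:16]), "server_id": server_id,
            "offered": dotted(bootp[16:20]),
            "rogue": server_id not in AUTHORIZED_SERVERS}
```

On a real capture, feed each frame read from a pcap into `parse_offer` and log any result with `rogue` set; the `server_mac` is the value to look up against the jack database or the switches' MAC tables.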
 
Mac Stumbler will help you scan for the wireless network using OS X. I use it all the time at school because our net admin is dumb and every time he finds out I know the base station's SSID he changes it, not thinking that I can just look for it again *like I said, he's dumb*
 
Ah ha! I found it.
I was walking around the halls, and I got to the 11th floor (the very top floor.... had been going floor by floor by stairs) and spotted an Apple wireless network with a MAC address similar to (but not identical to) the one I was looking for. It then dawned on me that they were likely to have different MAC addresses since one was running off the NIC with an ethernet jack plugged into the wall, while the other was running off a wireless access point with a different MAC address. The door to the room was open as I walked by, and a guy walked out just as I passed with the signal bumping up to 60%, so I asked him if he'd recently set up an Apple base station in his room, and he said no, but his roommate did, yesterday, which was when the rogue DHCP server first popped up. I got his roommate's name and room number and am going to call him tomorrow about it all. And thus, my bit of sleuthing for the night is over.
 
Even better; the base station is using the default password, so I can log in to it remotely and turn off the DHCP assignment settings tonight, instead of having to go through the whole call-and-wait process.
 
Originally posted by mpeg4v3
Even better; the base station is using the default password, so I can log in to it remotely and turn off the DHCP assignment settings tonight, instead of having to go through the whole call-and-wait process.
Sweet, I'm glad you finally found the culprit.

Isn't administration fun? :)
 
Originally posted by Blitzrommel
Sweet, I'm glad you finally found the culprit.

Isn't administration fun? :)

Indeed. Actually, I did have a lot of fun doing this. Gave me a very odd feeling of accomplishment in the end. And, no one had to have their internet shut off.
 