Scanning Office: "Birmingham, AL"
Router: 66.113.24.1 and Switch: 66.113.24.2
MAC Address: 0004dc804ac0 IP: 66.113.24.2 Port: 0 Manufacturer: Nortel Networks
MAC Address: 00065ba2d734 IP: 66.113.24.242 Port: 7 Manufacturer: Dell Computer Corp.
MAC Address: 080046da3913 IP: 66.113.24.175 Port: 8 Manufacturer: Sony Corporation LTD.
MAC Address: 00065bea6579 IP: 66.113.24.182 Port: 9 Manufacturer: Dell Computer Corp.
MAC Address: 000874a5b56c IP: 66.113.24.71 Port: 3 Manufacturer: Dell Computer Corp.
MAC Address: 00055d6f0638 IP: 66.113.24.245 Port: 5 Manufacturer: D-Link Systems, Inc.
MAC Address: 000874f96725 IP: 66.113.24.243 Port: 2 Manufacturer: Dell Computer Corp.
MAC Address: 000874f96736 IP: 66.113.24.244 Port: 6 Manufacturer: Dell Computer Corp.
MAC Address: 000bdb28aa0c IP: 66.113.24.232 Port: 12 Manufacturer: Dell ESG PCBA Test
MAC Address: 000d5618b326 IP: 66.113.24.219 Port: 7 Manufacturer: Dell PCBA Test
MAC Address: 000d564a33c2 IP: 66.113.24.178 Port: 11 Manufacturer: Dell PCBA Test
MAC Address: 000e7f3a1b3a IP: 66.113.24.10 Port: 4 Manufacturer: Hewlett Packard
MAC Address: 00123f18da3f IP: 66.113.24.176 Port: 15 Manufacturer: Dell Inc
MAC Address: 00b0d013b9a3 IP: 66.113.24.248 Port: 10 Manufacturer: Dell Computer Corp.
MAC Address: 00b0d0a6597a IP: 66.113.24.70 Port: 18 Manufacturer: Dell Computer Corp.
Scan Completed.
Log Analysis – Router & Switch Logs – Physical Location
Router: 66.113.24.1 and Switch: 66.113.24.2
…
MAC Address: 00055d6f0638 IP: 66.113.24.245 Port: 5 Manufacturer: D-Link Systems, Inc.
…
**************************************************************************
Example #1 – Identification of Physical Location
You have now identified via the DHCP server that the machine used to compromise the servers had MAC address “00055d6f0638” and IP address “66.113.24.245”. How do you track this physical machine down in a country-wide network?
Log Analysis – Router & Switch Logs – Fixed IP
Router: 66.113.24.1 and Switch: 66.113.24.2
…
MAC Address: 000e7f3a1b3a IP: 66.113.24.10 Port: 4 Manufacturer: Hewlett Packard
…
**************************************************************************
Example #2 – Finding machines with FIXED IPs
After examining the DHCP logs in detail, it does not appear that the attacker used DHCP to obtain their IP address; they must have used a FIXED IP address. How would you determine their MAC address and physical location from another subnet in the same WAN?
Log Analysis – Router & Switch Logs – Unauthorized Devices
Router: 66.113.24.1 and Switch: 66.113.24.2
…
MAC Address: 00055d6f0638 IP: 66.113.24.245 Port: 5 Manufacturer: D-Link Systems, Inc.
MAC Address: 080046da3913 IP: 66.113.24.175 Port: 8 Manufacturer: Sony Corporation LTD.
…
**************************************************************************
Example #3 – Determination of Unauthorized Devices with Fixed IPs
How can you tell whether someone attached an unauthorized piece of equipment to the target network? By examining the router and switch log lines above, you can determine that two devices on the network are “non-compliant”. For example, the D-Link device is a wireless router; this could be the compromise point of the network. Also, since the corporation only purchases Dell computers, the connection of a Sony device is suspicious as well.
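The three exercises above all reduce to the same lookup over the switch's MAC table: given a MAC (Example #1) or a fixed IP (Example #2), find the office, switch and port the device sits on; and, for Example #3, flag any device whose manufacturer is not on the purchasing allowlist. The script below is an added example written for this page, not part of the original exercise material. It parses the log format exactly as printed above, using the Birmingham scan lines as its sample input. Two assumptions are built in: the entry with `Port: 0` is treated as the switch's own management address and skipped when flagging, and the approved-vendor list is a parameter that defaults to Dell only, as Example #3 states.

```python
import re
from dataclasses import dataclass

# Sample input: the Birmingham, AL scan lines as printed on the page.
SWITCH_LOG = """\
Scanning Office: "Birmingham, AL"
Router: 66.113.24.1 and Switch: 66.113.24.2
MAC Address: 0004dc804ac0 IP: 66.113.24.2 Port: 0 Manufacturer: Nortel Networks
MAC Address: 00065ba2d734 IP: 66.113.24.242 Port: 7 Manufacturer: Dell Computer Corp.
MAC Address: 080046da3913 IP: 66.113.24.175 Port: 8 Manufacturer: Sony Corporation LTD.
MAC Address: 00065bea6579 IP: 66.113.24.182 Port: 9 Manufacturer: Dell Computer Corp.
MAC Address: 000874a5b56c IP: 66.113.24.71 Port: 3 Manufacturer: Dell Computer Corp.
MAC Address: 00055d6f0638 IP: 66.113.24.245 Port: 5 Manufacturer: D-Link Systems, Inc.
MAC Address: 000874f96725 IP: 66.113.24.243 Port: 2 Manufacturer: Dell Computer Corp.
MAC Address: 000874f96736 IP: 66.113.24.244 Port: 6 Manufacturer: Dell Computer Corp.
MAC Address: 000bdb28aa0c IP: 66.113.24.232 Port: 12 Manufacturer: Dell ESG PCBA Test
MAC Address: 000d5618b326 IP: 66.113.24.219 Port: 7 Manufacturer: Dell PCBA Test
MAC Address: 000d564a33c2 IP: 66.113.24.178 Port: 11 Manufacturer: Dell PCBA Test
MAC Address: 000e7f3a1b3a IP: 66.113.24.10 Port: 4 Manufacturer: Hewlett Packard
MAC Address: 00123f18da3f IP: 66.113.24.176 Port: 15 Manufacturer: Dell Inc
MAC Address: 00b0d013b9a3 IP: 66.113.24.248 Port: 10 Manufacturer: Dell Computer Corp.
MAC Address: 00b0d0a6597a IP: 66.113.24.70 Port: 18 Manufacturer: Dell Computer Corp.
Scan Completed.
"""

# One MAC-table line as the scan tool prints it.
LINE_RE = re.compile(
    r"MAC Address: (?P<mac>[0-9a-fA-F]{12}) +IP: (?P<ip>[\d.]+) +"
    r"Port: (?P<port>\d+) +Manufacturer: (?P<vendor>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    office: str      # from the "Scanning Office:" header
    switch: str      # from the "Router: ... and Switch: ..." header
    mac: str         # 12 lowercase hex digits, no separators
    ip: str
    port: int        # physical switch port the device was seen on
    vendor: str      # manufacturer as reported by the scan (OUI lookup)


def normalize_mac(mac):
    """Accept 00:05:5d:6f:06:38, 00-05-5D-6F-06-38 or 00055d6f0638."""
    return mac.replace(":", "").replace("-", "").lower()


def parse_log(text):
    """Turn one office's scan output into Entry records tagged with office and switch."""
    office = switch = None
    entries = []
    for line in text.splitlines():
        if line.startswith("Scanning Office:"):
            office = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Router:"):
            m = re.search(r"Switch: ([\d.]+)", line)
            switch = m.group(1) if m else None
        else:
            m = LINE_RE.match(line)
            if m:
                entries.append(Entry(office, switch, m["mac"].lower(),
                                     m["ip"], int(m["port"]), m["vendor"]))
    return entries


def locate_by_mac(entries, mac):
    """Example #1: the MAC from the DHCP lease -> office, switch and port."""
    wanted = normalize_mac(mac)
    return next((e for e in entries if e.mac == wanted), None)


def locate_by_ip(entries, ip):
    """Example #2: a fixed IP never seen in DHCP -> its MAC, office, switch and port."""
    return next((e for e in entries if e.ip == ip), None)


def noncompliant(entries, approved=("Dell",)):
    """Example #3: devices whose reported manufacturer is not an approved vendor.

    Assumption: Port 0 is the switch's own management entry and is skipped.
    """
    ok = tuple(a.lower() for a in approved)
    return [e for e in entries
            if e.port != 0 and not e.vendor.lower().startswith(ok)]


if __name__ == "__main__":
    table = parse_log(SWITCH_LOG)
    hit = locate_by_mac(table, "00:05:5d:6f:06:38")
    print(f"Example #1: {hit.office}, switch {hit.switch}, port {hit.port}")
    hit = locate_by_ip(table, "66.113.24.10")
    print(f"Example #2: MAC {hit.mac} on port {hit.port} ({hit.vendor})")
    for e in noncompliant(table):
        print(f"Example #3: port {e.port:>2} {e.ip:<15} {e.vendor}")
```

Run against the Birmingham scan, `locate_by_mac` places the D-Link box on switch 66.113.24.2 port 5, and `locate_by_ip` turns the fixed address 66.113.24.10 into MAC 000e7f3a1b3a on port 4; the same functions can be run over every office's scan to cover the whole WAN. With the Dell-only allowlist, `noncompliant` flags the D-Link and Sony devices named in Example #3 and also the Hewlett Packard host from Example #2, which the exercise does not count; whether that host is a sanctioned exception is a question for the asset inventory, which is why the allowlist is a parameter rather than hard-coded. Keep in mind that the manufacturer column is derived from the OUI prefix of the MAC, and a MAC address can be changed on most hosts, so a vendor mismatch is a lead to go and look at the port, not proof of what is plugged into it.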