Situation:
We recently turned off DHCP in favor of fixed IP addresses, and in the middle of the old DHCP range for the legacy network segment, we found a device responding to ping but without any of our normal remote access services running (SSH, RDP, SMB/etc).
Nmap version identification fails to find anything, and we get the following results:
PROTOCOL STATE SERVICE
1 open icmp
4 open|filtered ip
6 open tcp
17 open udp
66 open|filtered rvd
96 open|filtered scc-sp
136 open|filtered unknown
157 open|filtered unknown
214 open|filtered unknown
235 open|filtered unknown
251 open|filtered unknown
MAC Address: B8:AC:6F:95:06:64 (Dell)
We don't get anything back on connecting to any of these open ports, and there is no documentation that any device should be there. All of our known devices are documented, so the existence of this device is a mystery.
I don't like mysterious devices.
Questions:
Does anybody know what device might have all of these strange ports open?
We have a lot of DELL workstations and servers, but we've checked against every single known asset.
Can anybody suggest a way to access the device?
Or, can anybody suggest how to physically find it other than yanking cables from various hub segments until it becomes unreachable and narrowing down from there?
This is why I don't bother with unmanaged switches these days... it's just too darned convenient to be able to ask my SNMP-generated network map "which port of which switch is this MAC address coming from?".
Since it sounds like you're in an office environment, I'd just wait until everyone's gone home for the day and then start pulling cables -- it really is the simplest option. If that really doesn't suit, fire up a flood ping to the device and chase the path by looking for which ports' link lights are going nuts, and chase it down from there.
As far as "what is it?", you really haven't given any useful information to go on. That nmap says that it responds to ICMP, UDP, and TCP is hardly news -- there aren't a lot of IP-capable devices that wouldn't. You want to map the TCP and UDP ports that are open, rather than the protocols.
The numbers shown are not open ports; they are IP protocol family IDs. Your device passes all ICMP/TCP/UDP packets and blocks some IP packets (probably ARP).
That may be a WiFi access point acting in dumb wireless switch mode, with no IP address and no launched services.
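As an added example (not part of the question or of either answer), here is a small Python decoder for the kind of Nmap protocol-scan (-sO) table quoted in the question. It turns the protocol numbers into their IANA names and spells out what each nmap state means, so a reader can see why the table says nothing more than "this is an ordinary IP stack" and why the next step is a TCP/UDP port scan rather than another protocol scan. The sample input is the question's own table, embedded as a constructed string; the protocol names are taken from the IANA Assigned Internet Protocol Numbers registry (only the entries that appear in the table are listed), and the state descriptions are nmap's own semantics for -sO.

```python
"""Decode an nmap -sO (IP protocol scan) table.

Added example, not code from the original post. Protocol names come from the
IANA protocol-number registry; numbers not listed there are reported as
unassigned/unknown.
"""
import re

# Constructed sample input: the nmap -sO table quoted in the question above.
SAMPLE_SCAN = """\
PROTOCOL STATE SERVICE
1 open icmp
4 open|filtered ip
6 open tcp
17 open udp
66 open|filtered rvd
96 open|filtered scc-sp
136 open|filtered unknown
157 open|filtered unknown
214 open|filtered unknown
235 open|filtered unknown
251 open|filtered unknown
MAC Address: B8:AC:6F:95:06:64 (Dell)
"""

# IANA "Assigned Internet Protocol Numbers" entries for the numbers that appear
# above; anything else is reported as unassigned/unknown.
IANA_PROTOCOLS = {
    1: "ICMP",
    4: "IPv4 encapsulation (IP-in-IP)",
    6: "TCP",
    17: "UDP",
    66: "RVD (MIT Remote Virtual Disk)",
    96: "SCC-SP (Semaphore Communications Sec. Pro.)",
    136: "UDPLite",
}

# How nmap -sO classifies a protocol: it sends one raw IP packet per protocol
# number and looks at what, if anything, comes back.
STATE_MEANING = {
    "open": "host replied with something, so it implements this protocol",
    "closed": "host replied ICMP protocol-unreachable: not implemented",
    "filtered": "an ICMP unreachable came back from a filter, not the host",
    "open|filtered": "no reply at all: implemented-but-silent or dropped",
}

ROW_RE = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)\s+(\S+)$")
MAC_RE = re.compile(r"^MAC Address:\s+([0-9A-Fa-f:]{17})\s+\((.*)\)$")


def parse_protocol_scan(text):
    """Return (rows, mac): one dict per table row, plus (mac, vendor) or None."""
    rows, mac = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            number = int(m.group(1))
            rows.append({
                "number": number,
                "state": m.group(2),
                "nmap_name": m.group(3),
                "iana_name": IANA_PROTOCOLS.get(number, "unassigned/unknown"),
            })
            continue
        m = MAC_RE.match(line)
        if m:
            mac = (m.group(1).upper(), m.group(2))
    return rows, mac


def summarize(rows):
    """Separate confirmed protocols from silent ones and flag an ordinary host."""
    confirmed = sorted(r["number"] for r in rows if r["state"] == "open")
    silent = sorted(r["number"] for r in rows if r["state"] == "open|filtered")
    # A plain host confirms exactly ICMP, TCP and UDP. Extra confirmed entries
    # such as GRE (47) or ESP (50) would instead suggest a router or VPN endpoint.
    return {
        "confirmed": confirmed,
        "silent": silent,
        "ordinary_ip_stack": confirmed == [1, 6, 17],
    }


def explain(rows):
    """One human-readable line per row: number, IANA name, meaning of the state."""
    return [
        f"protocol {r['number']:>3} {r['iana_name']:<45} -> {STATE_MEANING[r['state']]}"
        for r in rows
    ]


if __name__ == "__main__":
    rows, mac = parse_protocol_scan(SAMPLE_SCAN)
    print("\n".join(explain(rows)))
    print(summarize(rows))
    print("MAC / vendor:", mac)
```

Run against the question's table, `summarize` reports ICMP, TCP and UDP as the only confirmed protocols and everything else as "no reply", which is exactly what a stock workstation or server stack looks like; the table therefore narrows nothing down, and the port scan the first answer recommends is the informative next step.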