11

We have had a BT engineer visit recently, trying to solve a problem with our IP phone system.

One point they made was that we had four DHCP servers running on the network. I have disabled two of them (one of them should be running) and tested everything is working as it should. However, the fourth DHCP server eludes me!

The device has an IP address of 192.168.1.59, I can successfully ping the IP address.

If I run 'nbtstat -a 192.168.1.59' I get the following result:

$ nbtstat -a 192.168.1.59
$ Local Area Connection:
$ Node IpAddress: [192.168.1.45] Scope Id: []
$ Host not found.

If I run RDP or VNC Viewer for the IP address they don't connect.

Is there any other way I can find out more about the device?

dannymcc
  • 2,677
  • 10
  • 46
  • 72

3 Answers3

12

nmap is great for this. Besides letting you know which ports the server is listening on (which is often enough to identify its operating system) it can also do OS fingerprinting which is usually quite good. The OS fingerprinting can often even identify printer models.

Try nmap -A -v 192.168.1.59

Ladadadada
  • 25,847
  • 7
  • 57
  • 90
6

You can check your arp tables for the MAC address, which on UNIX is done with

arp -a -n | grep 192.168.1.59

I presume Windows has an analogue.

You can then cross-reference the first three octets of the MAC address with a vendor identification lookup, of which there are many on the web. One such is here (I know nothing about it, it just came up first in a google search). That should tell you who made the piece of equipment, which often helps in identifying it.

If you have manageable switches, you can also cross-reference that mac address with the spanning tree on the switch, which will tell you which switch port that MAC address appears on, which often identifies the individual cable that has the thing on the other end. How to talk to your managed switch depends on who made it, and is beyond the scope of a simple SF answer. This is the fastest method of finding a box in these cases, but it does require some network smarts and manageable switches.

Failing all that, you can try telneting to well-known ports; I often try 139 (getting a connection means it's either a Windows box or it's a unix box running SaMBa), 22 (the ssh banner can give hints as to the manufacturer) and 80 (if there's a web server running, typing GET /<CR><CR> often returns useful error text.

MadHatter
  • 78,442
  • 20
  • 178
  • 229
2

Your nbtstat output seems to suggest that the device isn't a Windows host. Could it be a router, switch, firewall, WAP, etc?

In addition, there shouldn't be anything wrong with running multiple DHCP servers as long as they're configured correctly and don't have any overlapping Scopes.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171