How To Figure Out What Lives At An IP Address

0

Got a weird one here.

I've got an IP address in my subnet that is alive and responds to ping requests, but I can't figure out what device actually lives at that address. I've tried a couple of IP scanners that usually list hostnames and open ports / services, I've tried connecting to that address via http, https, telnet, SSH, but nothing responds and I don't have anything in DNS at that address.

We have no records or documentation of any device existing at this address and I'm at a bit of a loss because I need to expand my DHCP range, and this address is in the way.

Anyone know of a better way to interrogate that address to figure out what it is?

Thanks!

EDIT: I don't really see how this is a duplicate since that other question is from a completely different case [He has data from Advanced IP Scanner and I don't, he's using VMs, and I'm not] and that thread also has no answer. But it doesn't really matter because I found the offending device due to some great advice and good utilities in this thread. Thanks everyone!

Catatonic27

Posted 2017-05-05T12:29:24.353

Reputation: 611

Question was closed 2017-05-05T15:06:39.247

Find out the port it's connected to and follow the cable. – Seth – 2017-05-05T12:33:35.553

I'd be okay with that, but my network has like 25 different switches and poor documentation. Any suggestions on how I might go about figuring out where it's plugged in? – Catatonic27 – 2017-05-05T12:34:51.567

What is the result if you do ping -a [ip address] ? It will attempt to resolve the ip address to a hostname. – LPChip – 2017-05-05T12:42:09.423

If they're really just dumb switches there isn't much you can do. If they're managed switches you might be able to use some script to ask them for information. – Seth – 2017-05-05T12:46:36.363

Ping the device by IP address, then do an arp -a from a command line to find out the MAC address. Put the first three octets of the MAC address in Google or an OUI search site and it will tell you the manufacturer of the NIC. It's possible to spoof this info but it may give you a clue. – LawrenceC – 2017-05-05T13:02:00.147

In the marked duplicate there is a potential option of ping flooding the device and seeing which LED is brightest to trace the network port. This will only work if your switch/hub has link activity indicators, but it is a tidy solution. – Mokubai – 2017-05-05T15:11:13.893
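Added example, not part of the original thread: the arp -a and OUI step suggested in the comments above, written as a small Python parser. The sample ARP tables and MAC addresses are constructed for illustration (192.168.1.7 is the example address used in the answer below); the function names are hypothetical. It also checks the locally-administered bit, which tells you when the first three octets will not map to a real vendor.

```python
import re

# Constructed sample output (not from the thread).
WINDOWS_ARP = """\
Interface: 192.168.1.20 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-cc     dynamic
  192.168.1.7           02-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# BSD/macOS-style output; macOS drops leading zeros in each octet.
UNIX_ARP = """\
? (192.168.1.1) at 00:11:22:aa:bb:cc [ether] on eth0
? (192.168.1.7) at 0:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.9) at <incomplete> on eth0
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(raw):
    """Return the MAC as six zero-padded, upper-case, colon-separated octets."""
    return ":".join(p.zfill(2).upper() for p in re.split(r"[:-]", raw))


def find_mac(arp_output, ip):
    """Find the MAC for `ip` in `arp -a` output; None if absent or unresolved."""
    for line in arp_output.splitlines():
        mac = MAC_RE.search(line)
        # Exact match on the parsed address, so .7 never matches .70
        if mac and ip in IP_RE.findall(line):
            return normalize_mac(mac.group(1))
    return None


def describe(mac):
    """Split out the OUI and decode the two flag bits in the first octet."""
    first = int(mac[:2], 16)
    return {
        "oui": mac[:8],  # first three octets, the part to look up
        # Set: not a vendor-assigned address (VM, randomized or spoofed)
        "locally_administered": bool(first & 0x02),
        # Set: group address, not a single NIC
        "multicast": bool(first & 0x01),
    }
```

If locally_administered comes back true, an OUI lookup will not identify the manufacturer, and the switch port is the more reliable lead.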

Answers

5

Your objective is to find the device which is running at the specific IP address. For this I would recommend that you use nmap. Let's take as an example that the IP address is 192.168.1.7 in your network.

  • If you want to know the OS information:
    nmap -A 192.168.1.7
  • Search for open ports:
    nmap 192.168.1.7

    When you scan for open ports, if any port is open then try to connect to that port (if the port is connectable). Or you can even use the port to get information through that open port, like:
    nmap -p 80 192.168.1.7
    Here I am using port 80 to scan for the information. You can download nmap from here. There are ports for most of the popular desktop OSes (you've not mentioned what you use), so chances are you can run this on most PCs.

    Prashant Dey

    Posted 2017-05-05T12:29:24.353

    Reputation: 109

    C:>nmap 'nmap' is not recognized as an internal or external command, operable program or batch file. – LPChip – 2017-05-05T12:44:21.257

    @LPChip nmap is a well-known scanner and the OP should know about it if he tried several. You will have to install it and there are Windows ports from what I know. – Seth – 2017-05-05T12:45:50.800

    @Seth my point is, that this is a Q&A site. Any software not native to your OS needs a link so someone who finds this post can understand that they need additional software. – LPChip – 2017-05-05T12:46:47.873

    So my OS could be Linux? There wasn't a mention anywhere of an OS. In addition I'd have a different opinion on this but this would be more suited for meta or chat. – Seth – 2017-05-05T12:50:23.123

    zenmap's a pretty nice frontend for it https://nmap.org/zenmap/ – Journeyman Geek – 2017-05-05T12:53:07.010

    Good stuff @Prashant Dey. I'm looking into this. nmap is telling me that https and ssh are open on this address but I can't connect to the host with either service. – Catatonic27 – 2017-05-05T13:11:01.540

    @Catatonic27 That is probably because it has a firewall which is protecting you from connecting to it. You should know the authentication (username and password) for that. – Prashant Dey – 2017-05-05T17:53:09.747

    @PrashantDey Turns out it was a malfunctioning switch. After reconfiguring it, it responds on those ports now. Thanks for the help! nmap was a lifesaver in the end. Definitely keeping that utility on hand for the future. – Catatonic27 – 2017-05-05T18:00:14.533

    0

    [...] my network has like 25 different switches and poor documentation.

    If your network doesn't need to be up 24/24: Unplug stuff from switches until you can no longer ping the device in question. Follow the cable you just unplugged, rinse and repeat. While you are at it, make some notes so documentation gradually improves.

    dirkt

    Posted 2017-05-05T12:29:24.353

    Reputation: 11 627