Jump to content

Rogue Router??


puzOpia
 Share

Recommended Posts

:angry: Today at work, I discovered what appears to be a rogue Linksys router plugged in to my network. I found it by booting my virtual PC and it got a DHCP address from the "rogue". I was able to get admin privileges to the device because the dope left the pw as default. If this is truly someone trying to do something they shouldn't, is there a way that I can identify where this is on my LAN before I shut them down? For now I am going to try to find the MAC address in the routing tables on my switches. The last time I did that it took a while.

Got any ideas?

Link to comment
Share on other sites

Traceroute would show you the different hops a packet would take. If you can relate the IP of your switches to their physical location you should be able to determine where the router is.

Say you traceroute google.com and your results are:

1.1.1.1

1.1.1.2

192.168.2.1

1.1.1.3

google.com (could be several different IPs because google is huge)

And the IP you were assigned by DHCP is something like 192.168.2.2 then you would know that the router lies somewhere between the switch with IP 1.1.1.2 and the switch with the IP of 1.1.1.3

Link to comment
Share on other sites

Thanks for the responses guys. We actually believe we found it. Our WAN guy found it's MAC address on a port of a switch in another building. The room that it feeds happens to be the home of a particularly bothersome moron over there. As it also turns out, the 192.168.1.1 address it has is a duplicate of an interface of a switch already on our LAN so you can imagine how it is screwing things up. For now, I am disabling DHCP and changing the password and the IP it has. In the morning my boss wants to go over there with me to do a physical inspection and hopefully punch this guy in the face.

I'll let you know how it turns out...

Link to comment
Share on other sites

Haha don't you love that.

Glad you got it solved. I was going to throw in my 2 cents anyway. The best way i found was to yes... find what MAC address is associated to a switch port, then trace it to your patch panel and find exactly where it is. If you have numerous switches it could be a daunting task, i wonder if there is a way to dump running config of the mac address table from a switch. There probably is. If there was, you could dump the logs off all of your switches into a directory and run a grep or search through them all for the offending MAC address. (If anyone knows of such a tool to use for cisco switches let me know :) im curious )

Link to comment
Share on other sites

(If anyone knows of such a tool to use for cisco switches let me know :) im curious )

You can trace it manually by doing 'show mac-address-table' and then following the trail. Look for the MAC address of the rogue device and then follow the port number to the next switch, repeat again until you reach the rogue device. I just tested this in packet tracer and it works great.

68751134.png

Link to comment
Share on other sites

You can trace it manually by doing 'show mac-address-table' and then following the trail. Look for the MAC address of the rogue device and then follow the port number to the next switch, repeat again until you reach the rogue device. I just tested this in packet tracer and it works great.

68751134.png

If you do have Cisco switches there, start using the port security feature. When the port detects a new MAC address, that now exceeds the specified limit of MAC addresses allowed (usually 1), it shuts down the port. You have to manually open it back up, but you'll know somebody did something because your phone will ring and the user will complain.

It's a pain in ass to manage on a large scale, but it will be the most sure-fire way to find out who is plugging new devices into the network, and fast.

Other ideas... limit the scope of the network with VLANs. You then have to manually configure a DHCP helper address (your own DHCP server) in each VLAN. The rougue DHCP broadcasts won't leak out of the VLAN and you have a smaller area to search for rouge devices.

Link to comment
Share on other sites

The way I usually try to find a problem device is by segmenting the network. I have used this to find bad switches, bad NICs, and a rouge dhcp. I will usually setup something like a continuous ping, wireshark or dhcpfind by roadkill. then I start at the fiber and disconnect a building at a time till i know which building. Then I go to that building and disconnect a switch at a time till I find which switch then unplug each jack until I know which jack the device is plugged into, look up the location of that jack and go get the device. The downside of this technique is you are disconnecting a lot of users. The upside is you will have the device in you hand in about 5 minutes, and you didn't need to use any fancy software or hardware.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...