
Rogue Router??


puzOpia


:angry: Today at work, I discovered what appears to be a rogue Linksys router plugged into my network. I found it by booting my virtual PC and it got a DHCP address from the "rogue". I was able to get admin privileges to the device because the dope left the pw as default. If this is truly someone trying to do something they shouldn't, is there a way that I can identify where this is on my LAN before I shut them down? For now I am going to try to find the MAC address in the routing tables on my switches. The last time I did that it took a while.

Got any ideas?


Traceroute would show you the different hops a packet would take. If you can relate the IP of your switches to their physical location you should be able to determine where the router is.

Say you traceroute google.com and your results are:

1.1.1.1

1.1.1.2

192.168.2.1

1.1.1.3

google.com (could be several different IPs because google is huge)

And the IP you were assigned by DHCP is something like 192.168.2.2 then you would know that the router lies somewhere between the switch with IP 1.1.1.2 and the switch with the IP of 1.1.1.3


Thanks for the responses guys. We actually believe we found it. Our WAN guy found its MAC address on a port of a switch in another building. The room that it feeds happens to be the home of a particularly bothersome moron over there. As it also turns out, the 192.168.1.1 address it has is a duplicate of an interface of a switch already on our LAN so you can imagine how it is screwing things up. For now, I am disabling DHCP and changing the password and the IP it has. In the morning my boss wants to go over there with me to do a physical inspection and hopefully punch this guy in the face.

I'll let you know how it turns out...


Haha don't you love that.

Glad you got it solved. I was going to throw in my 2 cents anyway. The best way I found was to yes... find what MAC address is associated to a switch port, then trace it to your patch panel and find exactly where it is. If you have numerous switches it could be a daunting task. I wonder if there is a way to dump the running config of the MAC address table from a switch. There probably is. If there was, you could dump the logs off all of your switches into a directory and run a grep or search through them all for the offending MAC address. (If anyone knows of such a tool to use for Cisco switches let me know :) I'm curious.)


(If anyone knows of such a tool to use for cisco switches let me know :) im curious )

You can trace it manually by doing 'show mac-address-table' and then following the trail. Look for the MAC address of the rogue device and then follow the port number to the next switch, repeat again until you reach the rogue device. I just tested this in packet tracer and it works great.


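The two posts above ask for a way to dump every switch's MAC table into a directory and grep it for the offending MAC, and then to follow the port trail from switch to switch until the edge port. Below is an added example, written for this page and not posted by either participant, that does both in Python on saved `show mac address-table` output. It normalises MAC formats (Cisco dotted `0022.33aa.bb01`, colon and dash forms) so a MAC copied from a Windows or Linux host matches the Cisco-formatted entry, parses the tables, counts MACs per port to flag probable uplinks, and walks from the core over known uplink ports to the one port that has no switch behind it. The switch names, port numbers, MAC addresses and the CDP uplink map are all constructed for the example.

```python
import re
from collections import Counter

# Constructed 'show mac address-table' output saved from three switches.
# Switch names, ports and MACs are made up; the rogue is 0022.33aa.bb01.
MAC_TABLES = {
    "core-sw1": """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0011.2233.4455    DYNAMIC     Gi1/0/24
   1    0011.2233.4466    DYNAMIC     Gi1/0/24
   1    0011.2233.4477    DYNAMIC     Gi1/0/1
   1    0022.33aa.bb01    DYNAMIC     Gi1/0/24
   1    0022.33aa.bb02    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 6
""",
    "bldgB-sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4477    DYNAMIC     Gi0/1
   1    0011.2233.4455    DYNAMIC     Gi0/2
   1    0022.33aa.bb01    DYNAMIC     Gi0/2
   1    0022.33aa.bb02    DYNAMIC     Gi0/2
   1    0011.2233.4466    DYNAMIC     Fa0/5
""",
    "bldgB-sw2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4477    DYNAMIC     Gi0/1
   1    0011.2233.4466    DYNAMIC     Gi0/1
   1    0011.2233.4455    DYNAMIC     Fa0/3
   1    0022.33aa.bb01    DYNAMIC     Fa0/17
   1    0022.33aa.bb02    DYNAMIC     Fa0/17
""",
}

# (switch, port) -> neighbouring switch, as read from 'show cdp neighbors'.
# Constructed for the example.
UPLINKS = {
    ("core-sw1", "Gi1/0/24"): "bldgB-sw1",
    ("bldgB-sw1", "Gi0/1"): "core-sw1",
    ("bldgB-sw1", "Gi0/2"): "bldgB-sw2",
    ("bldgB-sw2", "Gi0/1"): "bldgB-sw1",
}

# One table row: VLAN (or 'All'), Cisco dotted MAC, type, port.
LINE_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.I,
)


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits regardless of separator style
    (0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_mac_table(text):
    """Parse saved 'show mac address-table' output into
    (vlan, normalized_mac, type, port) tuples; headers and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), normalize_mac(m.group(2)), m.group(3).upper(), m.group(4)))
    return rows


def mac_counts(text):
    """MACs learned per port. A port carrying many MACs is an uplink, or has a
    switch or router LAN side behind it; useful when no CDP data is available."""
    return Counter(port for _, _, _, port in parse_mac_table(text))


def find_mac(tables, mac):
    """The 'grep across all dumps' step: {switch: port} for every switch that
    has learned the MAC, whatever format the MAC was given in."""
    wanted = normalize_mac(mac)
    return {sw: port for sw, text in tables.items()
            for _, m, _, port in parse_mac_table(text) if m == wanted}


def trace_mac(tables, uplinks, mac, start):
    """Follow the MAC from 'start' switch over uplink ports until it is learned
    on a port that leads to no other switch: that is the edge port to walk to."""
    hits = find_mac(tables, mac)
    path, switch, seen = [], start, set()
    while switch not in seen:
        seen.add(switch)
        port = hits.get(switch)
        if port is None:
            raise LookupError("%s has not learned %s" % (switch, mac))
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:          # not an uplink: the device hangs off this port
            return path
        switch = nxt
    raise RuntimeError("uplink map loops back to %s" % switch)


if __name__ == "__main__":
    for hop in trace_mac(MAC_TABLES, UPLINKS, "00:22:33:AA:BB:01", "core-sw1"):
        print("%s port %s" % hop)
```

In practice, save `show mac address-table` (older IOS: `show mac-address-table`) to one file per switch and build the uplink map from `show cdp neighbors`. A port that carries several MACs but has no CDP neighbour is the interesting kind: an unmanaged switch or a consumer router's LAN side, which is the situation in this thread.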

If you do have Cisco switches there, start using the port security feature. When the port detects a new MAC address, that now exceeds the specified limit of MAC addresses allowed (usually 1), it shuts down the port. You have to manually open it back up, but you'll know somebody did something because your phone will ring and the user will complain.

It's a pain in ass to manage on a large scale, but it will be the most sure-fire way to find out who is plugging new devices into the network, and fast.

Other ideas... limit the scope of the network with VLANs. You then have to manually configure a DHCP helper address (your own DHCP server) in each VLAN. The rogue DHCP broadcasts won't leak out of the VLAN and you have a smaller area to search for rogue devices.

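The post above recommends port security with a one-MAC limit on Cisco switches and per-VLAN DHCP helper addresses. Below is an added example, not from that poster, that generates the IOS configuration for those two measures from a small interface inventory. The point it adds is the caveat that makes port security "a pain to manage": trunks, uplinks to other switches and ports with an access point or another device that presents many MACs must be excluded, or the limit errdisables them immediately. The interface list, CDP neighbour names, VLAN numbers and DHCP server address are constructed assumptions for the example.

```python
# Constructed interface inventory for one access switch, as you would assemble
# it from 'show interfaces status' and 'show cdp neighbors'. All names are
# made up for this example.
INTERFACES = [
    {"name": "Gi0/1",  "mode": "trunk",  "cdp_neighbor": "bldgB-sw1"},
    {"name": "Fa0/3",  "mode": "access", "cdp_neighbor": None},
    {"name": "Fa0/17", "mode": "access", "cdp_neighbor": None},
    {"name": "Fa0/18", "mode": "access", "cdp_neighbor": "ap-2nd-floor"},
]

# Constructed VLAN plan: vlan id -> (SVI address, mask), plus the real DHCP server.
VLANS = {10: ("10.0.10.1", "255.255.255.0"), 20: ("10.0.20.1", "255.255.255.0")}
DHCP_SERVER = "10.0.0.5"


def port_security_config(interfaces, max_macs=1, violation="shutdown"):
    """Emit IOS port-security config for user-facing access ports only.

    Trunks and any port with a CDP neighbour (another switch, an AP, an IP
    phone) legitimately carry many MACs; with 'maximum 1' they would be shut
    down the moment they are plugged in, so they are skipped and noted with
    an IOS '!' comment in the output instead."""
    lines = []
    for itf in interfaces:
        if itf["mode"] == "trunk":
            lines.append("! %s skipped: trunk" % itf["name"])
            continue
        if itf["cdp_neighbor"]:
            lines.append("! %s skipped: neighbour %s" % (itf["name"], itf["cdp_neighbor"]))
            continue
        lines += [
            "interface %s" % itf["name"],
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum %d" % max_macs,
            # 'shutdown' errdisables the port so the user calls you, as the post
            # describes; 'restrict' would only drop the extra MAC and log it.
            " switchport port-security violation %s" % violation,
            # sticky: the first MAC seen is written into the running config,
            # so the port is locked to the machine that belongs there.
            " switchport port-security mac-address sticky",
        ]
    return lines


def dhcp_helper_config(vlans, dhcp_server):
    """Emit one SVI per VLAN with 'ip helper-address' pointing at the real DHCP
    server. Clients still reach it across VLAN boundaries, while a rogue
    server's DHCPOFFER broadcasts stay inside the VLAN it is plugged into."""
    lines = []
    for vlan_id in sorted(vlans):
        addr, mask = vlans[vlan_id]
        lines += [
            "interface Vlan%d" % vlan_id,
            " ip address %s %s" % (addr, mask),
            " ip helper-address %s" % dhcp_server,
        ]
    return lines


def secured_ports(interfaces):
    """Names of the ports that port_security_config() would actually lock down."""
    return [l.split()[1] for l in port_security_config(interfaces) if l.startswith("interface ")]


if __name__ == "__main__":
    print("\n".join(port_security_config(INTERFACES)))
    print("\n".join(dhcp_helper_config(VLANS, DHCP_SERVER)))
```

Review the `!` skipped lines by hand before pasting the rest in; the whole value of port security is lost if an uplink is locked to one MAC and shut down, and the whole point of the helper address is that the DHCP server address is the only one clients should ever be offered from outside their VLAN.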

The way I usually try to find a problem device is by segmenting the network. I have used this to find bad switches, bad NICs, and a rogue DHCP. I will usually set up something like a continuous ping, Wireshark or dhcpfind by RoadKil. Then I start at the fiber and disconnect a building at a time till I know which building. Then I go to that building and disconnect a switch at a time till I find which switch, then unplug each jack until I know which jack the device is plugged into, look up the location of that jack and go get the device. The downside of this technique is you are disconnecting a lot of users. The upside is you will have the device in your hand in about 5 minutes, and you didn't need to use any fancy software or hardware.

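The original poster found the rogue because a VM picked up a lease from it, and the post above uses a DHCP finder tool as the canary while unplugging segments. Below is an added example, not from either poster, of what such a tool does: it broadcasts one DHCPDISCOVER, collects every DHCPOFFER that comes back, and flags any offer whose server identifier (option 54) is not one of your own DHCP servers. The builder for the OFFER side is included so the whole exchange is visible and the parser can be tested offline; the set of known servers, the client MAC and the offered addresses are constructed assumptions. The live `scan()` needs root to bind UDP port 68 and a host on which no DHCP client currently holds that port.

```python
import os
import re
import socket
import struct
import time

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that starts the options
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes

# Your legitimate DHCP server(s). Constructed for the example.
KNOWN_SERVERS = {"10.0.0.5"}


def mac_bytes(mac):
    """'00:11:22:33:44:55' / '0011.2233.4455' / '00-11-...' -> 6 raw bytes."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))


def build_discover(mac, xid):
    """Client side: a minimal DHCPDISCOVER with the broadcast flag set, so the
    replies come back as broadcasts and every responding server is heard."""
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,   # op=BOOTREQUEST
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac_bytes(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (MAGIC
            + b"\x35\x01\x01"        # option 53: DHCPDISCOVER
            + b"\x37\x02\x01\x03"    # option 55: ask for subnet mask and router
            + b"\xff")               # end
    return hdr + opts


def build_offer(xid, mac, yiaddr, server, router, mask="255.255.255.0"):
    """Server side: the DHCPOFFER a server answers with. Used here to show the
    other half of the exchange and to exercise the parser without a network."""
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0x8000,   # op=BOOTREPLY
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server), b"\0" * 4,
                      mac_bytes(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (MAGIC
            + b"\x35\x01\x02"                           # 53: DHCPOFFER
            + b"\x36\x04" + socket.inet_aton(server)    # 54: server identifier
            + b"\x01\x04" + socket.inet_aton(mask)      # 1: subnet mask
            + b"\x03\x04" + socket.inet_aton(router)    # 3: router
            + b"\xff")
    return hdr + opts


def parse_reply(data):
    """Decode a DHCP packet into the fields that identify who answered.
    Returns None for anything that is not DHCP."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", data[:12])
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 0:                # pad
            i += 1
            continue
        if code == 255:              # end
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda o: socket.inet_ntoa(opts[o][:4]) if o in opts and len(opts[o]) >= 4 else None
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(data[16:20]),
            "type": opts[53][0] if 53 in opts else None,
            "server": ip(54), "router": ip(3), "mask": ip(1)}


def rogue_servers(offers, known_servers):
    """Server identifiers seen in OFFERs that are not one of our own servers."""
    return sorted({o["server"] for o in offers
                   if o["type"] == 2 and o["server"] not in known_servers})


def scan(timeout=5.0, mac="02:00:00:00:00:01"):
    """Send one DISCOVER and collect every OFFER for our xid. Needs root."""
    xid = int.from_bytes(os.urandom(4), "big")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))
    s.settimeout(0.5)
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers, deadline = [], time.time() + timeout
    while time.time() < deadline:
        try:
            data, (src, _) = s.recvfrom(2048)
        except socket.timeout:
            continue
        r = parse_reply(data)
        if r and r["xid"] == xid and r["type"] == 2:
            r["src"] = src
            offers.append(r)
    s.close()
    return offers


if __name__ == "__main__":
    found = scan()
    for o in found:
        print("offer %s from server %s (router %s)" % (o["yiaddr"], o["server"], o["router"]))
    print("rogue servers:", rogue_servers(found, KNOWN_SERVERS))
```

Run it in a loop while a segment is unplugged, exactly as the post describes with dhcpfind; the moment the rogue stops showing up in the output, the last cable pulled is the one that leads to it. Matching on the server identifier rather than the source IP matters because a relayed offer arrives from the helper, not the server.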
