tech101us Posted February 11, 2021

I've got a device popping up on my wireless that I'm having a hard time identifying. I scanned it with NMAP and it identified itself as a Fortigate device (see details below). I also tried to hit it with Nessus, but unfortunately whenever I attempt to scan the device for any period of time, it drops off the network. I've blocked it from any outbound traffic in my firewall and am logging packets (so far none seen). I also created a static DHCP address for the MAC address so when it does come online, it always gets the same IP address. Trying to determine whether I have a wireless interloper or this is a valid device on my network. The MAC address is an odd IEEE registered address. Appreciate any thoughts anyone has.

It does have an open HTTP port with a very basic browser page that says something to the effect of "this page does not exist" and a link to go "home" which returns you to the same page.

sudo nmap -sS -O xxx.xxx.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-08 09:05 CST
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.021s latency).
Not shown: 849 filtered ports, 150 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: CC:C2:61:50:0E:7C (Unknown)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
digininja Posted February 11, 2021

Nmap's OS fingerprinting is not always accurate, especially when it says it is only 87% sure, so I'd not put much weight on that.

The easiest thing to do is to change the wireless password and then see what happens. Only change the password on devices one or two at a time and see if it comes back. If it does, check on the last few you updated. If it is someone who managed to get your key, as long as you pick a good strong one this time you should be able to keep them off. At least for a while.

Did you do any check of things like HTTP headers from the web server? Banner grabbing or info in the HTML header may tell you the OS or give some indication about the device.
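As an added example (not code from this thread or from either poster), here is what the header check digininja suggests looks like as a small Python script: it sends a plain `GET /` to a host on your own LAN and pulls out the status line, Server header, page title and links, which is usually enough to tell a vacuum from a firewall. The host, port and the sample response are assumptions; the sample is constructed to resemble the "page does not exist" page described above, and the lighttpd version string in it is invented for illustration.

```python
import re
import socket


def parse_http_banner(raw: bytes) -> dict:
    """Split a raw HTTP response into the fields useful for identifying a device."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    html = body.decode("utf-8", errors="replace")
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    links = re.findall(r'href=["\']([^"\']+)["\']', html, re.I)
    return {
        "status": lines[0],
        "server": headers.get("server"),          # often names the embedded web server
        "powered_by": headers.get("x-powered-by"),
        "content_type": headers.get("content-type"),
        "title": title.group(1).strip() if title else None,
        "links": links,
    }


def grab_http_banner(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Fetch GET / from a device on your own network and parse the reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass  # some embedded servers never close; use what we have
    return parse_http_banner(b"".join(chunks))


# Constructed sample response (not a real capture), modelled on the page the OP describes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: lighttpd/1.4.45\r\n"  # invented value for illustration only
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><head><title>404 - Not Found</title></head>"
    b"<body>This page does not exist. <a href=\"/\">home</a></body></html>"
)

if __name__ == "__main__":
    for key, value in parse_http_banner(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Against a live device, replace the sample with `grab_http_banner("192.0.2.10")` (placeholder address); the Server header and title are what you would search for to match a vendor.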
tech101us (Author) Posted February 11, 2021

Thanks @digininja. Didn't consider looking at the HTTP headers. Changing my WPA2 password is something I'm due for. I just didn't want to totally disconnect this unknown device without trying to learn a bit more about it. Unfortunately, it seems like whatever it is, it hasn't come back. So for the time being, I'll just change the wifi password and continue to keep an eye on things. Appreciate the feedback and the HAK5 forums for the same.
tech101us (Author) Posted February 12, 2021

Happy to share that I solved this one. Turns out that this is actually our Shark Robo-Vacuum. It dawned on me when the vacuum wasn't doing anything for a couple of days after I blocked its access to the internet. Apparently I neutered it (yes, pun intended 😀) when I disabled its access to the cloud. I'll have to report this one to the NMAP folks. It's running some sort of embedded Linux that doesn't respond well to NMAP scans.
digininja Posted February 12, 2021

Glad you got to the bottom of it.
This topic is now archived and is closed to further replies.