Tracking an internal IP address


qbui

New Member
Jan 7, 2008
3
0
#1
Is there a way for me to track down which computer/device is using a particular IP address? I've been looking everywhere but can't find out who or what is using a few IP addresses.
Thanks!
 
Jul 22, 2007
90
0
#2
Basically, the solution you seek, if available, calls for utilization of a number of networking skills. I've had success with identifying the source of an IP address when I had access to a PC on the same subnet. I pinged the broadcast address for the subnet and then used the arp -a command to view the ARP (address resolution protocol) cache to find the MAC address associated with that PC. You can also try using the tracert command as in "tracert 192.168.1.103". Sometimes, if name resolution is available, the tracert command will return a machine name associated with the specified IP address. Of course, if you are attempting to identify a device that is behind some type of NAT (Network Address Translation), the IP address on your side of the NAT device will be different than the one the device is using. I noticed that you said "computer/device". If the address is being used by a router or other non-PC device, you may find success in using the Telnet command and seeing what message the device returns. Some devices, such as some routing equipment, will return a logon prompt and the name of the device.
 

mialta

New Member
Nov 20, 2007
48
0
#3
If you are using Windows, ping the address, then type arp -a.

This should give you a MAC address.

You can then look up the manufacturer for the MAC address and narrow the search down to a vendor.

A vendor lookup site can be found at coffer.com.

If you still can't find them, try sniffing packets with Wireshark and looking for identifiable information in the traces.

Happy hunting.

Mike
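
Added example, not part of the original post: the ping, arp -a and vendor-lookup steps above, scripted in Python. It parses Windows-style `arp -a` output, skips broadcast and multicast rows, and flags locally administered MACs, for which a vendor lookup tells you nothing. The sample output, the function names and the two-entry vendor table are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (addresses are made up).
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-0c-12-34-56     dynamic
  192.168.1.103         00-50-56-ab-cd-ef     dynamic
  192.168.1.120         da-a1-19-01-02-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Tiny stand-in for the IEEE OUI registry; a real lookup would load the full list.
OUI_VENDORS = {"00000C": "Cisco Systems", "005056": "VMware"}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.I,
)

def parse_arp(text):
    """Return {ip: mac} for unicast entries, skipping broadcast/multicast rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac = m.group(1), m.group(2).upper()
        if int(mac[:2], 16) & 0x01:  # I/G bit set: group (multicast/broadcast) address
            continue
        table[ip] = mac
    return table

def describe(mac):
    """Vendor hint for a MAC, or a note when the OUI cannot identify hardware."""
    if int(mac[:2], 16) & 0x02:  # U/L bit set: locally administered address
        return "locally administered (randomized or software-assigned), no vendor"
    return OUI_VENDORS.get(mac.replace("-", "")[:6], "unknown OUI")

def identify(text, ip):
    """Return (mac, vendor hint) for ip, or None if it is not in the ARP cache."""
    mac = parse_arp(text).get(ip)
    return None if mac is None else (mac, describe(mac))

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.103", "192.168.1.120", "192.168.1.200"):
        print(ip, identify(SAMPLE_ARP, ip))
```

An address missing from the parsed table only means the host has not answered ARP recently on that subnet, so ping it first as the post describes.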
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#5
Well, the solution is fairly simple. You have an IP, you just don't know what hardware it is associated with. Time to break out NMAP and scan it. If you are not familiar with NMAP, there is a good GUI frontend for it at Source Forge called NMAP Configurator. Anyway, NMAP will give you quite a bit of info about the device if it can find any open ports. If it is a rogue AP, you will find out about it using NMAP. Also, try to telnet to the device. Many routers are configurable through telnet.
 
Sep 2, 2004
70
6
#6
qbui said:
Is there a way for me to track down which computer/device is using a particular IP address? I've been looking everywhere but can't find out who or what is using a few IP addresses.
It depends on the environment that you're in. Your subject line mentions "internal", but your post doesn't elaborate...I'll assume that you're referring to an internal corporate IP address.

The first place I'd start looking is DHCP logs, if the environment uses DHCP. Then I'd go with "nbtstat -A" to see if I can get some info about the system...like the name. Depending on the environment, the name (due to the corporate naming convention) or a tracert command will give you some information as to where the system itself is located.

Hope that helps.

Harlan
 
