If you ever have to identify a device on the network without logging into it via common protocols (e.g., HTTP, HTTPS, FTP, Telnet, SMTP), you can find out its NIC vendor.
First ping the device to get it into your ARP cache.
C:\>ping 172.16.100.254
Pinging 172.16.100.254 with 32 bytes of data:
Reply from 172.16.100.254: bytes=32 time<1ms TTL=64
Reply from 172.16.100.254: bytes=32 time<1ms TTL=64
Reply from 172.16.100.254: bytes=32 time<1ms TTL=64
Reply from 172.16.100.254: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Then use ARP to check its MAC address.
C:\>arp -a | find ".254"
172.16.100.254 00-90-7f-3c-e0-b8 dynamic
Then use Coffer’s MAC Find tool to find out the manufacturer from the first six hexadecimal digits of the MAC address (the OUI, the prefix assigned to the NIC vendor).
[Image: Coffer's MAC Find lookup results]
I've had to leverage this many a time when hunting down rogue devices. Unfortunately, it's less common for workstations to have a workstation OEM branded NIC, but embedded devices tend to yield more conclusive results.
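The same steps can be run over a whole ARP table at once. The Python below is an added example, not code from the original post: it parses `arp -a` output, skips multicast and broadcast entries, flags locally administered (software-set) addresses where an OUI lookup tells you nothing, and looks up the rest in a table laid out like the IEEE oui.txt registry. The ARP rows other than 172.16.100.254, the vendor name and the function names are constructed for this example.

```python
import re

# Constructed `arp -a` output; only the .254 entry comes from the post.
SAMPLE_ARP = """\
Interface: 172.16.100.10 --- 0xb
  Internet Address      Physical Address      Type
  172.16.100.254        00-90-7f-3c-e0-b8     dynamic
  172.16.100.57         da-a1-19-42-7c-03     dynamic
  172.16.100.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed registry line in the oui.txt layout; the vendor name is a placeholder.
SAMPLE_OUI = "00-90-7F   (hex)\t\tPLACEHOLDER-VENDOR\n"

ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M)
OUI_ROW = re.compile(r"^((?:[0-9A-F]{2}-){2}[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.M)

def load_oui(text):
    """Map 'AABBCC' -> vendor name from oui.txt-style lines."""
    return {m.group(1).replace("-", ""): m.group(2) for m in OUI_ROW.finditer(text)}

def classify(mac):
    """Read the two flag bits in the first octet of a MAC address."""
    first = int(mac[:2], 16)
    if first & 0x01:
        return "group"      # multicast/broadcast, not a single NIC
    if first & 0x02:
        return "local"      # locally administered: randomized or virtual
    return "universal"      # vendor-assigned, so the OUI is meaningful

def identify(arp_text, oui_text):
    """Return [(ip, mac, verdict)] for every unicast ARP entry."""
    vendors, out = load_oui(oui_text), []
    for ip, mac, _type in ARP_ROW.findall(arp_text):
        mac = mac.upper()
        kind = classify(mac)
        if kind == "group":
            continue
        if kind == "local":
            verdict = "locally administered, no vendor lookup possible"
        else:
            # First six hex digits of the MAC are the OUI.
            verdict = vendors.get(mac.replace("-", "")[:6], "OUI not in table")
        out.append((ip, mac, verdict))
    return out
```

Call `identify()` with the captured output of `arp -a` and the text of a locally saved OUI registry file to get one verdict per host.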