theweaselking: (Default)
[personal profile] theweaselking
I have a MAC (and an IP, but the IP is dynamic and has changed)

I don't have a list of MACs for computers on the network.

I want to know which computer this MAC is associated with.

What's the *fastest* way to find this out? Broadcast ping then "arp -a"? Run MS Baseline Security Analyzer on the whole network? Brute force remoting to every machine with a network admin account and running ipconfig /all?

Help me, oh lazyweb. Make my lazy life more lazy.

(no subject)

Date: 2007-11-08 02:22 am (UTC)
From: [identity profile] jsbowden.livejournal.com
Windows machines don't respond to broadcast pings, so that may not work if it's a Winderz box. I always log in to the Catalyst that all the servers and our primary internet connection are plugged in to and show the ARP table there.

(no subject)

Date: 2007-11-08 02:47 am (UTC)
From: [identity profile] jsbowden.livejournal.com
Oh, and the DHCP server should tell you what IPs it has assigned to which MAC addresses if you have access to that.

(no subject)

Date: 2007-11-08 02:50 am (UTC)
From: [identity profile] catsidhe.livejournal.com
Could such info be living in dhcpd.leases?
Do you have access to same?

ARP cache

Date: 2007-11-08 04:00 am (UTC)
From: [identity profile] skippy-fluff.livejournal.com
If you have access to anything with an ARP cache for that network, it should have the data you need. arp -a from the command line of a Linux or Mac box on the network may tell you. If this is a Windows setup (as several folks have inferred), this hint may help: http://www.microsoft.com/technet/scriptcenter/resources/qanda/jun05/hey0614.mspx

Good luck.

Re: ARP cache

Date: 2007-11-08 04:27 am (UTC)
From: [identity profile] theweaselking.livejournal.com
The target is almost certainly a Windows box.

And I have root access to the command line of the Linux machine that is the master WINS server.

I just want to know how to *best* identify the culprit.

(no subject)

Date: 2007-11-08 04:28 am (UTC)
From: [identity profile] theweaselking.livejournal.com
Hmm. The router is a nice big scary SonicWall appliance o' doom. It'll certainly get me a current IP if the machine is on when I look.

Once I've got a current IP, I can do all kinds of evil - remoting in, portscanning, or even simply blocking internet access and seeing who complains first.

I just want to find *the easiest* way to do it.

(no subject)

Date: 2007-11-08 04:30 am (UTC)
From: [identity profile] theweaselking.livejournal.com
Phenomenal Cosmic Powers are all mine.

But, once I have an IP, what's the fastest way to get, say, a computer name, or the identity of a logged-in user?

(no subject)

Date: 2007-11-08 04:31 am (UTC)
From: [identity profile] theweaselking.livejournal.com
PS: The machine is not on a Domain, only on a workgroup wherein I control the DHCP server. Blocking the MAC on the server and seeing who complains is an option, but that's inelegant.

(no subject)

Date: 2007-11-08 04:38 am (UTC)
From: [identity profile] jsbowden.livejournal.com
nslookup nnn.nnn.nnn.nnn

(no subject)

Date: 2007-11-08 05:03 am (UTC)
From: [identity profile] catsidhe.livejournal.com
If your dhcpd is a unix daemon, doing a locate should tell you where dhcpd.leases is hiding, and you should find MAC and IP salted away in there.

If you are serving dhcp from a Winderz server, may Goddess have mercy on your soul. I've got nothing in that case.
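The dhcpd.leases lookup suggested above, as an added example that is not part of anyone's comment in this thread. It assumes ISC dhcpd's lease-file syntax; the sample leases, addresses and host name are constructed, and the function names `norm_mac`, `field` and `leases_for_mac` are illustrative.

```python
import re

# Constructed sample (not from this thread), assuming ISC dhcpd lease-file syntax.
SAMPLE_LEASES = """
lease 192.168.1.50 {
  starts 3 2007/11/07 01:10:00;
  binding state free;
  hardware ethernet 00:16:d4:aa:bb:cc;
  client-hostname "FRONTDESK";
}
lease 192.168.1.73 {
  starts 4 2007/11/08 02:00:00;
  binding state active;
  hardware ethernet 00:16:d4:aa:bb:cc;
  client-hostname "FRONTDESK";
}
lease 192.168.1.51 {
  starts 4 2007/11/08 03:00:00;
  hardware ethernet 00:0c:29:11:22:33;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)

def norm_mac(mac):
    """Normalise ipconfig (00-16-D4-..), macOS arp (0:16:d4:..) and Cisco (0016.d4aa.bbcc) styles."""
    parts = re.split(r"[:-]", mac.strip())
    digits = "".join(p.zfill(2) for p in parts) if len(parts) == 6 else mac.strip().replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def leases_for_mac(text, mac):
    """Return every lease recorded for `mac`, newest first (the file appends, so old IPs remain)."""
    want, hits = norm_mac(mac), []
    for ip, body in LEASE_RE.findall(text):
        hw = field(body, r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);")
        if hw and norm_mac(hw) == want:
            hits.append({
                "ip": ip,
                "starts": field(body, r"^\s*starts\s+\d+\s+([\d/]+ [\d:]+);"),
                "state": field(body, r"^\s*binding state\s+(\w+);"),
                "hostname": field(body, r'^\s*client-hostname\s+"([^"]*)";'),
            })
    return sorted(hits, key=lambda h: h["starts"] or "", reverse=True)
```

Because the MAC is the lookup key, a dynamic IP that has changed still resolves: the newest entry gives the current address, and `client-hostname` is whatever name the client itself sent in its DHCP request, so it may be absent.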

(no subject)

Date: 2007-11-08 02:09 pm (UTC)
From: [identity profile] cmseward.livejournal.com
Sounds like the most fun, though.

(no subject)

Date: 2007-11-08 02:18 pm (UTC)
From: [identity profile] elffin.livejournal.com
What jsbowden mentioned above is the easiest way to do it without doing something scripting-based, presuming that the SonicWALL has a reasonable configuration of DHCP feeding DNS concurrently.

To get the name of the logged-in user, you'll need another Windows box and probably an account that's been given Administrator access on the target box.

There's a utility called "System Information for Windows" or "SIW" that is /very much worth/ putting on a USB stick; I got mine by visiting Daily Cup of Tech, where they have that and some other useful-or-not-so-much-useful utilities packaged all together,
http://www.dailycupoftech.com/usb-drive-systems/3/

also here:
http://www.gtopala.com/index.html

They have other nifty utilities that are small and can be dropped onto a USB stick.

(no subject)

Date: 2007-11-08 02:24 pm (UTC)
From: [identity profile] elffin.livejournal.com
Forgot to mention: SIW has a Network -> Neighborhood Scan, which will net you host names, IP addresses, and MAC all together (if the machine is running) as well as such useful niftiness as RDP scanning (to find machines left open to older remote desktop).
And a connect-to-remote-machine feature which can retrieve all the listed user accounts (but won't tell you who is logged on).
For that, you still need an account with admin privileges on that target machine.

(no subject)

Date: 2007-11-08 02:58 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
It does. It's very tempting.

(no subject)

Date: 2007-11-08 03:04 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
I've got a variant on that toolkit - from here.
http://www.technibble.com/computer-repair-utility-kit/

It includes SIW (which I didn't realise has a network scan - kinda neat) and also something called SoftPerfect Network Scan.

And Network Scan includes an option to resolve MACs.

So I think that's easiest. Too bad, though. Using an application like that feels like cheating.

(no subject)

Date: 2007-11-08 03:26 pm (UTC)
From: [identity profile] elffin.livejournal.com
I am wounded, /wounded/, sir, by your implication that I cheat.

heheheheheh

(no subject)

Date: 2007-11-08 03:30 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Love the icon.

And I wasn't suggesting that you cheat. I was suggesting that this feels like cheating, because it's too easy. Too easy means not fun.

(no subject)

Date: 2007-11-08 03:35 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Serving DHCP from a router, actually - the aforementioned Big Scary Network Appliance Of Doom. But I can simply read the IP out of the table, just the same. The next question was, what's the coolest way to learn everything *else* about the machine?

Re: your icon

Date: 2007-11-08 04:19 pm (UTC)
From: [identity profile] torrain.livejournal.com
Oh God kill it with fire!

'kay. That was all.

(no subject)

Date: 2007-11-08 06:14 pm (UTC)
From: [identity profile] cmseward.livejournal.com
Especially if you need to know this because they are doing something they aren't supposed to.

(no subject)

Date: 2007-11-08 06:25 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
That is, in fact, exactly what's happening.

(no subject)

Date: 2007-11-09 12:02 pm (UTC)
From: [identity profile] catsidhe.livejournal.com
That's exactly what we do. We tell people when they get accounts that if we detect that someone is playing funny buggers from a given IP, then that machine gets a private address until someone gives us a Good Reason why it should be allowed out to play again.

That is the warning.

(no subject)

Date: 2007-11-09 12:04 pm (UTC)
From: [identity profile] catsidhe.livejournal.com
Doing samba authentication? Try checking against logon/logoff/access timestamps, if the logs go into that sort of detail.
