This guide explains how to quickly identify a compromised host from the IP address present in the Event.
There are two relevant addresses in a Local Area Network:
- The MAC address, at layer 2, is assigned to the network interface and normally does not change, for example 1A:2B:3C:4D:5E:6F. Phones and recent desktop operating systems may randomize the Wi-Fi MAC per network, so treat it as stable mainly for wired and centrally managed devices.
- The IP address, at layer 3, can change with the network configuration (DHCP leases, VLAN moves), and looks like 192.168.1.100.
Our Honeypots operate at OSI Layer 3, so the Event only carries the IP address; they never see MAC addresses.
Retrieve the MAC Address
Let's assume the offending IP in the Event is 10.0.0.100.
Run the following from a machine on the same subnet as the offending IP: ARP only works within a single Layer 2 segment, and from another subnet your ARP cache will only ever contain your gateway's MAC. The ping does not need to receive a reply (ICMP may be blocked); its only purpose is to force an ARP exchange so the entry appears in the cache.
Linux and macOS:
ping -c 1 10.0.0.100
arp -n 10.0.0.100
On Linux distributions without the net-tools package, use ip neigh show 10.0.0.100 instead of arp.
Windows:
ping -n 1 10.0.0.100
arp -a 10.0.0.100
An entry shown as (incomplete), FAILED or simply missing means the host did not answer ARP: it is off, on another segment, or not the address you think it is.
Now that you have the MAC, search for the associated host in your asset inventory.
It is strongly advised, and required by most security frameworks and, in many sectors, by legislation, to maintain an asset inventory that lists all company devices. It should include the MAC, as it is the most stable unique identifier a device has.
If you do not have the Asset Inventory
The following covers a few ways to identify a LAN host in a human-readable way from its IP or MAC. It is divided by operating system because the commands vary.
WARNING: the success of these commands is not guaranteed. It depends on the host and network configuration, such as whether internal reverse DNS (PTR records) is maintained, whether NetBIOS is enabled, and whether the host answers at all.
First, the initial 3 bytes of the MAC (the OUI) identify the manufacturer of the network interface, which narrows the search (a printer vendor, a phone vendor, a server NIC). We recommend using the MAC Lookup service for that. Note that a virtual machine reports its hypervisor's OUI rather than the physical hardware's.
Windows
Press WINDOWS_KEY + R then type cmd and hit Enter to open the Command Prompt.
Queries DNS for a PTR (reverse) record.
nslookup 10.0.0.100
Name: john_workstation.corp.local
Address: 10.0.0.100
Retrieves the NetBIOS name table from the remote system. Requires NetBIOS over TCP/IP to be enabled on the target and UDP port 137 to be reachable. In the output, a <00> UNIQUE entry is the computer name, a <00> GROUP entry is its domain or workgroup, and a <03> UNIQUE entry is the logged-on user.
nbtstat -A 10.0.0.100
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
JOHN_WORKSTATION <00> UNIQUE Registered
CORP <00> GROUP Registered
PowerShell – Reverse DNS lookup
Resolve-DnsName 10.0.0.100
Name Type TTL Section NameHost
---- ---- --- ------- --------
100.0.0.10.in-addr.arpa PTR 1200 Answer john_workstation.corp.local
Linux
Open the Terminal and run
Reverse DNS (getent goes through NSS, so it also consults /etc/hosts and can succeed where dig fails)
$ getent hosts 10.0.0.100
10.0.0.100 john_workstation
$ nslookup 10.0.0.100
100.0.0.10.in-addr.arpa name = john_workstation.
$ dig -x 10.0.0.100 +short
john_workstation.
mDNS / Avahi
$ avahi-resolve-address 10.0.0.100
john_workstation.
NetBIOS (for Windows hosts, if enabled). The node-status reply carries the host's own MAC, so this also works from another subnet, where ARP does not.
$ nbtscan 10.0.0.100
Doing NBT name scan for addresses from 10.0.0.100
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
10.0.0.100 JOHN_WORKSTATION <00> UNIQUE 00:11:22:33:44:55
Connect to common service ports with netcat, for example 22, 80, 443, 445 and 3389, and read the banner. Only some services speak first (SSH, SMTP, FTP); HTTP stays silent until it receives a request, and 445/3389 need a protocol handshake, so for those an open port is all you learn from a bare connection. Use -w to avoid hanging on filtered ports.
$ nc -v -w 3 10.0.0.100 PORT
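The following helper chains the steps above (ARP retrieval and OUI, reverse DNS, mDNS, NetBIOS, banner grab) into one script for a Linux or macOS shell. It is an added example, not code from the original guide or the honeypot product; it assumes ping, dig and either ip or arp are installed, and treats avahi-resolve-address, nbtscan and nc as optional. The ARP-cache lines and IPs it parses are constructed samples. It also carries the subnet check the guide's ARP step depends on, so you are told when the offending IP cannot be resolved to a MAC from where you sit.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): triage helper for one
# offending IP taken from a honeypot Event.
set -u

# Pull a MAC out of one line of ARP-cache output, whatever the tool's format:
#   Linux/macOS arp : "? (10.0.0.100) at 1a:2b:3c:4d:5e:6f [ether] on eth0"
#   Linux ip neigh  : "10.0.0.100 dev eth0 lladdr 1a:2b:3c:4d:5e:6f REACHABLE"
#   Windows arp -a  : "10.0.0.100   1a-2b-3c-4d-5e-6f   dynamic"
# Prints nothing for an "(incomplete)" or FAILED entry, i.e. when the host
# never answered ARP (off, blocked, or not on this Layer 2 segment).
mac_from_arp_line() {
    printf '%s\n' "$1" \
      | grep -oiE '([0-9a-f]{2}[:-]){5}[0-9a-f]{2}' \
      | head -n 1 \
      | tr 'A-F' 'a-f' \
      | tr '-' ':'
}

# The OUI is the first three octets of the MAC; this is the prefix a MAC
# lookup service keys on to name the interface manufacturer.
oui_of() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# Build the reverse (PTR) name that nslookup and dig -x query behind the scenes.
ptr_name() {
    local IFS=.
    set -- $1
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# ARP only crosses a single Layer 2 segment: compare the offending IP with the
# address and prefix length of the machine running this script before trusting
# the ARP cache (otherwise the only MAC you will ever see is your gateway's).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
same_subnet() {                      # same_subnet IP1 IP2 PREFIXLEN
    local a b mask
    a=$(ip2int "$1"); b=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Run the guide's steps end to end; every lookup is optional and non-fatal.
identify_host() {                    # identify_host IP [MY_IP PREFIXLEN]
    local ip=$1 line mac ptr
    if [ $# -eq 3 ] && ! same_subnet "$ip" "$2" "$3"; then
        echo "note: $ip is not on your subnet; ARP cannot see its MAC from here"
    fi
    # The ICMP reply is irrelevant; the ping only forces an ARP exchange.
    ping -c 1 "$ip" >/dev/null 2>&1 || true
    line=$( { ip neigh show "$ip" 2>/dev/null || arp -n "$ip" 2>/dev/null; } | head -n 1 )
    mac=$(mac_from_arp_line "${line:-}")
    if [ -n "$mac" ]; then
        echo "MAC : $mac  (OUI $(oui_of "$mac"); look it up for the vendor)"
    else
        echo "MAC : not in ARP cache"
    fi
    ptr=$(dig -x "$ip" +short 2>/dev/null | head -n 1)
    echo "PTR : ${ptr:-<no reverse record for $(ptr_name "$ip")>}"
    command -v avahi-resolve-address >/dev/null 2>&1 \
        && echo "mDNS: $(avahi-resolve-address "$ip" 2>/dev/null | cut -f2)"
    command -v nbtscan >/dev/null 2>&1 && nbtscan "$ip" 2>/dev/null
    # Banner grab: SSH speaks first; HTTP is silent until asked, so send a request.
    echo "SSH : $(nc -w 3 "$ip" 22 </dev/null 2>/dev/null | head -n 1)"
    echo "HTTP: $(printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 3 "$ip" 80 2>/dev/null | grep -i '^Server:')"
}

# Usage (constructed addresses): identify_host 10.0.0.100 10.0.0.7 24
```

The parsing functions are kept separate from the network calls so they can be checked against captured ARP output on any machine; identify_host is the part you run on the segment where the offending IP lives. The MY_IP and PREFIXLEN arguments are optional and exist only to warn you when the ARP step is pointless from your position.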