How to find who has seized someone else's IP address
On a LAN where DHCP is not set up, IP addresses are often taken over by someone other than their assigned owner. How can we find this person? The general methods are as follows:
1. Switch port lookup: first obtain the MAC address of the illegal IP address, then run sh mac-address-table add 2.16.0000.0000 on the manageable Cisco switch to see which switch port the illegal MAC address is on. From the topology you can then tell where that port connects and narrow the location down step by step.
2. ARP spoofing lookup: use this when the method above can only determine the area where the illegal IP address is located, especially when you hit an unmanaged switch, cannot find a lower-level port from there, and still cannot locate the owner. In that case, continue the search with packet capture. On a switched network, a general sniffer packet capture tool captures only broadcast packets, not the other packets of a given IP address, so we use the Cain software to spoof and pick up the packets from the other party's IP address. This shows, for example, which IP addresses the owner often accesses: the gateway, or perhaps the Internet firewall, email server, financial application system, and so on. Use Cain on the access packets from the illegal IP address to these addresses, then analyze the capture with the sniffer. The owner can be identified from details in the capture such as an employee ID, email content, or the user name used to access a system.
3. MAC address matching lookup: sometimes neither of the above methods works. For example, someone has configured another person's IP address but has never used the network, so there is no traffic and packet capture with Cain and the sniffer is ineffective. Network administrators generally keep an IP Address Allocation Table that records which IP address belongs to which person. In this case, scan the machines on the LAN and use arp -a to check whether the illegal MAC address matches another MAC address. MAC addresses of NICs from the same manufacturer generally start with the same characters, so you can compare the first few digits of the other MAC addresses with the illegal MAC address and find the owner that way. Of course, this method only gives a probable answer.
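The MAC matching in method 3, as an added example that is not part of the original article: it parses arp -a output (Windows or Linux layout), takes the MAC seen on the illegal IP address, and ranks the other hosts by exact MAC match and then by shared manufacturer prefix, mapping each to the allocation table. The ARP output, the allocation table and the function names are constructed for illustration.

```python
import re

# Constructed sample: `arp -a` output collected after scanning the LAN.
ARP_OUTPUT = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1b-54-aa-10-01     dynamic
  192.168.1.20          3c-97-0e-11-22-33     dynamic
  192.168.1.21          3c-97-0e-44-55-66     dynamic
  192.168.1.30          f0-de-f1-0a-0b-0c     dynamic
  192.168.1.50          3c-97-0e-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed IP Address Allocation Table: IP address -> person.
ALLOCATION = {"192.168.1.20": "alice", "192.168.1.21": "bob",
              "192.168.1.30": "carol", "192.168.1.50": "dave"}

# An IPv4 address followed by a MAC written with '-' or ':' separators.
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    return {ip: mac.lower().replace("-", ":") for ip, mac in ENTRY.findall(text)}

def candidates(arp_text, allocation, illegal_ip):
    """Rank other hosts by how closely their MAC matches the one on illegal_ip."""
    table = parse_arp(arp_text)
    bad = table[illegal_ip]
    ranked = []
    for ip, mac in table.items():
        if ip == illegal_ip or mac == "ff:ff:ff:ff:ff:ff":
            continue                      # skip the target itself and broadcast
        if mac == bad:
            kind = "same-mac"             # one NIC answering on two addresses
        elif mac[:8] == bad[:8]:
            kind = "same-oui"             # same manufacturer prefix: a hint only
        else:
            continue
        ranked.append((kind, ip, allocation.get(ip, "unassigned")))
    return sorted(ranked)                 # exact matches sort before prefix matches

if __name__ == "__main__":
    for row in candidates(ARP_OUTPUT, ALLOCATION, "192.168.1.50"):
        print(*row)
```

A same-oui row only says the NIC comes from the same manufacturer, so on a site that bought its machines in bulk it narrows the search rather than naming the owner.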