Identify device on local network based on IPv6 address

The Day™ has finally arrived. I’ve avoided IPv6 until now, but my blissful ignorance must end.

My ISP notified me that a device on my network performed a DNS lookup for one of the C&C servers taken offline in the recent law enforcement action against the Avalanche botnet. I need to find that device and deal with it, so I enabled logging on my DNS server. Finally after four days a matching DNS lookup request was made, but to my dismay the request came from the address fe80::113d:d91e:e685:943b. Crap. I’m a noob when it comes to IPv6 and I’ve got a machine on my 60+ node network that is part of a malware-spewing botnet.

I ran tracert and determined it’s on the local link and currently online:

Tracing route to fe80::113d:d91e:e685:943b over a maximum of 30 hops

  1     9 ms    <1 ms     1 ms  fe80::113d:d91e:e685:943b

With an IPv4 device I can look at my DHCP leases to get the device name. Failing that, I’d ping it, then run arp -a to get its MAC address, which at least gives me the manufacturer. But this network doesn’t have an IPv6 DHCP server and arp doesn’t seem to speak IPv6.

I attempted a crash course in IPv6 and learned that the fe80 prefix means the address is link-local and I can supposedly derive the MAC address from the address. I tried that and get the MAC 13:3d:d9:85:94:3b. None of the OUI lookup tools recognize it and it doesn’t appear in my IPv4 DHCP leases.

How can I determine which device on my network has this IPv6 address?

My servers and the machines where I do my troubleshooting are running Windows.

Answer

Thanks to this comment on another Super User answer, I discovered the command:

netsh int ipv6 show neighbors

To my great joy I discovered it tells me the MAC address of devices on the local link, just like arp -a does:

Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
<redacted>
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
<redacted>

I was then able to compare the Physical Address to the IPv4 leases on my DHCP server and obtain the NetBIOS name of the offending device. Easy peasy.


I still don’t understand why this MAC address is resulting in this particular IPv6 Address. According to this online converter, its link local IPv6 address should be fe80::4e72:b9ff:fed2:b55d. But that’s another question…
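The lookup the answer describes, as an added example that is not part of the original post: parse the neighbor table, join the MAC against the IPv4 DHCP leases, and check whether a link-local address even embeds a MAC (the ff:fe marker of modified EUI-64). The netsh output and the lease table below are constructed samples, and the hostname is hypothetical; the observed address lacks the ff:fe marker, which is why the neighbor table, not arithmetic on the address, is the reliable route.

```python
import ipaddress
import re

# Constructed sample of `netsh int ipv6 show neighbors` output (not the page's real table)
NETSH_SAMPLE = """\
Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
fe80::4e72:b9ff:fed2:b55d                     4c-72-b9-d2-b5-5d  Stale
ff02::1                                       33-33-00-00-00-01  Permanent
"""

# Constructed IPv4 DHCP lease export (MAC -> NetBIOS name); hostname is hypothetical
DHCP_LEASES = {"4c:72:b9:d2:b5:5d": "WORKSTATION-17"}

def parse_neighbors(text):
    """Return {ipv6_address: mac} from netsh neighbor output, skipping multicast rows."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f:]+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\S+", line, re.I)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_multicast:          # ff02::1 etc. map to group MACs, not a host
            continue
        table[str(addr)] = m.group(2).lower().replace("-", ":")
    return table

def identify(addr, netsh_text=NETSH_SAMPLE, leases=DHCP_LEASES):
    """Map a suspicious IPv6 neighbor to (mac, hostname) via the DHCP leases; None if unseen."""
    mac = parse_neighbors(netsh_text).get(str(ipaddress.IPv6Address(addr)))
    return (mac, leases.get(mac)) if mac else None

def eui64_link_local(mac):
    """Modified EUI-64 link-local address for a MAC: flip the U/L bit, insert ff:fe."""
    b = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))

def mac_from_eui64(addr):
    """Recover the MAC only when the interface ID carries ff:fe; randomized IDs give None."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in iid[:3] + iid[5:])
```

On a live Windows host, feed the real `netsh int ipv6 show neighbors` output into `identify` and replace `DHCP_LEASES` with the lease export from the DHCP server.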

Attribution
Source: Link; Question Author: I say Reinstate Monica; Answer Author: I say Reinstate Monica