I just noticed that I have a Mikrotik device appearing in my DHCP table.
As far as I knew:
I only had two Mikrotik devices on-site.
Both were not connected.
Both were assigned static IPs when in use (prior to disconnection).
I’ve tried:
Connecting to the IP address of this device, and I get a RouterOS login page (with version 6.40.9).
Inputting the default “admin” username and blank password of a new device.
Inputting the on-file usernames and passwords of the two known devices.
I can’t get into the admin page of this device. This is a very curious situation (and a little bit worrisome).
My first step would be to see if I can physically locate the device on-site, but it would help a lot if I knew what I was looking for. This is especially true because I am not physically on-site but rather remotely directing other people to help me solve this mystery.
Based on the MACID provided in the DHCP table, is it possible to at least determine what class of Mikrotik device I’m dealing with?
The MACID prefix (first 6 digits) of b8:69:f4 definitely indicates it is a RouterBoard device.
Use ARP tables and bridge-hosts tables to locate the connection at L2.
Use Mikrotik IP Neighbors to discover more info.
Do an snmpwalk on the device.
Use “Scan” and “Snooper” to see if it is active in wifi.
“Torch” or even “Packet Sniffer” the traffic, and block the device’s traffic if it is not found.
I’ve got a hAP ac2 whose MAC addresses start with the same prefix. However, it came with ROS 6.42.3 as factory software version and I think my device is an early one (with 256 MB RAM). I also think that 6.42 was the oldest ROS supporting that device model.
Which means MAC prefix won’t exactly help you identify device model.
Check the ip/neighbors on router for full details this device is sending: there should be name of the board, name of the device, assigned IPs, license ID, name of interface, uptime…
If speedtest server is enabled on the device, you can try running speedtest and then locating it based on packet counters on switches or routers.
Pinging it and then turning off ports until it stops responding also works, but it’s more tedious and better done at 3AM…
Finding a port where it’s connected should be a good first step in finding where it actually is.
Don’t waste your time too much on things like trying to login or using some fancy tools.
Do as was suggested earlier: log on to your (hopefully) managed LAN switches and simply locate the physical ports where this Mikrotik MAC is seen (if you use VLANs, trace it further down to the access switch where the MAC is seen).
Then ask somebody onsite to follow the cable…it should lead to the mysterious box.
If the unit is running such old RouterOS it might be completely compromised / hacked if it was ever accessible from the outside world…
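The MAC-tracing step suggested in the replies above, as an added example that is not part of the thread: given each switch's MAC forwarding table, it reports the port where the unknown MAC is learned and no other switch is reachable, which is the access port to follow the cable from. The two-column "MAC PORT" export format, the switch names, ports and all MAC addresses (apart from the b8:69:f4 prefix) are constructed assumptions, not real RouterOS or vendor output.

```python
def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_fdb(text):
    """Parse 'MAC PORT' lines (assumed export format) into {mac: port}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[normalize_mac(fields[0])] = fields[1]
    return table

def locate(target, fdbs, switch_macs):
    """Return [(switch, port)] where target is learned on a non-uplink port."""
    target = normalize_mac(target)
    infra = {normalize_mac(m) for m in switch_macs.values()}
    hits = []
    for switch, fdb in fdbs.items():
        port = fdb.get(target)
        if port is None:
            continue
        # A port that also learns another switch's MAC is an uplink, not the edge.
        if not any(p == port and m in infra for m, p in fdb.items()):
            hits.append((switch, port))
    return hits

# Constructed sample data: management MACs of three hypothetical switches.
SWITCH_MACS = {"core": "02:00:00:00:00:01", "access-1": "02:00:00:00:00:02",
               "access-2": "02:00:00:00:00:03"}
TARGET = "b8:69:f4:00:00:01"  # prefix from the thread, remaining digits constructed
FDBS = {
    "core": parse_fdb("# constructed\nb8:69:f4:00:00:01 sfp1\n"
                      "02:00:00:00:00:03 sfp1\n02:00:00:00:00:02 sfp2\n"),
    "access-1": parse_fdb("b8:69:f4:00:00:01 ether24\n02:00:00:00:00:01 ether24\n"),
    "access-2": parse_fdb("B869.F400.0001 ether7\n02:00:00:00:00:01 ether24\n"),
}

if __name__ == "__main__":
    for switch, port in locate(TARGET, FDBS, SWITCH_MACS):
        print(f"{TARGET} is attached at {switch} port {port}")
```

If the reported port also carries several other unknown MACs, an unmanaged switch or access point probably sits behind it and the cable trace continues from there.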