find_ip [2008/02/17 13:40] – created latinsud
find_ip [2008/02/17 13:58] (current) – comment example latinsud
Line 1: Line 1:
 ====== Finding IP addresses ====== ====== Finding IP addresses ======
  
-Assume you must work in a network but they forgot to tell you the ip address range.+Let's assume you must work in a network but they forgot to tell you the ip address range. 
  
 ===== Passive sniffing ===== ===== Passive sniffing =====
  
   * Simply use tcpdump, wireshark or any sniffer that displays the IP addresses of existing packets.   * Simply use tcpdump, wireshark or any sniffer that displays the IP addresses of existing packets.
 +
 +  * Eg:
 +
 +  # tcpdump -nnei eth1
 +  13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53:  5597+ A? www.google.com. (32)
 +  13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32.97.53 > 192.168.0.1 94.33387:  5597 4/0/0 ...
 +In this example, ''192.168.0.194'' is a host in the network, and ''00:03:6f:e1:5b:21'' is the mac address of the gateway. We don't know the ip address of the gateway yet, that would probably require waiting for an arp packet, or try guess it, or active scan.
 +
  
 ===== DHCP discovery ===== ===== DHCP discovery =====
  
   * If DHCP is enabled on the network, use a dhcp client or a fast discovery tool like [[http://tv.latinsud.com/dhd/|DHD]].   * If DHCP is enabled on the network, use a dhcp client or a fast discovery tool like [[http://tv.latinsud.com/dhd/|DHD]].
 +
 +  * Eg:
 +<code>
 +# dhd
 +Sniffing on any
 +Injecting on eth1 (00:0b:16:a1:b2:c3)
 +
 + #0:
 +        SERVER-MAC: 00:03:6f:e1:5b:21
 +               IP: 192.168.0.1
 +        CLIENT-MAC: 00:0b:16:a1:b2:c3
 +               IP: 192.168.0.195
 +               MASK: 255.255.255.0
 +        GW: 192.168.0.1
 +        DNS: 192.168.0.1
 +
 + >> " " " "0
 +</code>
 +In this example, ''192.168.0.1'' with mac address ''00:03:6f:e1:5b:21'' is the gateway.
  
 ===== Active scan ===== ===== Active scan =====
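Review bot: the second tcpdump line in the passive sniffing example has a stray space in the client address (`192.168.0.1 94.33387`); the request on the line above shows the same flow as `192.168.0.194.33387`, so the reply should read `80.58.32.97.53 > 192.168.0.194.33387`, otherwise a reader may take `192.168.0.1` for the client. The explanation below it should also say why `00:03:6f:e1:5b:21` is taken to be the gateway MAC: the query is addressed to an off-link host (`80.58.32.97`), so the frame's destination MAC can only be the next hop, which is exactly the kind of inference a reader wants spelled out. Minor: "or try guess it, or active scan" reads better as "or try to guess it, or run an active scan"; the tcpdump example is indented rather than wrapped in `<code>` like the DHD and netdiscover examples; and the trailing `>> " " " "0` line in the DHD output looks like stray terminal output that could be dropped.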
Line 15: Line 43:
   * Use a fast ARP scanner like [[http://nixgeneration.com/~jaime/netdiscover/|netdiscover]], or a multipurpose one like nmap, ettercap, etc.   * Use a fast ARP scanner like [[http://nixgeneration.com/~jaime/netdiscover/|netdiscover]], or a multipurpose one like nmap, ettercap, etc.
  
 +  * Eg:
 +
 +<code>
 +  # netdiscover -i eth1
 +  Currently scanning: 192.168.1.0/16     Our Mac is: 00:0b:16:a1:b2:c3
 +
 +  2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
 +  _____________________________________________________________________________
 +   IP            At MAC Address      Count  Len   MAC Vendor
 +  -----------------------------------------------------------------------------
 +  192.168.0.1     00:03:6f:e1:5b:21    01    042   Telsey SPA
 +  192.168.0.194   00:1a:73:3f:7a:9d    01    060   Unknown vendor
 +</code>
 +In this example, there are 2 hosts from which ''192.168.0.1'' with mac address ''00:03:6f:e1:5b:21'' seems to be the gateway.
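Review bot: the closing sentence says `192.168.0.1` "seems to be the gateway" but gives no reason; the ARP scan alone only shows two live hosts, and the gateway guess rests on its MAC `00:03:6f:e1:5b:21` matching the next-hop MAC in the tcpdump capture and the SERVER-MAC in the DHD output above, so the text should say so (e.g. "whose MAC matches the one seen in the previous examples"). Wording: "there are 2 hosts from which ... seems to be the gateway" reads better as "two hosts are found, of which ... seems to be the gateway". It is also worth stating in the text that, unlike the two earlier methods, this one sends ARP requests across the whole scanned range, so it is visible to anyone monitoring the segment.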
find_ip.1203252048.txt.gz · Last modified: 2008/02/17 13:40 by latinsud