User Tools

Site Tools


Action disabled: recent
find_ip

Finding IP addresses

Let's assume you must work in a network but they forgot to tell you the ip address range.

Passive sniffing

  • Simply use tcpdump, wireshark or any sniffer that displays the IP addresses of existing packets.
  • Eg:
# tcpdump -nnei eth1
13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53:  5597+ A? www.google.com. (32)
13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32.97.53 > 192.168.0.1 94.33387:  5597 4/0/0 ...

In this example, 192.168.0.194 is a host in the network, and 00:03:6f:e1:5b:21 is the mac address of the gateway. We don't know the ip address of the gateway yet, that would probably require waiting for an arp packet, or try guess it, or active scan.

DHCP discovery

  • If DHCP is enabled on the network, use a dhcp client or a fast discovery tool like DHD.
  • Eg:
# dhd
Sniffing on any
Injecting on eth1 (00:0b:16:a1:b2:c3)

 #0:
        SERVER-MAC: 00:03:6f:e1:5b:21
               IP: 192.168.0.1
        CLIENT-MAC: 00:0b:16:a1:b2:c3
               IP: 192.168.0.195
               MASK: 255.255.255.0
        GW: 192.168.0.1
        DNS: 192.168.0.1

 >> "0  "0  "0  "0

In this example, 192.168.0.1 with mac address 00:03:6f:e1:5b:21 is the gateway.

Active scan

  • Use a fast ARP scanner like netdiscover, or a multipurpose one like nmap, ettercap, etc.
  • Eg:
  # netdiscover -i eth1
  Currently scanning: 192.168.1.0/16   |   Our Mac is: 00:0b:16:a1:b2:c3

  2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
  _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
  -----------------------------------------------------------------------------
  192.168.0.1     00:03:6f:e1:5b:21    01    042   Telsey SPA
  192.168.0.194   00:1a:73:3f:7a:9d    01    060   Unknown vendor

In this example, there are 2 hosts from which 192.168.0.1 with mac address 00:03:6f:e1:5b:21 seems to be the gateway.

find_ip.txt · Last modified: 2008/02/17 13:58 by latinsud