Security Basics mailing list archives

Re: how to find a static IP


From: "Tim Clewlow" <tim () clewlow org>
Date: Fri, 17 Jul 2009 04:34:59 +1000 (EST)


Hi there, I managed to extract an IP address using the following
method - and it's nice and quick too. I used FreeBSD to do this, but
I'm guessing it should work on any *nix based system.

To start, comment out all the networking stuff in your rc files and
reboot, this will give you a nice clean, ie empty, arp table to work
from. I'll also show you what 'ifconfig' says about my network card
at the moment so you can see how things change as we play with it.

# ifconfig
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Ok, you can see the device is named 'em0' and has a MAC address of
00:0d:60:77:fc:f1 - also it is active, which means it is plugged
into something, ie the other device with currently unknown IP.

Now we are going to search the first half of all inet4 number ranges
by assigning rather unusual parameters to the network card:

# ifconfig em0 0.0.0.1 netmask 128.0.0.0
#

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        inet 0.0.0.1 netmask 0x80000000 broadcast 127.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Now you see it has address 0.0.0.1 and broadcasts on 127.255.255.255
- in other words it will cover the first half of the inet4 numbered
domain. Next, use netstat to trigger some arp requests:

# netstat -a -I em0
Name    Mtu Network       Address
em0    1500 <Link#1>      00:0d:60:77:fc:f1
                          01:00:5e:00:00:01
em0    1500 0.0.0.0/1     0.0.0.1
                          224.0.0.1
#

And finally use the 'arp' command to query the arp table to see what
we got:

# arp -a
#

Nothing there ?!!?!? - that's ok, we only searched the first half
remember, now we will set up to check the second half of the inet4
domain.

# ifconfig em0 128.0.0.1 netmask 128.0.0.0
#

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        inet 128.0.0.1 netmask 0x80000000 broadcast 225.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Now you see it has address 128.0.0.1 and broadcasts on
225.255.255.255 - in other words it will cover the second half of
the inet4 numbered domain. Again, use netstat to trigger some arp
requests:

# netstat -a -I em0
Name    Mtu Network       Address
em0    1500 <Link#1>      00:0d:60:77:fc:f1
                          01:00:5e:00:00:01
em0    1500 0.0.0.0/1     128.0.0.1
                          224.0.0.1
#

And the 'arp' command to query the arp table to see what we got this
time:

# arp -a
? (192.168.1.1) at 00:40:f4:98:96:1f on em0 [ethernet]
#

He he, that's my gateway - note the '?' at the front of the line - I
guess that means we aren't exactly doing normal things here, but who
cares, we found what we are looking for, we got an IP and a MAC
address - now it shouldn't be too hard to figure out the mask :-D

Cheers, Tim.

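As an added example (not from Tim's mail or from any of the other posters), here is a small Python helper that shows why the two /1 configurations above between them cover all of IPv4, and that pulls the IP/MAC pairs out of `arp -a` output such as the line Tim got. The sample ARP lines and hostnames in it are constructed, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `arp -a` output (not from a real host),
# modelled on the single line shown in the mail above.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:40:f4:98:96:1f on em0 [ethernet]
? (192.168.1.50) at (incomplete) on em0 [ethernet]
fileserver.lan (10.0.0.7) at 00:11:22:33:44:55 on em1 [ethernet]
"""

# host (ip) at mac on iface ...   -- a '?' as host means no reverse DNS name
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>[0-9A-Fa-f:]{17}|\(incomplete\)) on (?P<iface>\S+)"
)


def scan_window(address, netmask):
    """Range an interface configured as address/netmask treats as on-link.

    Anything in this range is ARPed for directly instead of being handed to
    a gateway, so it is what a probe from that interface can reach.
    Returns (first address, broadcast address, number of addresses).
    """
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def parse_arp_table(text):
    """Parse `arp -a` lines into dicts, skipping entries that never resolved."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m or m.group("mac") == "(incomplete)":
            continue
        entries.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "iface": m.group("iface"),
            "name": None if m.group("host") == "?" else m.group("host"),
        })
    return entries


def find_by_mac(text, mac):
    """Entries whose MAC matches one you already know, e.g. from the device label."""
    mac = mac.lower()
    return [e for e in parse_arp_table(text) if e["mac"] == mac]
```
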

One caveat to this I think, you'd need to be sniffing the target device
side of the router for the scan reply, because the target likely has no
route to the scanning laptop through the router. The target is likely
going to try to ARP its default gateway once it gets a valid scan packet
with the right target IP in it; that's what it will need to do to try to
reply, and that's how you'll know you stumbled onto the target's IP
address.

If this logic is wrong I'd love to hear from someone so I know for
future reference... I am basing this on my knowledge of how packets are
constructed for this puzzle.

-Mark Coleman



Mark wrote:
I think the answer might be this:

Get a router, one-armed is OK.

One side of the router will be your scanning laptop. Make up IP
addresses, for example make laptop 10.10.10.1 and router 10.10.10.2.
Use 10.10.10.2 as your default gateway in the laptop.

The second port (or second network on same port if one-armed) of the
router, make up another address. Say, 20.20.20.1. Add a static ARP
entry in the router for 20.20.20.2 to be the MAC address of the target
you are trying to identify, then make the default gateway of the router
20.20.20.2 (so your scanning packets will hit your target regardless
of what the dest IP is, and the router will construct every packet
with the dest MAC of your target machine).

I'd think that a long long scan of private networks would eventually
reveal the IP of the host.

If you know you didn't use a deep CIDR on the mask, you could also
just scan (or just ping?) the broadcasts of each network instead of
every IP in each network (192.168.1.255, 192.168.2.255, etc etc).
Use the above config and then instead of nmap just try pinging
192.168.1.255, 192.168.2.255 etc etc and find what network it's in for
starters.

If this works let us know, as I am sure we're all curious.

-Mark Coleman



Robin Wood wrote:
2009/7/15 Lord Lunatic <l0rd_lunatic () yahoo com>:

Get the MAC address (if not via sniff there have to be some stickers
with it on it) and make a static ARP entry on your client with a
free IP address of your subnet.

 arp -s 10.128.1.1 00:90:33:ff:dd:11

Then you should be able to reach it


That would get traffic to the box but would the box then drop the
traffic higher up the stack as the IP address wouldn't match?

If this does work then I'll be putting it in my bag of tricks because
it is a really useful idea.

Robin


Andre

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Cisternas
Marquez, Gonzalo
Sent: Tuesday, 14 July 2009 20:36
To: redhavoc; security-basics () securityfocus com
Subject: RE: how to find a static IP

Nick:

Use a cross cable with a Linux box and send "ping -b
255.255.255.255". "-b" for broadcast.

Usually the "Net management port" of SUN servers is 10Mb autosense
only. Try to connect with the serial management port (a light blue
Cisco cable will work). The user could be "admin".

Using the sys-unconfig script will not erase the contents of the
RSC/ALOM/Ilom/ELOM/SXCP management port.

I hope this could help.

G.C.
-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of redhavoc
Sent: Tuesday, 14 July 2009 11:46
To: security-basics () securityfocus com
Subject: how to find a static IP


Hello people,

I have inherited a new SUN server, and while running the
sys-unconfig command I have sort of messed it up. I know it has an
ethernet management port configured with a static IP, but I do not
know this IP.

My idea was to connect this server and a computer on to a switch,
boot a Linux and port scan every internet address. Since it's a
private LAN I would not be bothering anyone else. Since there is no
DHCP and I want no routing I started the ethernet using

ifconfig eth0 1.1.1.1 netmask 0.0.0.0 up

The device started, but when I use nmap to scan IPs it does not know
how to route packets.

So the question is ... how do I scan every possible address in a
private network. Also, is there a better way to find this static
IP ?

Regards
Nick





------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate. We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You
will find out how to test, purchase, install and use a thawte
Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1

------------------------------------------------------------------------

-- 
The code that never executes at all is the fastest.
