Security Basics mailing list archives
Re: how to find a static IP
From: "Tim Clewlow" <tim () clewlow org>
Date: Fri, 17 Jul 2009 04:34:59 +1000 (EST)
Hi there,

I managed to extract an IP address using the following method - and it's nice and quick too. I used FreeBSD to do this, but I'm guessing it should work on any *nix based system.

To start, comment out all the networking stuff in your rc files and reboot; this will give you a nice clean, i.e. empty, arp table to work from. I'll also show you what 'ifconfig' says about my network card at the moment so you can see how things change as we play with it.

# ifconfig
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Ok, you can see the device is named 'em0' and has a MAC address of 00:0d:60:77:fc:f1 - also it is active, which means it is plugged into something, i.e. the other device with the currently unknown IP. Now we are going to search the first half of all inet4 number ranges by assigning rather unusual parameters to the network card:

# ifconfig em0 0.0.0.1 netmask 128.0.0.0
#
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        inet 0.0.0.1 netmask 0x80000000 broadcast 127.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Now you see it has address 0.0.0.1 and broadcasts on 127.255.255.255 - in other words it will cover the first half of the inet4 numbered domain. Next, use netstat to trigger some arp requests:

# netstat -a -I em0
Name  Mtu Network       Address
em0  1500 <Link#1>      00:0d:60:77:fc:f1
                        01:00:5e:00:00:01
em0  1500 0.0.0.0/1     0.0.0.1
                        224.0.0.1
#

And finally use the 'arp' command to query the arp table to see what we got:

# arp -a
#

Nothing there ?!!?!? - that's ok, we only searched the first half, remember; now we will set up to check the second half of the inet4 domain.

# ifconfig em0 128.0.0.1 netmask 128.0.0.0
#
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0d:60:77:fc:f1
        inet 128.0.0.1 netmask 0x80000000 broadcast 225.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
#

Now you see it has address 128.0.0.1 and broadcasts on 225.255.255.255 - in other words it will cover the second half of the inet4 numbered domain. Again, use netstat to trigger some arp requests:

# netstat -a -I em0
Name  Mtu Network       Address
em0  1500 <Link#1>      00:0d:60:77:fc:f1
                        01:00:5e:00:00:01
em0  1500 0.0.0.0/1     128.0.0.1
                        224.0.0.1
#

And the 'arp' command to query the arp table to see what we got this time:

# arp -a
? (192.168.1.1) at 00:40:f4:98:96:1f on em0 [ethernet]
#

He he, that's my gateway - note the '?' at the front of the line - I guess that means we aren't exactly doing normal things here, but who cares, we found what we are looking for, we got an IP and a MAC address - now it shouldn't be too hard to figure out the mask :-D

Cheers, Tim.
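An added example, not from Tim's post or anyone on the list, that shows the protocol fact his arp table entry relies on: the gateway's own ARP traffic, not anything sent to it, is what exposes its IP and MAC, so a passive capture on the segment (or an audit of your own hosts) sees the same thing. It parses constructed ARP frames offline and goes slightly beyond the post by also flagging gratuitous ARP and skipping 0.0.0.0 probe senders; the gateway IP/MAC mirror the output above, while the server MAC 00:03:ba:11:22:33 and IP 192.168.1.50 are made-up sample values.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen oper sha spa tha tpa
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: str(ipaddress.IPv4Address(b))

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack(frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"op": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
            "gratuitous": spa == tpa}  # a host announcing its own address

def build_arp_frame(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Construct a broadcast ARP frame so the example runs without a live NIC."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, ipaddress.IPv4Address(spa).packed,
                       tha, ipaddress.IPv4Address(tpa).packed)
    return b"\xff" * 6 + sha + struct.pack("!H", ETH_P_ARP) + arp

def discover_hosts(frames) -> dict:
    """Map IP -> MAC from the sender fields of every ARP frame seen: a host that
    ARPs for its gateway reveals its own static IP although nothing was sent to
    it. 0.0.0.0 senders (address-probe packets) carry no usable IP; skip them."""
    seen = {}
    for frame in frames:
        try:
            arp = parse_arp_frame(frame)
        except ValueError:
            continue  # not ARP, or truncated
        if arp["sender_ip"] != "0.0.0.0":
            seen[arp["sender_ip"]] = arp["sender_mac"]
    return seen

# Constructed sample traffic: the gateway values mirror the post above, the
# server's MAC and IP are made up. Frame 3 is an address probe from 0.0.0.0.
SERVER_MAC, GATEWAY_MAC = bytes.fromhex("0003ba112233"), bytes.fromhex("0040f498961f")
SAMPLE_FRAMES = [
    build_arp_frame(1, SERVER_MAC, "192.168.1.50", b"\x00" * 6, "192.168.1.1"),
    build_arp_frame(2, GATEWAY_MAC, "192.168.1.1", SERVER_MAC, "192.168.1.50"),
    build_arp_frame(1, SERVER_MAC, "0.0.0.0", b"\x00" * 6, "192.168.1.50"),
]
```

Feeding real frames from a raw socket or a pcap reader into discover_hosts gives the same IP-to-MAC table that 'arp -a' showed above, without configuring any odd netmask.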
One caveat to this I think: you'd need to be sniffing the target device side of the router for the scan reply, because the target likely has no route to the scanning laptop through the router. The target is going to likely try to arp its default gateway once it gets a valid scan packet with the right target IP in it; that's what it will need to do to try to reply, and that's how you'll know you stumbled onto the target's IP address. If this logic is wrong I'd love to hear from someone so I know for future reference... I am basing this on my knowledge of how packets are constructed for this puzzle.

-Mark Coleman

Mark wrote:
I think the answer might be this: Get a router, one armed is OK. One side of the router will be your scanning laptop. Make up IP addresses, for example make laptop 10.10.10.1 and router 10.10.10.2. Use 10.10.10.2 as your default gateway in the laptop. The second port (or second network on same port if one armed) of the router, make up another address. Say, 20.20.20.1. Add a static arp in the router for 20.20.20.2 to be the MAC address of the target you are trying to identify, then make the default gateway of the router 20.20.20.2 (so your scanning packets will hit your target regardless of what the dest IP is, and the router will construct every packet with the dest MAC of your target machine). I'd think that a long long scan of private networks would eventually reveal the IP of the host. If you know you didn't use a deep CIDR on the mask, you could also just scan (or just ping?) the broadcasts of each network instead of every IP in each network (192.168.1.255, 192.168.2.255, etc etc). Use the above config and then instead of nmap just try pinging 192.168.1.255, 192.168.2.255 etc etc and find what network it's in for starters. If this works let us know, as I am sure we're all curious.

-Mark Coleman

Robin Wood wrote:
2009/7/15 Lord Lunatic <l0rd_lunatic () yahoo com>:
Get the mac address (if not via sniff there have to be some stickers with it on it) and make a static arp entry on your client with a free IP address of your subnet.

arp -s 10.128.1.1 00:90:33:ff:dd:11

Then you should be able to reach it

That would get traffic to the box but would the box then drop the traffic higher up the stack as the IP address wouldn't match? If this does work then I'll be putting it in my bag of tricks because it is a really useful idea.

Robin

Andre

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Cisternas Marquez, Gonzalo
Sent: Tuesday, 14 July 2009 20:36
To: redhavoc; security-basics () securityfocus com
Subject: RE: how to find a static IP

Nick:
Use a cross cable with a Linux box and send "ping -b 255.255.255.255". "-b" for broadcast. Usually the "Net management port" of SUN servers is 10Mb autosense only. Try to connect with the Serial management port (a light blue Cisco cable will work). The user could be "admin". Using the sys-unconfig script will not erase the contents of the RSC/ALOM/Ilom/ELOM/SXCP management port. I hope this could help.

G.C.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of redhavoc
Sent: Tuesday, 14 July 2009 11:46
To: security-basics () securityfocus com
Subject: how to find a static IP

Hello people,
I have inherited a new SUN server, and while running the sys-unconfig command I have sort of messed it up. I know it has an ethernet management port configured with a static IP, but I do not know this IP. My idea was to connect this server and a computer on to a switch, boot a linux and port scan every internet address. Since it's a private LAN I would not be bothering anyone else.
Since there is no dhcp and I want no routing I started the ethernet using

ifconfig eth0 1.1.1.1 netmask 0.0.0.0 up

The device started, but when I use nmap to scan IPs it does not know how to route packets. So the question is ... how do I scan every possible address in a private network? Also, is there a better way to find this static IP?

Regards
Nick

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
-- The code that never executes at all is the fastest.