AP without DHCP

[dninja at gmail.com (Robin Wood)]

2009/11/12 Bert Van Kets <mailing at vankets.com>:
> Hi guys,
>
> I was wondering what methods or commands can be used to get past the
> following situation:
> You access a WiFi AP with WEP encryption, you get the key and can
> connect but do not get an IP address. I assume this is due to the use of
> fixed IPs only (no dhcp). How do you get past this? How do you get info
> in the IP range? Do I need to nMap scan every possible internal IP range???
> What if no clients are connected and Mac address filtering is switched
> on on top of the lack of dhcp? I luckily do have a client Mac address,
> but if I didn't have this it would be an extra hurdle.
> My knowledge and experience have encountered a concrete wall. How do I
> climb it?

If you have MAC address filtering and no traffic to get a MAC address
from then I'd say you were out of luck.

Once past filtering and you've managed to connect or just have the WEP key ...

You can sniff and decrypt data and just pick out IP addresses with
wireshark or tcpdump. Kismet will also tell you IP addresses or
subnets if it can work them out.

if there are no wireless clients then I'd still sniff traffic, there
will probably be broadcast traffic leaking out which should give IP
details away.

If it does come down to scanning then go for the common IP ranges
first, I doubt anyone would be using 10.241.0.0/16 for their subnet,
more likely something like 192.168.0.0/24 or something in the low 10.
range. Some research on the AP would also give you default IP ranges
that you could try, for example Fons are usually on 192.168.10.0/24.

Robin