ESN 59357-091110-510704-30



Fishing for an unknown device

2009/11/10

A customer bought a Linksys print server. It comes with a Windows CD that is supposed to allow you to configure the box, but with his Windows Vista machines, the print server couldn't be found. Probably the software doesn't work well with Vista.

More aggravatingly, I couldn't find a MAC address printed anywhere on the device, so I couldn't set an IP with arp -s (which then would have let me finish configuring the device using a browser).

What to do?

If you have a DHCP server anywhere in the network, the device will have obtained an IP address. The DHCP server should be able to show you addresses it has passed out. The only problem is recognizing it - if the server doesn't bother to show you when the DHCP lease was acquired, it may not be easy to spot the new addition.

That was my problem - too many leases and, without the MAC address (and with too many Linksys devices scattered about to start with), I couldn't spot it. Well, that's not entirely true: I probably could have, but I was also pressed for time: this was a Boston job, it was getting later in the day, and the last thing I want to do is be in Expressway traffic much after 2:00 PM.

So... I threw the Linksys in my car and drove home, avoiding rush hour by a comfortable margin.

Back home, I hooked up the print server to my network and was able to quickly spot it in the router's DHCP list. I typed that IP into a browser and now had access to the print server admin screens. That's great, but the customer's network is 192.168.24.0 and mine is 192.168.113.0. Simple enough to change that - I knew an available IP on their network, so I typed it in. Of course, immediately after doing so, I no longer had access to the print server, right?

Well, no. All I need to do is temporarily change my machine to use something in that range. The Ethernet cables don't care if some of the devices are using one IP scheme and some are using others (a smart switch might care, but inexpensive little things like I use in my home do not).

Or I could use an alias. On the Mac, I'd do:

sudo ifconfig en0 alias 192.168.24.12 netmask 255.255.255.0

For Linux, I'd do:

ifconfig eth0:0 192.168.24.12

(See Multiple IP addresses on one interface)

But what if I didn't have a DHCP server? The Linksys probably comes configured with some IP address (even if it is 0.0.0.0). If I don't know the MAC, and it isn't getting an IP from DHCP, how can I find it?

Ahh, that's not so easy. You could guess at the IP range: many devices default to 192.168.1.x or 192.168.2.x addresses; setting your machine to something in that range (or using an alias) would let you do a discovery ping (ping 192.168.1.255) or use a ping sweep such as "nmap -sP 192.168.4.0/24", but you might not find it if it isn't responding to ICMP. Yes, "nmap" can do a UDP scan, but again - who says this device will respond?

Well, nmap can test against ports you know it will respond on. For example, that print server is going to be listening on port 80. I could do nmap -p 80 192.168.11.0/24 - but again, I'm assuming the IP range, and my machine must be configured to be able to access that range. You can't use nmap to discover devices on networks your machine can't talk to.

So what else can we do? I'm not aware of any generic layer 2 discovery software (just because I'm not aware of it doesn't mean it doesn't exist!), but you can use tcpdump. The problem is filtering out all the unrelated traffic. For example, I changed a spare Windows laptop to use 172.16.48.9 - that's outside of my normal network. In a few seconds, a "sudo tcpdump | grep 172.16" started showing activity:

11:31:05.578203 IP 172.16.48.9 > igmp.mcast.net: igmp v3 report, 1 group record(s)
11:31:05.579545 ARP, Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:05.883441 ARP, Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:06.517325 IP 172.16.48.9 > igmp.mcast.net: igmp v3 report, 1 group record(s)

But that was only easy to find because I knew I was looking for 172.16.

I could do "sudo tcpdump -n | grep -v 192.168" to cut down a lot of the noise - but if the device I want is in that range, I won't see it, so I have to be careful about what I exclude. Also, this depends upon the device being noisy - though at a power cycle almost any network device has to make SOME network noise.

A better way might be to use a Perl or Awk script that would sample tcpdump and extract unique IP addresses. That's not hard:

#!/usr/bin/perl
# Reads "sudo tcpdump -n" output (-n so addresses are numeric, not hostnames)
# and prints each source > destination pair the first time it is seen.
use strict;
use warnings;
my %stored;
while (<>) {
    my @stuff = split /\s+/;
    next unless defined $stuff[1] && $stuff[1] eq "IP";   # "eq", not "==": string compare
    # fields look like 172.16.48.9.5353 > 224.0.0.251.5353: ... ; the first
    # four numbers are the address, so sprintf("%d.%d.%d.%d") drops any port
    my $ip  = sprintf("%d.%d.%d.%d", split /\./, $stuff[2]);
    my $ip2 = sprintf("%d.%d.%d.%d", split /\./, $stuff[4]);
    if (not $stored{"$ip > $ip2"}) {
        print "$ip > $ip2 seen\n";
        $stored{"$ip > $ip2"} = 1;
    }
}

I changed the Windows box to 172.16.13.98 and very quickly saw:

192.168.113.2 > 64.226.42.29 seen
64.226.42.29 > 192.168.113.2 seen
192.168.113.2 > 66.249.81.100 seen
66.249.81.100 > 192.168.113.2 seen
192.168.113.2 > 74.125.93.100 seen
172.16.13.98 > 224.0.0.251 seen
74.125.93.118 > 192.168.113.2 seen
192.168.113.2 > 74.125.93.118 seen
172.16.3.98 > 224.0.0.22 seen
0.0.0.0 > 172.16.3.98 seen
192.168.113.2 > 66.249.80.83 seen
66.249.80.83 > 192.168.113.2 seen
172.16.3.98 > 224.0.0.251 seen
172.16.3.98 > 239.255.255.250 seen


Fairly easy to spot that (and eliminating 192.168 addresses would have made it even easier) - though for this, a simple sudo tcpdump -n | grep "who-has" would have worked well, too. The Perl script has the advantage of spotting any kind of activity (and just might show you activity you didn't expect!).
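The following is an added example, not code from the original article, that takes the Perl idea one step further and also addresses the "be careful about what I exclude" problem above. Instead of grepping out known subnets, it takes an allow-list of prefixes you already know, so an unknown device can never be dropped by accident, and it reads tcpdump's -e output so the source MAC of each frame (the thing the label didn't give me) is printed next to the address. It handles both ARP (who-has/tell and is-at) and IPv4 lines, reporting each MAC/IP pair once. The function names (find_strangers, demo) are mine, the line format assumed is that of "tcpdump -n -e", and the sample frames in demo are constructed with made-up locally administered MACs.

```shell
#!/bin/sh
# Added example, not from the original article. Reads "sudo tcpdump -n -e"
# output and prints, once per pair, each source MAC and IP that is NOT in a
# subnet you already know. Two differences from "grep -v 192.168": the known
# prefixes are an allow-list, so an unknown device can never be excluded by
# accident, and tcpdump's -e option shows the MAC address the box does not
# print on its label. Sample frames are constructed; the MACs are made up.

# usage: find_strangers "192.168.113. 10." < tcpdump-output
find_strangers() {
    awk -v known="$1" '
    BEGIN { n = split(known, pfx, " ") }
    function is_known(ip,   i) {
        for (i = 1; i <= n; i++) if (index(ip, pfx[i]) == 1) return 1
        return 0
    }
    function report(mac, ip) {
        if (is_known(ip)) return
        if (!seen[mac " " ip]++) print mac " " ip
    }
    # with -e, field 2 is always the source MAC of the frame
    /ethertype ARP/ {
        # Request who-has A tell B   -> B is the sender
        # Reply A is-at MAC          -> A is the sender
        for (i = 1; i <= NF; i++) {
            if ($i == "tell") { ip = $(i+1); sub(/,$/, "", ip); report($2, ip) }
            if ($i == "is-at") report($2, $(i-1))
        }
    }
    /ethertype IPv4/ {
        # ... length 54: 172.16.48.9.5353 > 224.0.0.251.5353: ...
        # the second ">" on the line separates source and destination
        ip = ""
        for (i = 4; i <= NF; i++) if ($i == ">") { ip = $(i-1); break }
        # keep the first four dotted numbers; anything after is a port
        if (split(ip, o, ".") >= 4) report($2, o[1] "." o[2] "." o[3] "." o[4])
    }'
}

# constructed tcpdump -n -e lines: one known host, a device that just came up
# on 172.16.48.9, and another at a factory-default 192.168.1.x address
demo() {
    find_strangers "192.168.113. 10." <<'EOF'
11:31:05.578203 02:00:00:00:00:01 > 01:00:5e:00:00:16, ethertype IPv4 (0x0800), length 54: 192.168.113.2 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:31:05.579545 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:05.883441 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:06.517325 02:00:00:00:00:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 82: 172.16.48.9.5353 > 224.0.0.251.5353: 0 [2q] PTR (QM)? _ipp._tcp.local. (40)
11:31:07.102938 02:00:00:00:00:01 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 74: 192.168.113.2.49152 > 64.226.42.29.80: Flags [S], seq 1, win 65535, length 0
11:31:08.000000 02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.100, length 46
EOF
}

demo
```

On a live box you would run "sudo tcpdump -n -e -i eth0 | find_strangers '192.168.24.'" and power-cycle the device; the first gratuitous ARP it sends on boot shows up as one MAC/IP line, which is enough to either browse to it or pin it with arp -s. Only two lines come out of the sample data, the stranger on 172.16.48.9 and the one at 192.168.1.100; the known 192.168.113.2 traffic and the repeated frames are suppressed.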

Did I miss anything? Do you have any tricks I forgot? Please do comment if you do.


Author: Anthony Lawrence
Publisher: Anthony Lawrence
Reference URL: http://aplawrence.com/Unixart/network-fishing.html
Copyright: All Rights Reserved
Registration Date: 11/10/2009 6:16:34 PM UTC