How to determine the IP addresses and subnets if there's no DHCP server

arch_eldeeb
I tried to connect to a network that has some clients with manually assigned IPs and no DHCP server at all. When I attach my PC to the network it just keeps sending DHCP DISCOVER packets without any reply and ends up with APIPA, and it becomes isolated because of the different subnets.

==My Question==
How can I know the subnets and the static IPs of a network that has no DHCP server, since I can't just try all the private class A, B and C subnets one by one :).

And yes, thank you, I know that I can ask one of the already connected clients about their IP data and that's what I've done, but I'll appreciate a "network tool or method" to follow.
Thanks
    0 Votes
    Nonapeptide

    That's also a problem that I've been wanting to solve for a while. The only solution that I can come up with (unless I'm overlooking something glaringly obvious) is to write a program that assigns your machine an IP address and subnet mask and then either passively listens for any kind of broadcast traffic or actively ping/SNMP/NetBIOS scans a few common IP addresses (.1, .2, .3 for example) and a few random IP addresses. If no response, then it would change your IP and subnet mask and try the process again. I imagine that a utility like this would check for the most common address ranges and subnet masks first before moving to more obscure ones (e.g. 192.168.0.0/16 and 10.0.0.0 /8 or /16 would be tested before 172.23.8.0 / 20 or 192.168.128.0 / 17).

    To my knowledge, a tool like that does not exist, so my ramblings are not helping you any. :)

    Does anyone know of such a tool? If not, any suggestions on what language would be a good fit for it? Whatever it is, it better look like C if I'm going to have anything to do with it. :)

    This makes me wonder if Fluke has already put something like this in their hardware... hmmm... if not, maybe they could hire me... :)

    0 Votes
    CG IT

    There is a tool, but you have to modify it.

    The Wake-on-LAN tools all do discovery for both IP and MAC addresses, BUT you already have to be "on the network" to run discovery.

    With a little fun programming, you can make a Wake-on-LAN tool do other things like sniff, determine, query, broadcast, configure.

    0 Votes
    Nonapeptide

    ...physically or logically? If I need to be logically on the network (correct IP and subnet) I fail to see how to apply this to the situation.

    Pardon the confusion, but I'm a bit fuzzy on this scenario. Of course, not having experience with WoL doesn't help either.

    One more thing has been added to my "Google this someday" list. I guess I'll just go read the Wikipedia article first. I've already got too many things I need to learn!!! ::breathes into paper bag::

    :)

    0 Votes
    arch_eldeeb

    Thanks a lot for the idea, will dig into it and see where I get.
    I'm not a programming guru, but I have friends who are; I will ask them to help and will keep you updated if I reach something.

    0 Votes
    arch_eldeeb

    You know, I have a program that scans for live hosts in my subnet. I tried something stupid and it didn't work ("wondering why?!!").
    I assigned myself a class C IP address 192.168.0.2, gave myself a class B subnet mask 255.255.0.0, and asked the program to scan my subnet. It went from 192.168.0.0 to 192.168.254.254, so I'm done with the private class C, but then I remembered that even if my ping reached 192.168.122.45, for example, the reply won't reach me because I'm not in ITS subnet.
    Any other ideas, please??

    0 Votes
    Nonapeptide

    Like I said, I've wanted a solution to this problem too.

    Looks like someone will have to code a solution, but my programming skills stop at helloWorld();

    0 Votes
    CG IT

    You need to capture packets, strip away NAT and you can see the source IP address. From the source IP address you can determine the subnet mask.

    That's one way.

    Now you can create a program to query a LAN which will reveal its addressing scheme, that is IF you can gain access to the private LAN. You don't need to know the addressing to gain access to the private LAN, just the ability to look at LAN traffic.

    Also a lot of businesses and residences use DHCP, which provides addressing to clients that do not have addressing.

    You can send DHCP discover packets to determine if there is a DHCP server running. If you get the ACK packet, you can, with some more manipulation, get addressing.

    I'm certainly not going to tell someone how to hack, by providing code, or providing information on exploits. All the above ideas have been around since networking has been around.

    Heck, Cisco Systems has their own network discovery code which will provide information on routers and switches at a pod, campus, regional level.

    0 Votes
    Nonapeptide

    I've been too busy to experiment the way I want to.

    I figured that regardless of a NIC's configuration, the electric pulses are still hitting the card. It just seemed that without the proper IP addy and subnet mask an analyzer wouldn't work. My original train of thought on the subject said "just open Ethereal and listen for broadcast traffic", but no such thing when I tried. I recently was introduced to a network that I knew nothing about. I was connected to the LAN and opened MS Network Monitor 3.0 but ::slaps forehead:: can't capture traffic without a configured NIC. Can't configure NIC without traffic to figure out the address scheme. Can't capture traffic... can't configure NIC.. can't... Argh.

    Simplified: In my (admittedly limited) experience one needs a LAN address to look at LAN traffic on a PC.

    Tell me I'm wrong, please. :)

    0 Votes
    arch_eldeeb

    I was just curious to know, if I did this to my network, whether it is going to be hard to determine the IPs or not.
    We have to think like them if we want to be protected from them :)
    And I tried Wireshark, looks promising, also "Snort", but that looks complicated.
    Thanks for the help.

    0 Votes
    robo_dev

    And there also are typically misconfigured devices on most networks that also give some info.

    0 Votes

    Hm

    wesley.chin

    What is the OS? If OS is XP, type "cmd" in Run under the Start Menu, then type "ipconfig", and hit enter on the keyboard.

    If the OS is XP, the information you are seeking should be returned.

    0 Votes

    Hi

    ramuvr

    How can I know the subnets and the static IPs of the network that has no DHCP servers?

    Answer:

    Well, I have no idea,

    Let's give this a try:

    cmd> ipconfig /displaydns

    Well, that will give you your host file entries and maybe about one good IP for you to play around with. Give it 100+ that IP and try.

    0 Votes
    arch_eldeeb

    This will work only if I already have an IP.

    0 Votes
    robo_dev

    Ethereal or Wireshark are protocol analyzers. They will show you the traffic that they can see, and you should be able to determine the network information without any difficulty.
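    Added example (editor's illustration, not code from any poster in this thread) of the point CG IT and robo_dev make above: once a capture tool can see the LAN's broadcast traffic, the source addresses in it give the addressing scheme away, which is why the OP's "no DHCP" setup is not a security control. The script parses constructed Ethernet+ARP frames (ARP requests are broadcast, so every host on the segment sees them), collects the sender IPv4 addresses, and computes the smallest CIDR block that contains all of them. The frames, MAC addresses and the 172.23.8.0 range are constructed sample data; the function names are the author's own. Two caveats the code makes explicit: the computed block is only a lower bound (the real mask may be wider), and an empty capture yields nothing, so the method depends entirely on other hosts talking.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6


def build_frame(src_mac, sender_ip, target_ip, ethertype=ETHERTYPE_ARP):
    """Build a 42-byte Ethernet II frame carrying an ARP request.
    Only used to construct the sample capture below; a real run would
    read frames from a pcap file or a raw socket instead."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)        # htype, ptype, hlen, plen, request
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed        # sender MAC / sender IP
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed   # target MAC (unknown) / target IP
    return BROADCAST_MAC + src_mac + struct.pack("!H", ethertype) + arp


def arp_sender(frame):
    """Return the sender IPv4 address of an ARP-over-Ethernet frame,
    or None if the frame is not ARP or carries no usable sender address."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sender = ipaddress.IPv4Address(frame[28:32])
    if sender.is_unspecified:  # 0.0.0.0: an ARP probe from a host still checking for duplicates
        return None
    return sender


def enclosing_network(addresses):
    """Smallest IPv4 CIDR block that contains every observed address.
    This is a lower bound on the real subnet: the actual mask may be wider."""
    ints = sorted(int(a) for a in addresses)
    if not ints:
        return None
    lo, hi = ints[0], ints[-1]
    prefix = 32 - (lo ^ hi).bit_length()  # bits shared by the lowest and highest address
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False)


def infer_from_capture(frames):
    """Walk raw frames and report (sorted hosts seen, block covering them)."""
    seen = {addr for addr in map(arp_sender, frames) if addr is not None}
    return sorted(seen), enclosing_network(seen)


# Constructed sample capture: three statically addressed hosts sending ARP
# requests, one ARP probe from 0.0.0.0, and one non-ARP (IPv4) frame.
SAMPLE_FRAMES = [
    build_frame(b"\x02\x00\x00\x00\x00\x01", "172.23.8.10", "172.23.8.1"),
    build_frame(b"\x02\x00\x00\x00\x00\x02", "172.23.9.77", "172.23.8.1"),
    build_frame(b"\x02\x00\x00\x00\x00\x03", "172.23.15.3", "172.23.9.77"),
    build_frame(b"\x02\x00\x00\x00\x00\x04", "0.0.0.0", "172.23.8.50"),
    build_frame(b"\x02\x00\x00\x00\x00\x01", "172.23.8.10", "172.23.8.1",
                ethertype=ETHERTYPE_IPV4),
]

if __name__ == "__main__":
    hosts, block = infer_from_capture(SAMPLE_FRAMES)
    print("hosts seen:", [str(h) for h in hosts])
    print("smallest covering block:", block)  # 172.23.8.0/21
```

    With the sample frames the three real senders are kept, the 0.0.0.0 probe and the IPv4 frame are dropped, and the covering block comes out as 172.23.8.0/21. A tighter block than the true subnet is the expected result with few hosts, so a defender reviewing this should treat the output as "at least this range", not as the configured mask.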

    0 Votes

    +1

    DanKe

    Easy peasy.

    Or you could just look at the IP configuration of another machine... :)

    0 Votes
    arch_eldeeb

    Please everyone, that scenario is imaginary. I just wanted to know, if I did it to my network, whether this would help increase security.
    And the answer is no!! It can be determined by software like Wireshark and Snort, as CG IT and robo_dev said.

    Thank you CG IT and robo_dev.

    0 Votes
    iamnot

    So, it may work if there are other people using the network, so, yes, of course, you could go check out their machines.
    But, if you wanted to get into a WLAN that had no DHCP, and NO ONE ELSE WAS CONNECTED, then you can sniff all day with Ethereal and sniff out nothing. So, the imaginary scenario (which should have been disclosed during the initial question to get the right answer) is, yes, you can disable DHCP and someone would have to know the subnet to get on, and NO, Ethereal would NOT work since it relies on connected traffic. Obviously, as the author said in the beginning, if they had connected traffic, they could go over to another computer and type in the IP...
    Why I replied to this is to hopefully help someone else who wastes their time downloading a 24MB Ethereal file that does nothing....
