Possible to find out IP Range?

5no-yt5no-yt Member Posts: 79 ■■□□□□□□□□
Hi all,

Was chatting with a couple of workmates and a question came up.

Would it be possible to scan for the range of IP addresses in use on a wireless network that doesn't have DHCP?

I mean... When you connect to a network with your client trying to use DHCP when a DHCP server isn't present - you get the 192.194.... address.

Possible to find out what the network is using?



Regards,
C:4
Security is like exercise: everyone talks about it, but not many people do it.
-J.R.Purser

Comments

  • KGhaleonKGhaleon Member Posts: 1,346 ■■■□□□□□□□
    If a DHCP server isn't present, you're going to get an APIPA address starting with 169. I believe it's possible to get an address from a DHCP server located on another subnet, though. Not sure what you're asking.

    I don't know any way to find out what addresses are usable on the subnet without looking at the server. You could use a program like angry IP but it will show you all 256 addresses, I believe.
    Present goals: MCAS, MCSA, 70-680
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    You can use something like Wireshark or TCPDump in promiscuous mode or better yet EttercapNG and sniff the traffic for a while. You should be able to identify IP addresses in use that way. Several scanners come to mind, but in most you specify the range you want to scan so you'd be hit or miss guessing until you found some live ones.
    All things are possible, only believe.
  • Silver BulletSilver Bullet Member Posts: 676
    Angry IP scanner will scan ranges that you specify. You can specify any range from 0.0.0.0 through 255.255.255.255 or 192.168.1.0 through 192.168.1.255. It will then check each address and the results show if the address is Dead or Alive.

    http://www.angryziber.com/ipscan/

    For more detailed network sniffing, you will need something like sprkymrk suggested.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Using Wireshark and looking for ARP traffic will give you some of the addresses in use on the subnet, at least a default gateway address, then you can pick an address next to that and use a standard IP scanner to test a range of addresses.
    The only easy day was yesterday!
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,170 Admin
    How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    JDMurray wrote:
    How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?

    Once you find a couple, you can ping the range it's supposed to be by default and see where the replies come from. If you get replies all over the range then you can sweep a wider range until you don't get any more replies outside a certain number. If you only get replies from a few hosts close together in the range, you can do the math.

    Either way, depending on why you want to do this in the first place, close is probably good enough.
    All things are possible, only believe.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    JDMurray wrote:
    How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?

    I find most network admins will assign the default gateway as the lowest address or the highest address in the range, then I use that to figure what a logical netmask might be. For example, if I see lots of ARP requests for 192.168.100.30 (guessing this is the default gateway), I would assume it's a /27 or longer, then try to ping some addresses, or ARP sweep for them (seems to work better even if ICMP is disabled due to a personal firewall).
    The only easy day was yesterday!
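
The netmask reasoning in the last two replies, worked through as an added example (not code posted by anyone in the thread): it lists the prefix lengths for which a suspected gateway is the lowest or highest usable host, then keeps only those that also contain every other address seen. The function names and the `OBSERVED` addresses are constructed for illustration; the code does offline arithmetic only and sends no traffic.

```python
import ipaddress

# Constructed sample: addresses assumed to have been seen in ARP traffic.
GATEWAY = "192.168.100.30"
OBSERVED = ["192.168.100.5", "192.168.100.19", "192.168.100.22", GATEWAY]


def candidate_prefixes(gateway, min_prefix=16, max_prefix=30):
    """Networks in which `gateway` is the lowest or highest usable host."""
    gw = ipaddress.IPv4Address(gateway)
    found = []
    for plen in range(min_prefix, max_prefix + 1):
        net = ipaddress.IPv4Network(f"{gateway}/{plen}", strict=False)
        if gw == net.network_address + 1:
            found.append((net, "lowest"))
        elif gw == net.broadcast_address - 1:
            found.append((net, "highest"))
    return found


def smallest_covering_network(addresses):
    """Smallest single CIDR block that contains every observed address."""
    values = sorted(int(ipaddress.IPv4Address(a)) for a in addresses)
    lo, hi = values[0], values[-1]
    # Bits that differ between the lowest and highest address are host bits.
    plen = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, plen), strict=False)


def narrow(gateway, observed):
    """Gateway-heuristic candidates that fit all observed hosts."""
    hosts = [ipaddress.IPv4Address(a) for a in observed]
    keep = []
    for net, _position in candidate_prefixes(gateway):
        reserved = (net.network_address, net.broadcast_address)
        if all(h in net and h not in reserved for h in hosts):
            keep.append(net)
    return keep


if __name__ == "__main__":
    for net, position in candidate_prefixes(GATEWAY):
        print(f"{net}: gateway is the {position} usable host")
    print("smallest block covering observations:",
          smallest_covering_network(OBSERVED))
    print("consistent with both:", narrow(GATEWAY, OBSERVED))
```

A gateway on the lowest address (for example 10.0.0.1) matches every prefix length in the searched range, so in that case only the spread of observed hosts narrows the mask.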