Possible to find out IP Range?

Hi all,

Was chatting with a couple of workmates and a question came up.

Would it be possible to scan for the range of IP addresses in use on a wireless network that doesn't have DHCP?

I mean... When you connect to a network with your client trying to use DHCP when a DHCP server isn't present - you get the 192.194.... address.

Possible to find out what the network is using?

Regards,
C:4

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

KGhaleon

If a DHCP server isn't present, your going to get an APIPA address starting with 169. I believe it's possible to get an address from a DHCP server located on another subnet, though. Not sure what your asking.

I don't know any way to find out what addresses are usable on the subnet without looking at the server. You could user a program like angry IP but it will show you all 256 addresses, I believe.

sprkymrk

You can use something like wireshark or TCPDump in promiscuous mode or better yet EttercapNG and sniff the traffic for a while. You should be able to identify IP addresses in use that way. Several scanners come to mind, but in most you specify the range you want to scan so you'd be hit or miss guessing until you found some live ones.

Silver Bullet

Angry IP scanner will scan ranges that you specify. You can specify any range from 0.0.0.0 through 255.255.255.255 or 192.168.1.0 through 192.168.1.255. It will then check each address and the results show if the address is Dead or Alive.

http://www.angryziber.com/ipscan/

For more detailed network sniffing then you will need something like sprkymrk suggested

dtlokee

Using Wireshark and looking for arp traffic will give you some of the addresses in use on the subnet, atleast a default gateway address, then you can pick an address next to that and use a standard IP scanner to test a range of addresses.

JDMurray

How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?

sprkymrk

JDMurray wrote:

How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?

Once you find a couple, you can ping the range it's supposed to be by default and see where the replies come from. If you get replies all over the range then you can sweep a wider range until you don't get anymore replies outside a certain number. If you only get replies from a few hosts close together in the range, you can do the math.

Either way, depending on why you want to do this in the first place, close is proboably good enough.

dtlokee

JDMurray wrote:

How would you guys go about finding the netmask used by the wireless network? You can't always correctly assume the netmask from the IP address, so what would you do to find out what the netmask actually is?

I find most network admins will assign the default gateway as the lowest address or the highest address in the range, then I use that to figure what a logical netmask might be. For example if I see lots of arp requests for 192.168.100.30 (guessing this is the default gateway), I would asume it's a /27 or longer then try to ping some addresses, or arp sweep for them (seems to work better even is ICMP is disabled due to a personal firewall)