How do you find out the IP of an unknown device?


#1 riahc3

riahc3

    Neowin's most indecisive member

  • Tech Issues Solved: 11
  • Joined: 09-April 03
  • Location: Spain
  • OS: Windows 7
  • Phone: HTC Desire Z

Posted 13 March 2014 - 07:23

Hello,

 

If you want to find out an IP of an unknown device (you don't know its last 2 sections, you have no manual, default was changed, person that changed it is now dead :laugh: by that I mean no obvious answers), how do you do it?

 

Do you set a PC to 192.168.1.1 SUB: 255.255.0.0 GW: 192.168.1.1, connect it directly to the device, nmap a ping scan thru all ips and it should show up?

 

That's the way I do it but with something on my network.

 

Thank you



Best Answer +BudMan , 13 March 2014 - 15:56

While I agree that all networks are different and one tool might not be the best for a specific network, if it's a device you have your hands on you can always connect your laptop to the interface to sniff what it's sending. But sure, if you don't know where the device is in the DC and it's only unmanaged switches, you can have issues tracking something down for sure.

More than happy to discuss all the different ways that you could find an IP from a device in lots of different scenarios - since depending on the situation, different methodologies and/or tools may be leveraged for the best way to get the information you're seeking.

If you know it's DHCP, I would just look to DHCP leases - especially if you know the MAC from the outside of the device for example, or it's unique hardware so you would notice it from the first 3 of the MAC per a vendor lookup, or that it's different from all your other DHCP clients. Or you can boot it and see the timestamp on the lease and rule out your known devices, etc.

If it's something you bought off eBay or got 2nd hand and can not reset or console in, then I would connect it on an isolated network (say a laptop only with sniffer) and find its IP and then try to access the interface from that IP, etc. Or run a DHCP server on your laptop to give it an IP. I would be hesitant to just connect some 2nd hand device to a production type network without first looking at its config or reset, etc.

Scanners can come in very handy in mapping out a network when you don't have access to managed switches or devices are quiet - some will send out more noise than others, and if it's a busy network sometimes there can be a lot of noise to go through if you're just looking for devices on the network. Some devices might not even respond to a ping sweep though, and looking at traffic might be required to catch when they ARP for say their gateway IP, etc.

There are many variables that could come into play; every situation could be vastly different.




#2 Gerowen

Gerowen

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 28-August 05
  • Location: Hills of Kentucky
  • OS: Ubuntu Linux

Posted 13 March 2014 - 07:45

If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

You can get Angry IP Scanner at http://angryip.org/

Here's a screenshot of me running the Linux version.  They also have a Windows version.  It also has all sorts of right click options for hosts once the scan is complete.

Screenshot from 2014-03-13 03:45:37.png



#3 Original Poster

Original Poster

    Systems Developer

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7/8, Kali, ubuntu, OSx 10.9
  • Phone: Android

Posted 13 March 2014 - 11:55

If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

You can get Angry IP Scanner at http://angryip.org/

Here's a screenshot of me running the Linux version.  They also have a Windows version.  It also has all sorts of right click options for hosts once the scan is complete.

Screenshot from 2014-03-13 03:45:37.png

What if I want the MAC address as well? Getting the IP or MAC of a device is easy, but I want both of one device.



#4 OP riahc3


Posted 13 March 2014 - 11:59

Hello,

If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

It isn't a router nor is it a DHCP client. Its IP is already set as static.

#5 episode

episode

    Neowinian Fanatic

  • Tech Issues Solved: 3
  • Joined: 11-December 01

Posted 13 March 2014 - 12:02

Hello,
It isn't a router nor is it a DHCP client. Its IP is already set as static.

Yes, but the IP is presumably still in the range, unless the IP range has changed. It would show up in scans.

Advanced IP Scanner would give you the MAC as well. Don't know if Angry does but I would assume it does.



#6 OP riahc3


Posted 13 March 2014 - 12:04

Hello,

Yes, but the IP is presumably still in the range, unless the IP range has changed. It would show up in scans.
Advanced IP Scanner would give you the MAC as well. Don't know if Angry does but I would assume it does.

Range of what?

#7 watkinsx2

watkinsx2

    Neowinian

  • Joined: 11-December 01
  • Location: Hertfordshire
  • OS: Windows 7
  • Phone: HTC One/Lumia 920

Posted 13 March 2014 - 12:13

Hello,
Range of what?

 

IP Address Range.



#8 eXtermia

eXtermia

    Neowinian

  • Joined: 25-December 02
  • Location: Germany
  • Phone: Nokia 920 White+ Lumia 1020 64gb Yellow (telephonica no sim lock version)

Posted 13 March 2014 - 12:14

If you have a switch that does port mirroring, or all are plugged into a hub, you can connect a machine running Wireshark to the mirrored port and sniff traffic, looking for broadcasts and watching for unknown devices. Unless you know specifically the IP range they are using, this may be the most effective way. This will also sniff broadcasts of devices that may be non-pingable because of individual device or machine firewalls.



#9 ApuBo

ApuBo

    Great GRL/KAL gamer.

  • Joined: 04-February 08
  • Location: Greenland
  • OS: Windows
  • Phone: Android, SGS4

Posted 13 March 2014 - 12:35

You can use Nmap for it, to scan what it is, what OS it is running, and if it runs any services it will detect what it runs.

nmap.org. It runs on all, but I'm using the Windows one, so I don't know if it has all functions on other OSes :) Also it has been in 2 movies :o



#10 +GreenMartian

GreenMartian

    Neowinian Senior

  • Joined: 28-August 04
  • Location: adelaide, au

Posted 13 March 2014 - 12:39

I work with lots of IP-enabled devices in the office, a lot of them came from unknown Chinese manufacturers, with barely legible manuals (if you're lucky enough to even get one).

 

As eXtermia said above, just connect the device to your PC's ethernet, and use Wireshark to look for ARP Broadcast packets.

 

Here's something I found with a quick Googling:



#11 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 100
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 13 March 2014 - 12:42

What??  Are you trying to give advice or ask it?

 

What device is this for starters?  Is it a network device that you can use a console cable on?  Why do you need the IP if you don't know it?  Is it on the network in operation?  If some device you want to put on your network I would factory reset it first thing.

 

If it's on your network and working - how would you not know the IP?  Confused how would anyone be using it if they don't know the IP or name that resolves to an IP?

But sure if you are looking for devices on your network you can use nmap or Angry scanner, etc.  Or you could just sniff for traffic as well and count up the IPs and MACs you see.

But your example of setting 192.168.0.0/16 -- is that your network?  Kind of pointless if that is not your network.  If you're wanting to scan some unknown device that is not working so you can access its web GUI for example - how do you know the device was on 192.168?  Maybe it was 10.x, maybe it was 172.16-31, maybe it had a public IP because the guy that set it up likes to just grab address space out of his ass and use it on his network?

More than happy to help you solve your issue - but from how your post was worded it's almost like you were telling people how to find a device?  Why would you set a GW on your scan??  You're scanning 192.168.0.0/16 -- why would it need a GW address, how would it even use GW -- where is it trying to go other than 192.168/16 ?

 

You giving a GW makes no sense in your post?  What are you trying to accomplish and more than happy to help.



#12 OP riahc3


Posted 13 March 2014 - 12:50

Hello,

What??  Are you trying to give advice or ask it?

Both :laugh:

As you can see, I use nmap when I don't know a device's IP but I know it's in my submask; because I know it has a DHCP client and I have (one) DHCP server in my network.

But what about when you know NOTHING about it?

What device is this for starters?  Is it a network device that you can use a console cable on?  Why do you need the IP if you don't know it?  Is it on the network in operation?  If some device you want to put on your network I would factory reset it first thing.

Like you mentioned BudMan, this is a give/ask thread; you don't know what the device is, it does NOT have a console serial entry, you just want to know its IP to know it. The scenario would be that we tested and we cannot find it on our network.

I already factory reset it ;) but nothing.
 

But your example of setting 192.168.0.0/16 -- is that your network?  Kind of pointless if that is not your network.  If you're wanting to scan some unknown device that is not working so you can access its web GUI for example - how do you know the device was on 192.168?  Maybe it was 10.x, maybe it was 172.16-31, maybe it had a public IP because the guy that set it up likes to just grab address space out of his ass and use it on his network?

Just to not overcomplicate things :)
 

More than happy to help you solve your issue - but from how your post was worded it's almost like you were telling people how to find a device?

You are the only one that seems to have caught the point of the thread, it seems! :)

Let me copy and paste:
As you can see, I use nmap when I don't know a device's IP but I know it's using the same submask; because I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network.

I have absolutely no issue so I cannot test this out (well I could get some router I have around here and set it to a 93.12.12.123 or some strange address and test it out on my 192.168.100.x network)

#13 +BudMan


Posted 13 March 2014 - 13:01

"I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network."

Then you would know its IP from just looking on your DHCP server.  Why would you need to scan?

Still not understanding the point of this thread.  If you're trying to write a guide, it is nowhere close to complete, and in the wrong section, and has misleading information in it (FUD).  If you are asking for help, you have not given the information required to help you.

Confused...  What are you trying to accomplish?  Did you have ?  If you're wanting to "discuss" methods of finding unwanted/rogue devices on your network from security point of view?  Then you started out on the wrong footing..



#14 +GreenMartian


Posted 13 March 2014 - 13:12

Let's get this straight:

  • You have a device in your possession.
  • You know it's set up with a static IP.
  • You don't know what the static IP is. It could be in your subnet, or it could be a completely weird IP, like 1.2.3.4

Is that correct?

 

If so, install Wireshark and start sniffing for broadcast packets when the device turns on. Seriously, it's that easy.
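
As an added example (not part of any post in this thread): a small Python listener for the ARP-sniffing approach suggested above. It decodes ARP frames and reports which IP each MAC claims, including boot-time ARP probes where the sender address is 0.0.0.0, and which IPs the device asks for (typically its configured gateway). The MAC, addresses and frames in `SAMPLE` are constructed, and `sniff()` assumes Linux with root.

```python
import socket
import struct

ETH_P_ARP = 0x0806

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    ethertype, htype, ptype, hlen, plen, _op = struct.unpack("!HHHBBH", frame[12:22])
    if (ethertype, htype, ptype, hlen, plen) != (ETH_P_ARP, 1, 0x0800, 6, 4):
        return None  # not ARP (VLAN-tagged frames are also skipped here)
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def discover(frames, own_mac=None):
    """Map each sender MAC to the IPs it claims and the IPs it asks for."""
    seen = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp[0] == own_mac:
            continue
        mac, sender_ip, target_ip = arp
        entry = seen.setdefault(mac, {"ips": set(), "asks_for": set()})
        if sender_ip == "0.0.0.0":
            # ARP probe (RFC 5227): the address being claimed is the target
            entry["ips"].add(target_ip)
        else:
            entry["ips"].add(sender_ip)
            if target_ip != sender_ip:  # a gratuitous ARP asks for nobody
                entry["asks_for"].add(target_ip)
    return seen

def sniff(iface, count=20):
    """Live capture on Linux as root; yields raw ARP frames seen on iface."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for _ in range(count):
            yield s.recv(65535)

def _frame(src, spa, tpa):  # constructed broadcast ARP request for the sample
    mac = bytes.fromhex(src.replace(":", ""))
    return (b"\xff" * 6 + mac + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, 1)
            + mac + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

DEVICE = "00:11:22:33:44:55"  # constructed MAC and addresses, not from the thread
SAMPLE = [_frame(DEVICE, "0.0.0.0", "10.45.7.20"),    # boot-time probe
          _frame(DEVICE, "10.45.7.20", "10.45.7.1"),  # ARPs for its gateway
          bytes(12) + b"\x08\x00" + bytes(46)]        # IPv4 frame, ignored
```

`discover(SAMPLE)` runs offline on the constructed frames; with a laptop cabled directly to the device, `discover(sniff("eth0"), own_mac=...)` does the same on live traffic, where the interface name is an assumption and the capture should start before the device is powered on.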



#15 +BudMan


Posted 13 March 2014 - 13:21

  • You don't know what the static IP is. It could be in your subnet, or it could be a completely weird IP, like 1.2.3.4

Is that correct?

 

I don't think so because he then says this

"Because I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network."

 

I don't have a clue to what he is asking or wants to discuss to be honest.  But your advice is spot on from the 3 points assumed.