riahc3

How do you find out the IP of an unknown device?

21 posts in this topic

Hello,

 

If you want to find out the IP of an unknown device (you don't know its last 2 sections, you have no manual, default was changed, person that changed it is now dead :laugh: by that I mean no obvious answers), how do you do it?

Do you set a PC to 192.168.1.1 SUB: 255.255.0.0 GW: 192.168.1.1, connect it directly to the device, nmap a ping scan through all IPs and it should show up?

That's the way I do it but with something on my network.

 

Thank you


If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

You can get Angry IP Scanner at http://angryip.org/

Here's a screenshot of me running the Linux version.  They also have a Windows version.  It also has all sorts of right click options for hosts once the scan is complete.


If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

You can get Angry IP Scanner at http://angryip.org/

Here's a screenshot of me running the Linux version.  They also have a Windows version.  It also has all sorts of right click options for hosts once the scan is complete.


What if I want the MAC address as well?  Getting the IP OR MAC of a device is easy, but I want both of one device.


Hello,

If it's connected to the network, just use something like Angry IP Scanner to scan the range of IPs handed out by your router.

It isn't a router nor is it a DHCP client. Its IP is already set as static.


Hello,

It isn't a router nor is it a DHCP client. Its IP is already set as static.

Yes, but the IP is presumably still in the range, unless the IP range has changed. It would show up in scans.

Advanced IP Scanner would give you the MAC as well. Don't know if Angry does but I would assume it does.


Hello,

Yes, but the IP is presumably still in the range, unless the IP range has changed. It would show up in scans.

Advanced IP Scanner would give you the MAC as well. Don't know if Angry does but I would assume it does.

Range of what?


Hello,

Range of what?

 

IP Address Range.


If you have a switch that does port mirroring, or all are plugged into a hub, you can connect a machine to the mirrored port running Wireshark and sniff traffic, looking for broadcasts and watching for unknown devices. Unless you know specifically the IP range they are using, this may be the most effective way. This will also sniff broadcasts of devices that may be non-pingable because of individual device or machine firewalls.


You can use Nmap for it, to scan what it is, what OS it's running, and if it runs any services it will detect what it runs.

nmap.org. It runs on all. But I'm using the Windows one, so I don't know if it has all functions on other OSes :) Also it has been in 2 movies :o


I work with lots of IP-enabled devices in the office, a lot of them came from unknown Chinese manufacturer, with barely legible manuals (if you're lucky enough to even get one).

 

As eXtermia said above, just connect the device to your PC's Ethernet, and use Wireshark to look for ARP broadcast packets.

Here's something I found with a quick Googling:


What??  Are you trying to give advice or ask it?

 

What device is this for starters?  Is it a network device that you can use a console cable on?  Why do you need the IP if you don't know it?  Is it on the network in operation?  If some device you want to put on your network I would factory reset it first thing.

 

If it's on your network and working - how would you not know the IP?  Confused how would anyone be using it if they don't know the IP or name that resolves to an IP?

But sure if you are looking for devices on your network you can use nmap or angry scanner, etc.  Or you could just sniff for traffic as well and count up the IPs and MACs you see.

But your example of setting 192.168.0.0/16 -- is that your network?  Kind of pointless if that is not your network.  If you're wanting to scan some unknown device that is not working so you can access its web GUI for example - how do you know the device was on 192.168?  Maybe it was 10.x, maybe it was 172.16-31, maybe it had a public IP because the guy that set it up likes to just grab address space out of his ass and use it on his network?

More than happy to help you solve your issue - but from how your post was worded it's almost like you were telling people how to find a device?  Why would you set a GW on your scan??  You're scanning 192.168.0.0/16 -- why would it need a GW address, how would it even use GW -- where is it trying to go other than 192.168/16 ?

 

You giving a GW makes no sense in your post?  What are you trying to accomplish and more than happy to help.


Hello,

What??  Are you trying to give advice or ask it?

Both :laugh:

As you can see, I use nmap when I don't know a device's IP but I know it's in my submask; because I know it has a DHCP client and I have (one) DHCP server in my network.

But what about when you know NOTHING about it?

What device is this for starters?  Is it a network device that you can use a console cable on?  Why do you need the IP if you don't know it?  Is it on the network in operation?  If some device you want to put on your network I would factory reset it first thing.

Like you mentioned BudMan, this is a give/ask thread; you don't know what the device is, it does NOT have a console serial entry, you just want to know its IP to know it. The scenario would be that we tested and we cannot find it on our network.

I already factory reset it ;) but nothing.

But your example of setting 192.168.0.0/16 -- is that your network?  Kind of pointless if that is not your network.  If you're wanting to scan some unknown device that is not working so you can access its web GUI for example - how do you know the device was on 192.168?  Maybe it was 10.x, maybe it was 172.16-31, maybe it had a public IP because the guy that set it up likes to just grab address space out of his ass and use it on his network?

Just to not overcomplicate things :)

 

More than happy to help you solve your issue - but from how your post was worded it's almost like you were telling people how to find a device?

You are the only one that seems to have caught the point of the thread, it seems! :)

Let me copy and paste:

As you can see, I use nmap when I don't know a device's IP but I know it's using the same submask; because I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network.

I have absolutely no issue so I cannot test this out (well I could get some router I have around here and set it to a 93.12.12.123 or some strange address and test it out on my 192.168.100.x network)


"I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network."

Then you would know its IP from just looking on your DHCP server..  Why would you need to scan?

Still not understanding the point of this thread..  If you're trying to write a guide it is nowhere close to complete and in the wrong section and has misleading information in it (FUD).  If you are asking for help you have not given the information required to help you.

Confused...  What are you trying to accomplish?  Did you have ?  If you're wanting to "discuss" methods of finding unwanted/rogue devices on your network from security point of view?  Then you started out on the wrong footing..


Let's get this straight:

  • You have a device in your possession.
  • You know it's set up with a static IP.
  • You don't know what the static IP is. It could be in your subnet, or it could be a completely weird IP, like 1.2.3.4

Is that correct?

 

If so, install Wireshark and start sniffing for broadcast packets when the device turns on. Seriously, it's that easy.

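Added example (not part of the original thread): the Wireshark approach suggested above, expressed in Python as a parser that pulls the device's MAC and IP out of captured ARP frames. It covers the boot-time ARP probe, where the sender IP is 0.0.0.0 and the address the device is configured with sits in the target field. The frames, MAC addresses and IPs are constructed sample data, and the function names are this example's own.

```python
import socket
import struct

def parse_arp(frame: bytes):
    """Return (sender_mac, claimed_ip, kind) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    sender, target = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if sender == "0.0.0.0":
        # ARP probe (RFC 5227): the address being tested is in the target field.
        return mac, target, "probe"
    if sender == target:
        return mac, sender, "announce"                      # gratuitous ARP
    return mac, sender, "request" if oper == 1 else "reply"

def discover(frames, own_mac):
    """Map every MAC other than our own to the set of IPs it claimed."""
    found = {}
    for frame in frames:
        hit = parse_arp(frame)
        if hit and hit[0] != own_mac.lower():
            found.setdefault(hit[0], set()).add(hit[1])
    return found

def make_arp(mac, spa, tpa, oper=1):
    """Build a broadcast ARP frame (used only to construct the sample capture)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sha + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)

# Constructed sample capture: laptop (192.168.1.1) wired straight to an unknown device.
LAPTOP = "02:00:00:00:00:01"
DEVICE = "02:00:00:00:00:99"
SAMPLE = [
    make_arp(LAPTOP, "192.168.1.1", "192.168.1.254"),       # our own traffic, ignored
    make_arp(DEVICE, "0.0.0.0", "10.20.30.40"),             # device probes its static IP
    make_arp(DEVICE, "10.20.30.40", "10.20.30.40"),         # gratuitous announcement
    make_arp(DEVICE, "10.20.30.40", "10.20.30.1"),          # device ARPs for its gateway
    b"\xff" * 6 + bytes(6) + b"\x08\x00" + bytes(28),       # non-ARP frame, skipped
]

if __name__ == "__main__":
    for mac, ips in discover(SAMPLE, LAPTOP).items():
        print(mac, sorted(ips))
```

Because ARP is answered at layer 2, this works even when the device's address is outside the laptop's subnet, which is the case a ping sweep of the local range misses.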
  • You don't know what the static IP is. It could be in your subnet, or it could be a completely weird IP, like 1.2.3.4

Is that correct?

 

I don't think so because he then says this

"Because I know it has a DHCP client and I have (one) DHCP server in my network so it will have an IP in my network."

 

I don't have a clue to what he is asking or wants to discuss to be honest.  But your advice is spot on from the 3 points assumed.


Hello,

That was used as an example from when I KNOW a device is on my network. When I confirm it isn't, I guess the best method is using Wireshark and seeing ARP broadcasts, from what most of you comment :)

Correct?

My apologies for not making clear the point of this thread.


I would use Angry IP.  If it is a device on your network you could narrow it down very quickly as to what it is.  Within a few minutes I can find out what the IP is of any random device, being that I usually know what subnet or range it is in.  255 or so addresses isn't a lot, esp. if you have your network set up right and can see which are Windows devices (they resolve to a name) vs non-Windows devices (they don't resolve, or resolve with a strange unknown name that isn't part of your deployment).  I am sorry that you don't like scanning like that, but within minutes or seconds you can easily determine the information you are trying to get, if all you are after is an IP address.  If you need a bit more information then sure, Wireshark, but that would require you to have the equipment to use Wireshark properly (either a managed layer switch that you can enable a mirror port on, or an in-the-middle device where you see all traffic on the network).  Many deployments do not have layer 3 switching, so relying on Wireshark to get your answers on every network you encounter is foolish; you would need to expand your toolset.


While I agree that all networks are different and one tool might not be the best for a specific network.  If it's a device you have your hands on you can always connect your laptop to the interface to sniff what it's sending.  But sure if you don't know where the device is in the DC and it's only unmanaged switches you can have issues tracking something down for sure.

More than happy to discuss all the different ways that you could find an IP from a device in lots of different scenarios - since depending on the situation, different methodologies and/or tools may be leveraged for the best way to get the information you're seeking.

If you know it's DHCP, I would just look to DHCP leases - especially if you know the MAC from the outside of the device for example, or it's unique hardware so you would notice it from the first 3 of the MAC per a vendor lookup, or that it's different from all your other DHCP clients.. Or you can boot it and see the timestamp on the lease and rule out your known devices, etc..

If it's something you bought off eBay or got 2nd hand and cannot reset or console in, then I would connect it on an isolated network (say a laptop only with sniffer) and find its IP and then try to access interface from that IP, etc.  Or run a DHCP server on your laptop to give it an IP.  I would be hesitant to just connect some 2nd hand device to a production type network without first looking at its config or reset, etc.

Scanners can come in very handy in mapping out a network when you don't have access to managed switches or devices are quiet - some will send out more noise than others and if busy network sometimes there can be a lot of noise to go through if you're just looking for devices on network.  Some devices might not even respond to a ping sweep though and looking at traffic might be required to catch when they ARP for say their gateway IP, etc.

There are many variables that could come into play, every situation could be vastly different.

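Added example (not part of the original thread): the DHCP-lease triage described in the post above, in Python. It drops leases belonging to known devices, then ranks what is left by whether the lease was granted after the unknown device was powered on and whether the first three octets of the MAC differ from every known client. It assumes a dnsmasq-style lease file and a fixed lease time; the lease lines, inventory, boot time and function names are constructed for the example.

```python
def parse_leases(text):
    """Parse dnsmasq-style lines: '<expiry-epoch> <mac> <ip> <hostname> <client-id>'."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            leases.append({"expires": int(parts[0]), "mac": parts[1].lower(),
                           "ip": parts[2], "host": parts[3]})
    return leases

def oui(mac):
    """First three octets of a MAC, the part assigned to the vendor."""
    return mac.lower()[:8]

def triage(leases, known_macs, booted_at, lease_seconds):
    """Drop known devices, then rank the rest: leased after boot, then unfamiliar OUI."""
    known = {m.lower() for m in known_macs}
    known_ouis = {oui(m) for m in known}
    rows = []
    for lease in leases:
        if lease["mac"] in known:
            continue
        granted = lease["expires"] - lease_seconds   # assumes a fixed lease time
        rows.append({**lease,
                     "after_boot": granted >= booted_at,
                     "new_oui": oui(lease["mac"]) not in known_ouis})
    rows.sort(key=lambda r: (r["after_boot"], r["new_oui"], r["expires"]), reverse=True)
    return rows

# Constructed sample data: lease file contents, inventory, boot time, lease length.
LEASES = """\
1394740800 02:aa:bb:00:00:10 192.168.100.20 office-pc 01:02:aa:bb:00:00:10
1394741400 02:aa:bb:00:00:11 192.168.100.21 printer *
1394743500 02:cc:dd:00:00:77 192.168.100.57 * *
1394700000 02:aa:bb:00:00:55 192.168.100.33 * *
"""
KNOWN = ["02:AA:BB:00:00:10", "02:aa:bb:00:00:11"]
BOOTED_AT = 1394739000      # epoch seconds when the unknown device was powered on
LEASE_SECONDS = 3600

if __name__ == "__main__":
    for row in triage(parse_leases(LEASES), KNOWN, BOOTED_AT, LEASE_SECONDS):
        print(row["ip"], row["mac"], row["host"], row["after_boot"], row["new_oui"])
```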

That depends on the ping sweep.  Angry IP doesn't only work on echo requests.


Hello,

While I agree that all networks are different and one tool might not be the best for a specific network.  If it's a device you have your hands on you can always connect your laptop to the interface to sniff what it's sending.  But sure if you don't know where the device is in the DC and it's only unmanaged switches you can have issues tracking something down for sure.

More than happy to discuss all the different ways that you could find an IP from a device in lots of different scenarios - since depending on the situation, different methodologies and/or tools may be leveraged for the best way to get the information you're seeking.

If you know it's DHCP, I would just look to DHCP leases - especially if you know the MAC from the outside of the device for example, or it's unique hardware so you would notice it from the first 3 of the MAC per a vendor lookup, or that it's different from all your other DHCP clients.. Or you can boot it and see the timestamp on the lease and rule out your known devices, etc..

If it's something you bought off eBay or got 2nd hand and cannot reset or console in, then I would connect it on an isolated network (say a laptop only with sniffer) and find its IP and then try to access interface from that IP, etc.  Or run a DHCP server on your laptop to give it an IP.  I would be hesitant to just connect some 2nd hand device to a production type network without first looking at its config or reset, etc.

Scanners can come in very handy in mapping out a network when you don't have access to managed switches or devices are quiet - some will send out more noise than others and if busy network sometimes there can be a lot of noise to go through if you're just looking for devices on network.  Some devices might not even respond to a ping sweep though and looking at traffic might be required to catch when they ARP for say their gateway IP, etc.

There are many variables that could come into play, every situation could be vastly different.

Exact answer I was looking for (in someone's reply)

You gave a general reply of the possible ways in most scenarios.

Thanks


That depends on the ping sweep.  Angry IP doesn't only work on echo requests.

Very true, there are other methods of using ICMP to discover information about a device vs just echo reply..
