What can you find out from an IP?
Here I will outline some useful Unix and NT commands for finding out more information about a given IP. Some of these techniques will fail depending on firewall rule sets.
Because the IP your ISP's DHCP server hands you may not always be the same, it is handy to be able to quickly find out what your IP is. Most of the time on a LAN the DHCP server will try to hand a machine the same IP its MAC address received the last time it requested an address, but not always. To find out your host IP and other useful information use these commands.
Windows 9X/Me:
Use the "winipcfg" command; this will bring up a GUI dialog with all the info you will need.
Unix:
The "ifconfig" command prints one block per interface; this is the loopback block:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2234607 errors:0 dropped:0 overruns:0 frame:0
TX packets:2234607 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
bash-2.04$
If you are SSHing or telneting to the box and you want to find the IP you are attaching from, use the "finger" command with no parameters.
bash-2.04$ finger
Login Name Tty Idle Login Time Office Office Phone
adrian Adrian Crenshaw pts/3 Feb 2 14:57 (192.168.1.2)
root root pts/0 1:53 Jan 28 17:25 (tux:2)
root root pts/1 4d Jan 25 14:57
root root pts/2 8d Jan 25 14:57 (tux:2)
bash-2.04$
All OSes:
The IP found using the instructions above is the IP your computer's NIC (Network Interface Card) or modem has; if you are hooked to a home router or some other kind of NAT box, the IP the world sees as you when you connect to other hosts will be different. To find your WAN IP (the IP the world sees when you are behind a NAT box or a proxy) go to one of the following sites:
If the host is not blocking ICMP echo requests (type 8, code 0), try using the "ping" command; it should work from any Unix-like OS and from Windows.
UP:
C:\>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<10ms TTL=255
Reply from 192.168.1.3: bytes=32 time<10ms TTL=255
Reply from 192.168.1.3: bytes=32 time<10ms TTL=255
Reply from 192.168.1.3: bytes=32 time<10ms TTL=255
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
DOWN:
Ping statistics for 192.168.30.133:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
If the host is behind a firewall blocking ICMP echo requests then you will have to look into other ways of enumerating the network, like Hping ( http://www.hping.org/ ).
How do I find out what organization owns an IP?
Easiest way is to use the online tools from http://samspade.org/t/ (use IP Whois) or download their Windows tools and use them on your box. ARIN offers a similar CGI at http://ws.arin.net/cgi-bin/whois.pl if Sam Spade does not work for you. There is also a host of tools built into the SamSpade utility for Windows, which you can download from http://www.samspade.org/ssw/ .
How do I find out what OS a box is running?
You can tell what OS a box is running in a few ways. Knowing what ports are open on the box will give you some good guesses (for instance port 6000 is used for X Windows; it being open probably means the box is running some kind of Unix). The easiest way to find this info is to use the "nmap" utility from http://www.insecure.org/nmap/ (also available on the Knoppix Linux boot CD ( http://www.knoppix.org/ ) or the Trinux boot disk ( http://sourceforge.net/projects/trinux/ )) and do an OS fingerprint like so:
[root@tux adrian]# nmap -O tux.mydomains.com
Starting nmap V. 2.54BETA26 ( www.insecure.org/nmap/ )
Adding open port 22/tcp
Adding open port 1024/tcp
Adding open port 25/tcp
Adding open port 80/tcp
Adding open port 110/tcp
Adding open port 993/tcp
Adding open port 6002/tcp
Adding open port 5902/tcp
Adding open port 111/tcp
Adding open port 443/tcp
Adding open port 21/tcp
Adding open port 995/tcp
Adding open port 23/tcp
Adding open port 143/tcp
Adding open port 139/tcp
Adding open port 515/tcp
Interesting ports on tux.mydomains.com (192.168.1.3):
(The 1532 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
139/tcp open netbios-ssn
143/tcp open imap2
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
1024/tcp open kdm
5902/tcp open vnc-2
6002/tcp open X11:2
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 9.033 days (since Fri Jan 25 14:55:20 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
[root@tux adrian]#
The "Remote operating system guess" line indicates the likely OS. Be careful about using tools like "nmap": the site you are targeting may give your local admin a call asking why you are scanning their site. Also make sure your copy of Nmap is up to date so it has the newest OS fingerprints; the version I used in the above example is kind of old.
You can also sometimes find out by using the "What's that site running" CGI at Netcraft, which does a banner grab for you.
Telneting to the host and observing the intro may give you some info:
Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i686
login:
and if they only have port 80 open you can telnet to that port, hit Enter twice and observe the headers:
[root@tux adrian]# telnet orangutan.mydomains.com 80
Trying 192.168.28.32...
Connected to orangutan.mydomains.com.
Escape character is '^]'.
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sun, 03 Feb 2002 20:51:47 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>The parameter is incorrect. </body>
</html>Connection closed by foreign host.
[root@tux adrian]#
This technique is known as "banner grabbing".
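As an added example (not from the article), the following Python parses a raw HTTP response of the kind the telnet session above produces and reports how much the Server header gives away, which is the check a defender runs against their own web servers. The sample response is constructed from the page's IIS 5.0 reply.

```python
"""Parse a raw HTTP response and classify the Server header disclosure.
Added example; SAMPLE_RESPONSE is constructed from the page's IIS reply."""

SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sun, 03 Feb 2002 20:51:47 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 87\r\n"
    b"\r\n"
    b"<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>"
)


def parse_http_response(raw: bytes) -> dict:
    """Split a raw response into status line, headers and body.
    Header names are lowercased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate servers that terminate lines with bare LF
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    version, _, rest = lines[0].partition(" ")
    status, _, reason = rest.partition(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def server_disclosure(raw: bytes) -> dict:
    """Classify the banner: 'none' (no Server header), 'product' (name
    only, e.g. 'nginx') or 'version' (name and version, as in the page)."""
    banner = parse_http_response(raw)["headers"].get("server")
    if banner is None:
        return {"banner": None, "product": None, "version": None, "level": "none"}
    product, _, version = banner.partition("/")
    version = version.split()[0] if version.strip() else None
    return {"banner": banner, "product": product, "version": version,
            "level": "version" if version else "product"}


if __name__ == "__main__":
    print(server_disclosure(SAMPLE_RESPONSE))
```

The "version" level is the one worth fixing: it tells a stranger which advisories apply to the box, and most web servers can be configured to send the product name only or no Server header at all.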
How do I find out what ports are open/services are running?
There are port scanners for Windows and Unix, "nmap" ( http://www.insecure.org/nmap/ and available on the Trinux boot disk) being my personal choice. Be careful about using tools like "nmap": the site you are targeting may give your local admin a call asking why you are scanning their site. See the above entry for an example of using nmap.
If you want to find out what ports are open (and which executables they belong to) on your local Windows box use the "netstat" command with the -b option.
Windows:
C:\>netstat -b
Active Connections
Proto Local Address Foreign Address State PID
TCP cthulhu:912 localhost:3659 ESTABLISHED 452
[vmware-authd.exe]
TCP cthulhu:912 localhost:3658 ESTABLISHED 452
[vmware-authd.exe]
TCP cthulhu:912 localhost:3640 ESTABLISHED 452
[vmware-authd.exe]
TCP cthulhu:912 localhost:3657 ESTABLISHED 452
[vmware-authd.exe]
TCP cthulhu:1059 localhost:9051 ESTABLISHED 3760
[vidalia.exe]
TCP cthulhu:1074 localhost:1075 ESTABLISHED 2988
[firefox.exe]
TCP cthulhu:1075 localhost:1074 ESTABLISHED 2988
[firefox.exe]
TCP cthulhu:1102 localhost:1103 ESTABLISHED 2988
[firefox.exe]
TCP cthulhu:1103 localhost:1102 ESTABLISHED 2988
[firefox.exe]
TCP cthulhu:3640 localhost:912 ESTABLISHED 2576
[vmware.exe]
TCP cthulhu:3657 localhost:912 ESTABLISHED 904
[vmware-vmx.exe]
TCP cthulhu:3658 localhost:912 ESTABLISHED 808
[vmserverdWin32.exe]
TCP cthulhu:3659 localhost:912 ESTABLISHED 2576
[vmware.exe]
TCP cthulhu:9051 localhost:1059 ESTABLISHED 2728
[tor.exe]
TCP cthulhu:3877 192.168.1.13:microsoft-ds ESTABLISHED 4
[System]
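The listing above is exactly what you want to inventory on your own box: which program owns which port, and which connections actually leave the machine. Here is an added example (mine, not from the article) that parses "netstat -b" output into that inventory; the sample text is a constructed excerpt in the shape of the page's listing for host cthulhu.

```python
"""Turn Windows 'netstat -b' output into a per-executable inventory.
Added example; NETSTAT_SAMPLE is a constructed excerpt modelled on the page."""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    cthulhu:912            localhost:3659         ESTABLISHED     452
 [vmware-authd.exe]
  TCP    cthulhu:1059           localhost:9051         ESTABLISHED     3760
 [vidalia.exe]
  TCP    cthulhu:9051           localhost:1059         ESTABLISHED     2728
 [tor.exe]
  TCP    cthulhu:3877           192.168.1.13:microsoft-ds  ESTABLISHED  4
 [System]
  UDP    cthulhu:137            *:*                                    4
 [System]
"""

# A connection line; the State column is absent for UDP.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# The bracketed executable name that -b prints on the following line.
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text):
    """One dict per connection, each paired with the [exe] line after it."""
    records, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            pending = {"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": int(pid), "exe": None}
            records.append(pending)
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:
            pending["exe"] = m.group(1)
            pending = None
    return records


def local_port(addr):
    """'cthulhu:9051' -> '9051'; ports may also be names like microsoft-ds."""
    return addr.rsplit(":", 1)[1]


def ports_by_executable(records):
    """Executable -> sorted list of local ports it holds."""
    out = defaultdict(set)
    for r in records:
        out[r["exe"] or f"pid:{r['pid']}"].add(local_port(r["local"]))
    return {exe: sorted(ports) for exe, ports in out.items()}


def non_loopback(records):
    """Connections whose far end is not this machine: the ones that
    actually cross the network and deserve a second look."""
    return [r for r in records
            if not r["remote"].startswith(("localhost:", "127.", "*:"))]


if __name__ == "__main__":
    recs = parse_netstat_b(NETSTAT_SAMPLE)
    print(ports_by_executable(recs))
    for r in non_loopback(recs):
        print(r["exe"], r["local"], "->", r["remote"])
```

On the sample only the SMB session to 192.168.1.13 leaves the box; everything else is local plumbing between VMware and Tor components. Lines netstat prints when it cannot resolve the owner ("Can not obtain ownership information") simply do not match either pattern and are skipped.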
How do I tell who is logged into a remote Windows box?
On Windows you can try:
C:\>nbtstat -a somebox
Local Area Connection:
Node IpAddress: [192.168.22.68] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
testbox2<00> UNIQUE Registered
MYADS <00> GROUP Registered
testbox2<03> UNIQUE Registered
MYADS <1E> GROUP Registered
JDOE <03> UNIQUE Registered
MAC Address = 00-04-76-39-A9-F9
C:\>
But if NetBIOS over TCP/IP is turned off it won't work. In that case you may have to use a WMI script, but you would have to be an Admin on the remote box.
On Unix:
bash-2.05# nmblookup -S somebox
querying testbox2 on 192.168.31.255
192.168.22.59 somebox <00>
Looking up status of 192.168.22.59
testbox2 <00> - M <ACTIVE>
MYADS <00> - <GROUP> M <ACTIVE>
testbox2 <03> - M <ACTIVE>
MYADS <1e> - <GROUP> M <ACTIVE>
JDOE <03> - M <ACTIVE>
bash-2.05#
The above will only work if the Windows box has NetBIOS over TCP/IP turned on.
Any good all in one tools?
LANguard (for Windows) and Nessus (for Unix). With all of these you would want to turn off some of the options, otherwise the admins at the other site will see it as an all-out attack.
How Do I find the NetBIOS name from the IP?
On Windows:
C:\>nbtstat -a 192.168.22.68
Local Area Connection:
Node IpAddress: [192.168.22.68] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
testbox3 <00> UNIQUE Registered
MYADS <00> GROUP Registered
testbox3 <03> UNIQUE Registered
testbox3 <20> UNIQUE Registered
MYADS <1E> GROUP Registered
ADRIAN <03> UNIQUE Registered
MAC Address = 00-04-76-39-B6-D9
C:\>
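The three NetBIOS listings above (nbtstat to see who is logged in, nmblookup for the same from Unix, and nbtstat by IP to get the machine name) all print the same name table, and the information is in the suffix codes: <00> UNIQUE is the computer name, <00> GROUP the domain or workgroup, <20> the file server service, and a <03> UNIQUE entry that is not the computer name is the messenger-service registration of a logged-on user, which is how JDOE and ADRIAN show up. As an added example (mine, not the article's code), the parser below reads both tools' formats and pulls those facts out; the two samples are constructed from the page's listings. From a defender's side this is precisely what any host with NetBIOS over TCP/IP enabled tells an unauthenticated caller.

```python
"""Interpret NetBIOS name tables from Windows 'nbtstat -a' and Samba
'nmblookup -S'. Added example; both samples are constructed from the page."""
import re

NBTSTAT_SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.22.68] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TESTBOX3       <00>  UNIQUE      Registered
    MYADS          <00>  GROUP       Registered
    TESTBOX3       <03>  UNIQUE      Registered
    TESTBOX3       <20>  UNIQUE      Registered
    MYADS          <1E>  GROUP       Registered
    ADRIAN         <03>  UNIQUE      Registered

    MAC Address = 00-04-76-39-B6-D9
"""

NMBLOOKUP_SAMPLE = """\
Looking up status of 192.168.22.59
        TESTBOX2        <00> -         M <ACTIVE>
        MYADS           <00> - <GROUP> M <ACTIVE>
        TESTBOX2        <03> -         M <ACTIVE>
        MYADS           <1e> - <GROUP> M <ACTIVE>
        JDOE            <03> -         M <ACTIVE>
"""

# One pattern for both tools: name, hex suffix, then either UNIQUE/GROUP
# (nbtstat) or a dash with an optional <GROUP> flag (nmblookup).
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s*<([0-9A-Fa-f]{2})>\s+(?:(UNIQUE|GROUP)\b|-\s*(<GROUP>)?)")

# Well-known NetBIOS suffix meanings.
SUFFIX_MEANING = {
    ("00", "unique"): "workstation service (computer name)",
    ("00", "group"): "domain or workgroup name",
    ("03", "unique"): "messenger service (computer name or logged-on user)",
    ("20", "unique"): "file server service",
    ("1E", "group"): "browser service elections",
}


def parse_name_table(text):
    """Return one dict per name-table row, with the suffix decoded."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, suffix, kind, nmb_group = m.groups()
        typ = "group" if (kind == "GROUP" or nmb_group is not None) else "unique"
        suffix = suffix.upper()
        entries.append({"name": name.upper(), "suffix": suffix, "type": typ,
                        "meaning": SUFFIX_MEANING.get((suffix, typ), "other")})
    return entries


def computer_name(entries):
    return next((e["name"] for e in entries
                 if e["suffix"] == "00" and e["type"] == "unique"), None)


def domain_or_workgroup(entries):
    return next((e["name"] for e in entries
                 if e["suffix"] == "00" and e["type"] == "group"), None)


def logged_on_users(entries):
    """<03> UNIQUE names other than the computer name itself."""
    host = computer_name(entries)
    return sorted({e["name"] for e in entries
                   if e["suffix"] == "03" and e["type"] == "unique"
                   and e["name"] != host})


def mac_address(text):
    """The MAC nbtstat prints under the table (nmblookup does not)."""
    m = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    for sample in (NBTSTAT_SAMPLE, NMBLOOKUP_SAMPLE):
        t = parse_name_table(sample)
        print(computer_name(t), domain_or_workgroup(t), logged_on_users(t),
              mac_address(sample))
```

Disabling NetBIOS over TCP/IP on hosts that do not need it, or filtering UDP 137 at the network edge, is what stops this table (user name, domain and MAC included) from being handed to anyone who asks.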
How can I see the traffic going between two points on a switched network?
Get the dsniff and ngrep packages; they come with Trinux (note: on Trinux use "arpredirect" instead of "arpspoof") or you can download them. Start up three terminals.
In the first terminal run:
arpspoof -t 1.1.1.1 2.2.2.2
In the 2nd one run:
arpspoof -t 2.2.2.2 1.1.1.1
Then run ngrep:
ngrep host 1.1.1.1|more
and watch the fun. Also try the "dsniff" command to see plaintext passwords that are passed between the two hosts. To find out more information visit my article on the basics of ARP spoofing at http://irongeek.com/i.php?page=security/arpspoof
You can also use Ettercap (Win and Linux) and Cain (Win) to do much the same thing as these videos illustrate:
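Seen from the other side of the wire, the two arpspoof commands above leave a very visible trace: the MAC that answers for 1.1.1.1 suddenly changes, and then the same MAC answers for 2.2.2.2 as well. Here is an added example (mine, not the article's code and not arpwatch or dsniff) of a small monitor that reads ARP replies in the form "tcpdump -n" prints them and raises an alert on both of those signs. The reply stream is constructed to mirror the two-host scenario above, with hypothetical MAC addresses.

```python
"""Defender-side ARP monitor: alert when an IP's MAC changes or one MAC
answers for several IPs. Added example; TCPDUMP_LINES is constructed."""
import re
from collections import defaultdict

# Constructed lines in the shape tcpdump -n prints for ARP traffic.
TCPDUMP_LINES = [
    "12:00:01.000000 ARP, Reply 1.1.1.1 is-at 00:11:22:aa:aa:aa, length 28",
    "12:00:02.000000 ARP, Reply 2.2.2.2 is-at 00:11:22:bb:bb:bb, length 28",
    "12:00:03.000000 ARP, Request who-has 2.2.2.2 tell 1.1.1.1, length 28",
    "12:00:04.000000 ARP, Reply 1.1.1.1 is-at 00:11:22:aa:aa:aa, length 28",
    "12:00:05.000000 ARP, Reply 1.1.1.1 is-at 00:11:22:cc:cc:cc, length 28",  # poisoned
    "12:00:06.000000 ARP, Reply 2.2.2.2 is-at 00:11:22:cc:cc:cc, length 28",  # poisoned
]

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for anything else."""
    m = REPLY_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


class ArpMonitor:
    """Keeps the IP->MAC bindings seen so far and alerts on changes."""

    def __init__(self, max_ips_per_mac=1):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        # Raise this for a router that legitimately does proxy ARP.
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ip, mac):
        """Record one reply; return the alerts this reply produced."""
        new = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            new.append({"kind": "binding_changed", "ip": ip,
                        "old": known, "new": mac})
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            new.append({"kind": "mac_claims_many", "mac": mac,
                        "ips": sorted(self.mac_to_ips[mac])})
        self.alerts.extend(new)
        return new


def run_monitor(lines, max_ips_per_mac=1):
    """Feed every ARP reply in the captured lines to a fresh monitor."""
    mon = ArpMonitor(max_ips_per_mac)
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed:
            mon.observe(*parsed)
    return mon


if __name__ == "__main__":
    for alert in run_monitor(TCPDUMP_LINES).alerts:
        print(alert)
```

A binding change on its own can be innocent (DHCP handing an address to a new machine, a replaced NIC), so it is the combination with one MAC claiming several live hosts that is the strong signal. Static ARP entries for critical hosts and dynamic ARP inspection on managed switches are the usual ways to stop the poisoning rather than just see it.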
Change Log:
09/03/2004: First published
10/10/2007: Added "Moan My IP", the -b option to Netstat and linked to the videos for Cain and Ettercap and the article A Quick Intro to Sniffers.