Überhacker II, Chapter 9: Ethernet Exploration, continued...

How to Uncover the Identities of Computers on a LAN

Our first task is to learn how to discover almost all addresses on any LAN where you have a shell account, and how to identify every piece of Ethernet hardware on it. I say "almost," because if serious security gurus run the LAN you are exploring, they may hide some hardware. Switched Ethernet (if properly implemented - more on that later, muhahaha!) is one of these techniques.

Let's presume that your target domain won't let you do zone transfers (the host -l command, or the ls command inside nslookup). However, for many LANs, the following trick will reveal all.

Note - in exploring Ethernets, the commands we use are almost the same for both Unix-type operating systems and Windows 95/98/ME/NT/2000/XP/2003 (from the MS-DOS or cmd.exe prompt).

First we must figure out the broadcast address for the LAN you wish to explore. A broadcast address is one that will send a message out simultaneously addressed to everything on its network. In the case of a network with no subnet mask beyond the class default, using Internet Protocol (IP) addresses, this is done by setting the last octet (or the last two, or three octets) of the address to 255. For example, if you have a private Class C network (254 usable addresses) without direct access to the Internet, your broadcast address might look something like 192.168.1.255.

In general, the broadcast address is the highest address on a LAN given its netmask. For example, Vincent Larsen points out that a netmask of 255.255.255.192 will create a subnet whose highest IP address is 192.168.100.63. So in this case the broadcast address is 192.168.100.63. Hosts on that subnet will send anything above 192.168.100.63 (up to 192.168.100.255) to the router, if one exists.

How does this work? We get to learn about netmasks now! Each 255 in the netmask keeps the NICs on that subnet from looking at that part of the IP address, so they only look at the last octet. There, they subtract 192 from 255 to get 63, so the NICs on that network only look at 63 and below.

Joe Klemencic explains,

"This math equation assumes you will be operating on the 192.168.100.0 network. You can easily be in the 192.168.100.64-192.168.100.127 network range and still have a 255.255.255.192 netmask. It all has to do with the binary bit boundaries for a netmask. Basically, the binary equivalent of the IP address is MASKed with the binary equivalent of the netmask. Networks are all binary zeros while the broadcast addresses are all binary ones. Hosts are a combination of binary ones and zeros in between.

For example:
IP:   192.168.100.0   = 11000000 10101000 01100100 00000000
Mask: 255.255.255.192 = 11111111 11111111 11111111 11000000

While looking at the netmask, the rightmost bit that is set determines how many hosts can be on each network defined by the netmask. In this case, 11000000, the bits are set in the 128 and 64 fields:

Binary Values: 128  64  32  16   8   4   2   1
Netmask:         1   1   0   0   0   0   0   0
In this case, the rightmost bit is in the Binary Value 64, so only 64 hosts (including the network number and the broadcast address) can be contained within a network. Now, to find the broadcast address for the network:

Since we now know that only 64 hosts (including the network number and the broadcast address) can be on a network with the 255.255.255.192 mask, you can create a table of available networks:
192.168.100.0   - 192.168.100.63
192.168.100.64  - 192.168.100.127
192.168.100.128 - 192.168.100.191
192.168.100.192 - 192.168.100.255

Now, see where the last octet of your IP address fits into this table. If your IP address is 192.168.100.115, you will be in the 192.168.100.64 - 192.168.100.127 range, with 192.168.100.64 being the network number and 192.168.100.127 being the broadcast address. If you are unsure if you calculated it correctly, remember that the network number is always an EVEN number, while the broadcast number is always an ODD number."
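Here is the same netmask arithmetic done in Python, as an added example that is not part of the original chapter or of Joe's explanation. It works for any contiguous netmask, not just 255.255.255.192: the network number is the address ANDed with the mask (host bits all zero), the broadcast is the address ORed with the inverted mask (host bits all one), and the subnet table is built by stepping through the parent network in blocks of that size. The function names (network_and_broadcast, subnet_table, hosts_per_subnet, crosscheck) are my own, and the cross-check against the standard library's ipaddress module is there so you can confirm the hand math agrees with a trusted implementation.

```python
"""Added example (not from the original page): netmask arithmetic by hand,
cross-checked against Python's ipaddress module."""
import ipaddress


def to_int(dotted: str) -> int:
    """Convert a dotted quad such as 192.168.100.115 into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_bits(mask: str) -> int:
    """Return the inverted mask (all host bits set), rejecting masks that are
    not a run of ones followed by a run of zeros (e.g. 255.255.255.130)."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF
    if (inverted + 1) & inverted:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return inverted


def hosts_per_subnet(mask: str) -> int:
    """Addresses per subnet, including the network number and broadcast.
    For 255.255.255.192 this is 64, as in the table above."""
    return host_bits(mask) + 1


def network_and_broadcast(ip: str, mask: str) -> tuple[str, str]:
    """Network number = IP AND mask; broadcast = IP OR NOT mask."""
    ip_i = to_int(ip)
    inverted = host_bits(mask)
    network = ip_i & to_int(mask)      # host bits cleared to zero
    broadcast = ip_i | inverted        # host bits set to one
    return to_dotted(network), to_dotted(broadcast)


def subnet_table(parent_cidr: str, mask: str) -> list[tuple[str, str]]:
    """List every (network, broadcast) pair the mask carves out of the
    parent network, e.g. the four /26 blocks inside 192.168.100.0/24."""
    parent = ipaddress.ip_network(parent_cidr, strict=False)
    block = hosts_per_subnet(mask)
    start = int(parent.network_address)
    end = int(parent.broadcast_address)
    if block > end - start + 1:
        raise ValueError("mask is shorter than the parent network's prefix")
    return [(to_dotted(n), to_dotted(n + block - 1))
            for n in range(start, end + 1, block)]


def crosscheck(ip: str, mask: str) -> bool:
    """True when the hand arithmetic matches the ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    expected = (str(net.network_address), str(net.broadcast_address))
    return network_and_broadcast(ip, mask) == expected


if __name__ == "__main__":
    # Constructed sample inputs: the address from the text and the SuSE box below.
    for ip, mask in (("192.168.100.115", "255.255.255.192"),
                     ("10.0.0.9", "255.255.255.0")):
        net, bcast = network_and_broadcast(ip, mask)
        print(f"{ip}/{mask}: network {net}, broadcast {bcast}, "
              f"{hosts_per_subnet(mask)} addresses, "
              f"agrees with ipaddress: {crosscheck(ip, mask)}")
    for net, bcast in subnet_table("192.168.100.0/24", "255.255.255.192"):
        print(f"{net} - {bcast}")
```

Run it with no arguments and it prints the network and broadcast for 192.168.100.115/255.255.255.192 (64 and 127 in the last octet), the same for the 10.0.0.9 box shown below, and the four-row subnet table from Joe's explanation. The contiguity check in host_bits matters in practice: a typo like 255.255.255.130 in a config file produces a "mask" whose AND/OR arithmetic silently yields nonsense, and rejecting it is the check you want before trusting any broadcast address derived from it.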

So how do you find out for sure what the netmask and broadcast address are on the LAN you are exploring? If you (as a lowly user) have permission to use the ifconfig command on a box on that LAN, you are in luck. Here's what SuSE Linux tells us:

~> ifconfig
eth0 Link encap:Ethernet HWaddr 00:C0:F0:37:56:6A
inet addr:10.0.0.9 Bcast:10.0.0.255 Mask:255.255.255.0

In Windows, you can use:

C:\>ipconfig /all

In Windows 95/98/ME, you can also get your MAC address at the DOS prompt with the command winipcfg.

If you can't use these commands, just guess. If your target network has computers that all start with 10.2.2., the broadcast address will probably be 10.2.2.255 or 10.2.255.255, or (if you get really lucky) 10.255.255.255. But be prepared for one heck of a bunch of return pings, including from your own computer.

Normally you can only broadcast within an Ethernet. Most routers block broadcast transmissions from leaving the LAN. So if you try to ping 255.255.255.255, you will not broadcast a ping to every address on the Internet.


© 2013 Happy Hacker All rights reserved.