ÜberhackerII, Chapter 9: Ethernet Exploration,
How to Uncover the Identities of Computers on a LAN
Our first task is to learn how to discover almost all addresses
on any LAN where you have a shell account, and how to identify
every piece of Ethernet hardware on it. I say "almost,"
because if serious security gurus run the LAN you are exploring,
they may hide some hardware. Switched Ethernet (if properly implemented
- more on that later, muhahaha!) is one of these techniques.
Let's presume that your target domain won't let you do zone transfers
(the host -l or nslookup ls command). However, for many LANs, the
following trick will reveal all.
Note - in exploring Ethernets, the commands we use are almost
the same for both Unix-type operating systems and Windows 95/98/ME/NT/2000/XP/2003
(from the MS-DOS or cmd.exe prompt).
First we must figure out the broadcast address for the LAN you
wish to explore. A broadcast address is one that will send a message
out simultaneously addressed to everything on its network. In
the case of a network that is not subnetted and uses Internet Protocol
(IP) addresses, this is done by setting the last octet (the last
three digits), or the last two or three octets, of the IP address to 255.
For example, if you have a private Class C network (254 usable addresses,
with no direct access to the Internet), your broadcast address might look
something like 192.168.1.255.
In general, the broadcast address is the highest address on a
LAN given its netmask. For example, Vincent Larsen points out
that a netmask of 255.255.255.192 will create a subnet of which
the highest IP address is 192.168.100.63. So in this case the
broadcast address is 192.168.100.63. The network will send anything
between 192.168.100.255 and 192.168.100.63 to the router, if it
How does this work? We get to learn about netmasks now! Each
of the 255s on the netmask keeps the NICs on that subnet from looking
at that part of the IP address. So they only look at the last
segment of the address. There, they subtract 192 from 255 to
get 63, so the NICs on that network only look at 63 and below.
Joe Klemencic explains,
"This math equation assumes you will be operating on the
192.168.100.0 network. You can easily be in the 192.168.100.64-192.168.100.127
network range and still have a 255.255.255.192 netmask. It all
has to do with the binary bit boundaries for a netmask. Basically,
the binary equivalent of the IP address is MASKed with the binary
equivalent of the netmask. Networks are all binary zeros while
the broadcast is all binary ones. Hosts are a combination of
binary ones and zeros in between.
IP:   192.168.100.0   = 11000000 10101000 01100100 00000000
Mask: 255.255.255.192 = 11111111 11111111 11111111 11000000
While looking at the netmask, the rightmost bit that is set determines
how many hosts can be on each network defined by the netmask.
In this case, 11000000, the bits are set in the 128 and 64 fields:
Binary Values: 128  64  32  16   8   4   2   1
Netmask:         1   1   0   0   0   0   0   0
In this case, the rightmost bit is in the Binary Value 64, so
only 64 hosts (including the network number and the broadcast
address) can be contained within a network. Now, to find the broadcast
address for the network:
Since we now know that only 64 hosts (including the network number
and the broadcast address) can be on a network with the 255.255.255.192
mask, you can create a table of available networks:
192.168.100.64 - 192.168.100.127
192.168.100.128 - 192.168.100.191
192.168.100.192 - 192.168.100.255
Now, see where the last octet of your IP address fits into this
table. If your IP address is 192.168.100.115, you will be in the
192.168.100.64 - 192.168.100.127 range, with 192.168.100.64 being
the network number and 192.168.100.127 being the broadcast address.
If you are unsure if you calculated it correctly, remember that
the network number is always an EVEN number, while the broadcast
number is always an ODD number.
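The bit-masking that Joe Klemencic describes, carried through in code. This is an added example, not from the book or from Klemencic; it derives the network and broadcast addresses for any IP/netmask pair, lists every range of that size inside a /24 (so it reproduces the table above and also shows the 192.168.100.0 - 192.168.100.63 range), and cross-checks the hand-rolled arithmetic against Python's ipaddress module.

```python
import ipaddress

def to_int(dotted):
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(ip, netmask):
    """Network = IP AND mask (host bits all 0); broadcast = network OR NOT mask (host bits all 1)."""
    ip_bits, mask_bits = to_int(ip), to_int(netmask)
    host_bits = ~mask_bits & 0xFFFFFFFF          # the zero part of the mask
    if host_bits & (host_bits + 1):              # the 1s must be contiguous from the left
        raise ValueError("non-contiguous netmask: " + netmask)
    network = ip_bits & mask_bits
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(network | host_bits),
        "prefix": 32 - host_bits.bit_length(),
        "size": host_bits + 1,                   # includes network and broadcast addresses
    }

def subnet_table(netmask, within="192.168.100.0"):
    """Every (network, broadcast) range of the given mask inside the /24 that holds `within`."""
    first = to_int(within) & 0xFFFFFF00
    step = subnet_info(within, netmask)["size"]
    if step > 256:
        raise ValueError("mask is wider than a /24: " + netmask)
    return [(to_dotted(n), to_dotted(n + step - 1)) for n in range(first, first + 256, step)]

def check_against_stdlib(ip, netmask):
    """Cross-check the hand-rolled math against Python's ipaddress module."""
    net = ipaddress.ip_interface(ip + "/" + netmask).network
    info = subnet_info(ip, netmask)
    return (str(net.network_address) == info["network"]
            and str(net.broadcast_address) == info["broadcast"])

if __name__ == "__main__":
    # The worked case from the text: 192.168.100.115 with mask 255.255.255.192
    print(subnet_info("192.168.100.115", "255.255.255.192"))
    for net, bcast in subnet_table("255.255.255.192"):
        print(net, "-", bcast)
```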
So how do you find out for sure what the netmask and broadcast
address are on the LAN you are exploring? If you (as a lowly user)
have permission to use the ifconfig command on a box on that LAN,
you are in luck. Here's what SuSE Linux tells us:
eth0 Link encap:Ethernet HWaddr 00:C0:F0:37:56:6A
inet addr:10.0.0.9 Bcast:10.0.0.255 Mask:255.255.255.0
In Windows, you can use:
In Windows 95/98/ME, you can also get your MAC address at the
DOS prompt with the command winipcfg.
If you can't use these commands, just guess. If your target network
has computers that all start with 10.2.2., the broadcast address
will probably be 10.2.2.255 or 10.2.255.255, or (if you get really
lucky) 10.255.255.255. But be prepared for one heck of a bunch
of return pings, including from your own computer.
Normally you can only broadcast within an Ethernet. Most routers
block broadcast transmissions from leaving the LAN. So if you
try to ping 255.255.255.255, you will not broadcast a ping to
every address on the Internet.