LinuxQuestions.org


crackpipe 07-21-2009 12:50 AM

Discover DHCP clients on a subnet
 
I'm in a home LAN behind a WiFi Linksys router used as a gateway to uplink to the ISP. Downstream, the router serves DHCP to the clients on the LAN in a vanilla 192.168.1.xxx format. I can go into the router, enter a password, click through a couple of screens, and obtain a list of the DHCP clients currently connected on the subnet, but I wonder if there is an application which allows me to do it from a client on the LAN. For example, if I'm on my laptop at 192.168.1.101, is there an application which will allow me to discover other clients on the same subnet, say at addresses 102 and 103, if two other computers were connected? I'd like to see who's on my same subnet without having to log into the router, go through a couple of screens, etc etc, each time I want to know who's online in the house. Hope this makes sense. Thanks.

bsdunix 07-21-2009 08:55 AM

A search of "linux network discovery" using my favorite Internet search tool found this:

AutoScan Network, Network Monitoring and Management Tool
http://autoscan-network.com/index.ph...d=13&Itemid=28

There are probably other similar tools available. If you're good with shell scripts, you could write something that pings the subnet.

archtoad6 07-21-2009 10:51 AM

Interesting s/w concept, but I'm not very impressed w/ its performance.

I d/l'd & installed it, here are some observations:
  1. The site never loaded in Konqueror -- possibly due to a too tight cookie policy.
  2. There is English, but it's not the writer's native language.
  3. The "Add Network Wizard" is not remotely (forgive the pun) intuitive.
  4. Initially it did not find everything on my LAN.
  5. After I did a for loop ping scan, it found everything; but could not figure out the OS of 2 of my Linux boxen. It also couldn't report the name of my SmoothWall 3.0 firewall/gateway/router.
  6. What is "smtp.server.fr" doing under "SMTP:" in "Settings | General"? Is it phoning home? Is the author trustworthy?
  7. Is this the same AutoScan-Network mentioned here: http://en.wikipedia.org/wiki/BackTrack
  8. There is no off-line help & the on-line Help uses Firefox. I prefer Konqueror & Opera, & I'm annoyed that it doesn't recognize them.

It may be OK for scanning an M$ based network, but I'm not sure of its worth for primarily Linux networks.

I'm especially concerned about item #6 -- anyone have any answers or insights?

crackpipe 07-22-2009 05:58 PM

Quote:

Originally Posted by bsdunix (Post 3615131)
A search of "linux network discovery" using my favorite Internet search tool found this:

AutoScan Network, Network Monitoring and Management Tool
http://autoscan-network.com/index.ph...d=13&Itemid=28

There are probably other similar tools available. If you're good with shell scripts, you could write something that pings the subnet.

Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command? One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array. Is there an easier built-in command than pinging all potential addresses?

archtoad6 07-24-2009 08:39 AM

Quote:

Originally Posted by crackpipe (Post 3616996)
Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command?

Good Q! I look forward to some good suggestions.

Quote:

Originally Posted by crackpipe (Post 3616996)
One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array.

In the case of a Class C LAN (192.168.N.0), I count 254: 256 minus 1st & last. Here's the beginnings of how I would do it:
Code:

# LAN parameters:
# 'LAN' is the "Class C" subnet
# 's1' is the 1st host to test, & 's2' the last
# set a narrow range of s1 & s2 during testing
LAN=0
s1=1
s2=254

# the test loop -- pipes raw data into "less"
# (the (( )) form needs bash, not plain sh)
for ((S=s1; S<=s2; S++))
  do  HOST=192.168.$LAN.$S
  ping -c3 "$HOST" && echo "Found $HOST"
  echo -e "$?\n====="    # exit status of the line above, then a separator
done  | less

# to find just the discovered hosts,
# pipe  'echo "Found $HOST"'  into a file,
# OR pipe the whole command through a "grep" filter

Quote:

Originally Posted by crackpipe (Post 3616996)
Is there an easier built-in command than pinging all potential addresses?

None that I know of -- I look fwd. to seeing others' suggestions.
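As an added example (not code from the thread or from any poster), here is the same idea written to finish in seconds rather than minutes: every address in the range is probed concurrently with a single, one-second-timeout echo request, and only the responders are printed, in address order. It assumes iputils ping (the -c and -W flags) and a 192.168.LAN.0/24 subnet; the PROBE_CMD hook is an assumption of this example so the probe can be swapped out. As catkin notes further down the thread, a host that drops ICMP simply never appears in the list, so an empty result is not proof that an address is unused.

```shell
#!/bin/sh
# Added example, not from the thread: parallel ping sweep of 192.168.LAN.FIRST..LAST
# that prints only the addresses that answered. Assumes iputils ping:
#   -c1 sends one echo request, -W1 gives up after one second.

# probe_host ADDR: succeed when ADDR answers one timed ping.
# PROBE_CMD is a hook (this example's own idea) so the probe can be replaced,
# e.g. by a stub when testing without a network.
probe_host() {
  ${PROBE_CMD:-ping -c1 -W1} "$1" >/dev/null 2>&1
}

# sweep LAN FIRST LAST: probe each address in the background, at most 32 at a
# time, and echo the ones that answered (in completion order).
sweep() {
  lan=$1; s=$2; last=$3
  while [ "$s" -le "$last" ]; do
    addr="192.168.$lan.$s"
    ( probe_host "$addr" && echo "$addr" ) &
    # bound the number of probes in flight
    if [ $((s % 32)) -eq 0 ]; then wait; fi
    s=$((s + 1))
  done
  wait
}

# found_hosts LAN FIRST LAST: sweep output sorted numerically by the host octet.
# Hosts that drop ICMP echo requests are absent, not "down".
found_hosts() {
  sweep "$1" "$2" "$3" | sort -t. -k4,4n
}

# usage: sh sweep.sh LAN [FIRST] [LAST], e.g.  sh sweep.sh 1 1 254
if [ $# -ge 1 ]; then found_hosts "$1" "${2:-1}" "${3:-254}"; fi
```

Running it as `sh sweep.sh 1` covers 192.168.1.1 through 192.168.1.254; piping the output to a file and diffing against a previous run is the simplest "who is new on the LAN" check.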

ntubski 07-24-2009 11:24 AM

I would suggest nmap, see the Host Discovery page in the reference guide.

tekhead2 07-24-2009 12:58 PM

There are literally thousands of Linux applications that will do just what you're looking for. My personal favorite is Autoscan, which does a full port scan, SNMP, and MAC scan. http://autoscan-network.com/. This is a GUI application and it's pretty easy to use. However it is very intensive and will appear as an attack. Additionally you can use NMAP, which is the de facto standard tool for host discovery and scanning. Another really easy way to find out who's on your network segment is to do an ARP scan. There are a couple of ARP scanning utilities that I like; the first is arp-scan, which is a console application. You would issue this command to find all the hosts in your network: arp-scan --localnet. This will display a list of IP addresses as well as MAC addresses. Additionally you could always use Ettercap-GTK, which is also another attack tool that can ARP poison, but you could just use it for host discovery as well.

archtoad6 07-24-2009 02:55 PM

tekhead2,

Can you answer any of the questions & concerns I voiced in post #3?

TIA,

tekhead2 07-24-2009 03:16 PM

Well, the smtp server section is for collecting different OS signatures. Autoscan does host guessing based on a host database that is run from the developer's website. Once you get Autoscan working and you come across a host with an unknown OS or signature, it will prompt you to fill in information concerning which OS and/or type of hardware it is. So yes, it does "phone home", but only when you submit a host signature.

The add network function is because Autoscan is actually a client-server application and you can place the server executable on other machines and have them act as network daemons. I've not really seen a use for this yet, but I'm sure if I had several large segments I could make use of it. I typically just choose my localhost's IP address, which it should autofill in the drop-down menu.

As far as OS detection goes it's really mediocre; I would much rather just use NMAP with ZenMAP, which it apparently does use to some extent. You can also run an NMAP scan from inside the application's interface, which is just a simple scan.

I'm not sure why you had issues not seeing any hosts on your network, I've not had anything like that happen, unless it crashes, which I admit it's done to me quite a bit in the most recent version.

I think the real reason why I like having it is its ability to do SNMP scanning, OS detection, and the intrusion alert function. It's just another tool in the toolbox. It is by no means a definitive solution, but judging from your question it sounds like you're wanting a heads up on what's connected to your network, and I can attest that the intrusion alert pops up whenever I connect a new host to the network.

crackpipe 07-28-2009 02:47 AM

I'm greatly appreciating the responses here so far. Took a look at Zenmap (Zenwalk nmap GUI) and Auto-Scan. Both seem to discover network clients by scanning, say, 192.168.1.0/24. Both of these applications appear a little like pianos -- one has to learn to play them. It may be that using these GUIs gets me to understand what I might be able to do more quickly with a script, such as the one initiated by ArchToad above. The quest continues, especially for something that doesn't take a lot of resources and accomplishes occasional polling with a pop-up if a host joins the subnet. I'll watch with interest for additional suggestions/experiences here.

catkin 07-28-2009 03:25 AM

Hello crackpipe :)

What you want to do is not absolutely possible; all DHCP clients have the option of simply ignoring every probe packet you send them. Ignoring this type of DHCP client, how much information do you want/need? Just the IP addresses of DHCP clients or more?

How big is the router's DHCP pool? archtoad calculated 256 less the broadcast and network addresses and that is a robust approach but you could speed things up by configuring the actual DHCP pool into the script, maybe even have the script telnet into the router and screen-scrape that information.

There's another idea -- it may be possible to script telnetting into the router to get the same info you get by browsing the router's web-server pages. But isn't that leases granted and not expired? If so, any clients that went offline without releasing their leases would also be listed.

Best

Charles

archtoad6 07-28-2009 10:52 AM

catkin,
Quote:

Originally Posted by catkin (Post 3622617)
What you want to do is not absolutely possible;

Did you mean "What you want to do is absolutely not possible..."? -- Minor change in wording, significant change in meaning. Apologies if I am misinterpreting you. :)


crackpipe,
Quote:

Originally Posted by catkin (Post 3622617)
There's another idea -- it may be possible to script telnetting into the router to get the same info you get by browsing the router's web-server pages.

Or use ssh. Or if there is a mini-website w/in the router, try wget or cURL.

Several years ago, before I really started using Linux, I used cURL to log into my SMC 7008BR to scrape & d/l its logs; as well as check on its WAN IP address.

catkin 07-28-2009 11:11 AM

Quote:

Originally Posted by archtoad6 (Post 3623025)
catkin,
Did you mean "What you want to do is absolutely not possible..."? -- Minor change in wording, significant change in meaning. Apologies if I am misinterpreting you. :)

Sorry -- I was trying to be concise and ended up being confusing. I meant "What you want to do is not definitely, completely and unquestionably possible" -- there are circumstances in which it is not possible.

As you say, it is quite (in the original sense of that word!) different from ""What you want to do is absolutely not possible". Now it is the "not" that is "definitely, completely and unquestionably" -- there are no circumstances in which it is possible.

:study:

nowonmai 07-28-2009 11:22 AM

It's not clear if you want to list only the DHCP clients or all the hosts on the network, particularly since many of the solutions are only to list the hosts, rather than those that had their addresses assigned via DHCP.

To list hosts, you could do (X.Y.Z.0/24 being your subnet in CIDR notation)...

Code:

nmap X.Y.Z.0/24

Or

Code:

arp -a

The only definitive way to enumerate DHCP clients is through the server that assigned their addresses. You could attempt to expire their leases and have them renew, but, again, how to do that from another client? ARP-related attacks don't specifically hit DHCP clients either.

In short... are you after all hosts on a subnet or just the DHCP clients?

crackpipe 07-30-2009 02:33 AM

nowonmai's nmap command recipe gave a list of hosts quite nicely. That's in the direction I'm headed. Eventually, I'd like to build the capacity for nmap to poll with a little more information, such as the MAC, pop up a terminal to alert me to any new DHCP hosts, and ask if I would like to log that new host. I could set up a postgresql database that saves anything I want to log. In this way, if I am ever hacked, I at least have learned how to save forensic info for the po-po's.

What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
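The polling crackpipe describes (run nowonmai's nmap recipe, keep a record, and be told when a host appears that was not there before) can be done with a few lines of sh and awk. The following is an added example, not code from the thread: it parses the plain-text output of `nmap -sn` into "IP MAC" lines, compares them with a baseline file of hosts already seen, prints the newcomers and folds them into the baseline. It assumes the "Nmap scan report for ..." output format of current nmap releases; the MAC line is only printed when nmap runs as root on the same segment, so "?" stands in where none was reported. The SCAN_CMD hook, the sample_scan function and the scan output inside it are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: poll the LAN with "nmap -sn", keep a baseline
# of known hosts, and report any "IP MAC" pair not seen in an earlier poll.
# Assumes the "Nmap scan report for ..." text format; MAC lines appear only when
# nmap runs as root on the local segment.

# parse_nmap_sn: nmap -sn output on stdin -> one "IP MAC" line per live host,
# sorted by host octet. MAC is "?" when nmap reported none (e.g. the scanning host).
parse_nmap_sn() {
  awk '
    /^Nmap scan report for/ {
      if (ip != "") print ip, mac
      ip = $NF; gsub(/[()]/, "", ip); mac = "?"   # last field is "addr" or "(addr)"
    }
    /^MAC Address:/ { mac = $3 }
    END { if (ip != "") print ip, mac }
  ' | sort -t. -k4,4n
}

# new_hosts BASELINE CURRENT: lines of CURRENT that do not occur in BASELINE.
# (FILENAME==ARGV[1] rather than NR==FNR so an empty baseline is handled correctly.)
new_hosts() {
  awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# poll BASELINE_FILE: scan, print hosts not in the baseline, then append them to it.
# SCAN_CMD is this example's hook for substituting a canned scan (see sample_scan).
poll() {
  baseline=$1
  current=$(mktemp)
  ${SCAN_CMD:-nmap -sn 192.168.1.0/24} | parse_nmap_sn > "$current"
  [ -f "$baseline" ] || : > "$baseline"
  added=$(new_hosts "$baseline" "$current")
  if [ -n "$added" ]; then
    printf '%s\n' "$added"                 # the alert: hosts seen for the first time
    printf '%s\n' "$added" >> "$baseline"  # remember them for the next poll
  fi
  rm -f "$current"
}

# sample_scan: constructed nmap -sn output (not a real capture) for offline use,
# selected with SCAN_CMD=sample_scan.
sample_scan() {
  cat <<'EOF'
Starting Nmap ( http://nmap.org )
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:01 (Constructed Vendor)
Nmap scan report for 192.168.1.101
Host is up.
Nmap scan report for 192.168.1.103
Host is up (0.0456s latency).
MAC Address: 00:11:22:33:44:03 (Constructed Vendor)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
EOF
}

# usage: sudo sh poll.sh /var/tmp/known-hosts   (run it from cron for periodic polling)
if [ $# -ge 1 ]; then poll "$1"; fi
```

A pair that was seen before with a different MAC is reported as new, which is the case worth noticing: either the router handed the address to another machine or something is answering for an address it did not have yesterday. Like the ping sweep, this only sees hosts that answer nmap's probes; a node that never transmits is invisible to any active scan, which is the limit catkin was pointing at.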

