LinuxQuestions.org
Old 07-20-2009, 11:50 PM   #1
crackpipe
Member
 
Registered: Nov 2005
Distribution: Slackware, Zenwalk, Debian
Posts: 33

Rep: Reputation: 15
Discover DHCP clients on a subnet


I'm in a home LAN behind a WiFi Linksys router used as a gateway to uplink to the ISP. Downstream, the router serves DHCP to the clients on the LAN in a vanilla 192.168.1.xxx format. I can go into the router, enter a password, click through a couple of screens, and obtain a list of the DHCP clients currently connected on the subnet, but I wonder if there is an application which allows me to do it from a client on the LAN. For example, if I'm on my laptop at 192.168.1.101, is there an application which will allow me to discover other clients on the same subnet, say at addresses 102 and 103, if two other computers were connected? I'd like to see who's on my same subnet without having to log into the router, go through a couple of screens, etc etc, each time I want to know who's online in the house. Hope this makes sense. Thanks.
 
Old 07-21-2009, 07:55 AM   #2
bsdunix
Senior Member
 
Registered: May 2006
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Posts: 1,757

Rep: Reputation: 78
A search of "linux network discovery" using my favorite Internet search tool found this:

AutoScan Network, Network Monitoring and Management Tool
http://autoscan-network.com/index.ph...d=13&Itemid=28

There's probably other similar tools available. If you're good with shell scripts, you could write something that pings the subnet.
 
Old 07-21-2009, 09:51 AM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Interesting s/w concept, but I'm not very impressed w/ its performance.

I d/l'd & installed it, here are some observations:
  1. The site never loaded in Konqueror -- possibly due to a too tight cookie policy.
  2. There is English, but it's not the writer's native language.
  3. The "Add Network Wizard" is not remotely (forgive the pun) intuitive.
  4. Initially it did not find everything on my LAN.
  5. After I did a for loop ping scan, it found everything; but could not figure out the OS of 2 of my Linux boxen. It also couldn't report the name of my SmoothWall 3.0 firewall/gateway/router.
  6. What is "smtp.server.fr" doing under "SMTP:" in "Settings | General"? Is it phoning home? Is the author trustworthy?
  7. Is this the same AutoScan-Network mentioned here: http://en.wikipedia.org/wiki/BackTrack
  8. There is no off-line help & the on-line Help uses Firefox. I prefer Konqueror & Opera, & I'm annoyed that it doesn't recognize them.

It may be OK for scanning an M$ based network, but I'm not sure of its worth for primarily Linux networks.

I'm especially concerned about item #6 -- anyone have any answers or insights?

Last edited by archtoad6; 12-05-2009 at 04:30 AM. Reason: clarify wording
 
Old 07-22-2009, 04:58 PM   #4
crackpipe
Member
 
Registered: Nov 2005
Distribution: Slackware, Zenwalk, Debian
Posts: 33

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bsdunix View Post
A search of "linux network discovery" using my favorite Internet search tool found this:

AutoScan Network, Network Monitoring and Management Tool
http://autoscan-network.com/index.ph...d=13&Itemid=28

There's probably other similar tools available. If you're good with shell scripts, you could write something that pings the subnet.
Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command? One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array. Is there an easier built-in command than pinging all potential addresses?
 
Old 07-24-2009, 07:39 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Quote:
Originally Posted by crackpipe View Post
Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command?
Good Q! I look forward to some good suggestions.

Quote:
Originally Posted by crackpipe View Post
One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array.
In the case of a Class C LAN (192.168.N.0), I count 254: 256 minus 1st & last. Here's the beginnings of how I would do it:
Code:
# LAN parameters:
# 'LAN' is the "Class C" subnet
# 's1' is the 1st host to test, & 's2' the last
# set a narrow range of s1 & s2 during testing
LAN=0
s1=1
s2=254

# the test loop -- pipes raw data into "less"
for ((S=$s1;$S<=$s2;S++))
   do  HOST=192.168.$LAN.$S
   ping -c3 $HOST && echo "Found $HOST"
   echo -e "$?\n====="
done  | less

# to find just the discovered hosts, 
# pipe  'echo "Found $HOST"'  into a file, 
# OR pipe the whole command through a "grep" filter

Quote:
Originally Posted by crackpipe View Post
Is there an easier built-in command than pinging all potential addresses?
None that I know of -- I look fwd. to seeing others' suggestions.
 
Old 07-24-2009, 10:24 AM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian
Posts: 2,307

Rep: Reputation: 767Reputation: 767Reputation: 767Reputation: 767Reputation: 767Reputation: 767Reputation: 767
I would suggest nmap, see the Host Discovery page in the reference guide.
 
Old 07-24-2009, 11:58 AM   #7
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
There are literally thousands of Linux applications that will do just what you're looking for. My personal favorite is Autoscan which does a full port scan, SNMP, and MAC scan. http://autoscan-network.com/. This is a GUI application and it's pretty easy to use. However it is very intensive and will appear as an attack. Additionally you can use NMAP which is the de facto standard tool for host discovery and scanning. Another really easy way to find out who's on your network segment is to do an ARP scan. There are a couple of ARP scanning utilities that I like, the first is arp-scan, which is a console application, you would issue this command to find all the hosts in your network: arp-scan --localnet. This will display a list of IP addresses as well as MAC addresses. Additionally you could always use Ettercap-GTK which is also another attack tool that can ARP poison, but you could just use it for host discovery as well.
 
Old 07-24-2009, 01:55 PM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
tekhead2,

Can you answer any of the questions & concerns I voiced in post #3?

TIA,
 
Old 07-24-2009, 02:16 PM   #9
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
Well the smtp server section is for collecting different OS signatures. Autoscan does host guessing based on a host database that is run from the developer's website. Once you get Autoscan working and you come across a host with an unknown OS or signature it will prompt you to fill information concerning which OS and/or type of hardware it is. So yes it does "phone home" but only when you submit a host signature.

The add network function is because Autoscan is actually a client-server application and you can place the server executable on other machines and have them act as network daemons. I've not really seen a use for this yet, but I'm sure if I had several large segments I could make use of it. I typically just choose my localhost's IP address, which it should autofill in the drop down menu.

As far as OS detection goes it's really mediocre, I would much rather just use NMAP with ZenMAP, which it apparently does use to some extent, you can also run an NMAP scan from inside of the applications interface which is just a simple scan.

I'm not sure why you had issues not seeing any hosts on your network, I've not had anything like that happen, unless it crashes, which I admit it's done to me quite a bit in the most recent version.

I think the real reason why I like having it is its ability to do SNMP scanning, OS detection, and the intrusion alert function. It's just another tool in the toolbox. It is by no means a definitive solution, but judging from your question it sounds like you're wanting a heads up on what's connected to your network, and I can attest that the intrusion alert pops up whenever I connect a new host to the network.
 
Old 07-28-2009, 01:47 AM   #10
crackpipe
Member
 
Registered: Nov 2005
Distribution: Slackware, Zenwalk, Debian
Posts: 33

Original Poster
Rep: Reputation: 15
I'm greatly appreciating the responses here so far. Took a look at Zenmap (Zenwalk nmap GUI) and Auto-Scan. Both seem to discover network clients by scanning, say, 192.168.1.0/24. Both of these applications appear a little like pianos -- one has to learn to play them. It may be that using these GUIs gets me to understand what I might be able to do more quickly with a script, such as the one initiated by ArchToad above. The quest continues, especially for something that doesn't take a lot of resources and accomplishes occasional polling with a pop-up if joins the subnet. I'll watch with interest for additional suggestions/experiences here.
 
Old 07-28-2009, 02:25 AM   #11
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,512
Blog Entries: 27

Rep: Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174
Hello crackpipe

What you want to do is not absolutely possible; all DHCP clients have the option of simply ignoring every probe packet you send them. Ignoring this type of DHCP client, how much information do you want/need? Just the IP addresses of DHCP clients or more?

How big is the router's DHCP pool? archtoad calculated 256 less the broadcast and network addresses and that is a robust approach but you could speed things up by configuring the actual DHCP pool into the script, maybe even have the script telnet into the router and screen-scrape that information.

There's another idea -- it may be possible to script telnetting into the router to get the same info you get by browsing the router's web-server pages. But isn't that leases granted and not expired? If so, any clients that went offline without releasing their leases would also be listed.

Best

Charles
 
Old 07-28-2009, 09:52 AM   #12
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
catkin,
Quote:
Originally Posted by catkin View Post
What you want to do is not absolutely possible;
Did you mean "What you want to do is absolutely not possible..."? -- Minor change in wording, significant change in meaning. Apologies if I am misinterpreting you.


crackpipe,
Quote:
Originally Posted by catkin View Post
There's another idea -- it may be possible to script telnetting into the router to get the same info you get by browsing the router's web-server pages.
Or use ssh. Or if there is a mini-website w/in the router, try wget or cURL.

Several years ago, before I really started using Linux, I used cURL to log into my SMC 7008BR to scrape & d/l its logs; as well as check on its WAN IP address.
 
Old 07-28-2009, 10:11 AM   #13
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,512
Blog Entries: 27

Rep: Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174
Quote:
Originally Posted by archtoad6 View Post
catkin,
Did you mean "What you want to do is absolutely not possible..."? -- Minor change in wording, significant change in meaning. Apologies if I am misinterpreting you.
Sorry -- I was trying to be concise and ended up being confusing. I meant "What you want to do is not definitely, completely and unquestionably possible" -- there are circumstances in which it is not possible.

As you say, it is quite (in the original sense of that word!) different from "What you want to do is absolutely not possible". Now it is the "not" that is "definitely, completely and unquestionably" -- there are no circumstances in which it is possible.

 
Old 07-28-2009, 10:22 AM   #14
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 47
It's not clear if you want to list only the DHCP clients or all the hosts on the network, particularly since many of the solutions are only to list the hosts, rather than those that had their addresses assigned via DHCP.

To list hosts, you could do (X.Y.Z.0/24 being your subnet in CIDR notation)...

Code:
nmap X.Y.Z.0/24
Or

Code:
arp -a
The only definitive way to enumerate DHCP clients is through the Server that assigned their addresses. You could attempt to expire their leases and have them renew, but, again how to do that from another client. ARP related attacks don't specifically hit DHCP clients either.

In short... are you after all hosts on a subnet or just the DHCP clients?
 
Old 07-30-2009, 01:33 AM   #15
crackpipe
Member
 
Registered: Nov 2005
Distribution: Slackware, Zenwalk, Debian
Posts: 33

Original Poster
Rep: Reputation: 15
nowonmai's nmap command recipe gave a list of hosts quite nicely. That's in the direction I'm headed. Eventually, I'd like to build the capacity for nmap to poll with a little more information, such as the MAC, pop-up a terminal to alert me to any new DHCP hosts, and ask if I would like to log that new host. I could set up a postgresql database that saves anything I want to log. In this way, if I am ever hacked, I at least have learned how to save forensic info for the po-po's.

What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
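
Added example, not part of any post in this thread: a shell version of the polling described in post #15, which parses arp -a output (the command from post #14), compares each MAC address against a baseline file and logs hosts not seen before. The function names, file arguments and sample addresses are constructed for illustration; the ARP cache only lists hosts this machine has recently exchanged traffic with, so a ping sweep or nmap run beforehand fills it.

```shell
#!/bin/sh
# Added example (not from the thread): report MAC addresses that are not in a
# baseline file. Input is `arp -a` output in the Linux net-tools layout.
# Function names and file arguments are hypothetical.

# Constructed sample, not captured from a real network.
SAMPLE='? (192.168.1.1) at 00:16:3E:AA:BB:01 [ether] on eth0
? (192.168.1.102) at 00:16:3e:aa:bb:02 [ether] on eth0
? (192.168.1.103) at <incomplete> on eth0
? (192.168.1.104) at 00:16:3e:aa:bb:04 [ether] on eth0'

# parse_arp: stdin = `arp -a` output; stdout = "mac ip" per resolved entry.
# Entries without a six-octet MAC (such as <incomplete>) are dropped.
parse_arp() {
    awk '$3 == "at" && split($4, oct, ":") == 6 {
        ip = $2; gsub(/[()]/, "", ip)
        print tolower($4), ip
    }'
}

# new_hosts BASELINE: stdin = "mac ip" lines; stdout = the lines whose MAC is
# not the first column of any BASELINE line (case-insensitive).
# A missing or empty baseline reports every host.
new_hosts() (
    while read -r mac ip; do
        grep -qiE "^$mac([[:space:]]|\$)" "$1" 2>/dev/null ||
            printf '%s %s\n' "$mac" "$ip"
    done
)

# record_new BASELINE LOG: stdin = `arp -a` output. Appends each new host to
# LOG with a UTC timestamp, adds it to BASELINE so it is reported only once,
# and prints it. Live use, e.g. from cron: arp -an | record_new known.txt new.log
record_new() (
    found=$(parse_arp | new_hosts "$1")
    if [ -n "$found" ]; then
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        printf '%s\n' "$found" | sed "s/^/$stamp new host /" >>"$2"
        printf '%s\n' "$found" >>"$1"
        printf '%s\n' "$found"
    fi
)

# Demo on the constructed sample with an empty baseline: lists three hosts.
printf '%s\n' "$SAMPLE" | parse_arp | new_hosts /dev/null
```

Seeding the baseline file with the MAC addresses of the household's own machines keeps the first run from reporting every host as new.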
 
  

