Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm in a home LAN behind a WiFi Linksys router used as a gateway to uplink to the ISP. Downstream, the router serves DHCP to the clients on the LAN in a vanilla 192.168.1.xxx format. I can go into the router, enter a password, click through a couple of screens, and obtain a list of the DHCP clients currently connected on the subnet, but I wonder if there is an application which allows me to do it from a client on the LAN. For example, if I'm on my laptop at 192.168.1.101, is there an application which will allow me to discover other clients on the same subnet, say at addresses 102 and 103, if two other computers were connected? I'd like to see who's on my same subnet without having to log into the router, go through a couple of screens, etc etc, each time I want to know who's online in the house. Hope this makes sense. Thanks.
There are probably other similar tools available. If you're good with shell scripts, you could write something that pings the subnet.
Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command? One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array. Is there an easier built-in command than pinging all potential addresses?
Originally Posted by crackpipe
Apparently there is a way to do this with pings? In general, of course we all prefer commands to applications so I'm tempted to go with pinging. But is pinging the right command?
Good Q! I look forward to some good suggestions.
Originally Posted by crackpipe
One would appear to have to ping each and every potential LAN address sequentially to see if there is a reply. This is at least a hundred possible addresses, so that the results of any hits would apparently have to be funneled into an array.
In the case of a Class C LAN (192.168.N.0), I count 254: 256 minus 1st & last. Here's the beginnings of how I would do it:
# LAN parameters:
# 'LAN' is the "Class C" subnet
# 's1' is the 1st host to test, & 's2' the last
# set a narrow range of s1 & s2 during testing
LAN=192.168.1
s1=1
s2=254
# the test loop -- pipes raw data into "less"
# (loop header filled in from the comments above; assumes coreutils seq)
for i in $(seq $s1 $s2); do
  HOST=$LAN.$i
  ping -c3 $HOST && echo "Found $HOST"
  echo -e "$?\n====="
done | less
# to find just the discovered hosts,
# pipe 'echo "Found $HOST"' into a file,
# OR pipe the whole command through a "grep" filter
Originally Posted by crackpipe
Is there an easier built-in command than pinging all potential addresses?
None that I know of -- I look forward to seeing others' suggestions.
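A complete version of the sweep sketched in this post, added here as an example rather than code from the thread: it pings every address of the /24 in parallel (sequential `ping -c3` waits roughly ten seconds per silent address), prints only the hosts that answered, and puts them back in address order. It assumes Linux iputils `ping` (`-W` is a timeout in seconds) and coreutils `seq`, `sed` and `sort`.

```sh
#!/bin/sh
# Added example, not posted in this thread: a parallel ping sweep of one /24.
# Assumptions: Linux with iputils ping (-W is a per-reply timeout in seconds),
# coreutils seq/sed/sort, run from a host on the same LAN.

# Print one dotted address per line for hosts s1..s2 of the /24 given as
# its first three octets, e.g. lan_hosts 192.168.1 1 254
lan_hosts() {
    lan=$1; s1=$2; s2=$3
    seq "$s1" "$s2" | sed "s/^/$lan./"
}

# Background pings finish in any order; sort the result by the last octet.
sort_hosts() {
    sort -t . -k 4,4 -n
}

# Ping every address once, in parallel, and print only those that answered.
# A host whose firewall drops ICMP echo stays silent, so "not listed" is
# not the same as "not on the LAN".
ping_sweep() {
    lan=$1; s1=${2:-1}; s2=${3:-254}
    lan_hosts "$lan" "$s1" "$s2" | {
        while read -r host; do
            ( ping -c 1 -W 1 "$host" >/dev/null 2>&1 && echo "$host" ) &
        done
        wait   # inside the braces so it waits for the pings just started
    } | sort_hosts
}

# Usage: sh sweep.sh 192.168.1 [first] [last]
if [ -n "${1:-}" ]; then
    ping_sweep "$@"
fi
```

Keep the caveat from the script in mind when reading its output: a machine that is configured to ignore echo requests is on the subnet but never shows up, which is exactly the limitation discussed later in the thread.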
There are literally thousands of Linux applications that will do just what you're looking for. My personal favorite is Autoscan which does a full port scan, SNMP, and MAC scan. http://autoscan-network.com/. This is a GUI application and it's pretty easy to use. However it is very intensive and will appear as an attack. Additionally you can use NMAP which is the de facto standard tool for host discovery and scanning. Another really easy way to find out who's on your network segment is to do an ARP scan. There are a couple of ARP scanning utilities that I like; the first is arp-scan, which is a console application. You would issue this command to find all the hosts in your network: arp-scan --localnet. This will display a list of IP addresses as well as MAC addresses. Additionally you could always use Ettercap-GTK which is also another attack tool that can ARP poison, but you could just use it for host discovery as well.
Well the smtp server section is for collecting different OS signatures. Autoscan does host guessing based on a host database that is run from the developers' website. Once you get Autoscan working and you come across a host with an unknown OS or signature it will prompt you to fill in information concerning which OS and/or type of hardware it is. So yes it does "phone home", but only when you submit a host signature.
The add network function is because Autoscan is actually a client-server application and you can place the server executable on other machines and have them act as network daemons. I've not really seen a use for this yet, but I'm sure if I had several large segments I could make use of it. I typically just choose my localhost's IP address, which it should autofill in the drop down menu.
As far as OS detection goes it's really mediocre. I would much rather just use NMAP with ZenMAP, which it apparently does use to some extent; you can also run an NMAP scan from inside of the application's interface, which is just a simple scan.
I'm not sure why you had issues not seeing any hosts on your network, I've not had anything like that happen, unless it crashes, which I admit it's done to me quite a bit in the most recent version.
I think the real reason why I like having it is its ability to do SNMP scanning, OS detection, and the intrusion alert function. It's just another tool in the toolbox. It is by no means a definitive solution, but judging from your question it sounds like you're wanting a heads up on what's connected to your network, and I can attest that the intrusion alert pops up whenever I connect a new host to the network.
I'm greatly appreciating the responses here so far. Took a look at Zenmap (Zenwalk nmap GUI) and Auto-Scan. Both seem to discover network clients by scanning, say, 192.168.1.0/24. Both of these applications appear a little like pianos -- one has to learn to play them. It may be that using these GUIs gets me to understand what I might be able to do more quickly with a script, such as the one initiated by ArchToad above. The quest continues, especially for something that doesn't take a lot of resources and accomplishes occasional polling with a pop-up if anything joins the subnet. I'll watch with interest for additional suggestions/experiences here.
What you want to do is not absolutely possible; all DHCP clients have the option of simply ignoring every probe packet you send them. Ignoring this type of DHCP client, how much information do you want/need? Just the IP addresses of DHCP clients or more?
How big is the router's DHCP pool? archtoad calculated 256 less the broadcast and network addresses and that is a robust approach but you could speed things up by configuring the actual DHCP pool into the script, maybe even have the script telnet into the router and screen-scrape that information.
There's another idea -- it may be possible to script telnetting into the router to get the same info you get by browsing the router's web-server pages. But isn't that leases granted and not expired? If so, any clients that went offline without releasing their leases would also be listed.
Did you mean "What you want to do is absolutely not possible..."? -- Minor change in wording, significant change in meaning. Apologies if I am misinterpreting you.
Sorry -- I was trying to be concise and ended up being confusing. I meant "What you want to do is not definitely, completely and unquestionably possible" -- there are circumstances in which it is not possible.
As you say, it is quite (in the original sense of that word!) different from ""What you want to do is absolutely not possible". Now it is the "not" that is "definitely, completely and unquestionably" -- there are no circumstances in which it is possible.
It's not clear if you want to list only the DHCP clients or all the hosts on the network, particularly since many of the solutions are only to list the hosts, rather than those that had their addresses assigned via DHCP.
To list hosts, you could do (X.Y.Z.0/24 being your subnet in CIDR notation)...
The only definitive way to enumerate DHCP clients is through the server that assigned their addresses. You could attempt to expire their leases and have them renew, but, again, how to do that from another client? ARP related attacks don't specifically hit DHCP clients either.
In short... are you after all hosts on a subnet or just the DHCP clients?
Noowanmi's nmap command recipe gave a list of hosts quite nicely. That's in the direction I'm headed. Eventually, I'd like to build the capacity for nmap to poll with a little more information, such as the MAC, pop-up a terminal to alert me to any new DHCP hosts, and ask if I would like to log that new host. I could set up a postgresql database that saves anything I want to log. In this way, if I am ever hacked, I at least have learned how to save forensic info for the po-po's.
What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
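The polling-with-alert idea from two posts up, implemented as an added example (not code from anyone in the thread): one round reads the kernel's neighbour table with `ip neigh show`, turns it into IP/MAC pairs, reports any pair not already in a known-hosts file, and appends the new ones to that file and to a timestamped log. It assumes Linux with iproute2 and POSIX `sh`, `awk`, `grep` and `sort`; the file names are placeholders.

```sh
#!/bin/sh
# Added example, not posted in this thread: poll the kernel neighbour (ARP)
# table, record IP/MAC pairs, and flag pairs not seen before.
# Assumptions: Linux with iproute2 (`ip neigh show`), POSIX sh/awk/grep/sort.
# The table only holds hosts that have exchanged frames with this machine;
# run a sweep (ping or arp-scan) first so the table is populated.

# Turn `ip neigh show` lines ("IP dev IFACE lladdr MAC STATE") into
# "IP MAC" lines. Entries without lladdr (FAILED/INCOMPLETE) carry no
# hardware address and are skipped.
parse_neigh() {
    awk '$2 == "dev" && $4 == "lladdr" { print $1, $5 }'
}

# Print the lines of $2 (current "IP MAC") that are not in $1 (known file).
# grep -f with an empty known file matches nothing, so every line is new;
# grep exits 1 when nothing is printed, which is not an error here.
new_pairs() {
    known=$1; current=$2
    grep -vxF -f "$known" "$current" || true
}

# One polling round. $1 = known-hosts file (created if missing), $2 = log.
# A known IP that now answers with a different MAC is reported as a new
# pair, which is worth a look: it is what ARP spoofing looks like from here.
poll_once() {
    known=$1; log=$2
    [ -f "$known" ] || : > "$known"
    current=$(mktemp)
    ip neigh show | parse_neigh | sort -u > "$current"
    new_pairs "$known" "$current" | while read -r ip mac; do
        printf '%s new host %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$ip" "$mac" \
            | tee -a "$log"
        echo "$ip $mac" >> "$known"
    done
    rm -f "$current"
}

# Usage: sh lanwatch.sh poll   (e.g. from cron every few minutes)
if [ "${1:-}" = "poll" ]; then
    poll_once "$HOME/lan-known-hosts" "$HOME/lan-watch.log"   # placeholder paths
fi
```

This answers the question in the post above only in part. A node that merely listens sends no frames, so it never enters the ARP table and never answers a ping; the IP layer has nothing to show for it. Its footprint, if any, is at layer 2: on a WiFi LAN the access point's association list, on a wired LAN the switch's MAC table, which is the kind of information the router's own pages carry and the script cannot see.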