Red October Network Discovery.
by Computothought in Circuits > Linux
3904 Views, 23 Favorites, 0 Comments
Red October Network Discovery.
The basis of this Instructable is based on the dialog from the movie known as "The hunt for the Red October". In the movie, one of the key lines was I think "One ping and one ping only". Pinging was a method by submarines equipped with sonar to detect what is around them. Normally you would use more than one ping. In computing we also have a program called ping that does the same thing to detect what is around on the network. There is a very powerful program called nmap that usually automates such activity. That usually takes some kind of administrative power to implement. We will be using a simple linux batch file (could be easily converted to other platforms) to detect what is around us. This tool is perfect for the home network. It will probably not detect what is known as "Man in the middle devices", but at least you can see the visible systems on your network.
The code.
ping.sh: (do not forget "chmod +x ping.sh)
[code]
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_seq=1"
done
[/code]
If you have a different network, you will have to change "192.168.1" accordingly, here again we are using the good old "grep" command to extract data from the return stream. it is our sonar scope. Let's run it.
$ ./ping.sh
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.852 ms
64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=2.75 ms
64 bytes from 192.168.1.109: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 192.168.1.115: icmp_seq=1 ttl=64 time=0.064 ms
$ _
Ok, there are five devices on the network. We need to know more. There is what is call DNS or "Domain naming service". We can use the router to tell us what the ipaddresses maybe are known as.
The code.
nslookup.sh: (Do not forget to make it executable with chmod +x nslookup.sh")
[code]
for i in {1..254}
do
nslookup 192.168.1.$i |grep name
done
[/code]
Let's run it.
$ ./nslookup.sh
1.1.168.192.in-addr.arpa name = my_network.
10.1.168.192.in-addr.arpa name = router2.
20.1.168.192.in-addr.arpa name = router3.
31.1.168.192.in-addr.arpa name = oesrvr1.
115.1.168.192.in-addr.arpa name = oesrvr104
$_
Notice the ipadresses are backwards, but we still can identify units on the network from the list. Two devices show up known as router2 and router3. I know that they are not connected to the network at this time. They just have reserved names in the router. The unit at 99 is actually the print server and should have a reserved name in the router, I can take care of that later. 109 is a temp machine I have set up to test some software. Now if there were any unknown numbers, they would need to be investigated immediately. Again you would need to change "192.168.1." to work with your network.
Ever wondered what your computer is looking for. Some of these could be avenues for hackers to get into your machine. Actually this is looking for processes bound to specific ports.
Use the following command to see wbat particular port your computer is listening for:
Terminal - Look for the process bound to a certain port:
You might see something like this in the file.
Cups is the unix print mechanism, Something you might want to keep and eye on once in a while or less.
--------------
addendum:
$ cat pingall.sh
a=""
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_seq=1"
done
$ ./pingall.sh
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.623 ms
64 bytes from 192.168.1.32: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=4.77 ms
64 bytes from 192.168.1.125: icmp_seq=1 ttl=64 time=1.26 ms
64 bytes from 192.168.1.149: icmp_seq=1 ttl=64 time=0.306 ms
Went back to the original system and decided to do just a single ping.
$ ping -c 1 192.168.1.32
PING 192.168.1.32 (192.168.1.32) 56(84) bytes of data.
64 bytes from 192.168.1.32: icmp_req=1 ttl=64 time=0.363 ms
--- 192.168.1.32 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.363/0.363/0.363/0.000 ms
After looking at it about a thousand times, it finally hit me. The difference was reg vs seq. So I changed the batch file and all was well,
$ cat pingall.sh
a=""
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_req=1"
done
$ ./pingall.sh
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.527 ms
64 bytes from 192.168.1.32: icmp_req=1 ttl=64 time=0.293 ms
64 bytes from 192.168.1.99: icmp_req=1 ttl=255 time=5.08 ms
64 bytes from 192.168.1.125: icmp_req=1 ttl=64 time=0.264 ms
64 bytes from 192.168.1.149: icmp_req=1 ttl=64 time=0.068 ms
Whew.... details details details.......
The code.
ping.sh: (do not forget "chmod +x ping.sh)
[code]
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_seq=1"
done
[/code]
If you have a different network, you will have to change "192.168.1" accordingly, here again we are using the good old "grep" command to extract data from the return stream. it is our sonar scope. Let's run it.
$ ./ping.sh
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.852 ms
64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=2.75 ms
64 bytes from 192.168.1.109: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 192.168.1.115: icmp_seq=1 ttl=64 time=0.064 ms
$ _
Ok, there are five devices on the network. We need to know more. There is what is call DNS or "Domain naming service". We can use the router to tell us what the ipaddresses maybe are known as.
The code.
nslookup.sh: (Do not forget to make it executable with chmod +x nslookup.sh")
[code]
for i in {1..254}
do
nslookup 192.168.1.$i |grep name
done
[/code]
Let's run it.
$ ./nslookup.sh
1.1.168.192.in-addr.arpa name = my_network.
10.1.168.192.in-addr.arpa name = router2.
20.1.168.192.in-addr.arpa name = router3.
31.1.168.192.in-addr.arpa name = oesrvr1.
115.1.168.192.in-addr.arpa name = oesrvr104
$_
Notice the ipadresses are backwards, but we still can identify units on the network from the list. Two devices show up known as router2 and router3. I know that they are not connected to the network at this time. They just have reserved names in the router. The unit at 99 is actually the print server and should have a reserved name in the router, I can take care of that later. 109 is a temp machine I have set up to test some software. Now if there were any unknown numbers, they would need to be investigated immediately. Again you would need to change "192.168.1." to work with your network.
Ever wondered what your computer is looking for. Some of these could be avenues for hackers to get into your machine. Actually this is looking for processes bound to specific ports.
Use the following command to see wbat particular port your computer is listening for:
Terminal - Look for the process bound to a certain port:
sudo netstat -tulpn | grep :8080
Look for the process bound to a certain port
Or you could look at all the ports to 1000;
$ cat portscan.sh
for i in {1..1000}
do
echo $i
sudo netstat -tulpn | grep :$i
done
for i in {1..1000}
do
echo $i
sudo netstat -tulpn | grep :$i
done
$./portscan.sh > portscan.file
You might see something like this in the file.
...
...
628
629
630
631
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2217/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 2217/cupsd
632
633
629
630
631
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2217/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 2217/cupsd
632
633
...
...
Cups is the unix print mechanism, Something you might want to keep and eye on once in a while or less.
--------------
addendum:
$ cat pingall.sh
a=""
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_seq=1"
done
$ ./pingall.sh
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.623 ms
64 bytes from 192.168.1.32: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=4.77 ms
64 bytes from 192.168.1.125: icmp_seq=1 ttl=64 time=1.26 ms
64 bytes from 192.168.1.149: icmp_seq=1 ttl=64 time=0.306 ms
Went back to the original system and decided to do just a single ping.
$ ping -c 1 192.168.1.32
PING 192.168.1.32 (192.168.1.32) 56(84) bytes of data.
64 bytes from 192.168.1.32: icmp_req=1 ttl=64 time=0.363 ms
--- 192.168.1.32 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.363/0.363/0.363/0.000 ms
After looking at it about a thousand times, it finally hit me. The difference was reg vs seq. So I changed the batch file and all was well,
$ cat pingall.sh
a=""
for i in {1..254}
do
ping 192.168.1.$i -c1 -w1 -v | grep "icmp_req=1"
done
$ ./pingall.sh
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.527 ms
64 bytes from 192.168.1.32: icmp_req=1 ttl=64 time=0.293 ms
64 bytes from 192.168.1.99: icmp_req=1 ttl=255 time=5.08 ms
64 bytes from 192.168.1.125: icmp_req=1 ttl=64 time=0.264 ms
64 bytes from 192.168.1.149: icmp_req=1 ttl=64 time=0.068 ms
Whew.... details details details.......