Basic things you can find from an IP
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 31

Thread: Basic things you can find from an IP

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Basic things you can find from an IP

    What can you find out from an IP?

    Here I will outline some use full Unix and NT commands for finding out more information about a given COLOR=purpleIP. Some of these techniques will fail depending on firewall rule sets.

    Items to be covered:

    How do I find my own IP?
    How do I find out if an IP is contactable?
    How do I find out what organization owns an IP?
    How do I find out what OS a box is running?
    How do I find out what ports are open/services are running?
    How do I tell who is logged in to that box?
    Any good all in one tools?
    How Do I find the NetBIOS name from the IP?
    How Do I find the IP from the NetBIOS name?
    How can I see the traffic going between two IPs on a switched network?



    How do I find my own IP?

    Because the IP your ISP's DHCP server hands you may not always be the same it is handy to be able to quickly find out what your IP is. Most of the time on a LAN the DHCP server will try to hand a machine the same IP it's MAC address received the last time it requested an address, but not always. To find out your host IP and other useful information use these commands.

    Windows 9X/Me:

    Use the "winipcfg" command, this will bring up a GUI dialog with all the info you will need.

    Windows NT/2000/XP/etc:

    Use the "ipconfig command.
    C:\>ipconfig /all

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : se-libg-adrian1
    Primary DNS Suffix . . . . . . . : ads.mydomain.edu
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ads.mydomain.edu
    mydomains.edu
    mydomain.edu

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : mydomains.edu
    Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
    Controller (3C905C-TX Compatible)
    Physical Address. . . . . . . . . : 00-B0-D0-74-A8-A4
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.26.29
    Subnet Mask . . . . . . . . . . . : 255.255.240.0
    Default Gateway . . . . . . . . . : 192.168.16.100
    DHCP Server . . . . . . . . . . . : 192.168.30.254
    DNS Servers . . . . . . . . . . . : 192.168.20.1
    192.168.25.1
    192.168.30.1
    129.79.1.1
    129.79.5.100
    Primary WINS Server . . . . . . . : 192.168.30.254
    Secondary WINS Server . . . . . . : 192.168.30.253
    Lease Obtained. . . . . . . . . . : Saturday, February 02, 2002 12:03:14
    PM
    Lease Expires . . . . . . . . . . : Sunday, February 03, 2002 12:03:14 PM

    C:\>
    Notice that this gives you allsorts of networking information, including your IP, Gateway, MAC Address, DNS server and Host Name.

    Linux/Unix:

    Use the "ifconfig" command to find the IP of the box.
    bash-2.04$ /sbin/ifconfig
    eth0 Link encap:Ethernet HWaddr 00:C0:F0:31:9F:10
    inet addr:192.168.30.130 Bcast:192.168.31.255 Mask:255.255.240.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:21353979 errors:2 dropped:0 overruns:0 frame:2
    TX packets:20342701 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    Interrupt:11 Base address:0xde00

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2234607 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2234607 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0

    bash-2.04$
    If you are SSH/telneting to the box and you want to find the IP you are attaching from use the "finger" command with no parameters.
    bash-2.04$ finger
    Login Name Tty Idle Login Time Office Office Phone
    adrian Adrian Crenshaw pts/3 Feb 2 14:57 (192.168.26.29)
    root root pts/0 1:53 Jan 28 17:25 (tux:2)
    root root pts/1 4d Jan 25 14:57
    root root pts/2 8d Jan 25 14:57 (tux:2)
    bash-2.04$
    All OSes:

    The IP found using the instructions above is the IP your computers NIC (Network Interface Card) or modem has, if you are hooked to a home router or some other kind of NAT box the IP the world sees as you when you connect to other hosts will be different. To find you WAN IP (the IP the world sees when you are behind a NAT box or a Proxy) go to one of the following sites:

    http://www.rootsecure.net/?p=your_ip
    http://www.ipchicken.com/
    http://www.whatismyip.com/
    http://checkip.dyndns.org/

    How do I find out if an IP is contactable?

    If the host is not blocking ICMP echo requests (type 8, code 0) try using the "ping" command, it should work from any Unix like OS and from Windows.

    UP:
    C:\>ping 192.168.30.130

    Pinging 192.168.30.130 with 32 bytes of data:

    Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
    Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
    Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
    Reply from 192.168.30.130: bytes=32 time<10ms TTL=255

    Ping statistics for 192.168.30.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\>
    Not Up
    C:\>ping 192.168.30.133

    Pinging 192.168.30.133 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.30.133:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\>
    If the host is behind a firewall blocking ICMP echo requests then you will have to look into other ways of enumerating the network, like Hping ( http://www.hping.org/ )

    How do I find out what organization owns an IP?

    Easiest way is to use the online tools from http://samspade.org/t/ (use IP Whois) or download their Windows tools and use them on your box. Arwin offers a similar CGI at http://ws.arin.net/cgi-bin/whois.pl if Sam Spade does not work for you. There is also a host of tools built into the SamSpade utility for Windows, which you can download from http://www.samspade.org/ssw/ .

    How do I find out what OS a box is running?

    You can tell what OS a box is running in a few ways. Knowing what ports are open on the box will give you some good guesses (for instance port 6000 is used for X-windows, it being open probably means the box is running some kind of Unix). The easiest way to find this info is to use the "nmap" utility from http://www.insecure.org/nmap/ ( also available on the Knoppix Linux Boot CD ( http://www.knoppix.org/ ) or Trinux boot disk ( http://sourceforge.net/projects/trinux/ ) ) and do an OS fingerprint like so:
    [root@tux adrian]# nmap -O tux.mydomains.edu

    Starting nmap V. 2.54BETA26 ( www.insecure.org/nmap/ )
    Adding open port 22/tcp
    Adding open port 1024/tcp
    Adding open port 25/tcp
    Adding open port 80/tcp
    Adding open port 110/tcp
    Adding open port 993/tcp
    Adding open port 6002/tcp
    Adding open port 5902/tcp
    Adding open port 111/tcp
    Adding open port 443/tcp
    Adding open port 21/tcp
    Adding open port 995/tcp
    Adding open port 23/tcp
    Adding open port 143/tcp
    Adding open port 139/tcp
    Adding open port 515/tcp
    Interesting ports on tux.mydomains.edu (192.168.30.130):
    (The 1532 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    139/tcp open netbios-ssn
    143/tcp open imap2
    443/tcp open https
    515/tcp open printer
    993/tcp open imaps
    995/tcp open pop3s
    1024/tcp open kdm
    5902/tcp open vnc-2
    6002/tcp open X11:2

    Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
    Uptime 9.033 days (since Fri Jan 25 14:55:20 2002)

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
    [root@tux adrian]#
    Notice the part in red indicate the likely OS. Be careful about using tools like "nmap", the site you are targeting may give your local admin a call asking why you are scanning their site. Also make sure your copy of Nmap is up to date so it has the newest OS fingerprints, the version I used in the above example is kind of old.

    You can also find out sometimes by using the "What's that site running" cgi at Netcraft, which does a banner grab for you.

    Telneting to the host and observing the intro may give you some info:
    Red Hat Linux release 7.1 (Seawolf)
    Kernel 2.4.2-2 on an i686
    login:
    and if they only have port 80 open you can telnet to that port and hit enter twice and observe the headers:
    [root@tux adrian]# telnet orangutan.mydomains.edu 80
    Trying 192.168.28.32...
    Connected to orangutan.mydomains.edu.
    Escape character is '^]'.


    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Sun, 03 Feb 2002 20:51:47 GMT
    Content-Type: text/html
    Content-Length: 87

    <html><head><title>Error</title></head><body>The parameter is incorrect. </body>
    </html>Connection closed by foreign host.
    [root@tux adrian]#
    This technique is know as "banner grabbing".

    How do I find out what ports are open/services are running?

    There are port scanners for Windows and Unix, "nmap" ( http://www.insecure.org/nmap/ and available on the Trinux boot disk) being my personal choice. Be careful about using tools like "nmap", the site you are targeting may give your local admin a call asking why you are scanning their site. See the above entry for an example of using nmap.

    If you want to find out what ports are open on your local Windows box use the "netstat" command.

    Windows:
    C:\>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP se-sscs-cv112b7:1370 se-cser-fs01.mydomains.edu:netbios-ssn ESTABLISHED
    TCP se-sscs-cv112b7:1469 ntemail1-tr.mydomains.state.edu:1078 ESTABLISHED
    TCP se-sscs-cv112b7:1473 ntemail1-tr.mydomains.state.edu:1091 ESTABLISHED
    TCP se-sscs-cv112b7:1495 ntemail1-tr.mydomains.state.edu:1078 ESTABLISHED
    TCP se-sscs-cv112b7:1499 ntemail1-tr.mydomains.state.edu:1091 ESTABLISHED
    TCP se-sscs-cv112b7:1631 tux.mydomains.edu:telnet ESTABLISHED
    TCP se-sscs-cv112b7:1690 bl-uits-adsdc01.ads.mydomain.edu:microsoft-ds TIME_WA
    IT
    TCP se-sscs-cv112b7:1692 se-cser-app1.mydomains.edu:microsoft-ds ESTABLISHED
    TCP se-sscs-cv112b7:1694 bl-uits-adsdc01.ads.mydomain.edu:microsoft-ds TIME_WA
    IT
    TCP se-sscs-cv112b7:1699 homepages1.mydomains.edu:netbios-ssn TIME_WAIT

    C:\>
    For better information, like what binary has a post open use a tool like Fport ( http://www.foundstone.com ):
    C:\>fport
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    1572 inetinfo -> 25 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    1572 inetinfo -> 80 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    1008 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
    4 System -> 139 TCP
    1572 inetinfo -> 443 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    4 System -> 445 TCP
    1108 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
    1572 inetinfo -> 1043 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    776 winlogon -> 1056 TCP \??\C:\WINDOWS\system32\winlogon.exe
    4 System -> 1135 TCP
    2436 OUTLOOK -> 1162 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System -> 1169 TCP
    2436 OUTLOOK -> 1176 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    1232 firefox -> 1219 TCP C:\Program Files\Mozilla Firefox\firefox.exe
    1232 firefox -> 1220 TCP C:\Program Files\Mozilla Firefox\firefox.exe
    2436 OUTLOOK -> 1221 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System -> 1390 TCP
    4 System -> 1451 TCP
    4 System -> 1456 TCP
    1232 firefox -> 1602 TCP C:\Program Files\Mozilla Firefox\firefox.exe
    4 System -> 1634 TCP
    0 System -> 1635 TCP
    1108 svchost -> 3389 TCP C:\WINDOWS\System32\svchost.exe
    1296 -> 5000 TCP
    264 WCESCOMM -> 5679 TCP C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

    1572 inetinfo -> 135 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    2436 OUTLOOK -> 137 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System -> 138 UDP
    1572 inetinfo -> 445 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    1008 svchost -> 500 UDP C:\WINDOWS\system32\svchost.exe
    1572 inetinfo -> 1026 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    4 System -> 1027 UDP
    1108 svchost -> 1028 UDP C:\WINDOWS\System32\svchost.exe
    1572 inetinfo -> 1049 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
    776 winlogon -> 1051 UDP \??\C:\WINDOWS\system32\winlogon.exe
    4 System -> 1165 UDP
    2436 OUTLOOK -> 1558 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System -> 1900 UDP
    1232 firefox -> 1900 UDP C:\Program Files\Mozilla Firefox\firefox.exe
    2436 OUTLOOK -> 2967 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System -> 3456 UDP


    C:\>
    Or Netport:
    C:\>netport
    NetPort v1.1 - A Visual Log Product
    Copyright 2004 by Softgears Company
    http://www.softgears.com


    Pid Process Port Proto Foreign Address Path
    1572 inetinfo 25 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    1572 inetinfo 80 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    1008 svchost 135 TCP: LISTENING C:\WINDOWS\system32\svchost.exe
    1572 inetinfo 443 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    4 System 445 TCP: LISTENING
    1108 svchost 1025 TCP: LISTENING C:\WINDOWS\System32\svchost.exe
    1572 inetinfo 1043 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    776 winlogon 1056 TCP: LISTENING \??\C:\WINDOWS\system32\winlogon.exe
    4 System 1135 TCP: LISTENING
    2436 OUTLOOK 1162 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System 1169 TCP: LISTENING
    2436 OUTLOOK 1176 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    1232 firefox 1220 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
    2436 OUTLOOK 1221 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System 1451 TCP: LISTENING
    4 System 1456 TCP: LISTENING
    1232 firefox 1602 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
    1108 svchost 3389 TCP: LISTENING C:\WINDOWS\System32\svchost.exe
    1296 System 5000 TCP: LISTENING
    264 WCESCOMM 5679 TCP: LISTENING C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    1232 firefox 1219 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
    1232 firefox 1219 TCP: ESTABLISHED 127.0.0.1:1220 C:\Program Files\Mozilla Firefox\firefox.exe
    1232 firefox 1220 TCP: ESTABLISHED 127.0.0.1:1219 C:\Program Files\Mozilla Firefox\firefox.exe
    4 System 139 TCP: LISTENING
    776 winlogon 1056 TCP: CLOSE_WAIT 134.68.220.157:389 \??\C:\WINDOWS\system32\winlogon.exe
    2436 OUTLOOK 1162 TCP: ESTABLISHED 134.68.220.155:1025 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System 1169 TCP: ESTABLISHED 192.168.28.33:445
    2436 OUTLOOK 1176 TCP: ESTABLISHED 129.79.1.40:1222 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    2436 OUTLOOK 1221 TCP: ESTABLISHED 129.79.1.214:1249 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    4 System 1390 TCP: LISTENING
    4 System 1390 TCP: ESTABLISHED 192.168.30.154:139
    4 System 1456 TCP: ESTABLISHED 129.79.6.3:445
    1232 firefox 1602 TCP: ESTABLISHED 64.233.167.104:80 C:\Program Files\Mozilla Firefox\firefox.exe
    4 System 1634 TCP: LISTENING
    4 System 1634 TCP: ESTABLISHED 192.168.30.34:139
    1008 svchost 135 UDP: LISTENING C:\WINDOWS\system32\svchost.exe
    4 System 445 UDP: LISTENING
    836 lsass 500 UDP: LISTENING C:\WINDOWS\system32\lsass.exe
    1264 System 1026 UDP: LISTENING
    1264 System 1027 UDP: LISTENING
    836 lsass 1028 UDP: LISTENING C:\WINDOWS\system32\lsass.exe
    1572 inetinfo 1049 UDP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    776 winlogon 1051 UDP: LISTENING \??\C:\WINDOWS\system32\winlogon.exe
    2436 OUTLOOK 1165 UDP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    1640 Rtvscan 2967 UDP: LISTENING C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    1572 inetinfo 3456 UDP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
    4064 FRONTPG 1558 UDP: LISTENING C:\PROGRA~1\MICROS~2\Office10\FRONTPG.EXE
    1296 System 1900 UDP: LISTENING
    4 System 137 UDP: LISTENING
    4 System 138 UDP: LISTENING
    1296 System 1900 UDP: LISTENING


    C:\>
    Linux/*nix:

    Use the "lsof -i" command:
    [root@balrog root]# lsof -i
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    dhclient 467 root 4u IPv4 777 UDP *:bootpc
    portmap 533 rpc 3u IPv4 898 UDP *:sunrpc
    portmap 533 rpc 4u IPv4 901 TCP *:sunrpc (LISTEN)
    rpc.statd 552 rpcuser 4u IPv4 972 UDP *:32768
    rpc.statd 552 rpcuser 5u IPv4 939 UDP *:728
    rpc.statd 552 rpcuser 6u IPv4 975 TCP *:32768 (LISTEN)
    sshd 642 root 3u IPv4 1287 TCP *:ssh (LISTEN)
    xinetd 657 root 5u IPv4 1313 TCP localhost.localdomain:32769 (LISTEN)
    sendmail 682 root 4u IPv4 1377 TCP localhost.localdomain:smtp (LISTEN)
    httpd 712 root 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 712 root 4u IPv4 1423 TCP *:https (LISTEN)
    sshd 8498 root 4u IPv4 323188 TCP balrog.ius.edu:ssh->winxpe:1644 (ESTABLISHED)
    httpd 31094 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31094 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31095 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31095 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31096 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31096 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31097 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31097 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31098 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31098 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31099 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31099 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31100 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31100 apache 4u IPv4 1423 TCP *:https (LISTEN)
    httpd 31101 apache 3u IPv4 1422 TCP *:http (LISTEN)
    httpd 31101 apache 4u IPv4 1423 TCP *:https (LISTEN)
    [root@balrog root]#

    How do I tell who is logged into a remote Windows box?

    On Windows you can try:
    C:\>nbtstat -a somebox
    Local Area Connection:

    Node IpAddress: [192.168.22.68] Scope Id: []
    NetBIOS Remote Machine Name Table
    Name Type Status
    ---------------------------------------------
    SE-SSCS-CV112C5<00> UNIQUE Registered
    ADS <00> GROUP Registered
    SE-SSCS-CV112C5<03> UNIQUE Registered
    ADS <1E> GROUP Registered
    JDOE <03> UNIQUE Registered

    MAC Address = 00-04-76-39-A9-F9
    C:\>
    But if Netbios over TCP/IP it turned off it won't work.
    In that case you may have to use a WMI script, but you would have to be an Admin on the remote box.

    On Unix:
    bash-2.05# nmblookup -S somebox
    querying se-sscs-cv112c5 on 192.168.31.255
    192.168.22.59 somebox <00>
    Looking up status of 192.168.22.59
    SE-SSCS-CV112C5 <00> - M <ACTIVE>
    ADS <00> - <GROUP> M <ACTIVE>
    SE-SSCS-CV112C5 <03> - M <ACTIVE>
    ADS <1e> - <GROUP> M <ACTIVE>
    JDOE <03> - M <ACTIVE>

    bash-2.05#
    The above will only work if the Windows box has Netbios over TCP/IP it turned on.

    Any good all in one tools?

    LANguard (for Windows) and Nessus (for Unix). With all these you would want to turn off some of the options, otherwise the admins at the other site will see is as an all out attack.

    How Do I find the NetBIOS name from the IP?

    On Windows:
    C:\>nbtstat -a 192.168.22.68

    Local Area Connection:
    Node IpAddress: [192.168.22.68] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    SE-SSCS-CV112C8<00> UNIQUE Registered
    ADS <00> GROUP Registered
    SE-SSCS-CV112C8<03> UNIQUE Registered
    SE-SSCS-CV112C8<20> UNIQUE Registered
    ADS <1E> GROUP Registered
    ADRIAN <03> UNIQUE Registered


    MAC Address = 00-04-76-39-B6-D9

    C:\>
    On Unix (if you have nbtstat installed):
    [root@tux /root]# nbtstat 192.168.22.68
    received data:
    A2 48 84 00 00 00 00 01 00 00 00 00 20 43 4B 41 .H.......... CKA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
    00 01 00 00 00 00 00 9B 06 53 45 2D 53 53 43 53 .........SE-SSCS
    2D 43 56 31 31 32 43 38 00 44 00 41 44 53 20 20 -CV112C8.D.ADS
    20 20 20 20 20 20 20 20 20 20 00 C4 00 53 45 2D ...SE-
    53 53 43 53 2D 43 56 31 31 32 43 38 03 44 00 53 SSCS-CV112C8.D.S
    45 2D 53 53 43 53 2D 43 56 31 31 32 43 38 20 44 E-SSCS-CV112C8 D
    00 41 44 53 20 20 20 20 20 20 20 20 20 20 20 20 .ADS
    1E C4 00 41 44 52 49 41 4E 20 20 20 20 20 20 20 ...ADRIAN
    20 20 03 44 00 00 04 76 39 B6 D9 00 00 00 00 00 .D...v9.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 8C .....
    6 names in response
    SE-SSCS-CV112C8<0x00> Unique Workstation Service
    ADS <0x00> Group Domain Name
    SE-SSCS-CV112C8<0x03> Unique Messenger Service
    SE-SSCS-CV112C8<0x20> Unique File Server Service
    ADS <0x1e> Group Potential Master Browser
    ADRIAN <0x03> Unique Messenger Service
    [root@tux /root]#
    How Do I find the IP from the NetBIOS name?

    On Windows:
    C:\>nbtstat -a se-sscs-cv112c8

    Local Area Connection:
    Node IpAddress: [192.168.22.68] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    SE-SSCS-CV112C8<00> UNIQUE Registered
    ADS <00> GROUP Registered
    SE-SSCS-CV112C8<03> UNIQUE Registered
    SE-SSCS-CV112C8<20> UNIQUE Registered
    ADS <1E> GROUP Registered
    ADRIAN <03> UNIQUE Registered

    MAC Address = 00-04-76-39-B6-D9
    C:\>
    On Unix:
    [root@tux /root]# nmblookup se-sscs-cv112c8
    querying se-sscs-cv112c8 on 192.168.31.255
    192.168.22.68 se-sscs-cv112c8<00>
    [root@tux /root]#
    How can I see the traffic going between two points on a switched network?

    Get the dsniff and ngrep packages, they come with Trinux (note: on Trinux use "arpredirect" instead of "arpspoof") or you can download them. Start up three terminals.

    In the first terminal run :
    arpspoof -t 1.1.1.1 2.2.2.2
    In the 2nd one run :
    arpspoof -t 2.2.2.2 1.1.1.1
    Then run ngrep:
    ngrep host 1.1.1.1|more
    and watch the fun. Also try the "dsniff" command to see plaintext passwords that are passed between the two hosts. To find out more information visit my article on the basics of ARP spoofing at http://irongeek.com/i.php?page=security/arpspoof

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421

    Re: Basic things you can find from an IP

    Originally posted here by Irongeek
    What can you find out from an IP?

    Here I will outline some use full Unix and NT commands for finding out more information about a given COLOR=purpleIP. Some of these techniques will fail depending on firewall rule sets.

    Items to be covered:

    How do I find my own IP?
    How do I find out if an IP is contactable?
    How do I find out what organization owns an IP?
    How do I find out what OS a box is running?
    How do I find out what ports are open/services are running?
    How do I tell who is logged in to that box?
    Any good all in one tools?
    [/url]
    A good *remote* all in one tool I like to use is

    http://www.dnsstuff.com

    Is a nice compliment to local tools.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Basic things you can find from a Tutorial

    Host Name . . . . . . . . . . . . : se-libg-adrian1
    Ahhh.... So, your name is Adrian.... Ok....

    adrian Adrian Crenshaw pts/3 Feb 2 14:57 (192.168.26.29)
    Ahhh.... Adrian Crenshaw.... Ok.....

    Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
    Adrian is running Linux.... but let's be careful.... NMap can often mistake a Win2k box for a Linux Kernel 2.4.0 - 2.4.5 IIRC.....

    [root@tux adrian]# telnet orangutan.mydomains.edu 80
    Trying 192.168.28.32...
    Connected to orangutan.mydomains.edu.
    Escape character is '^]'.


    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Sun, 03 Feb 2002 20:51:47 GMT
    Content-Type: text/html
    Content-Length: 87
    Adrian scans someone elses box or a different box he owns..... Hmmmm.....

    I'm not going to go on..... Your profile states you are in Louisville, (nice town BTW, been there a few times..... ), and your tutorial almost leads me to your doorstep.....

    Sanitize, Sanitize, Sanitize......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Dude, my name is already all over my website and articles Iíve written else where. Most of this data you can find about my boxes in this tutorial is very old (check the Nmap version number). I did do a little to Sanitize this data some before I put up the tutorial, but a lot of the info it gives about me is stuff you could find by just doing a google search. When it comes to the net Iím not a very private person.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Iron...

    It might make little difference to you today.... You're the "Iron Geek"..... In a few years you will have an issue with your own privacy... trust me.... and everything you "give away" today will come back to haunt you then, because it will all still be there for the world to see..... I'm ex-special forces, (in the US...... the Brits don't put the word "special" on anything but the fewest men), and I can find you and certainly could drop you at 600 yards and you'd never see it coming.... But I'd survive about 3 seconds in a scrap with you I'm sure...... I'm a tad older now and a lot less fit and strong...

    My post wasn't a condemnation of you per se, it was a lesson to others that may not be so laissez-faire and "invincible" as you are today that sanitization of what they post on the internet today will either "get" them today or it will "get" them tomorrow... Tutorials are there to teach.... Their responses can teach also.... I hope my response taught something to someone who hadn't thought about the consequences today or tomorrow.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Thanks Tiger, I appreciate your concern. I did make some effort to obscure my IPs and the domain Iím coming from (though a little looking on the net will find such info). It has nothing to do with feeling "invincible" or macho now, I just find it unlikely that anyone would be interested enough to bother me physically. There are far more interesting folks to shoot at out there. Worse case likely scenario I see is some one messes with one of my boxes just to say he hacked to the guy on Antionline named Irongeek. Iím not that well know so I donít think many people would find that bragable. This might be a good topic for another thread, I think Iíll start on. Thanks for giving me something to think about.

  7. #7
    You definately know how to write your tuts Iron, this is all great stuff. One suggestion: How about bolding those questions throughout the tut? They serve as good headers, and for someone like me who's scanning through the whole thing for certain info, that would help speed things up and enhance the organized look of the tut.

    Great work, keep 'em coming!

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Iron:

    You'd be surprised how information you give away today can come back to "haunt" you tomorrow... I haven't done it yet, though I know where I have made my "mistakes" that could lead you to my door..... But I know more than one person who has had it lead back.... including an identity theft, (ok, they weren't "smart"), but it happened.....

    Maybe, your tutorial will teach others about something it wasn't intended to.... either way, it was a good tutorial......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by AngelicKnight
    You definately know how to write your tuts Iron, this is all great stuff. One suggestion: How about bolding those questions throughout the tut? They serve as good headers, and for someone like me who's scanning through the whole thing for certain info, that would help speed things up and enhance the organized look of the tut.

    Great work, keep 'em coming!
    Good idea, done.

  10. #10
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Lots of good info in this thread. Now how can you tell if the ip in question is a buisness class proxy.
    just courious.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •