Finding IP addresses on a LAN

[ticketpimp]

I'm new, just trying to learn some things. I have a network securities class at school and for our final project we have to protect one of our machines against attackers in the class and use our other machine to try to crack into other people's boxes. I see a lot of tools for ping sweeps and such, but I was wondering if there is a quick way to find someones IP address on the LAN. All the ping tools I have seen, you have to give it a range of addresses, is there a tool that can go and see what is out there?

[MrLinus]

Thread moved from Security Tutorials to Newbie Security Questions. (The Tutorials sections are for people to post tutorials)

Ping sweeps are the easiest and fastest. You might want to consider nmap and some of the ways it could pick up on what is out there. Alternatively, if you can see a dhcp list that would show where leases are and lastly, arp might give back some info.

Oh.. and ettercap would also be good or a packetsniffer of some type.

[Tedob1]

if all are logged into the same lan just use the 'net view' command

[RoadClosed]

NET VIEW command default will give you the machine name. You can then ping the machine name for IP. Now just scan the entire network based on the ip you get, using your scanner o' choice.

[gizmofreak]

CAn u tell me the command to get ip-address from pinging via name

[r3fus3d]

if your using windows

ping <name here>
nslookup <name here>

[Ghost_25inf]

Ethereal is a good packet sniffing software. run this on the LAN and it should pick up the IP quicker than **** if its transmitting anything. If there is a Gateway somewhere between you and the other computer you might not be able to see it with this tool. I wouldnt run any ping tools, it will bring too much attention to yourself.

Another fast way is to mimic the Domain server, by taking its IP address and running Active Directory. once you name your server the same as the Proxy server and take its IP you now rule the school and have access to all. But if you do this you will piss off the Admin and might get kicked out of school.

Lastly if you know the computers name you could ping it with the name to see if that gives you the IP. then get yourself a good password recovery disk, made from a linux boot disk and reset the password to that computer. I have the recovery disk and it works on recovering passwords but I havent tried it over the network yet but a freind said it works great.

[droffohcam03]

you can look in your arp table (arp -a) after pinging the brocast adress
if their acualy trying to secure their boxes they probably wont respond to ping right?
I would set my box to not reply to ping and runa sniffer and watch as they all give away their ip's with ping sweeps and brocast pings

[kruptos]

Actually all the suggestions above are great.

If i have no utilities on my machine i would try to ping broadcast address and then arp -a. Also if you look at your own IP address by going to the command line and typing ipconfig /all you will get your address and the subnet mask which you can figure out how many hosts possible on your subnet and the range of address'.

Once you have that you can use NMAP, or type Net View and get a list of host names and ping by name.

Or you can work with some demo tools out there to give you both the name, and the IP address as well as some security holes that might be open. I think if you download the trial of LanGuard it will let you do a network scan which will return results of all the information above, as well as information about what shares are open and usernames, pretty cool tool. Plus it will give you what i like to call "areas of interest" to look at :-)

Hope this helps out some.

[slarty]

Quite a lot of boxes don't respond to broadcast pings. This includes Windows boxes in their default config, and in other OS it may be configureable (Linux via sysctl)

My recommendation for how to detect other boxes on a LAN is to just sit there and passively sniff. If they're Windows boxes in a reasonably standard config, they shout broadcasts announcing their netbios name, and a few other things, every couple of minutes. Of course you get their IP and MAC into the bargain. All without sending a single packet.

Slarty