I'm trying to practice penetration testing on my home network. The target system is my desktop computer, which is connected to the network via ethernet cable. The attack system is my laptop, which is connected via Wi-Fi. My laptop is running Ubuntu Linux 12.10.

I'm simulating an attack by someone who has gained access to the wireless network, but is interested in data that resides on a particular computer which happens to be on the wired portion of the network - my desktop. In this scenario (foregoing any further knowledge I have about my network or the target system) I'm having a hard time finding the IP address of my desktop.

Tools such as ipscan or nmap only appear to find devices on the wireless side of the network. I know I could go to the router, and pull up the list of connected devices, but that would require foreknowledge (or cracking) of the router's password - something I'm pretending to not have at this point.

In this scenario, how can I use my laptop to find my desktop on the network and establish a connection? Again, I'm simulating the role of an outside attacker who's just gotten access to the Wi-Fi - all I know is the Wi-Fi SSID, Wi-Fi PSK, Wi-Fi AP's MAC address, and the network's gateway address.

Iszi
    This isn't a security question, so it's off topic here. – Polynomial Feb 26 '13 at 20:42
  • Sorry, I thought of it as a security question. Where should I post it? – Andrea Mazzocchi Feb 26 '13 at 20:43
  • Perhaps Super User, but to clarify: you're on WiFi, and you want to determine which clients are ethernet based and which are WiFi based on the same router you're connected to? – Peleus Feb 26 '13 at 20:44
  • @Peleus I'm not sure they're looking to distinguish Wi-Fi vs. Wired. It seems they're positioning themselves as an intruder who's gotten access to the wireless network, and is now looking for a *specific device* - that device just happens to be known to be on the wired network. – Iszi Feb 26 '13 at 20:48
  • Not exactly: I can see on my personal modem configuration which computers are connected, for example: iPhone : wifi : 192.168.x.x myNotebook : wifi : 192.168.x.x myHomeComputer : ethernet : 192.168.x.x. I saw this by typing the IP address of my modem into the browser...so I know the IP address of my home computer, but I want to know if there's another way to find it out, for example through a shell (I'm running Ubuntu 12.10 on my Notebook). – Andrea Mazzocchi Feb 26 '13 at 20:48
  • Did a major overhaul of the question to put it more closely in the security realm. I hope it didn't stray too far from the OP's intention. – Iszi Feb 26 '13 at 20:57
  • @AndreaMazzocchi - Are you able to see that information without logging into the modem? I thought those web interfaces required admin login before you could get that. – Iszi Feb 26 '13 at 20:59
  • @Iszi that's the point: I want to know the IP address of my home computer without logging into the modem: just using built-in commands in Ubuntu...just me and the shell against the world ^_^ – Andrea Mazzocchi Feb 26 '13 at 21:12
  • @AndreaMazzocchi FYI: If you're comfortable using Ubuntu, and really serious about learning pentesting, you should try out [BackTrack](http://www.backtrack-linux.org/). It doesn't have to be installed on the attack system, though that would be ideal - you can run it as a LiveCD or load it into a VM. – Iszi Feb 26 '13 at 21:14
  • Thanks @Iszi I already knew BackTrack, but now I only want to know a method to get the IP address of my home computer in the ways I wrote above :) – Andrea Mazzocchi Feb 26 '13 at 21:20
  • Uhh, I'm admittedly going off memory, but are you sure nmap only shows the wireless side? Assuming you have a subnet of 255.255.255.0 - IP range of 192.168.0.xx - the ethernet clients should still be assigned IPs within this range. Ergo, they should be routable, ergo nmap -sn 192.168.0.* should reveal all the clients, wired and wireless. If it doesn't, can you "cheat" for the moment, get an IP of an ethernet client and post it here along with your wireless IP? Can you ping the ethernet client? – Peleus Feb 26 '13 at 22:47
  • "-sN" is the flag standing for TCP Null...I don't know why, but now nmap found my Home computer's IP address! I didn't try -sN before, thanks. – Andrea Mazzocchi Feb 26 '13 at 23:09
  • I'm glad it worked for you, but I actually said -sn :P Lowercase n, -sn is a simple ping scan, it tries to ping all the clients in the IP range and simply lists those that responded. Much quicker than a port scan for simply discovering hosts. – Peleus Feb 27 '13 at 03:15
  • @AndreaMazzocchi - Maybe you weren't logged in before as a superuser? Nmap running under an unprivileged account would only do an HTTP port 80 ping, meaning only HTTP servers would normally respond. – TildalWave Feb 27 '13 at 04:17

2 Answers

Simply so it shows as having an answer:

nmap -sn <your IP address>

...will perform a ping scan across all the connected hosts, quickly showing which IPs are responding to pings on your network.

Note that this is case-sensitive.

Iszi
Peleus
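A small parser for the normal output of the nmap -sn ping scan discussed in this answer and in the comments, added here as an example that is not part of the original post. The sample output, its hostnames, addresses and MACs are constructed. It also checks for the sign TildalWave's comment hints at: on a local subnet a privileged run discovers hosts with ARP and prints MAC addresses, while an unprivileged run cannot and prints none.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of nmap's normal output for a privileged ping scan
# (nmap -sn 192.168.1.0/24 run as root). Names, addresses and MACs are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-26 21:30 CET
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for Andrea-PC.lan (192.168.1.20)
Host is up (0.00044s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Dell)
Nmap scan report for 192.168.1.42
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

@dataclass
class Host:
    ip: str
    hostname: Optional[str]
    mac: Optional[str]
    vendor: Optional[str]

# "Nmap scan report for host.lan (192.168.1.20)" or "Nmap scan report for 192.168.1.1"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
# "MAC Address: AA:BB:CC:DD:EE:FF (Vendor)"; only printed for hosts found via ARP
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

def parse_ping_scan(text: str) -> List[Host]:
    """Turn nmap -sn normal output into one Host record per host reported up."""
    hosts: List[Host] = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append(Host(ip=m.group(2), hostname=m.group(1), mac=None, vendor=None))
            continue
        m = MAC_RE.match(line)
        if m and hosts:
            hosts[-1].mac, hosts[-1].vendor = m.group(1), m.group(2)
    return hosts

def scan_used_arp(hosts: List[Host]) -> bool:
    """True if at least one host carries a MAC, i.e. nmap ran privileged and used ARP.
    The scanning machine itself never gets a MAC line, so one MAC-less entry is normal;
    no MACs at all means an unprivileged run that could only TCP-connect to 80/443."""
    return any(h.mac for h in hosts)
```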
I really don't get your question. The way you are describing it, you get access to the wifi, which means you are in the network, and that means you can find any device in the network.

This sentence "Tools such as ipscan or nmap only appear to find devices on the wireless side of the network." doesn't make sense at all. Your network is your network, if you are connected to your network you should see each device connected, not only wireless.

Try an nmap -O -A 192.168.x.0/24 (why do you hide local IP addresses? Pointless); this should show each device connected and its operating system, and if it were a real attack you could determine which computer it is by seeing information like the hostname (e.g. Andrea-PC).

Another attack vector is the router, you would be surprised how many routers use default passwords like admin/admin.

The Illusive Man
  • It could be that the router has a guest WLAN. This would prevent direct access to the other computers on the private network. – John Rix Dec 04 '14 at 11:00