0

I have a Debian squeeze machine physically connected to my network. This machine has a static IP address which I don't know. It is not possible to connect a monitor to this device. The only way to connect to this machine is SSH.

The network my Windows machine is running on is 192.168.1.xxx/255.255.255.0. I know that the IP of the device I'm trying to connect to starts with 162.168. How can I find out my device's IP address? Are there any Linux tools to solve this problem?

Rui F Ribeiro
vico
  • Are you able to connect the machine directly via ethernet to a Linux machine? – oh.dae.su Nov 03 '18 at 12:58
  • 1
    Is the 162.168 just a typo and should have been a 192.168 ? –  Nov 04 '18 at 03:54
  • Is the Debian machine on the same network segment (broadcast domain) as the Windows machine? Do you know the MAC address of the network card(s) of the Debian machine? Is it a wired network (LAN) or wireless network (WLAN)? – dirkt Nov 04 '18 at 07:12

4 Answers

1

Two options spring to mind.

  1. If you can connect a keyboard and blind login.

    Once on the system you can ping any address and, with care, you can sniff the network from another box looking for arp requests. You'd use wireshark, tshark or some other sniffing tool.

    Actually, unless the system is particularly quiet, it might try to contact something on the network anyway. Particularly during the boot process. It would be worth sniffing the network for arp requests during such a boot cycle anyway.

  2. Add your sniffing system into each 192.168.x.0/24 subnet in turn (x = 0..255).

    Run nmap -sn (ping scan) for all devices on that subnet. If no answer advance to the next and try again.

    For bonus points scan each subnet twice using two different IP addresses, just to ensure you haven't allocated the same one that the hidden system is using.

Chris Davies
  • Note that nmap -sn (old nmap -sP) does a (much faster) ARP scan if run by root. But using arp-scan --localnet is the correct solution (usually much less than 3 minutes for a /16 range). –  Nov 04 '18 at 03:53
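The ARP sniffing from option 1 of the answer above, as an added example that is not part of the original post: it reduces tshark field output to the senders that do not belong to the local subnet, which is how a box with a foreign static address shows up. The interface name eth0, the function names and the sample capture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live use (root needed; the interface name eth0 is an assumption):
#   tshark -l -n -i eth0 -f arp -T fields \
#       -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 |
#     arp_foreign_senders 192.168.1.

# Read "sender_mac<TAB>sender_ip<TAB>target_ip" lines on stdin and print each
# sender outside the local prefix once. $1 is the local prefix WITH its
# trailing dot ("192.168.1."), so that 192.168.10.x is not mistaken for local.
arp_foreign_senders() {
    awk -F '\t' -v pfx="$1" '
        NF < 3               { next }  # truncated or non-ARP line
        $2 == "0.0.0.0"      { next }  # ARP probe: sender has no address yet
        index($2, pfx) == 1  { next }  # a host on our own subnet
        !seen[$2]++ { printf "%s %s asks-for %s\n", $2, $1, $3 }
    '
}

# Constructed sample capture (not real traffic): one local host, the hidden
# box asking twice for its gateway, one ARP probe, one host in 192.168.10.x.
sample_capture() {
    printf '%s\t%s\t%s\n' \
        02:00:00:00:00:0a 192.168.1.10 192.168.1.1 \
        02:00:00:00:00:14 192.168.7.20 192.168.7.1 \
        02:00:00:00:00:14 192.168.7.20 192.168.7.1 \
        02:00:00:00:00:1e 0.0.0.0      192.168.1.33 \
        02:00:00:00:00:28 192.168.10.5 192.168.10.1
}

# Stand-alone run on the constructed sample.
sample_capture | arp_foreign_senders 192.168.1.
```

Start the capture before power-cycling the hidden machine, since the boot process is when it is most likely to send ARP requests.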
0

Use nmap -sP 192.168.1.0/24 to find the IP of everything that answers to ping (if this box doesn't, you'll have to read the documentation for nmap to find out how you get it to try a TCP port; I can only remember that it can). And then try every address you don't know (or if you can do it safely, pull the network cable from the machine you're trying to find, and repeat the command, then you should be able to see that it no longer responds).

  • This won't handle 192.168.x.y addresses for x <> 1 – Chris Davies Nov 03 '18 at 10:38
  • But those are not in the specified subnet. I know the OP wrote that the device's IP starts with 162.168, but I assumed that it was just a typo (like the 162), but if it's not, the traffic goes through a gateway which might complicate matters quite a bit. – Henrik supports the community Nov 03 '18 at 11:07
  • If you're assuming a typo then flag your assumption in your answer (or seek clarification in a comment on the question). Otherwise you're not really answering the question as asked. – Chris Davies Nov 03 '18 at 11:22
  • A nmap -sn (old -sP) will perform an ARP scan by default if called by root. –  Nov 04 '18 at 03:56
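For the 192.168.x.y case raised in the comments, the per-subnet sweep described in the first answer can be scripted. This is an added example, not code from any of the posts: it only prints the commands, so they can be reviewed before being piped to a root shell. The interface name eth0, the probe host numbers .250 and .251 and the function names are assumptions.

```shell
#!/bin/sh
# Two temporary host numbers per subnet (assumed values). The second pass
# covers the case where the hidden machine itself uses the first one.
PROBE_HOSTS="250 251"

# subnet_plan IFACE X: print the commands that sweep 192.168.X.0/24.
subnet_plan() {
    p_if=$1 p_x=$2
    for p_h in $PROBE_HOSTS; do
        p_me="192.168.$p_x.$p_h"
        echo "ip addr add $p_me/24 dev $p_if"
        # As root, nmap -sn uses ARP on a directly attached subnet.
        echo "nmap -sn -n --exclude $p_me 192.168.$p_x.0/24"
        echo "ip addr del $p_me/24 dev $p_if"
    done
}

# sweep_plan IFACE [FIRST [LAST]]: plan for subnets FIRST..LAST (default 0..255).
sweep_plan() {
    s_if=$1 s_x=${2:-0} s_last=${3:-255}
    case "$s_x$s_last" in
        *[!0-9]*) echo "subnet numbers must be integers" >&2; return 1 ;;
    esac
    if [ "$s_x" -gt "$s_last" ] || [ "$s_last" -gt 255 ]; then
        echo "range must lie within 0..255" >&2
        return 1
    fi
    while [ "$s_x" -le "$s_last" ]; do
        subnet_plan "$s_if" "$s_x"
        s_x=$((s_x + 1))
    done
}

# Stand-alone run: show the plan for a single subnet (nothing is executed).
subnet_plan eth0 7
```

To execute the full sweep, pipe the plan to a root shell, for example `sweep_plan eth0 | sh`, and look for "Host is up" in the nmap output.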
0

When you state that the only way to connect to the machine is via SSH it implies that the machine has either a known IP (which you do not know) or a known name. If that is so, just resolve the name:

dig NameOfComputerToSSH

I am giving the example with dig (and it may also be dig +short name), but many other tools are available, like getent, ip, nslookup, host and many more.

If the above is not a solution for your case, then: When you state:

physically connected to my network

Does it mean that the computer is able to communicate with other computers on your network or the internet?

If yes, then it must have an IP (either IPv4 or IPv6).

  • If IPv4
    You can scan at level 3 (IP level) with (similar to) nmap -sn 192.168.1.1/24 as a user. The command example will only scan the xxx.yyy.1.zzz segment. For all segments (as you state that you only know the 192.168 prefix) you will need to use the following (very, very slow, more than 1 hour); note the trailing 16:

    nmap -sn 192.168.1.1/16
    

    If you have root access, nmap could execute an ARP scan (faster but still in the hour range) with the same command, or, you can install and try (about 2 minutes 13 seconds for 65536 IPs with default network speed):

    arp-scan --localnet
    

Or, if you must specify the network segment: arp-scan 192.168.11.11/16 or similar.

  • If IPv6
    There is NO practical way to scan a local network for existing computers in a reasonable time. The fe80::/64 has 2^64 IPs, that's 2^48 (281.474.976.710.656) times the 192.168.x.y range (well, technically the range is fe80::/10, but it must be followed by 54 zeros, so, that's equivalent to the /64). And that is just one of the possible IP ranges an interface could have (interfaces are multihomed).

    But, there is a command to find the neighbors (that have been active):

    ip -6 neigh
    
-1

Use your Router's client list to determine the IP address. Depending on your router model, the page may look different, but use the following as an example from my current connection:

  1. Login to your router's configuration page. In your case, this is most likely http://192.168.1.1
  2. Navigate the Page Headings until you see a page similar to the following:

DHCP Client List from a Surfboard SBG6782-AC Cable Modem

You want something on the page similar to the blue box, and you're looking for the information contained in the red box. Note: I've blotted out the MAC Address and Host Name columns for privacy reasons, but a bit of detective work is required:


I always advise users to set sensible host names for situations such as these so that the client list can be easily scanned and matched by memory. MAC addresses cannot be set this way but they can be spoofed if needed.

eyoung100
  • 3
    OP said the device has a static IP address, so you can't assume it will get anything via DHCP – Chris Davies Nov 03 '18 at 09:05
  • Whether or not the IP Address is static or not is irrelevant. It will still be listed in the client table as the device is on his network. Any device connected will be listed. – eyoung100 Nov 05 '18 at 02:24