Identify a non-computer network device?

I am currently working on a program that scans my network and detects computers and devices on the network. I use various operations to search for data on the devices that I discover, but I want to distinguish network devices from computers. Does anyone know how I can do this?

I looked at SNMP a bit and tried to connect to a network printer, a router, and a modem. But it seems I can only connect to the printer; neither the router nor the modem responds.

Is there any other way to determine which device the IP address belongs to?

+6
4 answers

Using a command line tool such as nmap, you can fingerprint a device, which can give you all the information.

Perhaps you can call nmap from C# and read the output.

Another alternative is to look up the network chip vendor for a given MAC address. But I'm not sure how much detail that will give you.

Here is an example from nmap:

# nmap -O -v scanme.nmap.org

Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 11.433 days (since Thu Sep 18 13:13:01 2008)
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
Raw packets sent: 2021 (90.526KB) | Rcvd: 23 (1326B)
+8
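
The answer above suggests calling nmap from your own program and reading its report. The following is an added example, not code from the answer or from the nmap project: it parses nmap's plain-text -O output into per-host records and uses nmap's own "Device type:" line to separate computers ("general purpose") from network devices (printer, router, switch, WAP and so on). The embedded sample is the scanme.nmap.org report quoted in the answer, reflowed; scan() assumes an nmap binary on PATH and the privileges OS detection needs. The parser also handles the multi-host and "router|switch" multi-candidate forms nmap emits, which the quoted single-host report does not show.

```python
"""
Parse nmap's plain-text -O report into per-host records and label each host
as a computer or a network device from nmap's own "Device type:" line.
Added illustrative example; not code from the answer above.
"""
import re
import subprocess
from dataclasses import dataclass, field

# The report quoted in the answer, reflowed one field per line.
SAMPLE_REPORT = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 11.433 days (since Thu Sep 18 13:13:01 2008)
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
"""


@dataclass
class HostReport:
    name: str
    ip: str
    device_type: str = ""      # e.g. "general purpose", "printer", "router|switch"
    running: str = ""
    os_details: str = ""
    open_ports: list = field(default_factory=list)

    @property
    def is_computer(self):
        """nmap labels desktops/servers 'general purpose'. It may list several
        candidate types separated by '|'; any of them matching counts."""
        return "general purpose" in [t.strip().lower() for t in self.device_type.split("|")]


HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
FIELDS = {"Device type: ": "device_type", "Running: ": "running", "OS details: ": "os_details"}


def parse_nmap_report(text):
    """Return one HostReport per 'Nmap scan report for' block."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # a new host block starts here
            hosts.append(HostReport(name=m.group(1), ip=m.group(2) or m.group(1)))
            continue
        if not hosts:                           # banner lines before the first host
            continue
        cur = hosts[-1]
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur.open_ports.append(f"{m.group(1)}/{m.group(2)} {m.group(4)}")
            continue
        for prefix, attr in FIELDS.items():
            if line.startswith(prefix):
                setattr(cur, attr, line[len(prefix):].strip())
    return hosts


def split_by_kind(hosts):
    """Return (computers, network_devices, unknown); unknown = no OS guess at all."""
    computers, devices, unknown = [], [], []
    for h in hosts:
        if not h.device_type:
            unknown.append(h)
        elif h.is_computer:
            computers.append(h)
        else:
            devices.append(h)
    return computers, devices, unknown


def scan(targets):
    """Run nmap -O against the given targets (hosts or CIDR ranges) and parse the result."""
    out = subprocess.run(["nmap", "-O", *targets], capture_output=True, text=True, check=True)
    return parse_nmap_report(out.stdout)


if __name__ == "__main__":
    computers, devices, unknown = split_by_kind(parse_nmap_report(SAMPLE_REPORT))
    for h in computers:
        print(f"{h.ip} ({h.name}): computer, {h.os_details}, open {h.open_ports}")
    for h in devices:
        print(f"{h.ip} ({h.name}): network device ({h.device_type})")
```

For a long-lived tool, nmap's XML output (-oX) is the stable interface; the text parser above mirrors the report shown in the answer so the two can be compared line by line.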

Firstly, this answer is biased towards Ethernet networks. Ideas may be useful for other scenarios.

There are many ways to do this, for example:

  • scan
  • target detection
  • passive traffic monitoring

scan

Perhaps, for example, with nmap.

Pros:

  • May detect unknown devices and services, forgotten by lazy administrators or set up by untrusted users.
  • It can be a useful tool for finding services and for security auditing.
  • For beginners, this sounds best: start from scratch, find them all. Bad news: read the cons.

Cons:

  • It is very inefficient. If you start from scratch (you don't know anything about the LAN) and you want to find all the possible services, you need to scan almost all the TCP and UDP ports on every possible host.
  • Results are not 100% reliable: hw or sw firewalls, etc. The next run may give a completely different result.
  • The results are not a simple i_got_it / null but fuzzy: you need an expert to evaluate them.
  • Sometimes you need to have an administrator account on your computer to run this scan.
  • Some IDS may report this activity as bad.

target detection

If your goal is to map the official services on your network, you might consider their official discovery capabilities. For example, CDP, SSDP, srvloc, SNMP broadcast, etc. You need to know what services you are looking for.

Pros:

  • This is the most efficient way: both maximum speed and minimum network bandwidth.
  • The result is reliable: the next run should return the same result (obviously, if the services and network remain alive).
  • This is a way to verify service availability and SLA accounting.
  • You do not need an expert: for example, if the device responds to SNMP, get sysDescr and you know its details. You either get the exact answer or miss it.

Cons:

  • You need to know what services you are looking for.
  • You cannot use this to find devices/services. This is neither a security check nor a detection tool. For example: I change the listening port of the HTTP server to 81; how would you find me?

passive traffic monitoring

Once upon a time, you would find Ethernet hosts connected with copper cables (CAT3/CAT5) through hubs. You could run a program on any of these hosts to capture all the traffic by putting the Ethernet card in promiscuous mode, so that the NIC passes all packets to the operating system, including packets with a destination MAC other than the NIC's own MAC address.

Your program can analyze this raw data and decode the protocols and packets inside.

Nowadays you use Ethernet switches, not hubs. Your PC's NIC in promiscuous mode does not receive all the traffic on the network, because the switch only sends you packets addressed to your host or to everyone (broadcast and, if registered, multicast).

You must use managed switches and configure one port as a mirror or monitor port in order to attach the monitoring host.

Pros:

  • This is passive monitoring, if done correctly. It can be useful for a specific assessment when you cannot send any packet on the network under test and you must respect a strict SLA.
  • To collect network traffic, you do not need to know the protocol and service settings. For example, you can remove the TCP/IP stack from your host, leave only the driver on your network card, and collect traffic.
  • Using a managed switch with a monitor port, you do not need to put the network adapter into promiscuous mode or configure the TCP/IP stack.
  • libpcap/winpcap is the de facto standard for packet capture, and it works. Before developing your own application, you can play with a GUI such as Analyzer or Wireshark.
  • This can be a useful tool for service discovery and security auditing.

Cons:

  • You must be sure that you are not sending packets on the network under test. Use a managed switch with a mirror port, even if you have hubs. The mirror port only receives network traffic.
  • To capture data at high bandwidth, for example 1 Gbit, you need to tune your operating system; otherwise the CPUs will go to full load and you will lose packets anyway. Forget MS Windows for this.
  • Obviously, you see only direct traffic: nothing about services that do not transmit.
  • (See cons 3 and 4 of scanning.) It is like watching the bits on the wires, like an oscilloscope for electronics engineers. You record all the data, and later you need an expert² to evaluate it. Yes, later, because analysing the details of errors and crashes is very time consuming.

This is a simple introduction to the discovery approaches. Discovery tools can mix both ways of finding devices and services on the network.

For example, HP JetAdmin discovery uses different methods only to find network printers and HP scanners, not all devices on your LAN.

+7

In general, you cannot learn much about a device from its IP. Using the host's MAC address, you can determine the manufacturer of the network adapter. The first half of the MAC address is assigned by the manufacturer.

You can try using nmap.

Nmap ("Network Mapper") is a free, open source utility for network testing or security auditing. It was designed to quickly scan large networks, although it works great with single hosts. Nmap uses raw IP packets in new ways to determine which hosts are available on the network, which services (name and version of the application) these hosts offer, which operating systems (and OS versions) they run, what types of packet filters/firewalls are used, and dozens of other features. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.

0
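
Two answers above (the first and this one) propose looking up the adapter vendor from the first half of the MAC address, the OUI. The following is an added example, not code from either answer: it normalises the MAC formats you meet in practice, checks the locally-administered and multicast bits before trusting the OUI, and reads IP-to-MAC pairs from the scanning host's own neighbour cache. The OUI_TABLE entries and the `ip neigh` sample are constructed placeholders; a real tool loads the IEEE MA-L registry file instead.

```python
"""
MAC-address vendor lookup via the OUI (first three bytes), plus parsing of
Linux `ip neigh show` output to obtain IP -> MAC pairs from the neighbour
(ARP) cache. Added illustrative example; not code from the answers above.
"""
import re

# Constructed placeholder entries, not real IEEE assignments.
OUI_TABLE = {
    "A4:BB:CC": "ExampleVendor (printers)",
    "A4:BB:CD": "ExampleNet (routers)",
    "A4:BB:CE": "ExampleComputing (laptops)",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return the 6 raw bytes; ValueError on anything else."""
    digits = re.sub(r"[:\-.]", "", text.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def oui(mac):
    return ":".join(f"{b:02X}" for b in mac[:3])


def lookup_vendor(text):
    """Describe what the OUI can (and cannot) say about this address."""
    mac = normalize_mac(text)
    first = mac[0]
    info = {
        "mac": ":".join(f"{b:02X}" for b in mac),
        "oui": oui(mac),
        "multicast": bool(first & 0x01),
        # Locally-administered bit: randomised, virtual or hand-set address,
        # so the OUI says nothing about the hardware vendor.
        "locally_administered": bool(first & 0x02),
        "vendor": None,
    }
    if not info["locally_administered"]:
        info["vendor"] = OUI_TABLE.get(info["oui"])
    return info


# Constructed sample of Linux `ip neigh show` output.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr a4:bb:cd:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr a4:bb:cc:12:34:56 STALE
192.168.1.77 dev eth0 lladdr 02:1a:2b:3c:4d:5e REACHABLE
192.168.1.99 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")


def parse_ip_neigh(text):
    """Map IP -> MAC for resolved neighbours; unresolved (FAILED) rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def inventory(neigh_text):
    """IP -> vendor info for every resolved neighbour in the cache dump."""
    return {ip: lookup_vendor(mac) for ip, mac in parse_ip_neigh(neigh_text).items()}


if __name__ == "__main__":
    for ip, info in inventory(SAMPLE_IP_NEIGH).items():
        label = info["vendor"] or (
            "locally administered, OUI meaningless" if info["locally_administered"] else "unknown OUI")
        print(ip, info["mac"], label)
```

The neighbour cache only holds hosts the scanner has recently exchanged frames with, so populate it (for example by the scan itself) before reading it; on Windows the equivalent dump is `arp -a`, with a different line format.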

My comment may look simple. But most devices implementing SNMP implement MIB-II. As you can see here, in the "System" group there is an entry called "sysDescr", which you can use most of the time to identify the device.


0
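
The "target detection" section of the second answer (get sysDescr over SNMP and you know the device's details) and this answer (MIB-II sysDescr) describe the same probe. The following is an added example, not code from either answer: it builds an SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with a small hand-written BER encoder, parses the GetResponse, and maps the description string to a device class. The community string "public", the UDP timeout and the keyword table in DEVICE_CLASSES are assumptions for illustration; the sysDescr strings in the demo are constructed samples. A device that does not run SNMP, uses another community string, or restricts SNMP by source address simply never answers, which the probe reports as None.

```python
"""
Minimal SNMPv2c GET of sysDescr.0 with a hand-rolled BER encoder/decoder,
and a keyword classifier for the returned description.
Added illustrative example; not code from the answers above.
"""
import random
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # MIB-II system.sysDescr.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2         # context-specific PDU tags


def ber_len(n):
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """Non-negative INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_pdu(community, request_id, pdu_tag=GET_REQUEST, value=tlv(0x05, b"")):
    """SNMPv2c message with one varbind for sysDescr.0. The value is NULL for a
    request; pass an OCTET STRING and GET_RESPONSE to build a response (used in the demo)."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR_OID) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 == v2c


def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items


def parse_sysdescr_response(packet, expected_id):
    """Extract sysDescr from a GetResponse; None on an error-status or a
    noSuchObject/noSuchInstance exception value; ValueError on a wrong PDU or id."""
    _, body, _ = parse_tlv(packet)
    _version, _community, (pdu_tag, pdu) = parse_sequence(body)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    (_, rid), (_, err), _index, (_, varbinds) = parse_sequence(pdu)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch (stale or spoofed reply)")
    if int.from_bytes(err, "big", signed=True) != 0:
        return None
    _, first_varbind = parse_sequence(varbinds)[0]
    _oid, (vtag, value) = parse_sequence(first_varbind)
    return value.decode("ascii", "replace") if vtag == 0x04 else None


def get_sysdescr(host, community="public", timeout=2.0):
    """Live probe: one UDP/161 GetRequest; None if nothing comes back in time."""
    rid = random.randint(1, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_pdu(community, rid), (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_sysdescr_response(data, rid)


# Keyword table is an assumption for illustration; a real inventory keys on
# sysObjectID or a curated list. First match wins.
DEVICE_CLASSES = (
    ("printer", ("jetdirect", "printer", "laserjet")),
    ("router/switch", ("cisco ios", "routeros", "junos", "vyos")),
    ("computer", ("linux", "windows", "darwin", "freebsd")),
)


def classify_sysdescr(descr):
    if descr is None:
        return "no-snmp-response"
    low = descr.lower()
    for label, keywords in DEVICE_CLASSES:
        if any(k in low for k in keywords):
            return label
    return "unknown"


if __name__ == "__main__":
    # Constructed round trip: encode a fake GetResponse and parse it back.
    fake = build_pdu("public", 7, GET_RESPONSE, tlv(0x04, b"HP ETHERNET MULTI-ENVIRONMENT,JETDIRECT"))
    descr = parse_sysdescr_response(fake, 7)
    print(descr, "->", classify_sysdescr(descr))
```

Checking the request-id on the reply matters even for a discovery tool: SNMP runs over UDP, so any host can send an unsolicited "response", and a classifier that trusted it would inventory a device that does not exist.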

Source: https://habr.com/ru/post/891214/
