Kragen Sitaker
Sun, 20 Jan 2002 00:35:47 -0800
I'd like to be able to just plug my machine into a random Ethernet and have it work more or less immediately without any extra work on my part and without requiring DHCP to be provided or correctly configured.

Generally, doing this requires knowing at least the following things:

- what is a free IP address for me to use?
- what is the LAN's netmask?
- what is the default gateway?
- where are some DNS servers?

It is possible to find out some other IP addresses on the network by watching ARP request traffic, which is broadcast and will thus be available even through a switch; also, by looking at ARP from-to IP address pairs, you can find some pairs of IP addresses that one of them thinks is on the same LAN, and given this, you can come up with a conservative (maximal) estimate of the length of the 1 portion of the netmask. Having a too-conservative (too-large) number of netmask bits will mean that some traffic will get routed without needing to, which is only a problem if routing is broken (e.g. there's no default gateway or the default gateway is broken).

It might also be possible to probe: if you send a packet that says it's from A to B and is likely to cause B to reply, I think B will decide how to route the reply packet by its normal means, which might involve sending it to A's cached MAC address, sending it to a router's cached MAC address, or ARPing for one or the other. If it ARPs for A, you know B thinks A is local. (In particular, I don't think B will use the MAC address from the probe packet.) The probe packet could be a TCP SYN, an ICMP ECHO_REQUEST, a UDP packet to some random port, or even a packet that pretends to be part of an existing TCP connection.

Once you know the network number and netmask (or have a conservative estimate of them), you can probe with ARP to find presently-unused IP addresses. This is a little dangerous; you may have to switch to a different IP address later, suddenly and without warning, if someone else asserts ownership of that address.

Finding the default gateway requires looking at actual IP traffic; on a switch, this may require ARP spoofing and subsequent relaying, which is somewhat dangerous for three reasons:

- if your machine is buggy, breaks, crashes, or gets unplugged from the network, you will interfere with other traffic on the network until ARP caches expire (and if your machine is buggy, that may not happen)
- if you're not supposed to be doing this, ARP spoofing should be conspicuous (although I don't know if IDSes actually pick it up, they could and *should*)
- you could easily slow down the network for everyone whose traffic you redirect through yourself, because your Ethernet card probably isn't as fast as the switch's backplane.

So it might be a good idea to see if you can sniff traffic for only a few IP addresses at a time.

But once you have hold of actual IP traffic, you should be able to tell which local IP addresses are routers: the ones that get packets sent to their MAC addresses whose destination IP address isn't them. This is a little hard to do, because there's no easy way to tell which IP addresses are on a particular machine; here are some possible ways to tell:

- send ARP queries for the destination IP address when you don't already have it in your ARP cache; if it's on a remote network, you won't get an answer, and if it's on the local network, you'll get an answer telling you its MAC address. This will tell you if the packet you just saw was directed to its MAC address or the MAC address of a router. Note that this could fuck up anybody depending on ARP sniffing to guess the local network configuration.
- if the IP address doesn't look like it should be local based on our current idea of the netmask. (This might be wrong at first, but other hosts arping for the host should quickly correct this if an IP address looks remote because our current idea of the netmask is too conservative.)
- if the IP address is one whose local network you know something about, for example that 209.115.72.* is on at least a /16, you may be able to tell whether the sender's IP would be one the receiver would consider remote.

You could use the

Once you have a router, you can probably use it as your default route; it may forward the packet back onto the same network, in which case you can see what it thinks your default route should be. It would be helpful to have a preconfigured list of Internet IP addresses for reachability testing, preferably over HTTP.

Finding DNS servers should be relatively straightforward once you can sniff IP traffic: look for packets with a destination or especially source port of 53. But for many networks, this is unnecessary; you can just use DNS servers out on the global Internet.
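The netmask estimate from observed ARP from-to pairs described above, as an added example that is not part of the original message: each ARP request is evidence that the sender believes the target is on its LAN, so the real prefix can be no longer than the pair's common prefix, and the minimum over all pairs is the conservative (maximal) estimate. The ARP frames here are constructed sample input and all function names are my own.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def parse_arp_request(frame: bytes):
    """Return (sender_ip, target_ip) for an Ethernet-framed IPv4 ARP request, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None                      # runt frame
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None                      # not ARP at all
    htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None                      # only Ethernet/IPv4 who-has requests carry the evidence we want
    return IPv4Address(spa), IPv4Address(tpa)

def common_prefix_len(a: IPv4Address, b: IPv4Address) -> int:
    """Number of leading bits on which two addresses agree (32 if identical)."""
    x = int(a) ^ int(b)
    return 32 if x == 0 else 32 - x.bit_length()

def estimate_local_net(frames):
    """Largest prefix length consistent with every observed ARP request, as a network.
    Returns None if no usable request was seen. Too-large is the safe direction here:
    it only causes some local traffic to be handed to the router unnecessarily."""
    prefix, first = 32, None
    for frame in frames:
        pair = parse_arp_request(frame)
        if pair is None:
            continue
        spa, tpa = pair
        prefix = min(prefix, common_prefix_len(spa, tpa))
        first = first if first is not None else spa
    if first is None:
        return None
    return IPv4Network((int(first), prefix), strict=False)

def arp_request_frame(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP who-has frame (constructed sample input, not captured traffic)."""
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, ARP_REQUEST, src_mac, IPv4Address(sender_ip).packed,
        b"\x00" * 6, IPv4Address(target_ip).packed)

SAMPLE_FRAMES = [  # constructed: two requests plus one runt frame that must be skipped
    arp_request_frame(b"\x02\x00\x00\x00\x00\x01", "192.168.1.10", "192.168.1.1"),
    arp_request_frame(b"\x02\x00\x00\x00\x00\x02", "192.168.1.200", "192.168.3.7"),
    b"\x00" * 14,
]
```

The second request alone forces the estimate down from /28 to /22, which is the point of taking the minimum rather than trusting any single pair.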