There are a thousand and one reasons to hunt down neighbors who are freeloading on your Wi-Fi: the security of your connected devices, problems with downloads… And with the recent discovery of a flaw in WPA, you have a very good reason to check what is happening on your home network. You can never be too careful. Not sure how? This is a good chance to review the commands for those who already know them, and a great opportunity to discover them for everyone else.
Nmap, for those who do not know it, is a port scanner.
It can do a lot of things (for a global overview, RTFM!). In our case, we will use Nmap to scan all the IP addresses of our local network and see which machines are connected to it.
Nmap has a graphical interface, but honestly, it confuses more than anything else… We will do everything from the command line. For those on a Mac, you will have to go through MacPorts. For those on Linux, open your terminal, here we go!
    sudo apt-get install nmap
Once the installation is complete, if you do not know your IP address, run ifconfig:
    ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:19:db:f8:b2:29
              inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0
              adr inet6: fe80::217:dbff:fef4:b221/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Packets reçus:83608 errors:0 :0 overruns:0 frame:0
              TX packets:23819 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 lg file transmission:1000
              Bytes reçus:18363857 (18.3 MB) Bytes transmitted:6721613 (6.7 MB)
              Interruption:25

    lo        Link encap:Local loop
              inet adr:127.0.0.1  Mask:255.0.0.0
              adr inet6: ::1/128 Scope:Hôte
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              Packets reçus:304 errors:0 :0 overruns:0 frame:0
              TX packets:304 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 lg file transmission:0
              Bytes reçus:25004 (25.0 KB) Bytes transmitted:25004 (25.0 KB)
My IP is a private IP and my network is 192.168.0.0/24 (if this does not mean much to you, I invite you to read a tutorial on subnet masks). It's time to launch our first scan!
    sudo nmap 192.168.0.* -O

    Starting Nmap 5.51 ( http://nmap.org ) at 2017-08-17 00:21 CET
    Nmap scan report for 192.168.0.12
    Host is up (0.016s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    Warning: OSScan results may be unreliable because we could not find at least one open and one closed port
    Device type: phone
    Running: Linux 2.6.X
    OS details: Linux 2.6.24 (Andop mobile phone)

    Nmap scan report for 192.168.0.13
    Host is up (0.000050s latency).
    All 1000 scanned ports on 192.168.0.13 are closed (969) or filtered (31)
    Device type: media device|phone|general purpose
    Running: Apple iPhone OS 1.X|2.X|3.X, Apple Mac OS X 10.4.X|10.5.X|10.6.X
    Too many fingerprints match this host to give specific OS details
    Network Distance: 0 hops

    Nmap scan report for 192.168.0.103
    Host is up (0.0041s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http
    Device type: specialized
    Running: Wind River pSOSystem
    OS details: Wind River pSOSystem
    Network Distance: 0 hops

    Nmap scan report for 192.168.0.254
    Host is up (0.0045s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE
    80/tcp   open  http
    554/tcp  open  rtsp
    5678/tcp open  CSTR
    9100/tcp open  jetdirect
    MAC Address: 00:24:D4:BE:8F:DA (Freebox SA)
    Warning: OSScan results may be unreliable because we could not find at least one open and one closed port
    Device type: broadband router|general purpose
    Running: Linux 2.6.X
    OS details: DD-WRT v24 SP2 (Linux 2.6.24), Linux 2.6.13 - 2.6.31, Linux 2.6.18
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 256 IP addresses (4 hosts up) scanned in 333.04 seconds
Some explanations first:
- Many Nmap options require root, so it is a good idea to always run it that way
- You will notice that the range to scan can be given in two ways: 192.168.0.* or 192.168.0.0/24
- I used the -O option, which enables OS detection. It is not always very reliable, but it costs nothing and can always give a clue
On the last line, once Nmap has finished its scan, it gives the number of hosts detected out of the total number of IPs scanned (here 4 hosts out of 256 IPs). So do not panic if you see more hosts than you expected. In addition to your computers, smartphones and all the gadgets you may have forgotten to count, your router is a network host too (in my case the Freebox).
Just to be sure not to miss anyone, we will complete this first scan with a UDP scan, which can help find hosts that stayed hidden:
    sudo nmap 192.168.0.0/24 -sU
    Password:

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-01-08 00:55 CET
    Nmap scan report for wesharethis.com (192.168.0.12)
    Host is up (0.038s latency).
    All 1000 scanned ports on buzeo.net (192.168.0.12) are open|filtered

    Nmap scan report for 192.168.0.13
    Host is up (0.000019s latency).
    Not shown: 500 open|filtered ports, 499 closed ports
    PORT    STATE SERVICE
    123/udp open  ntp

    Nmap scan report for 192.168.0.103
    Host is up (0.0097s latency).
    All 1000 scanned ports on 192.168.0.103 are closed

    Nmap scan report for 192.168.0.254
    Host is up (0.0072s latency).
    Not shown: 992 open|filtered ports
    PORT      STATE  SERVICE
    68/udp    closed dhcpc
    32769/udp closed filenet-rpc
    32770/udp closed sometimes-rpc4
    32772/udp closed sometimes-rpc8
    32775/udp closed sometimes-rpc14
    32776/udp closed sometimes-rpc16
    32778/udp closed sometimes-rpc20
    32780/udp closed sometimes-rpc24
    MAC Address: 00:24:D4:BE:8F:DA (Freebox SA)
In most cases you will find the same hosts again, but you never know, and it is always wise to try another scanning technique.
Now that you have found the intruder (or not), all that remains is to proceed by elimination before going out with the baseball bat… although I think a golf club has a lot more class! Note that there is also a tool dedicated to detecting and geolocating intruders on a Wi-Fi network, called MoocherHunter. This software relies not on pings or TCP/UDP requests, like Nmap, but on the traffic of the Wi-Fi clients, and it comes as a live CD.
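The elimination step described above, as an added example that is not part of the original article: a small shell script that sorts the hosts in Nmap's output into known, unknown and no-MAC, using a hand-kept inventory. The function names, the inventory format and the 02:… MAC addresses in the sample are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): the "elimination" step.
# Compare hosts in nmap's normal output against a hand-kept inventory of MACs.

# Hypothetical inventory: "MAC label", one device per line.
KNOWN_DEVICES='00:24:D4:BE:8F:DA freebox-router
02:00:00:00:00:0A living-room-tv'

# Constructed sample in the shape of the scan reports above; the 02:... MACs
# are made up. The first host has no MAC line: nmap does not print one for
# the machine running the scan.
SAMPLE_SCAN='Nmap scan report for 192.168.0.12
Host is up (0.000050s latency).
Nmap scan report for 192.168.0.13
Host is up (0.016s latency).
MAC Address: 02:00:00:00:00:0A (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.0041s latency).
MAC Address: 02:00:00:00:00:0B (Unknown)
Nmap scan report for 192.168.0.254
Host is up (0.0045s latency).
MAC Address: 00:24:D4:BE:8F:DA (Freebox SA)'

# Read nmap output on stdin, print one "IP MAC" pair per host ("-" = no MAC).
list_hosts() {
  awk '
    /^Nmap scan report for / {
      if (ip != "") print ip, mac
      ip = $NF; gsub(/[()]/, "", ip); mac = "-"
    }
    /^MAC Address: / { mac = toupper($3) }
    END { if (ip != "") print ip, mac }
  '
}

# $1 = inventory text, stdin = nmap output. Prints "STATUS IP MAC" per host.
classify_hosts() {
  list_hosts | while read -r ip mac; do
    if [ "$mac" = "-" ]; then
      echo "NO-MAC $ip $mac"     # the scanner itself, or a host behind a router
    elif printf '%s\n' "$1" | grep -qi "^$mac "; then
      echo "KNOWN $ip $mac"
    else
      echo "UNKNOWN $ip $mac"    # not in the inventory: identify it by hand
    fi
  done
}

printf '%s\n' "$SAMPLE_SCAN" | classify_hosts "$KNOWN_DEVICES"
```

To use it on a real scan, pipe the scan into the function, e.g. `sudo nmap 192.168.0.0/24 -O | classify_hosts "$KNOWN_DEVICES"`. A MAC address can be changed by the client, so a KNOWN match narrows the list rather than proving identity.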
Coming back to Nmap, you will have understood that this tool is very versatile. Its purpose is not to determine who is or is not present on the network but, as the name suggests, to find open ports on a machine. This little exercise will have let you discover the tool. I now leave you to run your own little experiments and marvel at the power of the thing.