当前位置：文江博客话题详情

无需 DHCP 即可发现默认网关

发布于 2024-09-02 01:46:38 字数 184 浏览 5 评论 0原文

一个疯狂的问题，但是有没有办法在没有 DHCP 的情况下发现默认网关？

这适用于网络上不使用 DHCP、尚无 IP 地址的设备。我在想如果我能发现默认网关，那么我可以尝试猜测一个未使用的 IP 地址，然后在网络上广播以查看它是否正在使用。

我理解，我可能是在自找麻烦。例如，如果已经有一台具有静态 IP 且已关闭的计算机。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

一个人的夜不怕黑 2024-09-09 01:46:41

可以完成，但不是以简单的方式完成（根据我的有限知识）。
我将进一步分析的解决方案：

检测网关 - 2 种可能性（所有这些都与数据嗅探有关）：
- 捕获 DHCP Offer 数据包并
  检索网关
- 查找发往外部网络的数据包（例如，对每个目标 IP 地址执行 arp 请求 - 如果没有答案，则可能有默认网关的 mac 地址 - 您需要找到该网关的 IP 地址（分析 arp 数据包，所有数据包等...）
一个你有IP地址的人做一个arp请求并找到你免费的IP

嗅探库我认为是libpcap或winpcap。

从来没有做过类似的事情，但如果我在谷歌上找不到任何参考资料，我会去这个。我认为。

回复收藏 0 原文

烧了回忆取暖 2024-09-09 01:46:41

在 Windows 网络上，您可以使用 IP 0.0.0.0 并打开端口 67（或可能是 68）的 UDP 套接字，并等待 SMB 广播消息来了解 IP 地址。从那里，您可以使用 ARP 数据包搜索地址接近该 IP 的设备。

尝试找到一个与原始 IP（相同的高位）尽可能接近的未使用地址，以防网络使用小于 255.255.255.0 的网络掩码。一旦您发现未使用的 IP，请为您的设备声明它并发送免费 ARP。

现在继续 ARP 扫描，每当您发现有响应的设备时，请将其临时设置为默认网关，并尝试对 Internet 上将响应的设备的已知 IP 地址执行 ping 操作。如果您收到回复，则说明您已找到网关。

如果使用 DHCP，99% 的情况下都可以实现这一目标，那么需要做大量的工作。

回复收藏 0 原文

断念 2024-09-09 01:46:40

嗅探数据包一段时间，然后应用启发式方法。我假设 IPv4 和以太网用于其余部分。如果使用以太网交换机而不是集线器，则效果不会很好。最后还有更多内容。

根据您看到的以太网（或其他）和 IP 标头以及实际的 ARP 数据包（忽略广播和多播 IP 和 MAC 地址）创建您自己的 RARP（反向地址解析）表。确保您的表能够将多个 IP 地址映射到单个硬件接口。表中由实际 ARP 数据包输入或验证的任何 IP 地址都应进行此类标记。

网关可能会接收和发送更多流量。此流量可能具有来自许多不同网络的许多 IP 地址，但具有相同的硬件地址。网关将在您的表中显示为一个 MAC 地址和许多 IP 地址。您可能会观察到涉及此 MAC 地址的 ARP 事务，因此您可以查找别名为该 MAC 且也设置了 seen in ARP packet 标志的 IP 地址。这几乎可以肯定是网关的 IP 地址。

您可能能够根据网关的 IP 地址猜测网络地址和子网掩码，但这可能不是您可以信任的东西。如果您想尝试在具有非标准网络掩码的网络上执行此操作，您可以尝试执行以下操作。
创建两个 IP 地址大小的累加器变量：

uint32_t acc_and = 0xFFffFFff;
uint32_t acc_or  = 0x00000000;

然后对于表中的每个 ARP 验证地址，

acc_and &= ip_addr;
acc_or  |= ip_addr;

您还可以在来自网关的数据包中使用目标 IP 地址（非多播），但您必须知道网关，然后您才能将它们标记为此类。

查找网络掩码和网络地址

地址的网络部分在两者中应保持相同（在第一次操作之后），但在 acc_and 中，底部位应在 acc_or 中开始清除/code> 底部的位应该开始填满。有了足够的样本，您将能够通过以下方式确定网络地址：

uint32_t net_addr = acc_and & acc_or;

并通过以下方式确定网络掩码：

uint32_t net_mask = acc_and ^ acc_or;

获取足够的采样本地 IP 地址可能需要很长时间，因此您可以开始尝试通过以下方式缩小范围：

uint32_t almost_net_mask = acc_and ^ acc_or;
int i = 0;
while ( 1 & almost_net_mask ) {
   i++;
   almost_net_mask >>= 1;
}
uint32_t net_mask = 0xFFffFFff;
while( i-- ) {
     net_mask <<=1;
}

这将找到最后 1 位集。最低 0 位显然不是地址本地部分的一部分。或者，您也可以通过以下方式获得相同的 i：

i = ffs( ~ ( acc_and ^ acc_or ) ) ; // assuming that int on your system is 32 bit.  if not use ffsl

如果您现在确实想确定您的网络掩码和网络地址，您可以尝试其他一些方法。您可以尝试查看网关是否会尝试将您发送的数据包转发到您认为应该是它们的本地地址。为此，您必须继续为自己分配一个 IP 地址，如果您的网络掩码不正确，这将是有风险的。

为自己选择一个 IP

尝试选择您没有看到过往来流量的最低合法 IP 地址，以增加其不超出范围的机会。您可以欺骗该地址的 ARP 请求并查找任何回复（您可以使用您自己的真实 MAC 地址，但可能为此创建一个 IP。不一定是您的 IP，这可能会有点混乱）。找到 IP 地址后，您将无法通过 ARP 为自己声明该地址。

您最终得到的 IP 地址可能实际上太高了。这很难确定，因为您的网络掩码仍然只是一个很好的猜测。如果是这种情况，你就不走运了，因为没有空闲的空位供你居住。

返回网络掩码

要查看您的网络掩码是否需要调整，请尝试发送带有您在本地网络中未看到的目标地址的 IP 数据包，但根据您对网络掩码和网络地址的猜测，该地址可能位于本地网络中。如果这些猜测不成立，那么它们应该分配给网络地址的位太多，因此发送到改变（到目前为止）最佳猜测网络地址的网络掩码部分的低位的地址就是您想要的。您可以尝试像平常一样通过 ARPing IP 地址并查看是否有人回复来发送这些数据，但由于您正在猜测地址并且可能会错过，因此最好尝试创建目标 MAC 地址设置为的数据包网关看看它是否会转发它。它可能被配置为不这样做，因此您可以尝试首先对您已经在网络中观察到的网络成员执行此操作，然后查看它是否为您转发它，以查看它是否会这样做。如果网关转发数据包，那么您可以依靠其网络掩码的想法来缩小您对网络掩码的想法。如果网关不会转发发往本地网络已知成员的数据包，那么您可以继续使用您对本地网络掩码和网络的想法，直到您有理由调整它，或者发送针对该范围内的地址的 ARP 请求（它只会回答你的问题“是”或“也许”，不可能肯定“否”）。

如果您使用的是以太网交换机，而不是集线器

如果您使用的是以太网交换机，事情会变得更加困难，因为如果交换机知道帧应该发送到其他地方，则它不会将以太网帧转发给您，因此您将看不到他们。不过，它会转发许多 ARP 请求，因为它们是广播的，除非发送者在其 ARP 缓存中仍然有该 IP 的条目，并且只是尝试尽早更新该条目（并非所有系统都会这样做）。这将使您构建网络及其成员的想法变得更加困难，但您可能能够做得不错。不过，您可能必须依赖网关的 ARP 请求数量以及来自网关的 ARP 请求数量高于其他系统才能发现它。这很容易出错，因为文件服务器可能具有类似的流量。

Packet sniff for a while and then apply heuristics. I'm assuming IPv4 and Ethernet for the rest of this. This won't work so well if Ethernet Switches are used rather than HUBs. More on that at the end.

Create your own RARP (reverse address resolution) table based on the Ethernet (or whatever) and IP headers you see as well as actual ARP packets (ignoring broadcast and multicast IP and MAC addresses). Make sure that your table is able to map multiple IP addresses to a single hardware interface. Any IP addresses in the table that are entered or verified by actual ARP packets should be flagged as such.

The gateway(s) is likely to recieve and send more traffic. This traffic is likely to have many IP addresses from many different networks but have the same hardware address. The gateway will show up in your table as one MAC address with lots of IP addresses. It is likely that you will have observed an ARP transaction involving this MAC address address, so you can look for an IP address that aliases that MAC that also has the seen in ARP packet flag set. That is almost certainly a gateway's IP address.

You will probably be able to guess the network address and subnet mask based on the IP address of the gateway, but this might not be something you can trust. If you want to try to make this work on a network with a non-standard netmask you can try to do the following.
Make two IP address sized accumulator variables:

uint32_t acc_and = 0xFFffFFff;
uint32_t acc_or  = 0x00000000;

And then for each ARP verified address in your table you do

acc_and &= ip_addr;
acc_or  |= ip_addr;

You could also use destination IP addresses (that aren't multicast) in packets that came from the gateway for this, but you would have to know the gateway before you could flag them as such.

finding the netmask and network address

The network portion of the address should stay the same in both (after the first operation), but in acc_and the bottom bits should start clearing out while in the acc_or the bottom bits should start filling up. With enough samples you would be able to determine the network address by:

uint32_t net_addr = acc_and & acc_or;

and the netmask by:

uint32_t net_mask = acc_and ^ acc_or;

Getting enough sampled local IP addresses could take too long, so you can start trying to narrow it down by:

uint32_t almost_net_mask = acc_and ^ acc_or;
int i = 0;
while ( 1 & almost_net_mask ) {
   i++;
   almost_net_mask >>= 1;
}
uint32_t net_mask = 0xFFffFFff;
while( i-- ) {
     net_mask <<=1;
}

This would find you the last 1 bit set. The lowest 0 bit is obviously not part of the local portion of the address. Alternately you could get the same i by:

i = ffs( ~ ( acc_and ^ acc_or ) ) ; // assuming that int on your system is 32 bit.  if not use ffsl

If you really really want to be sure of your netmask and network address now you can try some other things. You can try to see if the gateway will attempt to forward packets you send it to what you think should be local addresses to them. For this would would have to go ahead and assign yourself an IP address, which is risky if your netmask isn't right.

choosing an IP for yourself

Try to choose the lowest legal IP address that you haven't seen traffic to or from to increase the chance that it is not out of range. You could spoof an ARP request for that address and look for any replies (you could use your own real MAC address but possibly make up an IP for this. doesn't have to be your IP, which might confuse things for a little bit). After you have found an IP address that you can't ARP claim it for yourself.

It is possible that you ended up with an IP address that is actually too high. This is difficult to know for sure since your netmask is still just a good guess. You're out of luck if this is the case because there is not free slot for you to live.

back to the netmask

To see if your netmask needs adjusting try sending IP packets with destination addresses that you haven't see in the local network but that could be in the local network based on your guesses at the netmask and the network address. If these guesses are off they should have too many bits assigned to the network address, so sending to addresses which change the lower bits from the netmasked portion of the (so far) best guessed network address is what you want. You can try sending these as you normally would by ARPing the IP address and seeing if anyone replies, but since you are guessing addresses and likely to miss, it might be better to try creating the packet(s) with the destination MAC address set to the gateway to see if it would forward it. It may be configured not to, so you could try to see if it would by first doing this for a member of the network which you have already observed in the network and then see if it forwards it for you. If the gateway forwards the packet then you can rely on its idea of the netmask to narrow down your idea of the netmask. If the gateway will not forward for packets destine for known members of the local network then you can either just keep using your idea of the local netmask and network until you have a reason to adjust it or send out ARP requests for addresses in that range (which will only answer your question as either "yes" or "maybe" with no possibility of a sure "no").

if you are using an Ethernet switch, rather than a HUB

If you are using an Ethernet switch things get much more difficult because the switch will not forward Ethernet frames to you if it knows that the frames should go somewhere else, so you will not see them. It will forward many ARP requests, though, since they are broadcast unless the sender still has an entry for that IP in its ARP cache and is just trying for an early renewal of that entry (this may not be done by all systems). This will make building your idea of the network and its members much more difficult, but you will likely be able to do a decent job. You will probably have to rely on the quantity of ARP request for the gateway and from the gateway being higher than the other systems to spot it, though. This is error prone as a file server could have similar traffic.

回复收藏 0 原文

~没有更多了~