Monday, August 10, 2015

Connect to a network without DHCP


You might be in a new town or a new school where there is no DHCP, or the DHCP server is not responding, but you can still physically connect to the network. That happens to me a lot. I am posting this after successfully breaking into a free WiFi here in Addis Abeba.

If for some reason you cannot get an IP from the network, your computer will fail to join it. In many cases the network admins leave the IP range at the default values, you know, '192.168.1.*', with, as you can guess, the subnet mask '255.255.255.0' and the default gateway at the first valid address of the range, i.e. '192.168.1.1'.

But some don't leave it that way, especially if there is more complicated networking involved. So how in the world do we find the range of IP addresses to guess from? Well, if you can see some IP addresses in use on the network, the rest is setting your own IP address to one that is not already used.

Let's begin by finding the IPs in use on the network. First we have to connect to the network, and to do that we have to assign some arbitrary IP: set a static IP address like the one above on your network interface.
Then scan for the active IP addresses in use on the network you are connected to. For this we need an ARP scanner. What we want is to listen to the packets being thrown around on the network: the scanner captures them and records the IP and MAC addresses they carry.

There are many ARP scanners to choose from. For my Linux enthusiast friends, netdiscover is a good one. If you are using BackTrack or Kali Linux, I hear it is already packaged with your penetration-testing distro. For other Linux users, go over

After installing your ARP scanner, set it to passively listen for packets. To do this with netdiscover, run
sudo netdiscover -i wlan0 -p 

This instructs netdiscover to listen for packets without sending any requests of its own. The result is every IP address currently communicating on the local network. It might take a while if no device is active. My result looks like this:
 
Currently scanning: (passive)   |   Screen View: Unique Hosts                 
                                                                               
 21 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 1260             
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 0.0.0.0         f0:24:75:ad:c0:9e    03    180   Unknown vendor               
 169.254.132.101 f0:24:75:ad:c0:9e    03    180   Unknown vendor               
 10.11.3.54      14:58:d0:39:0d:02    05    300   Unknown vendor               
 0.0.0.0         28:cf:da:57:94:f9    03    180   Unknown vendor               
 169.254.34.169  28:cf:da:57:94:f9    02    120   Unknown vendor               
 10.11.6.42      b8:5a:73:62:b1:ec    02    120   Unknown vendor               
 10.11.6.17      84:db:ac:ad:99:70    01    060   Unknown vendor               
 10.11.6.26      b8:ca:3a:96:8f:82    01    060   Unknown vendor               
 10.15.4.10      64:51:06:26:1f:e6    01    060   Unknown vendor 

From this result I could see a list of IP addresses in use. You can see that most of the IP addresses are in the '10.*.*.*' range, so you can start guessing from there.
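As an added example (not part of the original post), here is a small Python parser for the netdiscover "Unique Hosts" table shown above. It separates real hosts from the 0.0.0.0 and 169.254.x.x entries, which are ARP probes and APIPA fallback addresses of clients that, like us, got no DHCP lease, and then groups the remaining hosts by /24. The sample rows are constructed in the same layout as the output above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows, laid out like netdiscover's "Unique Hosts" screen.
SAMPLE = """\
 0.0.0.0         f0:24:75:ad:c0:9e    03    180   Unknown vendor
 169.254.132.101 f0:24:75:ad:c0:9e    03    180   Unknown vendor
 10.11.3.54      14:58:d0:39:0d:02    05    300   Unknown vendor
 10.11.6.42      b8:5a:73:62:b1:ec    02    120   Unknown vendor
 10.15.4.10      64:51:06:26:1f:e6    01    060   Unknown vendor
"""
# Columns: IP, MAC, packet count, total length; the vendor column is ignored.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\d+)", re.I)

def classify(ip):
    """Say what kind of sender an ARP table entry represents."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "arp-probe"   # 0.0.0.0 sender: host probing before it owns an address
    if addr.is_link_local:
        return "link-local"  # 169.254/16: APIPA fallback, so this host got no DHCP lease
    return "host"

def parse(text):
    """Turn table rows into dicts; header and rule lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, count, length = m.groups()
            rows.append({"ip": ip, "mac": mac.lower(), "count": int(count),
                         "len": int(length), "kind": classify(ip)})
    return rows

def summarize(rows):
    """Group addressed hosts by /24, the view the post reads off by eye."""
    by_net = defaultdict(set)
    for r in rows:
        if r["kind"] == "host":
            net = ipaddress.ip_network(r["ip"] + "/24", strict=False)
            by_net[str(net)].add(r["ip"])
    return {net: sorted(ips) for net, ips in by_net.items()}

def dhcp_fallback_macs(rows):
    """MACs seen with a link-local address: other clients DHCP also failed for."""
    return sorted({r["mac"] for r in rows if r["kind"] == "link-local"})
```

Several 169.254.x.x entries in a passive capture are a good sign that the DHCP server itself is down rather than just ignoring you.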