How to telnet into an unknown IP


trunolimit

Occasional Visitor
Here is the situation, I have a serial terminal box (IOLAN black box to be exact). I have no idea what the IP of this box is but I do know its MAC address. I need to telnet into this box to be able to change configs on it. I have it connected directly to a laptop.

I tried installing wireshark on the laptop in hopes I'd catch a glimpse of the IP address but no luck. I read somewhere about ARP -s but if it does work can someone explain to me how it would work. Wouldn't communications fail once it gets to layer 3 of the stack on the blackbox? Here are the directions that I've gathered from different sources.

An explanation on why this would work would be greatly appreciated and wouldn't this be a security vulnerability?



If the address is unknown or undefined, the following sets a temporary IP address:

Set the static ARP with the desired IP address (example: 192.168.0.12) by using the hardware address which is printed on the label of the product. Open a command prompt window by going to START> RUN and type CMD and click OK. This will open a DOS window.

Note: In order for the ARP command to work in Windows, the ARP table on the PC must have at least one IP address defined other than its own. Type "ARP -A" at the DOS command prompt to verify that there is at least one entry in the ARP table. If there is no other entry besides the local machine, ping another IP machine on your network to build the ARP table. This has to be a host other than the machine on which you are working. Once there is at least one other entry in the ARP table, use the following commands to ARP an IP address into the unit.
At the command prompt, type arp -s followed by the desired IP address and then the MAC address printed on the label of the device, then press ENTER. See example below:

arp -s 192.168.0.12 00-20-4A-02-64-0B

After entering the above command and pressing enter, the command prompt will return. Next, open a Telnet connection to port 1. This connection will fail, but the device will change its IP address to the desired one designated in that step.

telnet 192.168.0.12 1

Once the command prompt returns stating that it could not open the telnet port, open a Telnet connection to port 9999 and set/program the device with all required parameters.

telnet 192.168.0.12 9999

Note: The temporary IP address is reverted after every power reset of the device. Be sure to log into the device and store the parameters to make sure the changes are permanent.

Again why would this work?
 
Here's what's going on:

You are configuring a static ARP assignment on your PC. In your example, 192.168.0.12 00-20-4A-02-64-0B, any communication by that PC to 192.168.0.12 will be sent to the hardware address, 00-20-4A-02-64-0B. The terminal server receives this traffic because it is not discarding traffic sent to its hardware address when the destination port is TCP 1. As a backup access method, the server is programmed to change its IP to whatever destination IP is specified when the port 1 connection attempt is made.

Security concerns:

What does it take to exploit this?
Presence on the broadcast domain
The MAC of the terminal server
(possibly) Credentials of the device once you attempt to login on port 9999

You would not be able to exploit this if you were outside of the broadcast domain as the terminating router would have to ARP for the IP just like any other device. Without a static MAC assignment, you can't take advantage of a reset. That's best case scenario (changing to an IP in the same subnet). Depending on the IP you want to set the device to, your packets may be routed to an entirely different network.

Other exploits?
If the device handles a broadcast MAC as it would its own MAC, you wouldn't need the device's MAC to change the IP.
 
Thanks a lot for the explanation. So in short the terminal has to be pre-programmed to accept the IP set as the destination on port 1 as its own. OK that clears up a lot.

Now suppose the terminal isn't that smart. Knowing the MAC and having access to wireshark, how can I determine its IP?

I actually had a little success with a few terminals. I knew they were set somewhere in the 10.x.x.x IP range so I set my IP as 10.0.0.1 and a subnet mask of 255.0.0.0. I then looked at wireshark for a while and saw that a WHO IS packet was asking for a default gateway on the 10.100.21.0 subnet and the TELL was 10.100.21.135, which was the IP of the terminal server I was trying to reach. I got 3 of them that way but then that method stopped working.
 
The PC can display its ARP table, which lists IP vs. MAC for frames that have been seen on the LAN.

In windows, it's a command window: arp -a
 
Resetting the device would likely be the fastest way to get to an IP that you know.

I glanced through the manual and found that some models of the device support IPv6; you could let it autoconfigure and use that IP to log into the web admin to obtain the IPv4 address.

You could also write a script to ping every IP; even if the device does not respond to ICMP you should be able to observe an ARP reply. This would take a really long time and you'd want to start with the likely IP ranges first. If the device is at all chatty, you have time to notice and get the IP from there as well.
 
So for the Perle devices I had no choice but to attach a serial cable to port 1 and use terminal software to connect to it during boot up to reset the IP.

For the black box there is a reset button that once it's pushed down for 15 seconds wipes the device, and then it starts sending out BOOTP packets, which I can either set up a DHCP server for, or it will accept a telnet request on port 23 from any IP, so the arp -s will work in that instance.

I played a bit more with it and found out I could coax the IP from both boxes but I had to be in the same broadcast domain <-(I think that's the best way to put it).

So if the terminal box had an IP of 10.0.0.25 /24 and I had an IP of 10.0.0.30 /24 I could enter into the command prompt "arp -s 10.0.0.2 aa-aa-aa-aa-aa-aa" where aa-aa-aa etc. is the MAC address printed on the terminal server. Then I would ping 10.0.0.2 and in wireshark I could see 10.0.0.25 do a WHOIS for its own gateway. I tried changing my IP to something outside of its network like 10.0.1.30 /24 but it didn't work.

Now my question is, am I not seeing the same WHOIS packet when I change my IP outside of its network because the TCP/IP stack is causing me to ignore those packets, or is the terminal box ignoring my packets because it sees the source IP is outside of its network?

If it is me that is ignoring his WHOIS packets then I need to possibly set up a Linux box where I have more control over the NIC and what gets to me.
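The "WHO IS ... TELL ..." observation made in the two posts above (the device asking for its gateway and thereby revealing 10.100.21.135) comes down to reading the sender fields of an ARP request. The following is an added example, not code from any poster or from the device vendor: it decodes raw Ethernet/ARP frames and reports the IP that a known MAC announces for itself. The MAC 00-20-4A-02-64-0B and the address 10.100.21.135 are taken from the thread; the gateway address 10.100.21.1 and the sample frames are constructed for the demo, and feeding it live frames would need a raw socket or pcap reader, which is left out.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ETHERTYPE_ARP = 0x0806

@dataclass
class ArpInfo:
    opcode: int      # 1 = request ("who has T, tell S"), 2 = reply ("S is at MAC")
    sender_mac: str
    sender_ip: str   # the "tell" side: the IP the sender claims for itself
    target_ip: str   # the "who has" side

def _mac(b: bytes) -> str: return "-".join(f"{x:02x}" for x in b)
def _ip(b: bytes) -> str: return ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes) -> Optional[ArpInfo]:
    """Decode one raw Ethernet frame; None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return ArpInfo(op, _mac(a[0:6]), _ip(a[6:10]), _ip(a[16:20]))

def ip_for_mac(frames: Iterable[bytes], mac: str) -> Optional[str]:
    """First IP the given MAC announces as its own in any ARP request or reply.
    ARP probes (sender IP 0.0.0.0, RFC 5227) are skipped: that host has no address yet."""
    mac = mac.lower().replace(":", "-")
    for info in map(parse_arp_frame, frames):
        if info and info.sender_mac == mac and info.sender_ip != "0.0.0.0":
            return info.sender_ip
    return None

def make_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Broadcast 'who has target_ip, tell src_ip' frame, used here only to build sample input."""
    src = bytes.fromhex(src_mac.replace("-", "").replace(":", ""))
    eth = b"\xff" * 6 + src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src + bytes(map(int, src_ip.split(".")))
    return eth + arp + b"\x00" * 6 + bytes(map(int, target_ip.split(".")))

# Constructed sample capture: an IPv4 frame (ignored), an ARP probe from the device (skipped),
# then the terminal server asking for its gateway; the "tell" address is the one we want.
SAMPLE_FRAMES = [
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 41,
    make_arp_request("00-20-4A-02-64-0B", "0.0.0.0", "10.100.21.135"),
    make_arp_request("00-20-4A-02-64-0B", "10.100.21.135", "10.100.21.1"),
]
```

Because ARP requests are broadcast, this only works from inside the device's broadcast domain, which matches what the posts above found when moving the PC to another subnet.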
 