..:: MacHacking.net ::..
Article from MacHacking.net Knowledge Base: http://kb.machacking.net
**********
Title: How to find other Macs on the Internet
Author: DimBulb
Author Contact: marcmeadows100@hotmail.com
**********

How to find other Macs on the Internet

Some port scanning software:

PortSniffer 2 (GUI for OS 9 or X)
http://software.theresistance.net/

Nmap (CLI) & NmapFE (GUI) for OS X
http://faktory.org/m/software/nmap/

Strobe (CLI) for OS X
http://macosx.forked.net/p/strobe-1.03.pkg.tgz
(NicCentral provides a GUI front-end for Strobe: http://www.stepwise.com/Software/NicCentral/index.html - I haven't tried it though...)

HTTPScanner - identifies many Mac web servers (Darwin, OS X, OS 9)
http://www.davtri.com/freeware.html

Before you start scanning:

Take a look at the list of block registrations at http://www.flumps.org/ip/ and pay particular attention to the IP ranges you DON'T WANT TO SCAN, such as these. (The owners listed here are a snapshot of the registry at the time of writing; whole /8 blocks have been reassigned since, so check the current whois/RIR records before relying on any such list.)

6.x.x.x Army Information Systems Center - USAISC, Yuma Proving Ground, AZ (NET-YPG-NET)
7.x.x.x Defense Information Systems Agency, VA (NET-DISANET2)
11.x.x.x DoD Intel Information Systems, Defense Intelligence Agency, Washington DC (NET-DODIIS)
21.x.x.x US Defense Information Systems Agency (DDN-RVN), VA (NET-DDN-RVN)
22.x.x.x Defense Information Systems Agency, Washington DC (NET-DISNET)
26.x.x.x Defense Information Systems Agency, VA (NET-MILNET)
28.x.x.x ARPA DSI JPO, VA (NET-DSI-NORTH)
29.x.x.x Defense Information Systems Agency, Washington DC (NET-MILX25-TEMP)
30.x.x.x Defense Information Systems Agency, Washington DC (NET-ARPAX25-TEMP)
49.x.x.x Joint Tactical Command, Control, and Communications Agency, AZ (NET-JITCNET1)
50.x.x.x Joint Tactical Command, Control, and Communications Agency, AZ (NET-JITCNET2)
55.x.x.x Army National Guard Bureau, VA (NET-RCAS2)
56.x.x.x U.S. Postal Service, NC (NET-USPS1)

(Also try this URL for a good PDF list of "Do Not Scan" ranges; the text can be pulled out with Acrobat Pro.
http://deepquest.code511.com/blog/images/uploads/txt/donot_v0.3.pdf.gz )

And don't bother scanning any of these: they are private or reserved ranges and won't route on the Internet (you need PUBLIC IPs!):

192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12 - the whole 172.16 through 172.31 span, not just 172.16.x.x)
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
127.x.x.x = loopback; for instance, 127.0.0.1 is localhost, your own computer.

Start with your own IP

Browse to www.showmyip.com and copy your public IP address.

PortSniffer

Paste your IP into the starting address field, delete the last segment and replace it with ".1", then replace the last TWO segments of the ending address with ".255.255" (remember that each IP segment is one byte, so no segment can ever be greater than 255). Enter 548 as the port number to scan for (this is the default port for Apple File Sharing, AFP over TCP). Set the timeout: on a very fast connection a timeout of 0.6 will produce results quickly but may skip machines that are unable to respond quickly enough; for slower connections try a timeout of 3 (this also allows for a slow connection on the remote side, or a slow response from a machine under heavy load such as a server). Just let PortSniffer run; you can save the results list later. You can open multiple windows to scan several ranges at a time (in parallel!). (If you have trouble saving the lists, scan 127.0.0.1 port 80, which is your own machine's web server port, then save; sometimes the software needs a successful scan before it will allow saving.)

Want more power for your scans? Use NmapFE!

Paste your IP into the Host(s) field, delete the last segment and enter .1-255. Now uncheck the "Fast Scan" box, check the "Range of ports" box and enter 548 (again, the Apple File Sharing port). Click the "Scan" button. Nmap will tell you which IPs have port 548 closed, which have it open and which are filtered (behind a router or firewall, for instance). It also gives you the hostname from a reverse DNS lookup of the IP address.
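Before a range goes into PortSniffer, NmapFE or Strobe, it is worth checking it mechanically against the exclusions above rather than by eye. The Python below is an added example, not code from the original article or from any of the scanners it lists. Its DO_NOT_SCAN list is a constructed subset: the /8 blocks named above plus the private and loopback ranges; a real list would be loaded from a maintained file and re-checked against current whois data. It also expands the PortSniffer recipe (a.b.c.1 through a.b.255.255) into CIDR blocks and normalizes a target file saved with classic Mac CR line endings, which the Strobe step later on this page needs.

```python
"""Scope check for a scan target list: an added example, not code from the
original article or from PortSniffer, Nmap or Strobe.

Assumption: DO_NOT_SCAN is a constructed subset of the blocks named on the
page plus the private and loopback ranges; a real list would be loaded from a
maintained file and re-checked against current whois/RIR data.
"""
import ipaddress

DO_NOT_SCAN = [ipaddress.ip_network(n) for n in (
    # /8 blocks named on the page (owners as of the page's snapshot)
    "6.0.0.0/8", "7.0.0.0/8", "11.0.0.0/8", "21.0.0.0/8", "22.0.0.0/8",
    "26.0.0.0/8", "28.0.0.0/8", "29.0.0.0/8", "30.0.0.0/8", "49.0.0.0/8",
    "50.0.0.0/8", "55.0.0.0/8", "56.0.0.0/8",
    # RFC 1918 private space and loopback; note 172.16.0.0/12 is 172.16-172.31
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]


def is_excluded(ip):
    """True if ip must not be scanned: anything the ipaddress module does not
    consider globally routable (private, loopback, link-local, multicast,
    reserved) or anything inside an explicit DO_NOT_SCAN block."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return True
    return any(addr in net for net in DO_NOT_SCAN)


def range_conflicts(network):
    """DO_NOT_SCAN blocks that overlap a proposed scan range."""
    return [net for net in DO_NOT_SCAN if network.overlaps(net)]


def portsniffer_range(own_ip):
    """The page's PortSniffer recipe: start at a.b.c.1, end at a.b.255.255.
    That span is not one clean CIDR block, so return the list of blocks
    covering it (handy for feeding a CLI scanner one block at a time)."""
    a, b, c, _ = own_ip.split(".")
    start = ipaddress.ip_address(f"{a}.{b}.{c}.1")
    end = ipaddress.ip_address(f"{a}.{b}.255.255")
    return list(ipaddress.summarize_address_range(start, end))


def load_targets(text):
    """Parse an IP list saved with classic Mac CR, Unix LF or CRLF line
    endings (the Strobe step later on the page needs LF) and split it into
    (kept, dropped); dropped entries carry the reason."""
    kept, dropped = [], []
    normalized = text.replace("\r\n", "\n").replace("\r", "\n")
    for line in normalized.split("\n"):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            dropped.append((line, "not an IP address"))
            continue
        if is_excluded(line):
            dropped.append((line, "excluded range"))
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample list with classic Mac (CR) line endings.
    sample = "12.233.168.201\r8.8.8.8\r172.20.1.1\r172.32.1.1\r6.1.2.3\r"
    kept, dropped = load_targets(sample)
    print("scan:", kept)
    print("skip:", dropped)
    for block in portsniffer_range("12.233.168.201"):
        print(block, range_conflicts(block) or "ok")
```

The 172.20.1.1 / 172.32.1.1 pair in the sample shows why the /12 matters: the first is private, the second is an ordinary public address. Because is_excluded also rejects everything ipaddress.is_global refuses, it drops link-local, multicast and reserved space without those needing to be in the list.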
Now paste into the "Host(s)" field one IP that has port 548 open, uncheck the "Range of ports" box and check the "OS Detection" box. Click Scan again. Impressive, isn't it?! Note that without a port range Nmap scans its default list of well-known ports (taken from its nmap-services file), not all 65,535 of them; to check every port, give it the range 1-65535. Hover the mouse over the various boxes and fields in NmapFE and it will tell you what they are.

Got a list of IPs and want to check if the systems are still up? STROBE will check them quickly!

Save your IP list as a text file with just the IPs, one per line. The file must have Unix "newline" (LF) line endings, not classic Mac "return" (CR) endings. If you have MHW it includes a utility to do this for you (it's called M2U), or you can translate the line endings in the Terminal like so:

Code:
tr "\r" "\n" < myipfile.txt > ipsforstrobe.txt

Now that your file has Unix line endings, tell Strobe to scan each IP for port 548, allow up to 9 seconds for the remote system to respond, and write the list of those that do respond to a text file called responses.txt. In the Terminal type:

Code:
strobe -t 9 -p 548 -i ipsforstrobe.txt -o responses.txt

Now that you have some IPs with port 548 open, what can you do with them?

In OS X's Finder, pull down the Go menu in the menu bar and choose "Connect to Server" (Command-K on the keyboard). If you are using OS 9, go to the Chooser under the Apple menu, click AppleShare, then "Enter Server IP Address". Enter one of the IP addresses from your list. Hopefully you will be asked to enter a user name and password. Is the "Guest" option greyed out? If not, select Guest and connect. Chances are you will be looking at the OS X user names for that machine (or possibly folders or whole volumes that have been shared for guest access). Search the forums for information on AFPBrute if you want to know more about cracking the passwords for those user accounts.

Curious where a computer is located? Go here to see a map of its approximate location:
http://www.geobutton.com/IpLocator.htm

What other ports could you scan?
For port lists, browse to http://www.opendoor.com/doorstop/ports.html, or in OS X's Terminal type:

Code:
open /etc/services

Here are some particularly interesting ports for Macs:

21 FTP & 25 SMTP (POP3 is on 110, not 25) - search the forums for info on BrutalGift.

22 SSH - you'll need a user name and password for SSH, but it's a whole lot of fun.

80, 88, 1080, 8080 - if you find these ports open, try the IP in your browser (http://xxx.xxx.xxx.xxx:1080 for instance) and you might find that you are looking at a router configuration page. Search the forums for default router passwords if you want to play with these; also run HTTPScanner to search just for web pages within a C-block (a /24, 256 addresses).

407 Timbuktu - guess at the user name; it will let you know when the name is right, then you have to guess the password.

497 Dantz Retrospect - if you have the program you can try "configuring" a client by address: enter an IP that has port 497 open and see whether the client name appears in the list. Older versions of the client didn't force users to set a password (and there are still some out there); newer versions do, although these passwords are frequently a weak link in the security chain (try backup, retro, or the name or initials of the company at that IP address). The backup client can be used to copy pretty much anything from the remote computer (such as its password hashes) or to PUT SOMETHING ONTO the remote computer (such as remote-control software or a keystroke recorder). Search the forums for more info on all of these!

5003 FileMaker Pro - it's amazing how many databases have no password protection. They frequently list the names of employees of the company at that IP address too, and very often those are the names you would need to connect over other ports such as 548 AFP (extremely helpful when Guest access isn't on and you didn't get any account names).

5009 AirPort base station - try running Apple's AirPort Admin Utility and enter this IP as "Other". The default password is "public".

5500 Hotline - this could be a Hotline server.
Use Pitbull to try connecting.

5900 VNC - similar to Timbuktu. Download Chicken of the VNC for OS X to try connecting:
http://sourceforge.net/projects/cotvnc/

6700 Carracho - this is probably a Carracho server; head to http://www.carracho.com/ to get the software you'll need to connect.

What other ways could you get IP addresses of Macs?

Google search for things like:

intitle:"index of" .DS_Store
intitle:"index of" Macintosh HD
intitle:"index of" FBCIndex
site:mac.com public files

End of file "How to find other Macs on the Internet"
----------------------------------
Start of file "How to get someone's IP Address"

How to get someone's IP Address

Via e-mail.

Note: If you are using Hotmail you must set your account options to show the e-mail headers.

Look in the e-mail header for the originating IP. For instance:

Return-Path:
Received: from [10.0.1.50] (12-233-168-201.client.attbi.com [12.233.168.201])

In this example the originating IP is a 10.x.x.x number (a private subnet), but the routable IP in front of that subnet is listed as 12.233.168.201. Each mail server adds its own Received: line above the existing ones, so the hop nearest the sender is the LAST Received: line in the header block; read from the bottom up and take the first address that is not private or loopback. If the e-mail originated from a webmail client or AOL it probably will not show the actual IP address of the user who wrote the e-mail. If you do not have an e-mail from them and you know their e-mail address, set up a bogus Hotmail box and send them an e-mail asking them to reply.

Via their domain name(s)

Note: Don't bother with this one unless you are sure they host their own web page or e-mail (otherwise the address you get will probably be that of a hosting service or ISP, not the intended target).

There are lots of web-based network utilities to perform DNS look-ups; try:
http://network-tools.com/

Use the Network Utility that comes with OS X.
For instance, assuming that the specific target is "ZZZ Company", run "Network Utility", click the Lookup tab, and under the pop-up for "Select the information to lookup:" select "Internet Address". Enter the domain name for the target (such as www.zzzcompany.com) and click the "Lookup" button. Hopefully you will see something like:

;; ANSWER SECTION:
www.zzzcompany.com. 15M IN A 192.168.1.40

Now repeat the search for mail.zzzcompany.com:

;; ANSWER SECTION:
mail.zzzcompany.com. 15M IN A 192.168.1.40

(The answers shown use a 192.168.x.x placeholder; a real public name resolves to a public, routable address.) In this case the web and e-mail servers are at the same address. This may mean that they are on the same system and therefore not hosted by an ISP (which would typically have separate servers for mail and web). It could also be that there are two different servers inside the LAN and that the router is port-mapping the services (port 80 for web/HTTP, ports 25 and 110 for SMTP and POP3) to different computers.

In OS X's Terminal, type:

Code:
host www.zzzcompany.com

and/or

Code:
host mail.zzzcompany.com

Other methods of identifying someone's IP address.

iVisit
Connect to the iVisit server and join a room or connect with any individual. If in a room, click a user in the "Guest List" window. Now click the small blue triangle at the bottom of that person's window. You should see "Recording prohibited" followed by their IP address and whether they are using the Mac or Windows version of iVisit.

IRC
Type /whois or /dns on the user.

Carracho
Option-click the server name in the server list; the IP is in the top line.

Timbuktu
This is a long shot, but if you know that they use Timbuktu there is a chance that they have set it up to use the locator service. You will need to know or guess their e-mail address. Just open Timbuktu and attempt to connect to their e-mail address to find out. If it finds them, use MacSniffer, or run netstat -an in the Terminal (the -n keeps the addresses numeric instead of resolving them), to see the IP address.
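The Received-header method described above under "Via e-mail" can be automated. The Python below is an added example, not code from the original article. Its SAMPLE_MESSAGE is constructed for this example: the host names and the 198.51.100.7 address are placeholders (RFC 5737 documentation space), not real mail servers, while the [10.0.1.50] / 12.233.168.201 line is the page's own example. It walks the Received: chain from the earliest hop upward, skips non-routable addresses, and optionally trusts only the hops stamped by your own mail servers, since a sender can forge Received: lines beneath those.

```python
"""Originating-IP extraction from Received: headers: an added example, not
code from the original article.

Assumption: SAMPLE_MESSAGE is constructed for this example; its host names and
the 198.51.100.7 address are placeholders (RFC 5737 documentation space), not
real mail servers. 12.233.168.201 and [10.0.1.50] are the page's own example.
"""
import email
import ipaddress
import re

# Ranges that cannot be the sender's Internet address: RFC 1918, loopback,
# link-local and "this network". (ipaddress.is_global is deliberately not used
# here because it also rejects the documentation addresses used as stand-ins.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

IPV4_LITERAL = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

SAMPLE_MESSAGE = """\
Return-Path: <someone@example.net>
Received: from mx2.example.org (mx2.example.org [198.51.100.7])
\tby mail.example.com with ESMTP id abc123; Tue, 4 Mar 2003 10:00:02 -0800
Received: from localhost (localhost [127.0.0.1])
\tby mx2.example.org with ESMTP; Tue, 4 Mar 2003 10:00:01 -0800
Received: from [10.0.1.50] (12-233-168-201.client.attbi.com [12.233.168.201])
\tby mx2.example.org with ESMTP; Tue, 4 Mar 2003 10:00:00 -0800
From: someone@example.net
To: you@example.com
Subject: hello

body text
"""


def is_routable(ip):
    """True only for a valid IPv4 address outside every NON_ROUTABLE range."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def candidate_ips(received_value):
    """IPv4 literals in one Received: value, in order of appearance."""
    return IPV4_LITERAL.findall(received_value)


def added_by(received_value, domain):
    """True if the 'by <host>' of this hop ends with domain (case-insensitive)."""
    match = RECEIVED_BY.search(received_value)
    return bool(match) and match.group(1).lower().endswith(domain.lower())


def originating_ip(raw_message, trusted_by=None):
    """Walk the Received: chain from the earliest hop (the LAST header, since
    each relay prepends its own) upward and return the first routable address.
    A sender can forge Received: lines below the ones your own relays add, so
    pass trusted_by="yourdomain" to consider only hops stamped by your hosts.
    Returns None if no routable IPv4 literal is found."""
    msg = email.message_from_string(raw_message)
    hops = [str(h) for h in (msg.get_all("Received") or [])]
    if trusted_by:
        hops = [h for h in hops if added_by(h, trusted_by)]
    for value in reversed(hops):
        for ip in candidate_ips(value):
            if is_routable(ip):
                return ip
    return None


if __name__ == "__main__":
    print(originating_ip(SAMPLE_MESSAGE))                            # 12.233.168.201
    print(originating_ip(SAMPLE_MESSAGE, trusted_by="example.com"))  # 198.51.100.7
```

With no trust filter the bottom hop yields the page's answer: the bracketed 10.0.1.50 is skipped and 12.233.168.201 is returned. With trusted_by="example.com" only the line stamped by mail.example.com counts, so the result is the relay that handed the message to your server; everything below that line is the sender's claim, not your evidence.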
BitTorrent
Some BitTorrent web sites keep connection information such as a list of all the IPs seeding or downloading a file. If you know that they downloaded a torrent recently and from which site, their IP may be listed (although you won't know for certain which entry in the list is theirs without further work). The last three digits may be obscured, so scan the whole C-block looking for port 548 (assuming that they have sharing on). For instance, if an IP is shown as 192.168.1.xxx then scan 192.168.1.1 through 192.168.1.255 (although of course 192.168.x.x is reserved for private subnets; you can't actually scan these numbers over the Internet).

Web usage
If they have a website, or you know that they frequent a particular website, then look for a web usage page or a log of recent visitors' IP addresses. Here is an example page:
http://escati.linkopp.net/counter2001/431720.shtml

Also try searching Google for:
site:thewebsiteyouknowtheyvisit.com intitle:"log"
(or stat, usage, recent, addresses, etc.)

Forum posts
Some forums display the IP address that a post originated from (if the poster is using a proxy it won't be right!). If they are using a forum that does show their IP, all you need is to figure out their user name. Here is an example page:
http://www.wargamesdirectory.com/html/forum/topic.asp?ID=2268&Page=1&txtSearch=

Once you know their user name, Google for it to look for other forums where they may use the same name.

Hotline
The Pitbull Pro client actually shows the server IPs in the server list; just ignore the :xxxxx number at the end (which is the Hotline server port number). If the xxxxx number is not the default 5500, it may indicate that they have more than one computer on a private subnet and thus can't use the default port for each one.

Mass-grabbing IPs from Pitbull Pro:
Use Grab (in OS X's Utilities folder) to grab a selection of the screen covering the IP address column in Pitbull Pro.
(Then scroll down one screenful and repeat until all IPs are recorded via screenshots. If desired you can filter the server list by typing "mac" in the search box.) Save as TIFF. Open each file in Photoshop and set Image > Image Size > Resolution to 200 dpi. Open the resulting TIFF files in OmniPage and OCR them. The output is a single text file (from multiple screenshots of Pitbull) listing all the server IPs.

Other programs & dynamic DNS names
If you can get a direct connection (your IP to their IP, without going through a server) for chat, file transfer or gaming with someone, you can get their IP (with netstat -an, or with MacSniffer if the chat program does not display it), but of course they can get your IP the same way. If you know their dynamic DNS name, just try to connect to it (in anything, even a browser) while monitoring connections with MacSniffer or netstat. While the connection is opening, switch to OS X's Terminal and type:

Code:
netstat -an

From another machine they use or connect to
Check the Recent Servers or Servers folders of machines they use. Check the logs of machines they connect to; the system log on an OS X machine will show their originating IP. If they have Timbuktu or VNC installed, look at the recent connections or logs for those as well. A server "favorite" will work provided its address was a public one, and the favorite / URL file / shortcut / alias can also be opened in HexEdit to find the actual IP address (or run MacSniffer or netstat -an while you connect).

Send them an e-mail with a line saying "free music downloads"; the link will actually take them to ANYPLACE that records their IP address (or to your own box, where you have the access logs).

If you have physical access to their computer, or can connect to their LAN (or their wireless LAN), just browse to www.showmyip.com or www.whatismyip.com to see their external (publicly routable) IP address.
(If all the addresses on their LAN are public, the one you get by joining their LAN will not be theirs, but you will have the range xxx.xxx.xxx.??? to narrow it down.) (Note: in some cases this may NOT be the proper number for external entry to their systems! In other cases it may be their router address, while they have a separate range of public IPs that are totally different numbers.)