Oct 5, 2018

How I remotely found out the IP of my home computer after my ISP changed it.

I asked nicely 1 million machines if they were my computer. That's the short answer. Now for the long one:

I was using SSH to work remotely on my home machine. I was away for a few weeks, and since the IP address only changes every few months, I thought I was safe.

In reality, it took less time than that for the IP to change. So I needed a plan...

Since I hadn't set up DynDNS, and didn't have anyone who could tell me the new IP, I had to hack it out!

Fortunately, I found a list of the IP ranges used by each ISP in Portugal.

I then proceeded to fingerprint the machines. I knew my machine had port 3000 open, so I needed to find machines with port 3000 open:

sudo nmap -p3000 --open 5.43.0-63.1-254 5.158.0-63.1-254 5.249.0-127.1-254 37.28.192-255.1-254 46.189.128-255.1-254 77.54.0-255.1-254 78.137.192-255.1-254 83.174.0-63.1-254 87.103.0-127.1-254 89.114-115.0-255.1-254 93.108.0-255.1-254 94.60-63.0-255.1-254 95.136.0-127.1-254 148.63.0-255.1-254 148.69.0-255.1-254 148.71.0-255.1-254 149.90.0-255.1-254 161.230.0-255.1-254 178.166.0-127.1-254 188.37.0-255.1-254 212.18.160-191.1-254 213.30.0-127.1-254 -oN nmap_output.txt

I built this command, which analyses about 1,000,000 IP addresses and figures out which ones have the port I want open, producing a list. This took about a day to complete.

It was then a matter of parsing the result. First I removed the RTT warning lines and got only the lines with IP addresses.

grep -v RTT nmap_output.txt | grep report > without_errors.txt

producing a list like this:

...
Nmap scan report for 11.11.11.11.rev.vodafone.pt (11.11.11.11)
Nmap scan report for 22.22.22.22.rev.vodafone.pt (22.22.22.22)
Nmap scan report for 33.33.33.33.rev.vodafone.pt (33.33.33.33)
...

I parsed this list to get just the IP addresses, using cut and a regex with sed.

cut -d' ' -f6 without_errors.txt | sed 's/[()]//g' > only_ips.txt

Producing a list like this:

...
11.11.11.11
22.22.22.22
33.33.33.33
...
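The `cut -f6` step above only works for report lines where reverse DNS resolved, because that is the only case where nmap prints the IP in parentheses as a sixth field; for a host with no reverse record the line is just `Nmap scan report for 22.22.22.22`, and field 6 is empty. The following parser, added here as an example and not code from the original post, handles both line shapes, checks that what it extracted is actually an IP address, and additionally reads the per-host `PORT STATE SERVICE` lines so that only hosts where the port is reported `open` are kept. The sample input is a constructed imitation of nmap's normal (`-oN`) output, not the post's real scan results.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of nmap's normal (-oN) output; this is
# NOT the post's real scan output. It mixes a host with reverse DNS, a host
# without reverse DNS (no parenthesised IP), a warning line, and a host
# whose target port is reported closed.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated (constructed sample header)
Warning: 11.11.11.11 constructed RTT warning line, not real nmap text
Nmap scan report for 11.11.11.11.rev.vodafone.pt (11.11.11.11)
Host is up (0.032s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap scan report for 22.22.22.22
Host is up (0.040s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap scan report for 33.33.33.33.rev.vodafone.pt (33.33.33.33)
Host is up (0.021s latency).

PORT     STATE SERVICE
3000/tcp closed ppp
"""

# "Nmap scan report for <rdns-name> (<ip>)" when reverse DNS resolved,
# "Nmap scan report for <ip>" when it did not. The post's `cut -f6` only
# handles the first form; the second form yields an empty sixth field.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip_paren>[^)]+)\)|(?P<ip_bare>\S+))$"
)
# Per-port lines look like "3000/tcp open  ppp".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)")


def parse_scan_reports(text):
    """Return a list of (ip, rdns_name_or_None, {port: state}) per host block."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            raw_ip = m.group("ip_paren") or m.group("ip_bare")
            try:
                ip = str(ip_address(raw_ip))  # reject anything that is not an address
            except ValueError:
                current = None
                continue
            current = (ip, m.group("name"), {})
            hosts.append(current)
            continue
        pm = PORT_RE.match(line)
        if pm and current is not None:
            # Attach the port state to the host block we are currently inside.
            current[2][int(pm.group("port"))] = pm.group("state")
    return hosts


def hosts_with_open_port(text, port):
    """IPs whose block reports `port` as open, with or without reverse DNS."""
    return [ip for ip, _name, ports in parse_scan_reports(text) if ports.get(port) == "open"]


if __name__ == "__main__":
    # Equivalent of only_ips.txt for the constructed sample: prints one IP per line.
    for ip in hosts_with_open_port(SAMPLE_NMAP_OUTPUT, 3000):
        print(ip)
```

Run against a real `nmap_output.txt` by reading the file into `text` and calling `hosts_with_open_port(text, 3000)`; the third sample host is dropped because its port is `closed`, which the `grep report` filter in the post would have kept.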

And now I finally had a list of IPs I could try to log in to:

while read -r i; do ssh -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=2 -p22 "$i" "echo $i"; done < only_ips.txt 2> /dev/null
And TADAM! I found my new IP address.

You could also refine the fingerprint first, by checking the candidate list for another port that you know is open on your machine:

nmap -iL only_ips.txt -p2000 --open
I am sure there would be more efficient ways to do this, but I hope this can be useful to someone. :)