I was using ssh to remotely work on my home machine. I was out for a few weeks and the IP address only changes every few months, so I thought I was safe.
In reality it took less time for the IP to change. So I needed a plan...
Since I hadn't set up a dyndns, or anyone who could tell me the new IP, I had to hack it out!
Fortunately I found a list of the IPs used by each ISP in Portugal.
I then proceeded to fingerprint the machines. I knew my machine had port 3000 open, so I needed to find machines with port 3000 open.
sudo nmap -p3000 --open 5.43.0-63.1-254 5.158.0-63.1-254 5.249.0-127.1-254 37.28.192-255.1-254 46.189.128-255.1-254 77.54.0-255.1-254 78.137.192-255.1-254 83.174.0-63.1-254 87.103.0-127.1-254 89.114-115.0-255.1-254 93.108.0-255.1-254 94.60-63.0-255.1-254 95.136.0-127.1-254 148.63.0-255.1-254 148.69.0-255.1-254 148.71.0-255.1-254 149.90.0-255.1-254 161.230.0-255.1-254 178.166.0-127.1-254 188.37.0-255.1-254 212.18.160-191.1-254 213.30.0-127.1-254 -oN nmap_output.txt
I built this command to analyse about ~1.000.000 IP addresses and figure out which have the port I want open, producing a list. This took about a day to complete.
It was then a matter of parsing the result. First I removed the RTT warning lines and kept only the lines with IP addresses.
grep -v RTT nmap_output.txt | grep report > without_errors.txt
producing a list like this:
...
Nmap scan report for 11.11.11.11.rev.vodafone.pt (11.11.11.11)
Nmap scan report for 22.22.22.22.rev.vodafone.pt (22.22.22.22)
Nmap scan report for 33.33.33.33.rev.vodafone.pt (33.33.33.33)
...
I parsed this list to get just the IP addresses, using cut and a regex with sed.
cat without_errors.txt | cut -d' ' -f6 | sed "s/(//" | sed "s/)//" > only_ips.txt
Producing a list like this:
...
11.11.11.11
22.22.22.22
33.33.33.33
...
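The cut-based pipeline above assumes every report line carries a reverse-DNS name, so the IP is always the sixth field; hosts without a PTR record print as "Nmap scan report for 11.11.11.13" and would be dropped. The following parser, added here and not part of the original post, reads the -oN output directly and handles both forms; the sample output is constructed.

```python
import re
from typing import List

# Constructed sample of `nmap -oN` output (not from the original post).
# The second host has no reverse-DNS name, which breaks a fixed-field `cut`.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p3000 --open -oN nmap_output.txt 11.11.11.0/24
Warning: 11.11.11.12 giving up on port because retransmission cap hit (10).
Nmap scan report for 11.11.11.11.rev.example.invalid (11.11.11.11)
Host is up (0.045s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap scan report for 11.11.11.13
Host is up (0.050s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap scan report for 22.22.22.22.rev.example.invalid (22.22.22.22)
Host is up (0.043s latency).

PORT     STATE SERVICE
3000/tcp open  ppp
"""

# Matches both "report for <name> (<ip>)" and the bare "report for <ip>" form.
REPORT_LINE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<host>\S+) \((?P<ip_paren>[0-9.]+)\)|(?P<ip_bare>[0-9.]+))\s*$"
)


def extract_ips(nmap_output: str) -> List[str]:
    """Return the IP of every 'Nmap scan report for' line, in order, deduplicated.

    Header, warning and port-table lines do not match and are skipped, so the
    separate `grep -v RTT` step is not needed.
    """
    ips: List[str] = []
    for line in nmap_output.splitlines():
        m = REPORT_LINE.match(line)
        if not m:
            continue
        ip = m.group("ip_paren") or m.group("ip_bare")
        if ip not in ips:
            ips.append(ip)
    return ips


if __name__ == "__main__":
    print("\n".join(extract_ips(SAMPLE_NMAP_OUTPUT)))
```

Run it against the real file with `extract_ips(open("nmap_output.txt").read())` to get the same list as only_ips.txt, including hosts without reverse DNS.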
And now I finally had a list which I could try to login into:
for i in $(cat only_ips.txt);do ssh -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=2 -p22 $i "echo $i";done 2> /dev/null
And TADAM! I found my new IP address.
You could also first refine your fingerprinted results by checking for a second port that you know is open on your machine.
nmap -iL only_ips.txt -p2000 --open