Finding your Raspberry Pi using nmap

There have been a number of times when, having got my Raspberry Pi all set up and ready to take time-lapse photographs, or thinking I have finished configuring it as a music player, I tuck it away on a window sill or somewhere behind the hi-fi, only to discover that I need to connect to it from my laptop to modify something and that I don’t know or can’t remember its IP address.

I could log in to the router (or whatever box was acting as my DHCP server) and list all the current DHCP leases, but I generally find it is quicker just to scan the network with ‘nmap’ and see what is connected.

Note – While using ‘nmap’ to scan your own home network is unlikely to upset anyone, scanning someone else’s network without their explicit permission is generally considered unfriendly and could get you into trouble.

Installing NMAP

If this handy tool isn’t installed then you will have to install it using ‘apt’, which requires you to be running as the super user.

$ su
Password:
#

OR

$ sudo -i
Password:
#

Then update the current package list and install any pending updates before installing ‘nmap’ using ‘apt’. (Updating your system before installing a new package helps avoid problems with dependencies on out-of-date packages breaking the install later.)

# apt-get update;apt-get upgrade
Hit http://security.debian.org jessie/updates InRelease
  :
  :
  :
Fetched 367 B in 2s (148 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
# apt-get install nmap
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
  liblinear1 liblua5.2-0
Suggested packages:
  liblinear-tools liblinear-dev
Recommended packages:
  ndiff
The following NEW packages will be installed:
  liblinear1 liblua5.2-0 nmap
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,084 kB of archives.
After this operation, 18.2 MB of additional disk space will be used.
Do you want to continue? [Y/n]   :
  :
  :
  :
Setting up nmap (6.47-3+b1) …
Processing triggers for libc-bin (2.19-18+deb8u1) …
# history -c;exit

Using NMAP to find your Raspberry Pi

You could do a ping scan, but your Raspberry Pi may be set up to block ICMP ping requests, and it can take a while to scan a whole subnet. So I just use ‘nmap’ to perform a reverse DNS lookup for every address in the subnet (the list scan, -sL, which only queries DNS and does not probe the hosts themselves); obviously you need to make sure you use the right network address (see below).

$ nmap 192.168.0.0/24 -sL

Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-14 14:26 GMT
Nmap scan report for 192.168.0.0
Nmap scan report for router (192.168.0.1)
Nmap scan report for 192.168.0.2
  :
  :
  :
Nmap scan report for 192.168.0.182
Nmap scan report for pi.local.net (192.168.0.183)
Nmap scan report for 192.168.0.184
  :
  :
  :
Nmap scan report for 192.168.0.241
Nmap scan report for printer (192.168.0.242)
Nmap scan report for 192.168.0.243
Nmap scan report for wireless (192.168.0.244)
Nmap scan report for 192.168.0.245
Nmap scan report for 192.168.0.246
Nmap scan report for 192.168.0.247
Nmap scan report for server (192.168.0.248)
Nmap scan report for 192.168.0.249
  :
  :
  :
Nmap scan report for 192.168.0.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 6.76 seconds
$

There is a lot of unwanted output, so it helps if you know the name of your machine and can use it to filter out the unwanted lines.

$ nmap 192.168.0.0/24 -sL | grep pi
Nmap scan report for pi.local.net (192.168.0.183)
$

The longer command below may take a while to type unless you are using cut and paste, but it has the advantage of using the ‘hostname’ command to get the IP address of your machine, so it automatically does the reverse lookups over the correct range of addresses (assuming you have a class C, i.e. /24, subnet). I then use ‘grep’ to remove any results that don’t match the first octet of the local subnet, so the output includes all machines on my local subnet that are known to the DNS server.

$ nmap -sL $(hostname -I | cut -f1 -d ' ')/24 \
> | grep \($(hostname -I | cut -f1 -d '.') | cut -d ' ' -f 5-
router (192.168.0.1)
pi.local.net (192.168.0.183)
printer (192.168.0.242)
server (192.168.0.248)
$
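The same filtering done as a small script rather than a one-liner. This is an added example, not code from the original post: it keys on the ‘name (ip)’ form that ‘nmap -sL’ prints for hosts with a reverse DNS entry instead of matching the first octet, and the nmap output it parses is a constructed sample so it runs without nmap installed. The helper names (named_hosts, ip_of, local_cidr) are my own.

```shell
#!/bin/sh
# Added example: parse 'nmap -sL' output and keep only hosts that
# actually resolved to a name. Not part of the original post.

# Constructed, abridged sample of what 'nmap 192.168.0.0/24 -sL' prints.
SAMPLE_NMAP_OUTPUT='Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-14 14:26 GMT
Nmap scan report for 192.168.0.0
Nmap scan report for router (192.168.0.1)
Nmap scan report for 192.168.0.2
Nmap scan report for pi.local.net (192.168.0.183)
Nmap scan report for printer (192.168.0.242)
Nmap done: 256 IP addresses (0 hosts up) scanned in 6.76 seconds'

# Read nmap -sL output on stdin and print "name ip" for every host that
# has a reverse DNS name. Unnamed hosts print as "Nmap scan report for
# 1.2.3.4" (no parentheses), so they are dropped by the pattern; the
# "Nmap done:" summary line is dropped because of its different prefix.
named_hosts() {
    sed -n 's/^Nmap scan report for \([^ ]*\) (\([0-9.]*\))$/\1 \2/p'
}

# Print the IP of one named host (exact match on the name), from stdin.
ip_of() {
    named_hosts | awk -v h="$1" '$1 == h { print $2 }'
}

# Derive the local /24 the way the post does, taking only the first
# address 'hostname -I' reports (it can list several). Prints e.g.
# 192.168.0.0/24, or fails if 'hostname -I' is unavailable.
local_cidr() {
    first=$(hostname -I 2>/dev/null | cut -d ' ' -f1)
    [ -n "$first" ] || return 1
    printf '%s.0/24\n' "${first%.*}"
}

# Stand-alone use: list the named hosts in the sample, then look up the Pi.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | named_hosts
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | ip_of pi.local.net
local_cidr || echo "could not determine local subnet from hostname -I" >&2
```

On a live system replace the sample with `nmap -sL "$(local_cidr)" | named_hosts`; hosts that the DNS server does not know about will still be absent, exactly as with the post’s one-liner.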

You can also use ‘nmap’ to try to obtain a bit more information about any machine on your network; in this case not a lot, as this particular Raspberry Pi is configured as a secure ftp server.

However, you can still see which ftp server it is running and the version number, which is information that an attacker could use to identify any vulnerabilities in the system. You can also see that all the unused ports are being filtered, which indicates that there is a firewall rule in place to deny access to any port not explicitly allowed.

$ nmap 192.168.0.183 -p- -sV -sC -T4
Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-14 14:56 GMT

Nmap scan report for 192.168.0.183
Host is up (0.00052s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
MAC Address: B8:27:EB:8C:B2:6F (Raspberry Pi Foundation)

Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 462.70 seconds
$

Note – The command above will try to scan every single port (-p-), and can be expected to take a while to finish.


Raspberry Pi is a trademark of the Raspberry Pi Foundation
