Tracking down a rogue DHCP server on the LAN

Problem

Recently, whenever a device on our LAN obtained an address via DHCP, it received one from the 192.167.0.0/16 range. Nobody would admit to running that server, so I had to find a way to track it down myself.

Packet capture

I used a CentOS virtual machine, configured a static IP on it first, and connected it to our network.

# Install tcpdump (and nmap, used further below)
yum install tcpdump nmap

First, capture packets to obtain the DHCP server's MAC address.

# In one terminal, start the capture
sudo tcpdump -i enp0s3 -s 1500 port 67 or port 68 -w dhcp.pcap

# In another terminal, send a DHCP request
dhclient

Copy the capture file out and open it in Wireshark.

[Figure: the DHCP capture opened in Wireshark]

From it you can roughly see that the DHCP server's MAC address is f0:2f:74:8b:ad:0f; the OUI belongs to ASUS, so it is most likely a PC.

Below is an attempt to look at the DHCP messages directly from the command line. The server's MAC address does not appear there, so I went back to capturing to a file as above and inspecting it in Wireshark.


[builder@localhost tmp]$ sudo tcpdump -i enp0s3 -vvv -s 1500 port 67 or port 68
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 1500 bytes
19:03:40.628168 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:3c:4f:a0 (oui Unknown), length 300, xid 0x2a95ff0f, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:3c:4f:a0 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 192.167.76.110
            Parameter-Request Option 55, length 13:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Domain-Name, Domain-Name-Server, Hostname, YD
              YS, NTP, MTU, Option 119
              Default-Gateway
            END Option 255, length 0
            PAD Option 0, length 0, occurs 35
19:03:40.630117 IP (tos 0x0, ttl 128, id 62025, offset 0, flags [none], proto UDP (17), length 328)
    172.16.7.70.bootps > 255.255.255.255.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x2a95ff0f, Flags [none] (0x0000)
          Your-IP 192.167.76.110
          Client-Ethernet-Address 08:00:27:3c:4f:a0 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 192.167.90.100
            Lease-Time Option 51, length 4: 604800
            Subnet-Mask Option 1, length 4: 255.255.0.0
            Default-Gateway Option 3, length 4: 192.167.90.100
            TFTP Option 66, length 14: "192.167.90.100"
            END Option 255, length 0
            PAD Option 0, length 0, occurs 16
19:03:40.630687 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:3c:4f:a0 (oui Unknown), length 300, xid 0x2a95ff0f, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:3c:4f:a0 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Server-ID Option 54, length 4: 192.167.90.100
            Requested-IP Option 50, length 4: 192.167.76.110
            Parameter-Request Option 55, length 13:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Domain-Name, Domain-Name-Server, Hostname, YD
              YS, NTP, MTU, Option 119
              Default-Gateway
            END Option 255, length 0
            PAD Option 0, length 0, occurs 29
19:03:40.632160 IP (tos 0x0, ttl 128, id 62026, offset 0, flags [none], proto UDP (17), length 328)
    172.16.7.70.bootps > 255.255.255.255.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x2a95ff0f, Flags [none] (0x0000)
          Your-IP 192.167.76.110
          Client-Ethernet-Address 08:00:27:3c:4f:a0 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 192.167.90.100
            Lease-Time Option 51, length 4: 604800
            Subnet-Mask Option 1, length 4: 255.255.0.0
            Default-Gateway Option 3, length 4: 192.167.90.100
            TFTP Option 66, length 14: "192.167.90.100"
            END Option 255, length 0
            PAD Option 0, length 0, occurs 16
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Looking back at the packets above more carefully, the address was handed out by 172.16.7.70. Case closed!

Later I came across another tool, tshark, which also displays the messages in a readable form.
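The capture above is what a rogue-DHCP check should key on: the reply arrived from 172.16.7.70 at the IP layer while its Server-ID option claimed 192.167.90.100, and the Ethernet source MAC is the one thing the sender cannot hide behind a forged option. The following is an added example, not code from the post: it parses an Ethernet/IPv4/UDP/DHCP frame, pulls out those attribution fields, and flags any OFFER whose IP source or Server-ID is not on an allow-list. The test frame is constructed to mirror the values in the capture, and the allow-list entry 172.16.7.1 is taken from the tshark output further down.

```python
"""Attribute a DHCP OFFER/ACK to its sender and flag servers not on an allow-list."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(raw: bytes) -> str:
    return str(IPv4Address(bytes(raw)))


def parse_dhcp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DHCP and return the attribution fields."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    src_mac = _mac(frame[6:12])              # link-layer sender, not forgeable via options
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if sport != 67 and dport != 67:
        raise ValueError("not BOOTP/DHCP")
    dhcp = udp[8:ulen]
    if len(dhcp) < 240 or dhcp[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", dhcp[:8])
    # Options are TLV (code, length, value); code 0 is a 1-byte PAD, 255 ends the list.
    opts, i = {}, 240
    while i < len(dhcp) and dhcp[i] != 255:
        if dhcp[i] == 0:
            i += 1
            continue
        length = dhcp[i + 1]
        opts[dhcp[i]] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "src_mac": src_mac, "ip_src": _ip(ip[12:16]),
        "client_mac": _mac(dhcp[28:28 + hlen]), "your_ip": _ip(dhcp[16:20]),
        "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown"),
        "server_id": _ip(opts[54]) if 54 in opts else None,
        "router": _ip(opts[3]) if 3 in opts else None,
    }


def audit_offer(frame: bytes, authorized: set) -> dict:
    """A server reply (op=2) is rogue unless BOTH its IP source and Server-ID are authorized."""
    info = parse_dhcp_frame(frame)
    info["rogue"] = info["op"] == 2 and not (
        info["ip_src"] in authorized and info["server_id"] in authorized)
    return info


def build_offer_frame(server_mac, server_ip, client_mac, your_ip, server_id, xid) -> bytes:
    """Constructed OFFER frame for testing (IP/UDP checksums left zero; not verified above)."""
    options = (b"\x35\x01\x02"                                       # 53: DHCP Offer
               + b"\x36\x04" + IPv4Address(server_id).packed          # 54: Server-ID
               + b"\x33\x04" + struct.pack("!I", 604800)              # 51: lease time
               + b"\x01\x04" + IPv4Address("255.255.0.0").packed      # 1: subnet mask
               + b"\x03\x04" + IPv4Address(server_id).packed          # 3: router
               + b"\xff")
    dhcp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)            # op, htype, hlen, hops, xid, secs, flags
            + bytes(4) + IPv4Address(your_ip).packed + bytes(8)       # ciaddr, yiaddr, siaddr, giaddr
            + _mac_bytes(client_mac) + bytes(10) + bytes(192)         # chaddr(16), sname(64), file(128)
            + MAGIC_COOKIE + options)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     IPv4Address(server_ip).packed, IPv4Address("255.255.255.255").packed)
    return _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(server_mac) + b"\x08\x00" + ip + udp


if __name__ == "__main__":
    frame = build_offer_frame("f0:2f:74:8b:ad:0f", "172.16.7.70", "08:00:27:3c:4f:a0",
                              "192.167.76.110", "192.167.90.100", 0x2a95ff0f)
    print(audit_offer(frame, {"172.16.7.1"}))
```

To run it over a real capture such as dhcp.pcap, feed each frame's bytes to audit_offer; tcpdump's -e flag prints the Ethernet header too, which is the quickest way to see the sender MAC without Wireshark.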

# Capture DHCP packets
root@djlion:~# tshark -i enp0s3 -f "udp port 67 or udp port 68" -Y "bootp"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s3'
 ** (tshark:1978) 09:14:37.702035 [Main MESSAGE] -- Capture started.
 ** (tshark:1978) 09:14:37.702092 [Main MESSAGE] -- File: "/tmp/wireshark_enp0s3VW94X2.pcapng"
    1 0.000000000      0.0.0.0 → 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x5fbf7a67
    2 0.513695719   172.16.7.1 → 172.16.7.54  DHCP 350 DHCP Offer    - Transaction ID 0x5fbf7a67
    3 0.514113267      0.0.0.0 → 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x5fbf7a67
    4 0.515654691   172.16.7.1 → 172.16.7.54  DHCP 350 DHCP ACK      - Transaction ID 0x5fbf7a67
^Ctshark:
4 packets captured
# Verbose capture
root@djlion:~# tshark -i enp0s3 -f "udp port 67 or udp port 68" -Y "bootp" -V
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s3'
 ** (tshark:2168) 09:17:22.082258 [Main MESSAGE] -- Capture started.
 ** (tshark:2168) 09:17:22.083533 [Main MESSAGE] -- File: "/tmp/wireshark_enp0s3V65VX2.pcapng"
Frame 1: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface enp0s3, id 0
    Section number: 1
    Interface id: 0 (enp0s3)
        Interface name: enp0s3
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 28, 2024 09:17:30.737303288 HKT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1732756650.737303288 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 342 bytes (2736 bits)
    Capture Length: 342 bytes (2736 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dhcp]
Ethernet II, Src: PcsCompu_70:23:25 (08:00:27:70:23:25), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: PcsCompu_70:23:25 (08:00:27:70:23:25)
        Address: PcsCompu_70:23:25 (08:00:27:70:23:25)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x10 (DSCP: Unknown, ECN: Not-ECT)
        0001 00.. = Differentiated Services Codepoint: Unknown (4)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 328
    Identification: 0x0000 (0)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: UDP (17)
    Header Checksum: 0x3996 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 0.0.0.0
    Destination Address: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
    Source Port: 68
    Destination Port: 67
    Length: 308
    Checksum: 0x1443 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
    UDP payload (300 bytes)
Dynamic Host Configuration Protocol (Request)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x5bbacb21
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: PcsCompu_70:23:25 (08:00:27:70:23:25)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Request)
        Length: 1
        DHCP: Request (3)
    Option: (50) Requested IP Address (172.16.7.54)
        Length: 4
        Requested IP Address: 172.16.7.54
    Option: (12) Host Name
        Length: 6
        Host Name: djlion
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (2) Time Offset
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (119) Domain Search
        Parameter Request List Item: (12) Host Name
        Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
        Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
        Parameter Request List Item: (26) Interface MTU
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (42) Network Time Protocol Servers
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000000000000000000000

Frame 2: 350 bytes on wire (2800 bits), 350 bytes captured (2800 bits) on interface enp0s3, id 0
    Section number: 1
    Interface id: 0 (enp0s3)
        Interface name: enp0s3
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 28, 2024 09:17:30.739150262 HKT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1732756650.739150262 seconds
    [Time delta from previous captured frame: 0.001846974 seconds]
    [Time delta from previous displayed frame: 0.001846974 seconds]
    [Time since reference or first frame: 0.001846974 seconds]
    Frame Number: 2
    Frame Length: 350 bytes (2800 bits)
    Capture Length: 350 bytes (2800 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dhcp]
Ethernet II, Src: Hangzhou_63:e4:85 (58:6a:b1:63:e4:85), Dst: PcsCompu_70:23:25 (08:00:27:70:23:25)
    Destination: PcsCompu_70:23:25 (08:00:27:70:23:25)
        Address: PcsCompu_70:23:25 (08:00:27:70:23:25)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Hangzhou_63:e4:85 (58:6a:b1:63:e4:85)
        Address: Hangzhou_63:e4:85 (58:6a:b1:63:e4:85)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.7.1, Dst: 172.16.7.54
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xe0 (DSCP: CS7, ECN: Not-ECT)
        1110 00.. = Differentiated Services Codepoint: Class Selector 7 (56)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 336
    Identification: 0x4fe2 (20450)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 255
    Protocol: UDP (17)
    Header Checksum: 0x0383 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 172.16.7.1
    Destination Address: 172.16.7.54
User Datagram Protocol, Src Port: 67, Dst Port: 68
    Source Port: 67
    Destination Port: 68
    Length: 316
    Checksum: 0x743c [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
    UDP payload (308 bytes)
Dynamic Host Configuration Protocol (ACK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x5bbacb21
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 172.16.7.54
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: PcsCompu_70:23:25 (08:00:27:70:23:25)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (ACK)
        Length: 1
        DHCP: ACK (5)
    Option: (54) DHCP Server Identifier (172.16.7.1)
        Length: 4
        DHCP Server Identifier: 172.16.7.1
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (86400s) 1 day
    Option: (58) Renewal Time Value
        Length: 4
        Renewal Time Value: (43200s) 12 hours
    Option: (59) Rebinding Time Value
        Length: 4
        Rebinding Time Value: (75600s) 21 hours
    Option: (1) Subnet Mask (255.255.255.0)
        Length: 4
        Subnet Mask: 255.255.255.0
    Option: (3) Router
        Length: 4
        Router: 172.16.7.1
    Option: (6) Domain Name Server
        Length: 8
        Domain Name Server: 172.16.188.5
        Domain Name Server: 223.6.6.6
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000

^Ctshark:
2 packets captured

nmap provides a dedicated script for discovering DHCP servers.

root@T113-Tronlong:~# nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-06 08:27 CST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 172.16.7.194
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 172.16.7.1
|     IP Address Lease Time: 1d00h00m00s
|     Renewal Time Value: 12h00m00s
|     Rebinding Time Value: 21h00m00s
|     Subnet Mask: 255.255.255.0
|     Router: 172.16.7.1
|_    Domain Name Server: 172.16.188.5, 223.6.6.6
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 2.10 seconds

This command broadcasts a DHCP request on the LAN and reports the details of every DHCP server that responds, including the offered IP address, gateway, DNS servers and so on.

Analysis

Scan the IP range with nmap

# Note: if you are not root you must use sudo, otherwise the MAC addresses are not shown
sudo nmap -sn 172.16.7.0/24

[builder@localhost ~]$ sudo nmap -sn 172.16.7.0/24
[sudo] password for builder:

Starting Nmap 6.40 ( http://nmap.org ) at 2023-10-26 09:52 CST
Nmap scan report for 172.16.7.1
Host is up (0.020s latency).
MAC Address: 0C:DA:41:6F:60:F5 (Hangzhou H3C Technologies Co., Limited)
Nmap scan report for 172.16.7.3
Host is up (0.00034s latency).
MAC Address: 90:E2:FC:B1:D1:E4 (Unknown)
Nmap scan report for 172.16.7.15
Host is up (-0.10s latency).
MAC Address: EC:15:3D:07:00:13 (Unknown)
Nmap scan report for 172.16.7.17
Host is up (-0.10s latency).
MAC Address: 08:00:27:2D:3F:71 (Cadmus Computer Systems)
Nmap scan report for 172.16.7.19
Host is up (0.00050s latency).
MAC Address: 00:1F:C1:1E:4A:6E (Hanlong Technology Co.)
Nmap scan report for 172.16.7.20
Host is up (0.00065s latency).
MAC Address: 00:1F:C1:1C:67:0B (Hanlong Technology Co.)
Nmap scan report for 172.16.7.21
Host is up (0.00081s latency).
MAC Address: AC:4E:91:48:6A:CD (Huawei Technologies Co.)
Nmap scan report for 172.16.7.23
Host is up (0.00042s latency).
MAC Address: A0:98:05:F9:01:4D (OpenVox Communication Co)
Nmap scan report for 172.16.7.27
Host is up (0.00028s latency).
MAC Address: 00:0B:82:8F:ED:96 (Grandstream Networks)
Nmap scan report for 172.16.7.30
Host is up (-0.10s latency).
MAC Address: 1C:1B:0D:16:EE:C0 (Unknown)
Nmap scan report for 172.16.7.35
Host is up (-0.100s latency).
MAC Address: A0:98:05:02:1F:9D (OpenVox Communication Co)
Nmap scan report for 172.16.7.38
Host is up (-0.100s latency).
MAC Address: EC:15:3D:07:00:20 (Unknown)
Nmap scan report for 172.16.7.40
Host is up (-0.10s latency).
MAC Address: FC:AA:14:CC:24:59 (Unknown)
Nmap scan report for 172.16.7.41
Host is up (-0.10s latency).
MAC Address: 22:CB:F4:61:48:31 (Unknown)
Nmap scan report for 172.16.7.42
Host is up (-0.100s latency).
MAC Address: 00:0C:29:45:04:D3 (VMware)
Nmap scan report for 172.16.7.43
Host is up (0.00060s latency).
MAC Address: FA:0F:38:DF:F8:71 (Unknown)
Nmap scan report for 172.16.7.46
Host is up (-0.10s latency).
MAC Address: 00:1F:16:16:FD:8A (Wistron)
Nmap scan report for 172.16.7.70
Host is up (-0.10s latency).
MAC Address: F0:2F:74:8B:AD:0F (Unknown)
Nmap scan report for 172.16.7.88
Host is up (-0.10s latency).
MAC Address: 2C:4D:54:59:50:6C (Unknown)
Nmap scan report for 172.16.7.91
Host is up (0.00045s latency).
MAC Address: 20:0A:0D:3F:F2:9F (Unknown)
Nmap scan report for 172.16.7.93
Host is up (-0.100s latency).
MAC Address: 00:E0:4C:1E:C7:9C (Realtek Semiconductor)
Nmap scan report for 172.16.7.94
Host is up (-0.100s latency).
MAC Address: EC:15:3D:07:00:1F (Unknown)
Nmap scan report for 172.16.7.99
Host is up (-0.099s latency).
MAC Address: 3C:78:43:3F:D1:D8 (Unknown)
Nmap scan report for 172.16.7.108
Host is up (-0.10s latency).
MAC Address: 00:0C:43:46:20:67 (Ralink Technology)
Nmap scan report for 172.16.7.132
Host is up (-0.100s latency).
MAC Address: 40:8D:5C:2E:F7:29 (Unknown)
Nmap scan report for 172.16.7.139
Host is up (-0.100s latency).
MAC Address: 08:00:27:72:98:87 (Cadmus Computer Systems)
Nmap scan report for 172.16.7.140
Host is up (-0.100s latency).
MAC Address: 08:00:27:67:F1:8C (Cadmus Computer Systems)
Nmap scan report for 172.16.7.177
Host is up (-0.100s latency).
MAC Address: 08:00:27:5C:0A:40 (Cadmus Computer Systems)
Nmap scan report for 172.16.7.182
Host is up (-0.10s latency).
MAC Address: FA:0F:EB:1E:0B:71 (Unknown)
Nmap scan report for 172.16.7.184
Host is up (-0.100s latency).
MAC Address: FA:0F:A7:27:EA:71 (Unknown)
Nmap scan report for 172.16.7.186
Host is up (-0.100s latency).
MAC Address: FA:0F:18:EA:1E:71 (Unknown)
Nmap scan report for 172.16.7.201
Host is up (-0.100s latency).
MAC Address: A0:98:05:F9:02:10 (OpenVox Communication Co)
Nmap scan report for 172.16.7.206
Host is up (-0.10s latency).
MAC Address: 00:A0:C9:00:00:B2 (Intel - Hf1-06)
Nmap scan report for 172.16.7.209
Host is up (0.00068s latency).
MAC Address: A0:98:05:F9:01:52 (OpenVox Communication Co)
Nmap scan report for 172.16.7.211
Host is up (-0.100s latency).
MAC Address: A0:98:05:F9:01:53 (OpenVox Communication Co)
Nmap scan report for 172.16.7.214
Host is up (-0.10s latency).
MAC Address: A0:F4:79:1B:60:6B (Unknown)
Nmap scan report for 172.16.7.84
Host is up.
Nmap done: 256 IP addresses (37 hosts up) scanned in 5.90 seconds

Nmap scan report for 172.16.7.70
Host is up (-0.10s latency).
MAC Address: F0:2F:74:8B:AD:0F (Unknown)

As you can see, 172.16.7.70 is the IP we were looking for.

This has to be run from inside the same LAN; from outside it, MAC addresses cannot be shown.

Confirm the IP address with arp-scan

An alternative is to compile and install arp-scan from source. The steps are:

# Install the build tools and dependencies:
sudo yum install epel-release
sudo yum install autoconf automake libtool
sudo yum install gcc make libpcap-devel

# Download the arp-scan source:
wget https://github.com/royhills/arp-scan/archive/1.9.tar.gz

# Extract the source:
tar -xzvf 1.9.tar.gz

# Enter the extracted directory:
cd arp-scan-1.9

autoreconf --install
./configure

# Build
make

# and install arp-scan
sudo make install

# Scan
sudo arp-scan --localnet
# or
sudo arp-scan -l

After these steps arp-scan is compiled and installed on your CentOS system, and you can use it by running the arp-scan command.

Note that building from source may require more manual setup and dependency management. Make sure the build tools and dependencies are installed and that you know how to build and install a package from source.

[builder@localhost arp-scan-1.9]$ sudo arp-scan -l
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
172.16.7.1      0c:da:41:6f:60:f5       Hangzhou H3C Technologies Co., Limited
172.16.7.15     ec:15:3d:07:00:13       (Unknown)
172.16.7.17     08:00:27:2d:3f:71       CADMUS COMPUTER SYSTEMS
172.16.7.19     00:1f:c1:1e:4a:6e       Hanlong Technology Co.,LTD
172.16.7.20     00:1f:c1:1c:67:0b       Hanlong Technology Co.,LTD
172.16.7.21     ac:4e:91:48:6a:cd       HUAWEI TECHNOLOGIES CO.,LTD
172.16.7.23     a0:98:05:f9:01:4d       OpenVox Communication Co Ltd
172.16.7.27     00:0b:82:8f:ed:96       Grandstream Networks, Inc.
172.16.7.30     1c:1b:0d:16:ee:c0       (Unknown)
172.16.7.35     a0:98:05:02:1f:9d       OpenVox Communication Co Ltd
172.16.7.38     ec:15:3d:07:00:20       (Unknown)
172.16.7.40     fc:aa:14:cc:24:59       (Unknown)
172.16.7.41     22:cb:f4:61:48:31       (Unknown)
172.16.7.42     00:0c:29:45:04:d3       VMware, Inc.
172.16.7.43     fa:0f:38:df:f8:71       (Unknown)
172.16.7.46     00:1f:16:16:fd:8a       Wistron Corporation
172.16.7.70     f0:2f:74:8b:ad:0f       (Unknown)
172.16.7.88     2c:4d:54:59:50:6c       (Unknown)
172.16.7.91     20:0a:0d:3f:f2:9f       (Unknown)
172.16.7.93     00:e0:4c:1e:c7:9c       REALTEK SEMICONDUCTOR CORP.
172.16.7.94     ec:15:3d:07:00:1f       (Unknown)
172.16.7.99     3c:78:43:3f:d1:d8       (Unknown)
172.16.7.108    00:0c:43:46:20:67       Ralink Technology, Corp.
172.16.7.132    40:8d:5c:2e:f7:29       (Unknown)
172.16.7.139    08:00:27:72:98:87       CADMUS COMPUTER SYSTEMS
172.16.7.140    08:00:27:67:f1:8c       CADMUS COMPUTER SYSTEMS
172.16.7.177    08:00:27:5c:0a:40       CADMUS COMPUTER SYSTEMS
172.16.7.182    fa:0f:eb:1e:0b:71       (Unknown)
172.16.7.184    fa:0f:a7:27:ea:71       (Unknown)
172.16.7.186    fa:0f:18:ea:1e:71       (Unknown)
172.16.7.201    a0:98:05:f9:02:10       OpenVox Communication Co Ltd
172.16.7.206    00:a0:c9:00:00:b2       INTEL CORPORATION - HF1-06
172.16.7.209    a0:98:05:f9:01:52       OpenVox Communication Co Ltd
172.16.7.211    a0:98:05:f9:01:53       OpenVox Communication Co Ltd
172.16.7.214    a0:f4:79:1b:60:6b       (Unknown)

35 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.007 seconds (127.55 hosts/sec). 35 responded

[builder@localhost arp-scan-1.9]$ sudo arp-scan -l | grep "f0:"
172.16.7.70     f0:2f:74:8b:ad:0f       (Unknown)

Scan with netdiscover

sudo netdiscover -i eth0 -r 172.16.7.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 80 Captured ARP Req/Rep packets, from 39 hosts.   Total size: 4800
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 172.16.7.40     fc:aa:14:cc:24:59      9     540  GIGA-BYTE TECHNOLOGY CO.,LTD.
 172.16.7.12     fa:0f:25:21:88:53      5     300  Unknown vendor
 172.16.7.78     f8:a0:3d:6a:3a:88      9     540  Dinstar Technologies Co., Ltd.
 172.16.7.189    a0:98:05:02:19:89      9     540  OpenVox Communication Co Ltd
 172.16.7.1      58:6a:b1:63:e4:85      4     240  Hangzhou H3C Technologies Co., Limited
 172.16.7.3      a0:98:05:17:04:3f      1      60  OpenVox Communication Co Ltd
 172.16.7.4      1c:1b:0d:16:ee:c0      1      60  GIGA-BYTE TECHNOLOGY CO.,LTD.
 172.16.7.5      00:1f:c1:1c:67:0b      5     300  Hanlong Technology Co.,LTD
 172.16.7.9      2a:fa:a6:84:1c:91      1      60  Unknown vendor
 172.16.7.21     ac:4e:91:48:6a:cd      1      60  HUAWEI TECHNOLOGIES CO.,LTD
 172.16.7.22     00:1f:c1:1e:4a:6e      1      60  Hanlong Technology Co.,LTD
 172.16.7.27     00:0b:82:8f:ed:96      1      60  Grandstream Networks, Inc.
 172.16.7.28     a0:98:05:f9:01:4d      1      60  OpenVox Communication Co Ltd
 172.16.7.32     a2:cf:dd:94:1d:a7      1      60  Unknown vendor
 172.16.7.34     00:a8:59:eb:44:e6      1      60  Unknown vendor
 172.16.7.35     08:00:27:2d:3f:71      1      60  PCS Systemtechnik GmbH
 172.16.7.42     46:e6:1d:3a:1f:23      1      60  Unknown vendor
 172.16.7.46     fa:0f:f6:7c:cb:70      1      60  Unknown vendor
 172.16.7.77     90:e2:fc:b1:d1:e4      1      60  IEEE Registration Authority
 172.16.7.81     00:1f:c1:1e:6e:63      4     240  Hanlong Technology Co.,LTD
 172.16.7.88     2c:4d:54:59:50:6c      1      60  ASUSTek COMPUTER INC.
 172.16.7.122    08:00:27:e0:63:66      1      60  PCS Systemtechnik GmbH
 172.16.7.130    a0:98:05:f9:02:14      1      60  OpenVox Communication Co Ltd
 172.16.7.132    00:00:00:00:00:30      1      60  XEROX CORPORATION
 172.16.7.135    a0:98:05:f9:02:08      1      60  OpenVox Communication Co Ltd
 172.16.7.136    c0:74:ad:a1:f1:f8      4     240  Grandstream Networks, Inc.
 172.16.7.139    fa:0f:12:34:56:81      1      60  Unknown vendor
 172.16.7.140    32:a3:c0:af:0e:81      1      60  Unknown vendor
 172.16.7.178    00:a0:c9:00:00:b4      1      60  Intel Corporation
 172.16.7.178    a0:98:05:02:d0:b2      1      60  OpenVox Communication Co Ltd
 172.16.7.180    ce:2a:db:04:fe:8c      1      60  Unknown vendor
 172.16.7.181    80:7b:85:11:93:04      1      60  IEEE Registration Authority
 172.16.7.182    fa:0f:eb:1e:0b:71      1      60  Unknown vendor
 172.16.7.186    fa:0f:25:21:88:89      1      60  Unknown vendor
 172.16.7.198    70:70:fc:03:71:bf      1      60  GOLD&WATER INDUSTRIAL LIMITED

Notes

When tracking down a problem like this, use root if you can; other users may run into permission problems and not get the results you want.