Albert Widjaja

How to list which IP address is the managed switch in my company?

People,

Can anyone here please advise what tool I can use to scan for which IP address is the web management console or SSH port of the managed switch?

I have to audit each IP address subnet for each site office:
Site-1: 192.168.1.0/24
Site-200: 192.168.200.0/24

Typically the switch vendor is HP Procurve or Cisco Catalyst.

Thanks in advance.
skullnobrains

nmap will tell you about telnet and ssh open ports, and additionally use the mac address to give you the trade mark of the equipment

nmap has GUI frontends if you can't figure out the command line
Emmanuel Adebayo
Albert Widjaja

ASKER

Angry IP scanner is prohibited in my environment due to the security risk it poses. So it is not an option :-|
Use Angry IP scanner. It will also try to determine the maker of a network interface it detects (will not always be right), as well as detect common ports that may be open.
Do you mean this one?
https://nmap.org/zenmap/

How do I list only the IP addresses where a managed switch responds?
OK, if I use NMAP, what's the command to load in the NMAP GUI to detect all managed switch IP & MAC addresses in the 192.168.0.0/16 subnet?
I have used this command:
nmap -p 80,443 -v -O --osscan-guess 192.168.0.0/16

The result is thousands of lines of text in the NMAP window, but sometimes I can find:
Nmap scan report for 192.168.1.252
Host is up (0.029s latency).
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

MAC Address: 00:41:D2:13:8C:66 (Cisco Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

So how do I export the result for HP Procurve and Cisco Systems MAC address information only?
os detection apparently won't work in your case. that is unlucky but likely something we can circumvent. note that os detection might work better with additional scan techniques enabled.

you are using nmap verbosely : you'd only get information regarding hosts that are up otherwise so a much less noisy output

nmap will by default send ping probes in order to determine hosts that are up. it seems sensible to ask nmap to only focus on open ports : some of your switches might not answer to pings and this would also help getting less noise in the output

--

is it good enough to list all cisco boxes that listen on port 443, 22, or whatever applies in your environment ?

i guess a simple sed ( if you are on a unix-like box ) can parse nmap's output
something like this

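nmap ... | sed -n '
  # -n : print only the lines emitted by the p command below
  /scan report/ h  # put in hold the line containing the ip
  /^[0-9]*\/tcp *open/ H # append to hold any open ports (anchored so warning lines containing "open" are ignored)
  /MAC.*Cisco/ { H ; x ; s/\n/ /g ; p ; } # if this is cisco, append the line to hold, grab hold contents, join the lines with spaces and print
'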

note that this method will only work for directly connected devices since you won't have the mac address otherwise

---

if you need to scan through a router, the method would be similar
- use sed to grab whatever has a corresponding open management interface
- connect to that interface using ssh, netcat or whatever and test that it is a managed switch

the latter is not very precise : we'd need more info to be more helpful.
for example, if your switches all listen on 443, the login page should contain the word Cisco which would make it easy to differentiate from a regular web server.

please post relevant information and how far your existing attempts got you
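
Added example, not part of the original post: the same filter as the sed script above, written in Python so it also runs on a Windows box, with the fallback the post describes for hosts behind a router (no MAC line, so the service banner is checked instead). The vendor keywords, the name switch_candidates, the second MAC address and the banners in the sample text are constructed for illustration.

```python
import re

# Vendor keywords are an assumption based on the thread (Cisco Catalyst, HP ProCurve).
VENDOR_RE = re.compile(r"cisco|procurve|hewlett", re.I)
REPORT_RE = re.compile(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?")
PORT_RE = re.compile(r"(\d+)/tcp\s+open\s+\S+\s*(.*)")
MAC_RE = re.compile(r"MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")

# Constructed sample in nmap's normal output format; hosts and banners are illustrative.
SAMPLE = """\
Nmap scan report for 192.168.1.252
80/tcp  closed http
443/tcp closed https
MAC Address: 00:41:D2:13:8C:66 (Cisco Systems)
Nmap scan report for 192.168.1.253
22/tcp  open  ssh      (constructed banner)
443/tcp open  ssl/http (constructed banner)
MAC Address: 00:41:D2:00:00:01 (Cisco Systems)
Nmap scan report for sw9.example (192.168.9.20)
80/tcp  open  http     ProCurve web management (constructed banner)
Nmap scan report for 192.168.9.245
22/tcp  open  ssh      OpenSSH 6.1 (protocol 2.0)
80/tcp  open  http     Apache httpd
"""

def switch_candidates(text, mgmt_ports=(22, 23, 80, 443)):
    """Return (ip, mac, open_ports, reason) for hosts that look like managed switches."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            cur = {"ip": m.group(1), "mac": "-", "vendor": "", "ports": [], "banner": ""}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            if int(m.group(1)) in mgmt_ports:
                cur["ports"].append(int(m.group(1)))
                cur["banner"] += " " + m.group(2)
        elif cur and (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    found = []
    for h in hosts:
        # The MAC vendor exists only for directly connected hosts; else use the banners.
        hit = "mac-vendor" if VENDOR_RE.search(h["vendor"]) else "banner"
        if h["ports"] and VENDOR_RE.search(h["vendor"] + h["banner"]):
            found.append((h["ip"], h["mac"], h["ports"], hit))
    return found

if __name__ == "__main__":
    for row in switch_candidates(SAMPLE):
        print(*row)
```

Save the scan with nmap's -oN option and pass the file contents to switch_candidates; a banner match is only a hint, so each hit still needs confirming on the device itself.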
Thanks Skull,

I'm on a Windows box, and just a server admin, so my networking skill is very limited.
This is the command I've been trying:

nmap -sV -p 22,80,443 -O -v --fuzzy --osscan-guess 192.168.2.0/24

But there is still too much irrelevant data to read through.
Skull,

Yes, I've managed to reduce the amount of noise by using the command that you suggested:
nmap -sV -p 22,80,443 -O -Pn --open --version-intensity 0 192.168.9.0/24

The switch in the remote office is mostly HP Procurve brand, about one or two maximum, and it is normally accessible through a web browser.

Here's what I can copy paste from the Windows NMAP GUI:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-05 12:33 AUS Eastern Daylight Time

Nmap scan report for 192.168.9.12
Host is up (0.032s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9 (protocol 2.0)
80/tcp  open  http     GoAhead WebServer
443/tcp open  ssl/http GoAhead WebServer
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose|media device|storage-misc|bridge|broadband router|remote management
Running (JUST GUESSING): Linux 2.6.X (97%), RGB Spectrum embedded (96%), Perle embedded (94%), Linksys embedded (94%), Supermicro embedded (94%), Netgear embedded (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.12 cpe:/h:linksys:wrv54g cpe:/o:linux:linux_kernel:2.6.24 cpe:/h:supermicro:aoc-simso+ cpe:/h:netgear:eva8000
Aggressive OS guesses: DD-WRT v24 (Linux 2.6.22) (97%), Linux 2.6.10 - 2.6.13 (embedded) (97%), Linux 2.6.9 - 2.6.33 (97%), Linux 2.6.22 - 2.6.23 (96%), RGB Spectrum MediaWall 1500 video processor (96%), Linux 2.6.13 - 2.6.32 (95%), Linux 2.6.17 - 2.6.20 (95%), Linux 2.6.12 (95%), Linux 2.6.22 (94%), Perle IOLAN DS1 Ethernet-to-serial bridge (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.152
Host is up (0.027s latency).
Not shown: 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE  VERSION
80/tcp  open  http     thttpd
443/tcp open  ssl/http thttpd
Aggressive OS guesses: Comtrend CT536 wireless ADSL router (98%), Source Technologies ST-9650 printer (95%), Toshiba Magnia SG10 server appliance (Linux 2.4.18) (95%), Gemtek P360 WAP or Siemens Gigaset SE515dsl wireless broadband router (95%), HP Designjet T1100ps or Z3100ps printer (94%), OpenWrt (Linux 2.4.30 - 2.4.34) (94%), Linux 2.6.9-55.0.2.EL (Red Hat Enterprise Linux) (94%), Linux 2.6.16 - 2.6.21 (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.153
Host is up (0.029s latency).
Not shown: 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE  VERSION
80/tcp  open  http     thttpd
443/tcp open  ssl/http thttpd
Aggressive OS guesses: Comtrend CT536 wireless ADSL router (97%), Source Technologies ST-9650 printer (95%), Toshiba Magnia SG10 server appliance (Linux 2.4.18) (95%), Gemtek P360 WAP or Siemens Gigaset SE515dsl wireless broadband router (95%), HP Designjet T1100ps or Z3100ps printer (94%), OpenWrt (Linux 2.4.30 - 2.4.34) (94%), Linux 2.6.9-55.0.2.EL (Red Hat Enterprise Linux) (94%), Linux 2.6.16 - 2.6.21 (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.154
Host is up (0.029s latency).
Not shown: 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE  VERSION
80/tcp  open  http     thttpd
443/tcp open  ssl/http thttpd
Aggressive OS guesses: Comtrend CT536 wireless ADSL router (98%), Source Technologies ST-9650 printer (95%), Toshiba Magnia SG10 server appliance (Linux 2.4.18) (95%), Gemtek P360 WAP or Siemens Gigaset SE515dsl wireless broadband router (95%), HP Designjet T1100ps or Z3100ps printer (94%), OpenWrt (Linux 2.4.30 - 2.4.34) (94%), Linux 2.6.9-55.0.2.EL (Red Hat Enterprise Linux) (94%), Linux 2.6.16 - 2.6.21 (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.210
Host is up (0.028s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh?
80/tcp  open  http?
443/tcp open  ssl/http HP Integrated Lights-Out web interface 1.30
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP iLO 4 remote management interface (97%), HP iLO 3 or iLO 4 remote management interface (96%), HP iLO 3 remote management interface (95%), HP iLO 3 remote management interface or Hay Systems HSL 2.75G Femtocell (95%), Green Hills Probe hardware debugger (94%), APC NetBotz 200 rack monitor (93%), Wyse ThinOS PCoIP device (93%), APC AP9619 Network Management Card (AOS 3.3.1 - 3.6.1) (93%), Blackboard transaction system serial-to-IP converter (93%), APC Network Management Card (AOS 3.3.4 - 3.5.5) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops
Service Info: CPE: cpe:/h:hp:integrated_lights-out:1.30

Nmap scan report for 192.168.9.222
Host is up (0.026s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.1 (protocol 2.0)
80/tcp  open  http     lighttpd
443/tcp open  ssl/http lighttpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.13 - 2.6.32 (98%), Linux 2.6.24 - 2.6.28 (97%), Linux 2.6.18 - 2.6.32 (96%), Linux 2.6.22 - 2.6.23 (96%), Aastra RFP L32 IP DECT WAP (94%), Vyatta 4.1.4 (Linux 2.6.24) (94%), Linux 2.6.24 (94%), Linux 2.6.15 - 2.6.28 (94%), Linux 2.6.18 (94%), Linux 2.6.18 - 2.6.24 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.245
Host is up (0.027s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.1 (protocol 2.0)
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.6 (95%), Linux 2.6.32 - 2.6.35 (94%), AVM FRITZ!Box (FritzOS 6.03) (93%), Linux 2.6.32 - 3.10 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.24 - 2.6.36 (93%), Ubiquiti AirOS 5.6.2 (Linux 2.6.32) (92%), Linux 2.6.9 - 2.6.18 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nmap scan report for 192.168.9.246
Host is up (0.037s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.1 (protocol 2.0)
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (97%), Linux 3.2 - 4.6 (95%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.10 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.24 - 2.6.36 (93%), AVM FRITZ!Box (FritzOS 6.03) (93%), Ubiquiti AirOS 5.6.2 (Linux 2.6.32) (93%), Linux 2.6.9 - 2.6.18 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (256 hosts up) scanned in 71.44 seconds

Thanks!