The Little Lost Computer

One of my favorite Bash.org quotes goes something like this:

“I lost my computer.”

“Can you ping it?”

“No, I mean I lost my computer. It responds to ping, I just can’t find it in my room.”

I had the opposite experience today while at work. Sometimes I like to access my home machine over SSH to check local mail or grab a file I was working on, but when I tried to do that this morning, my computer wouldn’t respond. The other day my (crappy) ISP experienced a service outage in my area and I bet that when the service was restored my modem was served a different IP address from my segment’s DHCP server. Now, since I use a dynamic DNS service to map my IP address to a host name (so that I don’t have to remember its sometimes-changing IP address), the IP address in DNS for my machine was wrong.

There I was at work, wanting to connect to my home network, but the host name no longer resolved properly. I had lost my computer somewhere out on the Internet. I wanted to find it again, but how?

Well, I knew a few choice things about my network:

  • I run an SSH server on a certain port. For the sake of example, let’s say it’s the standard 22.
  • I run a Web server on a certain port. Again, let’s say that happens to be 80, the default.
  • My router does respond to WAN-side ICMP echo requests (“ping”s).
  • Every other port is being stealthed by my router.

So using this information, I can accurately describe what a network fingerprint of my computer might look like. Now, where could it be? This was a job for Nmap, the network mapping (and network security analysis) tool. That sounds really fancy but it’s actually not. In fact, it’s basically just good old ping on steroids.

Firstly, to find the IP address that was still in the DNS system, I needed to run:

host my.old.hostname

My first guess was to simply check the logical address space around my old IP address. So assuming an old IP address of 66.65.51.145 (I don’t actually remember the old one anymore), I could simply check the surrounding IP addresses:

nmap -sS -p 22,80 66.65.51.0-255

This command runs a pretty standard SYN scan directed at ports 22 and 80 at all the IP addresses between 66.65.51.0 and 66.65.51.255. However, it first sends a single standard ping to the target IP address to see if it is up and will only commence the SYN scan if the target replies to the ping. What am I looking for? Well, I’m looking for a machine that answers with both scanned ports open, like this:

Interesting ports on some-machine (66.65.51.34):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Indeed, this found a few machines, so I next tested the SSH server to see if it was even an appropriate match. SSH servers output a plain-text string identifying their version and optionally their OS before encrypted communications begin:

telnet 66.65.51.56 22
Trying 66.65.51.56...
Connected to cpe-66-65-51-56.nyc.res.rr.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.9p1

Naturally, one of those few machines was me. :)
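The two checks described above (both ports open, then the SSH identification string) can be applied to saved scan output in one pass. This is an added example, not code from the original post: the function names are hypothetical, the sample scan and banners are constructed, and it goes slightly beyond the post by also accepting the "Nmap scan report for" header that newer Nmap releases print.

```python
import re

# Report header: "Interesting ports on ..." (as in the post) or the newer "Nmap scan report for ..."
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) "
                     r"(?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?:?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")
# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")

def hosts_matching(nmap_text, wanted_ports):
    """Return IPs whose report shows every port in wanted_ports as open."""
    states, current = {}, None
    for line in nmap_text.splitlines():
        host = HOST_RE.match(line)
        port = PORT_RE.match(line)
        if host:
            current = host.group(1)
            states[current] = {}
        elif port and current:
            states[current][int(port.group(1))] = port.group(2)
    return [ip for ip, ports in states.items()
            if all(ports.get(p) == "open" for p in wanted_ports)]

def parse_banner(line):
    """Split an SSH identification string into its parts; None if it is not one."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {"proto": m.group(1), "software": m.group(2), "comments": m.group(3)}

def shortlist(nmap_text, banners, wanted_ports, my_software):
    """Hosts with all wanted ports open whose SSH banner names my_software."""
    parsed = {ip: parse_banner(banners.get(ip, ""))
              for ip in hosts_matching(nmap_text, wanted_ports)}
    return [ip for ip, info in parsed.items()
            if info and info["software"] == my_software]

# Constructed sample data (documentation address range), not real scan results.
SAMPLE_SCAN = """\
Interesting ports on host-a.example (192.0.2.34):
PORT   STATE    SERVICE
22/tcp open     ssh
80/tcp open     http
Interesting ports on host-b.example (192.0.2.41):
22/tcp open     ssh
80/tcp filtered http
Nmap scan report for 192.0.2.56
22/tcp open     ssh
80/tcp open     http
"""
SAMPLE_BANNERS = {"192.0.2.34": "SSH-2.0-OpenSSH_4.3 Debian-8\r\n",
                  "192.0.2.56": "SSH-2.0-OpenSSH_3.9p1\r\n"}

if __name__ == "__main__":
    print(shortlist(SAMPLE_SCAN, SAMPLE_BANNERS, (22, 80), "OpenSSH_3.9p1"))
```

A matching version string only narrows the list, since many hosts run the same OpenSSH build. The host key that ssh checks against known_hosts on connect is what confirms the machine is yours.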