The Joy of Network Scanning for IoT

As I continue to hack on drones, robocars, autonomous vacuum cleaners, and connected light bulbs, I constantly find myself revisiting the same network scanning cookbook. Inevitably, I am required to SSH, netcat, POST, or do something else entirely to some IoT device, but I never can quite remember the steps to do so, leaving me to constantly reinvent the process. This blog post is a quick attempt to turn this exercise in data plumbing into a joyful recipe for all to follow.

First step is always to run

ifconfig

from the terminal. This will display every network interface through which your computer can reach the outside world, along with its IP address. Typically, you will use your WiFi card (en0 on a MacBook), but you can also connect to IoT devices via USB or ethernet for debugging. If you are connecting to the network over WiFi, save the inet address listed under en0. In my case, my router assigned me 10.0.0.10.

Next, let’s install a tool called nmap. This is a command line network mapping tool that is absolutely loaded with features and extremely helpful for configuring IoT devices. The nmap website recommends several installation methods, but Homebrew is easiest. If you don’t have Homebrew installed, take a look at the instructions here. Otherwise, type

brew install nmap

into the terminal. You may need to install the Xcode CLI if you haven’t already because nmap compiles on your machine. To get a taste of what nmap does, type

nmap --help

and witness the unfurling of pages of complex documentation. For our purposes, we just need to identify IoT devices on our network. Type

sudo nmap -sn 10.0.0.10/24

where the IP address is the inet address you saved from ifconfig. The /24 tells nmap to scan all 256 IP addresses that share the 10.0.0 prefix, 10.0.0.0-10.0.0.255. The same thing can also be accomplished with an asterisk, as in 10.0.0.*. On my network, nmap returned the list below.

Daniels-MacBook-Pro-3:~ dMcK$ sudo nmap -sn 10.0.0.10/24
Starting Nmap 6.47 ( http://nmap.org ) at 2017-04-17 22:06 PDT
Nmap scan report for 10.0.0.1
Host is up (0.067s latency).
MAC Address: 58:23:8C:6C:6A:79 (Technicolor CH USA)
Nmap scan report for 10.0.0.2
Host is up (0.065s latency).
MAC Address: 58:23:8C:6C:6A:7B (Technicolor CH USA)
Nmap scan report for 10.0.0.5
Host is up (0.16s latency).
MAC Address: B8:27:EB:31:B3:F9 (Raspberry Pi Foundation)
Nmap scan report for 10.0.0.7
Host is up (0.16s latency).
MAC Address: 54:60:09:37:25:DA (Unknown)
Nmap scan report for 10.0.0.14
Host is up (0.092s latency).
MAC Address: 1A:A6:F7:C5:40:3E (Unknown)
Nmap scan report for 10.0.0.17
Host is up (0.065s latency).
MAC Address: 00:CD:FE:B1:31:B5 (Unknown)
Nmap scan report for 10.0.0.26
Host is up (1.3s latency).
MAC Address: 1A:A6:F7:28:E8:A2 (Unknown)
Nmap scan report for 10.0.0.27
Host is up (0.10s latency).
MAC Address: 00:17:88:25:50:D1 (Philips Lighting BV)
Nmap scan report for 10.0.0.10
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 13.00 seconds

You can see how easily I can pick out some of my interesting devices, and I now know their IP addresses. From here, I am free to ssh in (see the cute RetroPi ssh message below), make a request, or otherwise interact with any of the devices over the network. If you have a very large list of devices on the network, you can use a pipe (|) followed by grep and the search term of interest to display only those devices. For example,

sudo nmap -sn 10.0.0.* | grep Raspberry

displays only the RasPi computers on the network.
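As an added example (not part of the original post), here is a small POSIX shell script that does what the grep above does, but more carefully: it parses the "Nmap scan report" and "MAC Address" lines that nmap -sn prints into one tab-separated line per host, and then flags any host whose MAC address is not on a known-device list. The host lines are taken from the scan output shown above, trimmed to five hosts; the known-device list is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: parse `nmap -sn` text output into
# "ip<TAB>mac<TAB>vendor" lines, then flag hosts whose MAC is not on a list of
# known devices. Useful for noticing a device that appeared on the LAN
# without you putting it there.

# Host lines from the scan output in the post, trimmed to five hosts.
SAMPLE_SCAN='Nmap scan report for 10.0.0.1
Host is up (0.067s latency).
MAC Address: 58:23:8C:6C:6A:79 (Technicolor CH USA)
Nmap scan report for 10.0.0.5
Host is up (0.16s latency).
MAC Address: B8:27:EB:31:B3:F9 (Raspberry Pi Foundation)
Nmap scan report for 10.0.0.7
Host is up (0.16s latency).
MAC Address: 54:60:09:37:25:DA (Unknown)
Nmap scan report for 10.0.0.27
Host is up (0.10s latency).
MAC Address: 00:17:88:25:50:D1 (Philips Lighting BV)
Nmap scan report for 10.0.0.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 13.00 seconds'

# Known-device list, constructed for this example: "MAC label" per line.
KNOWN_MACS='58:23:8C:6C:6A:79 router
B8:27:EB:31:B3:F9 retropi
00:17:88:25:50:D1 hue-bridge'

# parse_hosts: read `nmap -sn` output on stdin, print "ip<TAB>mac<TAB>vendor"
# per host. The scanning machine itself has no MAC line in the output, so it
# is reported with mac "-" and vendor "self".
parse_hosts() {
    awk '
        function flush() {
            if (ip != "") printf "%s\t%s\t%s\n", ip, mac, vendor
            ip = ""
        }
        /^Nmap scan report for / {
            flush()
            ip = $NF; gsub(/[()]/, "", ip)   # also handles "for name (10.0.0.5)"
            mac = "-"; vendor = "self"
            next
        }
        /^MAC Address: / {
            mac = $3
            vendor = $0
            sub(/^MAC Address: [^ ]+ \(/, "", vendor)   # drop "MAC Address: xx (" prefix
            sub(/\)$/, "", vendor)                       # drop trailing ")"
            next
        }
        END { flush() }
    '
}

# find_unknown: print the parsed line for every host whose MAC is not in
# KNOWN_MACS. The scanner itself (mac "-") is skipped.
find_unknown() {
    parse_hosts | awk -v known="$KNOWN_MACS" '
        BEGIN {
            n = split(known, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); ok[toupper(f[1])] = f[2] }
        }
        $2 == "-" { next }
        !(toupper($2) in ok) { print }
    '
}

# Run against the embedded sample: prints the one host not on the list,
# 10.0.0.7 (54:60:09:37:25:DA, vendor Unknown).
printf '%s\n' "$SAMPLE_SCAN" | find_unknown
```

On a live network, replace the embedded sample with a real scan: sudo nmap -sn 10.0.0.10/24 | find_unknown. Keying the list on MAC rather than IP matters because DHCP can hand a device a different address on every lease, while the MAC stays put.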

The -sn option performs a quick host-discovery (ping) scan: nmap rips through the IP addresses and records which ones respond. This generates a quick list of devices on the network but provides no further details. Using -sU instead runs a UDP port scan, reporting which UDP ports are open on each host, and -sT does the same for TCP.

You can have even more fun with the -A flag, which will return all kinds of information about the device. Running this against my RetroPi, I learn that the device is running a Linux 3.X kernel and Debian Samba 4.2.10, is named RetroPi, and is a general-purpose device. Applying the same to the Philips Hue bridge lets me know that I can make HTTP requests over TCP on port 80, which is exactly how we controlled the lights in my previous blog post.

Try this command with all of your IoT toys and see what you get back! Take note, however, that the -A scan takes a few minutes per device, so it may be a while before nmap returns details for everything on your network.
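Added example, not from the original post: once you move from -sn to a port scan (-sT or -A), nmap's -oG option, which writes its one-line-per-host "grepable" format, makes the results easy to check automatically. The script below parses that format, lists the open ports on each host, and reports any open port that is not in an expected per-host baseline, which is how you notice an IoT device quietly exposing a service you never intended to leave reachable. The scan text and the baseline are constructed for the example (a RetroPi with ssh and Samba, a Hue bridge with port 80, plus one surprise), not a capture from the author's network.

```shell
#!/bin/sh
# Added example, not from the original post: parse nmap grepable output
# (`nmap -oG -`) from a port scan, list open ports per host, and flag open
# ports that are not in a per-host baseline.

# Constructed sample in nmap's grepable format (fields are tab-separated in
# real output; the parser below tolerates tabs or spaces). Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
GREPABLE_SCAN='# Nmap 6.47 scan initiated (constructed sample)
Host: 10.0.0.5 (retropi)  Status: Up
Host: 10.0.0.5 (retropi)  Ports: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 23/open/tcp//telnet///  Ignored State: closed (996)
Host: 10.0.0.27 ()  Status: Up
Host: 10.0.0.27 ()  Ports: 80/open/tcp//http///, 8080/closed/tcp//http-proxy///  Ignored State: closed (998)
# Nmap done (constructed sample)'

# Expected open ports per host, constructed baseline: "ip port/proto" per line.
EXPECTED_PORTS='10.0.0.5 22/tcp
10.0.0.5 139/tcp
10.0.0.5 445/tcp
10.0.0.27 80/tcp'

# parse_open_ports: read grepable output on stdin, print "ip port/proto service"
# for every port whose state is "open".
parse_open_ports() {
    awk '
        /^Host: / {
            ip = $2
            for (i = 3; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                               # strip list comma
                if (f !~ /^[0-9]+\/[a-z|_-]+\/[a-z]+\//) continue  # not a port entry
                split(f, p, "/")   # p[1]=port p[2]=state p[3]=proto p[5]=service
                if (p[2] == "open") printf "%s %s/%s %s\n", ip, p[1], p[3], p[5]
            }
        }
    '
}

# unexpected_ports: print open ports (ip port/proto service) absent from the
# baseline, i.e. services you did not expect that device to expose.
unexpected_ports() {
    parse_open_ports | awk -v base="$EXPECTED_PORTS" '
        BEGIN { n = split(base, l, "\n"); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
        !(($1 " " $2) in ok) { print }
    '
}

# Run against the embedded sample: the only line printed is
# "10.0.0.5 23/tcp telnet", the service missing from the baseline.
printf '%s\n' "$GREPABLE_SCAN" | unexpected_ports
```

On a live network, feed it a real scan, for example sudo nmap -sT -oG - 10.0.0.27 | unexpected_ports, and keep EXPECTED_PORTS as the record of what each device is supposed to expose; anything the script prints is either a new service or a baseline that needs updating.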

It is also interesting to point nmap at a public website. Try

sudo nmap -A ddmckinnon.com

and you’ll learn that I host on Bluehost, run WordPress on Linux servers, and that it takes around 17 hops to get from your house to the Bluehost server sitting in a data center somewhere. You can see my serpentine route below.

With this little tutorial, we’ve just begun to scratch the surface of nmap and IoT. Up next, I’ll explore how to use this tool beyond the safe confines of your own local network and how to connect with devices out there in the wild world of the internet.