Journal gzipped_tar's Journal: Wacky use of NMAP

http://books.slashdot.org/article.pl?sid=08/12/08/1443223

I would have posted my NMAP story there, but well, it's too long and off-topic.

The story goes like this. I was in an astronomical observatory for a short time, carrying my Fedora Linux laptop with me. Most of the co-workers there use Windows though (the horror). One day I found myself in need of printing something and there's an HP LaserJet sitting there. I asked "Is this one connected to the LAN? What's the IP address?" Someone kindly dug the IP out of his Windows configuration and hmm, Fedora managed to download the relevant bits from its repository and set up a working printer given the IP address.

Some days later, I changed to another office. I was in need of a printer again, but this time almost everybody was out at a conference! I couldn't use the former one because that room was locked and I didn't have the key. There's another HP in the room though, so I asked the same question "so what's the IP address of this one..." and the two remaining people (one guy and one gal) stared into my eyes, as if I was something of a defect on an astronomical image. They apparently never heard of things like "the IP address of the printer" while using it all the time. They allowed me to use their Windows computer for a while to find it out, but I couldn't. I tried everywhere I thought was possible but I couldn't find it.

Then I came up with an idea. I asked one guy to print a few pages. While he was doing this, I used Wireshark to sniff the LAN and see if I could find something out. Well, nope. Also, because everybody was out, the LAN was extremely quiet...

I knew I'd already bothered them too much so I went to the sysadmin and asked for a list of printers. I explained the situation and he gave me one. The observatory's LAN was supposed to use static ARP and every machine has to be registered (MAC address, owner, type, usage, etc.) at the sysadmin's before gaining access to the LAN.

However, when I was back at my computer, I found the list was wrong. Considering their adoption of static ARP, I had no idea why this was happening. Anyway, the admin couldn't help more. I then came to my final resort, NMAP. With NMAP's port scan, I discovered a few hosts that looked like printers (port 80 wide open for web-based administration, a bunch of Windows SMB-related ports, suggestions in OS detection, etc.). Because most of them had the administration page open to the LAN, I was able to get the model numbers from the pages and see if they matched the one I was going to use, thus eliminating a few possibilities. I then sent the CUPS testing pages to all the remaining IPs, one by one... I heard distant sounds of printer crunching and spewing... and finally came to the one in my office.

I never explained what I did to the admin, and he never brought anything up with me. I thought that was tacit agreement... or he just never found out.
