How to find the IP address of a router

Solution 1:

There is a way to find out: modify the TTL values. You can do this using a tool such as hping, or simply traceroute (tracert in Windows).

I am connected to an access point, and I can do a traceroute to an outside IP address then see what the second "hop" is:

C:\>tracert google.com

Tracing route to google.com [173.194.41.131]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  10.21.176.2
  2     4 ms     3 ms     2 ms  10.21.161.150
  3     7 ms     4 ms     6 ms  ^C (<-- I pressed control c to stop it)
C:\>

Here you can see that 10.21.176.2 is my gateway (access point). You can then determine which of the IP addresses in the range of your second hop (in my case 10.21.161.*, assuming it's a normal class C network) will reply straight away; this can be either scripted or done manually:

C:\>tracert -d 10.21.161.149

Tracing route to 10.21.161.149 over a maximum of 30 hops

  1     3 ms     2 ms     3 ms  10.21.176.2
  2     2 ms     1 ms     1 ms  10.21.161.149

Trace complete.

We can keep on decreasing or increasing the last octet; again, this is better if you script it (or run hping with your TTL value set to 1):

C:\>tracert -d 10.21.161.142

Tracing route to 10.21.161.142 over a maximum of 30 hops

  1     2 ms     1 ms     3 ms  10.21.176.2
  2     2 ms     1 ms     1 ms  10.21.161.142

Trace complete.

C:\>tracert -d 10.21.161.141

Tracing route to 10.21.161.141 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.21.161.141

Trace complete.

Since 10.21.161.141 is only one hop away, and it's not on my network (I am on 10.21.176.0/24), it is the outside interface of my gateway. In my case, the access point.

Note: This won't work, however, if the access point blocks outgoing ICMP "TTL expired" messages, but normally they aren't configured that way.
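As an added illustration of the reasoning in this answer (example code, not from the original poster): a small Python script that parses saved Windows tracert output and applies the rule used above, "answered at hop 1 but not inside my own subnet, so it is the outside interface of the gateway". It sends no packets itself; the sample outputs are copied from the answer into string constants, and the /24 assumption for the second-hop range is the answer's own. The function names (`parse_hops`, `candidate_range`, `classify`) are this example's, not any tool's.

```python
"""Classify addresses from saved tracert output, following the reasoning in
the answer above. Example code, not from the original post."""
import ipaddress
import re

# A tracert hop line looks like:  "  2     4 ms     3 ms     2 ms  10.21.161.150"
# Group 1 = hop number, group 3 = last field (the address, or "out." / junk
# when the hop timed out or the trace was interrupted).
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\S+)\s*$")

# Sample outputs copied from the answer (the "^C" line is the interrupted one).
TRACE_GOOGLE = """Tracing route to google.com [173.194.41.131]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  10.21.176.2
  2     4 ms     3 ms     2 ms  10.21.161.150
  3     7 ms     4 ms     6 ms  ^C (<-- I pressed control c to stop it)
"""
TRACE_149 = """Tracing route to 10.21.161.149 over a maximum of 30 hops

  1     3 ms     2 ms     3 ms  10.21.176.2
  2     2 ms     1 ms     1 ms  10.21.161.149

Trace complete.
"""
TRACE_141 = """Tracing route to 10.21.161.141 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.21.161.141

Trace complete.
"""


def parse_hops(tracert_output):
    """Return a list of (hop_number, IPv4Address-or-None) from tracert text.
    Hops that timed out or were interrupted yield None for the address."""
    hops = []
    for line in tracert_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank, "Trace complete." etc.
        hop, _, last = m.groups()
        try:
            addr = ipaddress.ip_address(last)
        except ValueError:
            addr = None  # "Request timed out." or the interrupted "^C" line
        hops.append((int(hop), addr))
    return hops


def candidate_range(tracert_output, prefixlen=24):
    """From a trace to an outside host, take the second hop's address and
    widen it to the network you would then probe (the answer assumes a /24)."""
    second = [addr for hop, addr in parse_hops(tracert_output) if hop == 2]
    if not second or second[0] is None:
        return None
    return ipaddress.ip_network(f"{second[0]}/{prefixlen}", strict=False)


def classify(target, tracert_output, local_net):
    """Apply the answer's rule to one probed address:
      'local'           - inside my own subnet
      'gateway-outside' - answered at hop 1 but is not in my subnet, so it is
                          the outside interface of my gateway
      'beyond-gateway'  - answered at hop 2 or later
      'no-answer'       - never appeared as a hop in this trace
    """
    target = ipaddress.ip_address(target)
    local_net = ipaddress.ip_network(local_net)
    if target in local_net:
        return "local"
    for hop, addr in parse_hops(tracert_output):
        if addr == target:
            return "gateway-outside" if hop == 1 else "beyond-gateway"
    return "no-answer"


if __name__ == "__main__":
    me = "10.21.176.0/24"  # the poster's own subnet
    print("range to probe:", candidate_range(TRACE_GOOGLE))
    for ip, out in (("10.21.161.149", TRACE_149), ("10.21.161.141", TRACE_141)):
        print(ip, "->", classify(ip, out, me))
```

Run it against the transcripts above and 10.21.161.149 comes out as "beyond-gateway" while 10.21.161.141 comes out as "gateway-outside", which is exactly the conclusion drawn in the answer. In practice you would capture your own tracert -d runs to files and feed their contents to classify.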