0

I'm writing a class to integrate a POS card reader device to our software. In order for it to work I must know what IP it's using. We were given some sample code by the service provider and the way they do this is they open a website (http://www.ebizchargeemv.com/getip.php?mac={MAC address of device}) and it would return the IP address of the device.

The device I'm using is a POSLynx220 Mini. It has an ethernet port that connects to the internet to communicate with the service provider. I send TCP data to it and the device then controls a PIN pad that prompts a client to swipe his card. It's probably a mini computer that communicates with the service provider and uses the PIN pad as its input device.

Just being curious but how did they implement this? Are they implementing it using ARP? I'm planning on not using their website to determine the IP of the device. I've seen some code that uses ARP but using executing ARP in one of the PC didn't detect the POS device.

Addendum:

This is the code that I'm running in my PC:

Dim uri As Uri = New Uri("http://www.ebizchargeemv.com/getip.php?mac=000000000000000")
Dim data As Byte()
Using client As New WebClient
     data = client.DownloadData(uri)
End Using

I'm wondering how can a external website determine the IP address of an internal device connected to our LAN.

acermate433s
  • 118
  • 3
  • 1
    When you have an established TCP connection, you know the address of the remote endpoint. The MAC address isn't involved at all; they're just using that as some kind of identifier. – larsks Aug 02 '13 at 15:32
  • 1
    This thing is directly connected to the internet ? LOL That is a DOS attack waiting to happen. But your ISP should know the ip-address. If you're lucky it is a fixed address. If the device is behind a router ask the administrator of the LAN the device is in. Someone has given the ip to the device and knows. I agree with larks that the MAC is bogus. The device sends it as ID when it phones home to tell the service-provider what it's ip-address is. They could just as easily used the devices serial number or a random number. – Tonny Aug 02 '13 at 15:43
  • larsks, that's probably it. The device is probably calling home and sending its internal IP as part of its initialization. Me sending the MAC address to the site just queries their database to match it with the internal IP the device sent. – acermate433s Aug 02 '13 at 15:56
  • Tonny, the IP was provided by DHCP and the device is behind a router so it's not directly connected to the internet. I probably need to check with our network admin to see it opens any vulnerabilities. – acermate433s Aug 02 '13 at 15:58

1 Answers1

1

I'm wondering how can a external website determine the IP address of an internal device connected to our LAN.

It's just reporting back the information reported to it. Most likely, the device connects to that website making a normal outbound connection and reports its MAC address and local IP address. Any identifier could have been used instead of the MAC address, such as a serial number, and the scheme would still work.

David Schwartz
  • 31,449
  • 2
  • 55
  • 84