Detecting Sun ILOM with NMap
This is an oddball tech note: how to detect Sun ILOM interfaces on the network using nmap. I needed to connect to one of the Sun boxes that dropped off the network, but couldn’t remember the ILOM address and it was never put in DNS. There is a way to use nmap to scan your ILO subnet and narrow down the list of IPs that could be Sun ILOM.
Current-version Sun ILOM can use a variety of ports. We’re looking for any open SP network ports:
| Port | Protocol | Service |
|------|----------|---------|
| 5120 | TCP | Oracle ILOM Remote Console: CD |
| 5121 | TCP | Oracle ILOM Remote Console: Keyboard and Mouse |
| 5123 | TCP | Oracle ILOM Remote Console: Diskette |
| 5555 | TCP | Oracle ILOM Remote Console: Encryption |
| 5556 | TCP | Oracle ILOM Remote Console: Authentication |
| 6481 | TCP | Oracle ILOM Remote Console: Servicetag Daemon |
| 7578 | TCP | Oracle ILOM Remote Console: Video |
| 7579 | TCP | Oracle ILOM Remote Console: Serial |
You can run the following loop to go through every IP on the specified subnet and save a list of IPs with any open ports from the list above. A single open port is no guarantee that the host is a Sun ILOM, so you would have to see if any of these IPs have more than one open matching port.
subnet=10.192.0 ; for i in $(seq 1 254); do if [ "$(nmap -p 5120,5121,5123,5555,5556,6481,7578,7579 --open ${subnet}.${i} 2>/dev/null | grep -Ec '^(5120|5121|5123|5555|5556|6481|7578|7579)/tcp')" -gt 0 ] ; then echo "${subnet}.${i}" >> /tmp/nmap_ilo.txt; fi & done ; wait
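The "more than one open matching port" check described above, as an added example that is not part of the original post: it reads nmap's grepable output (-oG) and counts the open ILOM ports per host. The function names and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.
ILOM_PORTS="5120,5121,5123,5555,5556,6481,7578,7579"

# Reads nmap grepable (-oG) output on stdin and prints "<count> <ip>" for every
# host with at least one of the ILOM ports in state "open", highest count first.
rank_ilom_hosts() {
  awk -v ports="$ILOM_PORTS" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /Ports: / {
      ip = $2
      sub(/^.*Ports: /, "")      # keep only the port list
      sub(/\t.*$/, "")           # drop trailing fields such as "Ignored State"
      m = split($0, entry, ", ")
      hits = 0
      for (i = 1; i <= m; i++) {
        split(entry[i], f, "/")  # port/state/protocol/owner/service/...
        if ((f[1] in want) && f[2] == "open" && f[3] == "tcp") hits++
      }
      if (hits > 0) print hits, ip
    }' | sort -k1,1nr -k2,2
}

# Hosts with more than one matching open port: the stronger ILOM candidates.
likely_ilom_hosts() {
  rank_ilom_hosts | awk '$1 > 1 { print $2 }'
}

# Constructed -oG lines standing in for a real scan of the management subnet.
sample_scan() {
  printf 'Host: 10.192.0.12 ()\tStatus: Up\n'
  printf 'Host: 10.192.0.12 ()\tPorts: %s\tIgnored State: closed (4)\n' \
    '5120/open/tcp/////, 5121/open/tcp/////, 5555/open/tcp/////, 7578/open/tcp/////'
  printf 'Host: 10.192.0.40 ()\tPorts: 5555/open/tcp/////\n'
  printf 'Host: 10.192.0.51 ()\tPorts: 5120/open/tcp/////, 7578/open/tcp/////\n'
  printf 'Host: 10.192.0.77 ()\tPorts: 22/open/tcp//ssh///, 5120/closed/tcp/////\n'
}

# Real use (one scan of the whole subnet instead of 254 background scans):
#   nmap -n -p "$ILOM_PORTS" --open -oG - 10.192.0.0/24 | rank_ilom_hosts
sample_scan | likely_ilom_hosts
```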
The older Sun T5000-series servers would have port 22 open (maybe also 80 and 443, but don’t count on it). Their ILOM will show up in the nmap scan as “Linux 2.4.18 - 2.4.35 (likely embedded)”, so you can use that to narrow down your field of search (OS detection with -O needs root privileges):
subnet=10.192.0 ; for i in $(seq 1 254); do if [ "$(nmap -O ${subnet}.${i} 2>/dev/null | grep -Ec '^22/tcp +open|^OS details: Linux 2\.4\.18 - 2\.4\.35 \(likely embedded\)')" -eq 2 ] ; then echo "${subnet}.${i}" >> /tmp/nmap_ilom.txt; fi & done ; wait
The old Sun ALOM would likely only have port 22 (SSH) open, so finding them is a bit trickier. NMap’s OS detection functionality will likely identify ALOM as VxWorks, so you can use that to narrow down your search:
subnet=10.192.0 ; for i in $(seq 1 254); do if [ "$(nmap -O ${subnet}.${i} 2>/dev/null | grep -Ec '^22/tcp +open|^OS details: VxWorks')" -eq 2 ] ; then echo "${subnet}.${i}" >> /tmp/nmap_alom.txt; fi & done ; wait
For the really old Sun stuff still using telnet, you’re looking for ports 23 and 42:
subnet=10.192.0 ; for i in $(seq 1 254); do if [ "$(nmap -p 23,42 --open ${subnet}.${i} 2>/dev/null | grep -Ec '^(23|42)/tcp')" -gt 0 ] ; then echo "${subnet}.${i}" >> /tmp/nmap_ilo.txt; fi & done ; wait
You can then use dig to check your findings against DNS, just to see if anything looks familiar:
for i in $(sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n /tmp/nmap_alom.txt) ; do printf '%s\t%s\n' "${i}" "$(timeout 2 dig +short -x ${i} 2>/dev/null | head -1)" ; done
And some login notes for ILOM. The URL is https://<ip_address>/iPages/i_login.asp and the default login is root:changeme
The SSH login process is as follows:
ssh root@<ilom-ip>
password: <ilom_root_password> (default: changeme)
start /SP/console
Hit "enter" once to get system prompt
Login as root:<system_root_password>
To exit console: #.
exit