
Thread: A strange IP address in my network!!

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    12


    My private IP address scheme is in the 192.168.1.x subnet. Here is my network diagram:

    DSL-Modem (192.168.1.1)
    |
    |
    Switch
    |
    My-PC (192.168.1.x)
    and a voip phone (192.168.1.x)
    But there is an IP address, 192.168.0.1, which can be pinged from my modem as well as my computer. The result of the ping is:

    > ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1): 56 data bytes
    56 bytes from 192.168.0.1: icmp_seq=0 ttl=250 time=35.0 ms
    56 bytes from 192.168.0.1: icmp_seq=1 ttl=250 time=35.0 ms
    56 bytes from 192.168.0.1: icmp_seq=2 ttl=250 time=30.0 ms

    --- 192.168.0.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 30.0/33.3/35.0 ms
    I did a traceroute and the result is

    C:\nmap-5.00>tracert 192.168.0.1

    Tracing route to 192.168.0.1 over a maximum of 30 hops

    1 1 ms <1 ms <1 ms 192.168.1.1
    2 34 ms 39 ms 40 ms 116.71.208.1
    3 32 ms 32 ms 33 ms 116.71.241.245
    4 36 ms 36 ms 36 ms rwp44.pie.net.pk [221.120.253.41]
    5 36 ms 36 ms 35 ms 221.120.253.10
    6 35 ms 35 ms 35 ms 192.168.0.1

    Trace complete.
    I did nmap with parameters (-sV -oO -v) and the output is
    C:\nmap-5.00>nmap.exe -sV -oO -v 192.168.0.1

    Starting Nmap 5.00 at 2009-11-04 19:10 Pakistan Standard Tim
    e
    NSE: Loaded 3 scripts for scanning.
    Initiating Ping Scan at 19:10
    Scanning 192.168.0.1 [4 ports]
    Completed Ping Scan at 19:10, 0.36s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 19:10
    Completed Parallel DNS resolution of 1 host. at 19:10, 0.04s elapsed
    Initiating SYN Stealth Scan at 19:10
    Scanning 192.168.0.1 [1000 ports]
    Discovered open port 22/tcp on 192.168.0.1
    Discovered open port 23/tcp on 192.168.0.1
    Completed SYN Stealth Scan at 19:10, 6.40s elapsed (1000 total ports)
    Initiating Service scan at 19:10
    Scanning 2 services on 192.168.0.1
    Completed Service scan at 19:10, 7.56s elapsed (2 services on 1 host)
    NSE: Script scanning 192.168.0.1.
    NSE: Script Scanning completed.
    Host 192.168.0.1 is up (0.043s latency).
    Interesting ports on 192.168.0.1:
    Not shown: 996 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open tcpwrapped
    23/tcp open telnet?
    1720/tcp filtered H.323/Q.931
    5060/tcp filtered sip

    1 service unrecognized despite returning data. If you know the service/version,
    please submit the following fingerprint at

    Read data files from: C:\nmap-5.00
    Service detection performed. Please report any incorrect results at
    org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds
    Raw packets sent: 1174 (51.632KB) | Rcvd: 1162 (46.500KB)
    Another nmap OS fingerprint scan shows

    Starting Nmap 5.00 (]Nmap - Free Security Scanner For Network Exploration & Security Audits.] ) at 2009-11-04 19:31 Pakistan Standard Ti
    e
    NSE: Loaded 0 scripts for scanning.
    Initiating Ping Scan at 19:31
    Scanning 192.168.0.1 [4 ports]
    Completed Ping Scan at 19:31, 0.38s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 19:31
    Completed Parallel DNS resolution of 1 host. at 19:31, 0.04s elapsed
    Initiating SYN Stealth Scan at 19:31
    Scanning 192.168.0.1 [1000 ports]
    Discovered open port 23/tcp on 192.168.0.1
    Discovered open port 22/tcp on 192.168.0.1
    Completed SYN Stealth Scan at 19:31, 7.45s elapsed (1000 total ports)
    Initiating OS detection (try #1) against 192.168.0.1
    Retrying OS detection (try #2) against 192.168.0.1
    Host 192.168.0.1 is up (0.039s latency).
    Interesting ports on 192.168.0.1:
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    23/tcp open telnet
    1720/tcp filtered H.323/Q.931
    5060/tcp filtered sip
    Device type: switch|WAP
    Running (JUST GUESSING) : HP embedded (88%), D-Link embedded (86%), TRENDnet em
    edded (86%), 3Com embedded (86%)
    Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (88%), D-Link DWL-624+
    or DWL-2000AP, or TRENDnet TEW-432BRP WAP (86%), 3Com 8810 switch (86%)
    No exact OS matches for host (test conditions non-ideal).

    TCP Sequence Prediction: Difficulty=18 (Good luck!)
    IP ID Sequence Generation: Busy server or unknown class

    Telnetting to this machine gives the banner




    ***********************************************************
    * All rights reserved (2000-2007) *
    * Without the owner's prior written consent, *
    * no decompiling or reverse-engineering shall be allowed. *
    * Notice: *
    * This is a private communication system. *
    * Unauthorized access or use may lead to prosecution. *
    ***********************************************************


    Login authentication


    Username:
    Neotrace gives the following output


    Map


    Node Data
    Node Net Reg IP Address Location Node Name
    1 - - 192.168.1.x
    2 1 - 192.168.1.1 -
    3 2 - 116.71.208.1 -
    4 2 - 116.71.241.245 -
    5 3 - 221.120.253.41 - rwp44.pie.net.pk
    6 3 - 221.120.253.10 - rwp44.pie.net.pk
    7 1 - 192.168.0.1 -
    Packet Data
    Node High Low Avg Total Lost
    1 0 0 0 1 0
    2 25 25 25 1 0
    3 135 135 135 1 0
    4 44 44 44 1 0
    5 37 37 37 1 0
    6 36 36 36 1 0
    7 38 38 38 1 0
    Network Data
    Network id#:1

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US


    Network id#:2

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU


    Network id#:3

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU
    I think that the IP addresses 192.168.x.x are private addresses and are non-routable (meaning you shouldn't be able to access these addresses if they are not from your internal network). The traceroute shows that the machine is behind the PIE and it seems to be quite well set up.

    I am trying to investigate the machine on my own but have got no idea how to proceed further. What could this machine be? Any wild guesses? And one more thing: you people should also try probing this machine and make sure not to confuse your own router with it :-)

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

    Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
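The traceroute reading this reply relies on, as an added example that is not part of the original thread: the script parses the `tracert` hop lines quoted in post #1 and flags RFC 1918 addresses that appear only after the path has left the local LAN. The function names are hypothetical and the LAN prefix 192.168.1.0/24 is an assumption taken from the poster's description.

```python
import ipaddress
import re

# Hop lines from the tracert quoted in post #1 (column spacing is constructed).
TRACERT = """\
  1     1 ms    <1 ms    <1 ms  192.168.1.1
  2    34 ms    39 ms    40 ms  116.71.208.1
  3    32 ms    32 ms    33 ms  116.71.241.245
  4    36 ms    36 ms    36 ms  rwp44.pie.net.pk [221.120.253.41]
  5    36 ms    36 ms    35 ms  221.120.253.10
  6    35 ms    35 ms    35 ms  192.168.0.1
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the poster's LAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hop number, then anything, then the last IPv4 address on the line.
HOP_RE = re.compile(r"^\s*(\d+)\s.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_hops(text):
    """Return [(hop_number, IPv4Address)] for every line that names a hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # headers, blank lines, timed-out hops ("* * *")
        try:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # dotted text that is not a valid IPv4 address
    return hops


def classify(addr):
    """Label an address as on the local LAN, private but elsewhere, or public."""
    if addr in LOCAL_NET:
        return "local-lan"
    if any(addr in net for net in RFC1918):
        return "rfc1918-upstream"
    return "public"


def upstream_private_hops(text):
    """RFC 1918 hops seen only after the path has left the local LAN."""
    left_lan, found = False, []
    for hop, addr in parse_hops(text):
        kind = classify(addr)
        if kind != "local-lan":
            left_lan = True
        if left_lan and kind == "rfc1918-upstream":
            found.append((hop, str(addr)))
    return found


if __name__ == "__main__":
    for hop, addr in parse_hops(TRACERT):
        print(f"{hop:>2}  {str(addr):<16} {classify(addr)}")
```

A private address flagged this way sits inside the provider's network, not on the subscriber's LAN, which is the distinction the reply draws.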

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    66


    Quote Originally Posted by streaker69 View Post
    IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

    Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
    I agree. From my house if I do a 192.168.x.x scan I can see some VOIP boxes my ISP has out in Utah. I'm in NY.

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    12


    IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

    Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
    But isn't this against the rules to make a non-routable IP address a routable one! And one more thing: although I don't want to proceed further, if someone wanted to proceed further, what else can he do other than brute forcing that IP? (which probably isn't the most sensible thing one would like to do, legally as well as technically)

  5. #5
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by generaluser View Post
    But isn't this against the rules to make a non-routable IP address a routable one!
    No. You do not understand the rules of how routing and such work - definitely worth a look.
    And one more thing: although I don't want to proceed further, if someone wanted to proceed further, what else can he do other than brute forcing that IP? (which probably isn't the most sensible thing one would like to do, legally as well as technically)
    Nothing. It's on a non routable network... you can't get to those :P

    But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

    Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  6. #6
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660


    Quote Originally Posted by Gitsnik View Post
    No. You do not understand the rules of how routing and such work - definitely worth a look. Nothing. It's on a non routable network... you can't get to those :P

    But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

    Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
    Given that many people here live in such a wide variety of places I don't think that you can so quickly conclude that port scanning isn't a crime where this person lives.

    Just a heads up for the OP, it may or may not be a crime but it may also be against your ISP's TOS. You could have just broken those terms and given your ISP full rights to ban you.

    Crime or not there was no reason whatsoever to run a port scan on that IP in order to show that it is an unusual situation.

  7. #7
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by hhmatt81 View Post
    Crime or not there was no reason whatsoever to run a port scan on that IP in order to show that it is an unusual situation.
    Agreed.

    I am not, however, familiar with a single country where the act of port scanning is enough to get you into trouble (by law). I do recall those kids getting "caught" by the FBI or NSA or whoever for hard-and-fast scanning, but I don't recall that being an actual law. Is there a particular country or line item I have missed?

  8. #8
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660


    Quote Originally Posted by Gitsnik View Post
    Is there a particular country or line item I have missed?
    Not that I am aware of, although I am no expert on the subject. Hopefully someone else would be able to provide more information.

  9. #9
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    12


    Quote Originally Posted by Gitsnik View Post
    No. You do not understand the rules of how routing and such work - definitely worth a look. Nothing. It's on a non routable network... you can't get to those :P

    But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

    Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
    Not that I was about to hack into that machine or so... but I was just curious as to how someone would proceed further if he wanted to dig deeper.
    It was not that I didn't know what one would do, but I just wanted to know what other people think about it. So if someone REALLY wants to dig deeper then there are ample guides on the internet and are much better than asking someone! The normal sequence can be nothing other than getting even more info on the target (supposing there was one!) by means of knowing more about their gateway and then maybe getting to know the vulnerabilities (by active or passive scanning and maybe social engineering, hint: call ISP to ask about it) and finally exploiting them or trying to bruteforce your way to the machine.

    But all this stuff needs a dedicated person and someone who has plenty of time at his disposal (which surely excludes me).

    Thank you everyone for your replies!

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Gitsnik View Post
    But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.
    I don't believe I ever mentioned that port scanning was a crime, but it can be against the TOS/AUP of your ISP. Many of them have conducting recon clearly defined in their terms as being forbidden activity.
