A strange IP address in my network!!
My private IP address scheme is in 192.168.1.x subnet, Here is my network diagram
But there is an IP address 192.168.0.1 which can be pinged from my modem as well as my computer the result of the ping isDSL-Modem (192.168.1.1)
|
|
Switch
|
My-PC (192.168.1.x)
and a voip phone (192.168.1.x)
I did a traceroute and the result is> ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
56 bytes from 192.168.0.1: icmp_seq=0 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=250 time=30.0 ms
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.0/33.3/35.0 ms"
I did nmap with parameters (-sV -oO -v) and the output isC:\nmap-5.00>tracert 192.168.0.1
Tracing route to 192.168.0.1 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.1.1
2 34 ms 39 ms 40 ms 116.71.208.1
3 32 ms 32 ms 33 ms 116.71.241.245
4 36 ms 36 ms 36 ms rwp44.pie.net.pk [221.120.253.41]
5 36 ms 36 ms 35 ms 221.120.253.10
6 35 ms 35 ms 35 ms 192.168.0.1
Trace complete.
Another nmap OS fringerprint scan showsC:\nmap-5.00>nmap.exe -sV -oO -v 192.168.0.1
Starting Nmap 5.00 at 2009-11-04 19:10 Pakistan Standard Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Ping Scan at 19:10
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:10, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:10
Completed Parallel DNS resolution of 1 host. at 19:10, 0.04s elapsed
Initiating SYN Stealth Scan at 19:10
Scanning 192.168.0.1 [1000 ports]
Discovered open port 22/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:10, 6.40s elapsed (1000 total ports)
Initiating Service scan at 19:10
Scanning 2 services on 192.168.0.1
Completed Service scan at 19:10, 7.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.1.
NSE: Script Scanning completed.
Host 192.168.0.1 is up (0.043s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet?
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
SF-Port23-TCP:V=5.00%I=7%D=11/4%Time=4AF18B47%P=i686-pc-windows-windows%r(
SF:NULL,37,"\r\nError:All\x20user\x20interfaces\x2 0are\x20used,\x20please\
SF:x20try\x20later!")%r(GenericLines,37,"\r\nError :All\x20user\x20interfac
SF:es\x20are\x20used,\x20please\x20try\x20later!") %r(GetRequest,37,"\r\nEr
SF:ror:All\x20user\x20interfaces\x20are\x20used,\x 20please\x20try\x20later
SF:!")%r(HTTPOptions,37,"\r\nError:All\x20user\x20 interfaces\x20are\x20use
SF:d,\x20please\x20try\x20later!")%r(RTSPRequest,3 7,"\r\nError:All\x20user
SF:\x20interfaces\x20are\x20used,\x20please\x20try \x20later!")%r(RPCCheck,
SF:223,"\xff\xfb\x01\xff\xfb\x01\xff\xfb\x01\xff\x fb\x03\xff\xfd\x18\xff\x
SF:fd\x1f\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\ *\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\r\n\*\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20All\x20righ ts\x20reserved\x20\(2000
SF:-2007\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 \x20\x20\x20\x20\*\r
SF:\n\*\x20\x20\x20\x20\x20\x20\x20Without\x20the\ x20owner's\x20prior\x20w
SF:ritten\x20consent,\x20\x20\x20\x20\x20\x20\x20\ x20\*\r\n\*\x20no\x20dec
SFmpiling\x20or\x20reverse-engineering\x20shall\x20be\x20allowed\.\x20\*
SF:\r\n\*\x20Notice:\x20\x20\x20\x20\x20\x20\x20\x 20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 \x20\x20\x20\x20\x20\x20
SF:\*\r\n\*\x20\x20\x20\x20\x20\x20This\x20is\x20a \x20private\x20communica
SF:tion\x20system\.\x20\x20\x20\x20\x20\x20\x20\x2 0\x20\x20\x20\x20\*\r\n\
SF:*\x20\x20\x20Unauthorized\x20access\x20or\x20us e\x20may\x20lead\x20to\x
SF:20prosecution\.\x20\x20\x20\*\r\n\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\ *\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\r\n\r\n\r\nLogin\x20authentication\r\ n\r\n\r\nUsername:")%r(D
SF:NSVersionBindReq,37,"\r\nError:All\x20user\x20i nterfaces\x20are\x20used
SF:,\x20please\x20try\x20later!")%r(DNSStatusReque st,37,"\r\nError:All\x20
SF:user\x20interfaces\x20are\x20used,\x20please\x2 0try\x20later!")%r(Help,
SF:37,"\r\nError:All\x20user\x20interfaces\x20are\ x20used,\x20please\x20tr
SF:y\x20later!")%r(SSLSessionReq,37,"\r\nError:All \x20user\x20interfaces\x
SF:20are\x20used,\x20please\x20try\x20later!");
Read data files from: C:\nmap-5.00
Service detection performed. Please report any incorrect results at
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds
Raw packets sent: 1174 (51.632KB) | Rcvd: 1162 (46.500KB)
Starting Nmap 5.00 (]Nmap - Free Security Scanner For Network Exploration & Security Audits.] ) at 2009-11-04 19:31 Pakistan Standard Ti
e
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:31
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:31, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.04s elapsed
Initiating SYN Stealth Scan at 19:31
Scanning 192.168.0.1 [1000 ports]
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 22/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:31, 7.45s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.0.1
Retrying OS detection (try #2) against 192.168.0.1
Host 192.168.0.1 is up (0.039s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
Device type: switch|WAP
Running (JUST GUESSING) : HP embedded (88%), D-Link embedded (86%), TRENDnet em
edded (86%), 3Com embedded (86%)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (88%), D-Link DWL-624+
or DWL-2000AP, or TRENDnet TEW-432BRP WAP (86%), 3Com 8810 switch (86%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=18 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Telneting this machine gives the banner
Neotrace gives the following output
************************************************** *********
* All rights reserved (2000-2007) *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
************************************************** *********
Login authentication
Username:
I think that the ip addresses 192.168.x.x are private addresses and are non-routable (meaning you shouldn't be able to access these addresses if they are not from your internal network). As the traceroute shows that the machine is behind the PIE and it seems to be quite well setup.
Map
Node Data
Node Net Reg IP Address Location Node Name
1 - - 192.168.1.x
2 1 - 192.168.1.1 -
3 2 - 116.71.208.1 -
4 2 - 116.71.241.245 -
5 3 - 221.120.253.41 - rwp44.pie.net.pk
6 3 - 221.120.253.10 - rwp44.pie.net.pk
7 1 - 192.168.0.1 -
Packet Data
Node High Low Avg Total Lost
1 0 0 0 1 0
2 25 25 25 1 0
3 135 135 135 1 0
4 44 44 44 1 0
5 37 37 37 1 0
6 36 36 36 1 0
7 38 38 38 1 0
Network Data
Network id#:1
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
Network id#:2
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
Network id#:3
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
I am trying to investigate the machine on my own but have got no ideas how to proceed further What could this machine be any wild guesses? and one more thing you people should also try probing this machine and make sure not to confuse your own router with it :-)
IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.
Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
I agree. From my house if I do a 192.168.x.x scan I can see some VOIP boxes my ISP has out in Utah. I'm in NY.Originally Posted by streaker69
But isn't this against the rules to make a non-routable IP address a routable one! and one more thing, although i don't want to proceed further but, if someone wanted to proceed further what else can he do other than brute forcing that IP? (which probably isn't the most sensable thing one would like to do legally as well as technically)IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.
Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
No. You do not understand the rules of how routing and such work - definitely worth a look.Nothing. It's on a non routable network... you can't get to thoseand one more thing, although i don't want to proceed further but, if someone wanted to proceed further what else can he do other than brute forcing that IP? (which probably isn't the most sensable thing one would like to do legally as well as technically):P
But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.
Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Given that many people here live in such a wide variety of places I don't think that you can so quickly conclude that port scanning isn't a crime where this person lives.No. You do not understand the rules of how routing and such work - definitely worth a look.Nothing. It's on a non routable network... you can't get to those
But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.
Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
Just a head up for the OP, it may or may not be a crime but it may also be against your ISP's TOS. You could have just broken those terms and given your ISP full rights to ban you.
Crime or not there was no reason whatsoever to run a port scan on that IP in order to show that it is an unusual situation.
Agreed.
I am not, however, familiar with a single country where the act of port scanning is enough to get you into trouble (by law). I do recall those kids getting "caught" by the FBI or NSA or whoever for hard-and-fast scanning, but I don't recall that being an actual law. Is there a particular country or line item I have missed?
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Not that I am aware of, although I am no expert on the subject. Hopefully someone else would be able to provide more information.
Not that i was about to hack in to that machine or so.. but I was just curious as to how would someone proceed further if he wanted to dig deeper.No. You do not understand the rules of how routing and such work - definitely worth a look.Nothing. It's on a non routable network... you can't get to those
But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.
Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
It was not that I didn't knew of what would one do but I just wanted to know what other people think about it. So if someone REALLY wants to dig deeper then there are ample guides on the internet and are much better than asking someone! The normal sequence can be nothing other than getting even more info on the target (supposing there was one!) by means of knowing more about their gateway and then maybe getting to know the vulnerabilities (by active or passive scanning and maybe social engineering hint:call isp to ask about it) and finally exploiting them or trying to bruteforce your way to the machine.
But all this stuff needs a dedicated person and someone who has plenty of time at his disposal (which surely excludes me out).
Thankyou everyone for their replies!
I don't believe I ever mentioned that port scanning was a crime, but it can be against the TOS/AUP of your ISP. Many of them have conducting recon clearly defined in their terms as being forbidden activity.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Posting Permissions
