Re: Questions about 192.168

• Previous message: Paul Benedek: "RE: Continued probing with source IP 10.x.x.x"
• In reply to: Jim: "Questions about 192.168"
• Next in thread: David Gillett: "RE: Questions about 192.168"
• Reply: David Gillett: "RE: Questions about 192.168"
• Reply: Ethan : "RE: Questions about 192.168"
• Reply: Michael Lang: "Re: Questions about 192.168"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 8 Jul 2003 13:20:33 -0400 (EDT)
To: security-basics@securityfocus.com

jim: Date: Mon, 7 Jul 2003 20:27:17 -0400
jim: From: Jim <jimhoward300@hotmail.com>
jim: To: security-basics@securityfocus.com
jim: Subject: Questions about 192.168
jim:
jim: Hi,
jim:
jim: I've been following some of the conversations about 192.168 networks,
jim: and tried some experimentation, and came up with a few questions:
jim:
jim: 1. I've tried the technique mentioned to ping the broadcast address,
jim: and then check arp -a (on Windows 2000 machines). This didn't seem to
jim: work. For example, I pinged 192.168.100.255. This should add all
jim: 192.168.100.x IPs into my arp cache, right? But my cable modem didn't
jim: show up in my arp cache after doing this. However, when I pinged my
jim: cable modem directly (192.168.100.1), it did show up in my arp cache. I
jim: tried this on a computer on the Internet (which I telneted to), with
jim: similar results. (Is it because Microsoft recognizes 192.168.100.255 as
jim: a valid IP?). When I do a traceroute to my cable modem (192.168.100.1),
jim: it is a direct hop.

Since 192.168 is a non-routeable IP (ie: wont reach the Internet), it's
no real surprise that nothing answered you from 100 subnet.

Unless you are running several computers, connected to a single
hub/switch, with IP addresses of 192.168.100.xxx, you will not reach
anything.

jim: 2. However, with the computer on the Internet I mentioned (which I am
jim: telneting to), there were the following IPs: 192.168.1.0, 192.168.1.1,
jim: 192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through
jim: doing an nmap scan. (pinging 192.168.1.255 produced no results in the
jim: arp table) Three are apparently Cisco routers (192.168.1.0 and
jim: 192.168.1.255 are both ping-able). When doing nmap, it shows
jim: 192.168.1.255 as remote, the others as local. However, when I do a
jim: traceroute on these supposedly local ones, it shows a number of hops out
jim: over the Internet, implying that they are not connected locally. Does
jim: this make sense?

Something is misconfigured, and considered to be a security threat.

There should be no way that a traceroute from an internal IP address
should go through an external IP and back to an internal IP.

Is your NIC configure with both an internal and external IP?

jim: 3. I recently checked my firewall (Network ICE), and noticed an attack
jim: from this IP: 192.168.1.113. I tried to ping the attacking IP, but no
jim: response. The attack details were these:
jim: TCP OS Fingerprint, and then FTP Port Probe. Does this make any sense?
jim: How can someone use a supposedly local IP (192.168) to attack me?
jim: (Cable modem with 2 computers hooked up).

Spoofed source IP address.

jim: So can someone clarify these things? IE, why does it look like the only
jim: way to really detect 192.168 devices on your network is to scan for them
jim: - in other words, the pinging of the broadcast address doesn't work (or
jim: am I pinging the wrong broadcast address?). Why do 192.168 devices,
jim: which are supposed to be local, have a number of (internet) hops between
jim: them when you ping them? And can anyone explain how someone could
jim: attack me via my cable modem, with a source address of 192.168.1.113
jim: (which I was unable to ping or otherwise detect)? In general, why don't
jim: these 192.168 addresses show up in the routing table, netstat, etc.?
jim:
jim: Thanks,
jim:
jim: Jim

As mentioned above, the class "B" 192.168.xxx.yyy IPs and class
"A" 10.xxx.yyy.zzz IPs (as well as a class "C" set of IP addresses)
are not routeable.

HTH

Thanks

 Scott Birl http://concept.temple.edu/sysadmin/
 Senior Systems Administrator Computer Services Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

• Previous message: Paul Benedek: "RE: Continued probing with source IP 10.x.x.x"
• In reply to: Jim: "Questions about 192.168"
• Next in thread: David Gillett: "RE: Questions about 192.168"
• Reply: David Gillett: "RE: Questions about 192.168"
• Reply: Ethan : "RE: Questions about 192.168"
• Reply: Michael Lang: "Re: Questions about 192.168"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]