This is weird

Discussion in 'Networks' started by zebulebu, Jun 9, 2007.

  1. zebulebu

    zebulebu Terabyte Poster

    I am running a scan on the 192.168.0.0/16 subnet on my home LAN - just for giggles.

    I've picked up loads of stuff outside my normal subnet range (192.168.1.0/24) and outside the default range for the cable modem (192.168.100.0/24).

    Now I know for a fact that my VMnet is set up with the 192.168.19.0/24 range (and it shows one live host on that range on the scan).

    However, I'm also getting results from the 192.168.10.0/24, 192.168.10.0/24, 192.168.12.0/24 and 192.168.13.0/24 subnets, and LOTS of results from the 192.168.66.0/24 and 192.168.67.0/24 subnets.

    I know for a fact that there is nothing nasty sitting in my network, yet I am pretty puzzled as I don't perform any ARP spoofing or tarpitting that might cause unregistered IPs to start responding.

    Any quick answers before I delve a bit deeper?

    Cheers
     
    Certifications: A few
    WIP: None - f*** 'em
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Strange. What routing table entries does your router have for those networks? It seems those networks could be external to your own, perhaps leaking from other cable subscribers.

    If your router considers those networks to be internal, then it is a real mystery where those responses are coming from!

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
  3. zebulebu

    zebulebu Terabyte Poster

    Update...

    Just ran an arp lookup after pinging a few of these spurious addresses, and there's nothing listed for them in the arp cache.

    I'm leaning towards it being a result of a box I sat outside the firewall for about fifteen minutes earlier this afternoon to grab some traffic for a Wireshark presentation I'm doing - though it's certainly odd that I should get addresses from private ranges - my cable ISP assigns addresses in the 10.0.0.0 subnet.

    My router also shows no entries in its routing table for these subnets.
     
    Certifications: A few
    WIP: None - f*** 'em
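The reasoning in the post above (a reply with no ARP cache entry and no router route for the subnet means the packets went out through the default gateway, not to a host on the LAN) can be turned into a check. The script below is an added example and not part of the original thread; it parses constructed sample text in the style of Linux `ip neigh show` and `ip route show` output (the format and sample addresses are assumptions) and classifies each responding address.

```python
import ipaddress

# Constructed sample in the style of `ip neigh show` (format assumed; not from the thread).
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.19.128 dev vmnet8 lladdr 00:0c:29:aa:bb:cc REACHABLE
"""

# Constructed sample in the style of `ip route show` (format assumed; not from the thread).
ROUTE_SAMPLE = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.19.0/24 dev vmnet8 proto kernel scope link src 192.168.19.1
"""


def parse_neighbours(text):
    """Return {ip: mac} for neighbour-table entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[ipaddress.ip_address(fields[0])] = fields[fields.index("lladdr") + 1]
    return table


def parse_routes(text):
    """Return (default_gateway, [directly connected networks])."""
    gateway, onlink = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default" and "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        elif "scope" in fields and "link" in fields:
            onlink.append(ipaddress.ip_network(fields[0]))
    return gateway, onlink


def classify(ip, neighbours, gateway, onlink):
    """Explain how a reply from `ip` reached us, given the local tables."""
    addr = ipaddress.ip_address(ip)
    if addr in neighbours:
        return "on-link"                 # resolved by ARP: a real host on our segment
    if any(addr in net for net in onlink):
        return "on-link-no-arp"          # in a connected subnet but never ARP-resolved: inconsistent
    if gateway is not None:
        return "via-default-gateway"     # not local; the reply came back through the router
    return "unexplained"


def classify_all(ips, neigh_text=NEIGH_SAMPLE, route_text=ROUTE_SAMPLE):
    """Classify every address in `ips` against the given neighbour and route tables."""
    neighbours = parse_neighbours(neigh_text)
    gateway, onlink = parse_routes(route_text)
    return {ip: classify(ip, neighbours, gateway, onlink) for ip in ips}


if __name__ == "__main__":
    # Constructed responders: one LAN host, one VM, one from an unexpected 192.168.66.0/24 subnet.
    for ip, verdict in classify_all(["192.168.1.20", "192.168.19.128", "192.168.66.5"]).items():
        print(f"{ip:16} {verdict}")
```

A responder that lands in "via-default-gateway" is exactly the thread's situation: the only path to it is the router's default route, so whatever answered sits beyond the local segment. A responder in "on-link-no-arp" deserves a closer look, because a host on a connected subnet cannot reply to a ping without its MAC ending up in the neighbour table.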
  4. zebulebu

    zebulebu Terabyte Poster

    Update 2...

    Looks like it's definitely the cable network leaking information. I suppose they're just machines on the same cable segment as me that aren't firewalled up :blink cos a trace route takes me through what I know is the IP of my UBR (10.85.0.1) via my router.

    Odd, though, that they should be displaying local IP addresses - a trace route takes me via my router - Telewest UBR - Telewest public IP - internal IP.

    I might nmap one of them in a bit and see if I can see what's up...
     
    Certifications: A few
    WIP: None - f*** 'em
  5. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    I'm curious as to how the Telewest router has gotten routes to them. Seems like Telewest should clean up that segment :)

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
  6. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I believe there was a time that on a given cable segment all Windows shares were visible to other machines!

    Perhaps this is a similar leakage?

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  7. zebulebu

    zebulebu Terabyte Poster

    Update 3:

    I've run NMap against a random selection of the hosts - all appear to be running the same services on the same ports:

    Code:
    135/tcp     filtered      msrpc
    137/tcp     filtered      netbios-ns
    138/tcp     filtered      netbios-dgm
    139/tcp     filtered      netbios-ssn
    445/tcp     filtered      microsoft-ds
    1434/tcp    filtered      ms-sql-m
    1720/tcp    filtered      H.323/Q.931

    Them's Windoze boxes.

    Now, with ALL of them running the same services, and with only certain subnets 'live', I suspect it's part of a honeynet that Telewest/Virgin are running. Any other musings?
     
    Certifications: A few
    WIP: None - f*** 'em
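The observation that drives the honeynet suspicion above is uniformity: many hosts with an identical port list. The script below is an added example, not from the thread, that parses constructed text in the style of Nmap's normal output (host blocks introduced by "Nmap scan report for", addresses and port lists are made up) and groups hosts by their port/state signature, so clusters of identical hosts stand out. It also flags hosts whose every listed port is `filtered`; in Nmap's terms `filtered` means no reply (or an ICMP unreachable) came back, so such a host has shown no positive evidence of the service actually listening.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Nmap normal output (addresses and ports made up).
NMAP_SAMPLE = """\
Nmap scan report for 192.168.66.5
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds

Nmap scan report for 192.168.66.9
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds

Nmap scan report for 192.168.67.3
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service), ...]} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def signature(ports):
    """Order-independent fingerprint of a host's port/state list."""
    return tuple(sorted((p, proto, state) for p, proto, state, _ in ports))


def group_by_signature(hosts):
    """Map each distinct signature to the hosts that share it."""
    groups = defaultdict(list)
    for host, ports in hosts.items():
        groups[signature(ports)].append(host)
    return dict(groups)


def uniform_clusters(hosts, min_size=2):
    """Host groups sharing an identical signature, largest first."""
    groups = group_by_signature(hosts)
    return sorted((sorted(m) for m in groups.values() if len(m) >= min_size), key=len, reverse=True)


def all_filtered(ports):
    """True when no listed port gave a positive (open/closed) answer."""
    return bool(ports) and all(state == "filtered" for _, _, state, _ in ports)


if __name__ == "__main__":
    scan = parse_nmap_normal(NMAP_SAMPLE)
    for cluster in uniform_clusters(scan):
        print(f"{len(cluster)} hosts share one signature: {', '.join(cluster)}")
    for host, ports in scan.items():
        if all_filtered(ports):
            print(f"{host}: every port filtered, no service confirmed")
```

Grouping by signature rather than eyeballing host by host scales to the "LOTS of results" the thread mentions, and separating `filtered` from `open` keeps the conclusion honest: identical filtered lists are consistent with a honeynet, but equally with a single upstream filter applied to every host on the segment.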