Remote Exploit Forums

Pentesting

#1
11-04-2009, 04:07 PM
Junior Member
Join Date: Jan 2009
Posts: 10

A strange IP address in my network!!

My private IP address scheme is in the 192.168.1.x subnet. Here is my network diagram:

Quote:
DSL-Modem (192.168.1.1)
|
|
Switch
|
My-PC (192.168.1.x)
and a voip phone (192.168.1.x)
But there is an IP address, 192.168.0.1, which can be pinged from my modem as well as from my computer. The result of the ping is:

Quote:
> ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
56 bytes from 192.168.0.1: icmp_seq=0 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=250 time=30.0 ms

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.0/33.3/35.0 ms
I did a traceroute and the result is:

Quote:
C:\nmap-5.00>tracert 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 192.168.1.1
2 34 ms 39 ms 40 ms 116.71.208.1
3 32 ms 32 ms 33 ms 116.71.241.245
4 36 ms 36 ms 36 ms rwp44.pie.net.pk [221.120.253.41]
5 36 ms 36 ms 35 ms 221.120.253.10
6 35 ms 35 ms 35 ms 192.168.0.1

Trace complete.
I ran nmap with the parameters (-sV -oO -v) and the output is:
Quote:
C:\nmap-5.00>nmap.exe -sV -oO -v 192.168.0.1

Starting Nmap 5.00 at 2009-11-04 19:10 Pakistan Standard Time
NSE: Loaded 3 scripts for scanning.
Initiating Ping Scan at 19:10
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:10, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:10
Completed Parallel DNS resolution of 1 host. at 19:10, 0.04s elapsed
Initiating SYN Stealth Scan at 19:10
Scanning 192.168.0.1 [1000 ports]
Discovered open port 22/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:10, 6.40s elapsed (1000 total ports)
Initiating Service scan at 19:10
Scanning 2 services on 192.168.0.1
Completed Service scan at 19:10, 7.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.1.
NSE: Script Scanning completed.
Host 192.168.0.1 is up (0.043s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet?
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip

1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
SF-Port23-TCP:V=5.00%I=7%D=11/4%Time=4AF18B47%P=i686-pc-windows-windows%r(
SF:NULL,37,"\r\nError:All\x20user\x20interfaces\x20are\x20used,\x20please\
SF:x20try\x20later!")%r(GenericLines,37,"\r\nError:All\x20user\x20interfac
SF:es\x20are\x20used,\x20please\x20try\x20later!")%r(GetRequest,37,"\r\nEr
SF:ror:All\x20user\x20interfaces\x20are\x20used,\x20please\x20try\x20later
SF:!")%r(HTTPOptions,37,"\r\nError:All\x20user\x20interfaces\x20are\x20use
SF:d,\x20please\x20try\x20later!")%r(RTSPRequest,37,"\r\nError:All\x20user
SF:\x20interfaces\x20are\x20used,\x20please\x20try\x20later!")%r(RPCCheck,
SF:223,"\xff\xfb\x01\xff\xfb\x01\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\x
SF:fd\x1f\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\n\*\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20All\x20rights\x20reserved\x20\(2000
SF:-2007\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\*\r
SF:\n\*\x20\x20\x20\x20\x20\x20\x20Without\x20the\x20owner's\x20prior\x20w
SF:ritten\x20consent,\x20\x20\x20\x20\x20\x20\x20\x20\*\r\n\*\x20no\x20dec
SF:ompiling\x20or\x20reverse-engineering\x20shall\x20be\x20allowed\.\x20\*
SF:\r\n\*\x20Notice:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\*\r\n\*\x20\x20\x20\x20\x20\x20This\x20is\x20a\x20private\x20communica
SF:tion\x20system\.\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\*\r\n\
SF:*\x20\x20\x20Unauthorized\x20access\x20or\x20use\x20may\x20lead\x20to\x
SF:20prosecution\.\x20\x20\x20\*\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\r\n\r\n\r\nLogin\x20authentication\r\n\r\n\r\nUsername:")%r(D
SF:NSVersionBindReq,37,"\r\nError:All\x20user\x20interfaces\x20are\x20used
SF:,\x20please\x20try\x20later!")%r(DNSStatusRequest,37,"\r\nError:All\x20
SF:user\x20interfaces\x20are\x20used,\x20please\x20try\x20later!")%r(Help,
SF:37,"\r\nError:All\x20user\x20interfaces\x20are\x20used,\x20please\x20tr
SF:y\x20later!")%r(SSLSessionReq,37,"\r\nError:All\x20user\x20interfaces\x
SF:20are\x20used,\x20please\x20try\x20later!");

Read data files from: C:\nmap-5.00
Service detection performed. Please report any incorrect results at
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds
Raw packets sent: 1174 (51.632KB) | Rcvd: 1162 (46.500KB)
Another nmap OS fingerprint scan shows:

Quote:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-04 19:31 Pakistan Standard Time
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:31
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:31, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.04s elapsed
Initiating SYN Stealth Scan at 19:31
Scanning 192.168.0.1 [1000 ports]
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 22/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:31, 7.45s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.0.1
Retrying OS detection (try #2) against 192.168.0.1
Host 192.168.0.1 is up (0.039s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
Device type: switch|WAP
Running (JUST GUESSING) : HP embedded (88%), D-Link embedded (86%), TRENDnet embedded (86%), 3Com embedded (86%)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (88%), D-Link DWL-624+ or DWL-2000AP, or TRENDnet TEW-432BRP WAP (86%), 3Com 8810 switch (86%)
No exact OS matches for host (test conditions non-ideal).

TCP Sequence Prediction: Difficulty=18 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

Telnetting to this machine gives the banner:

Quote:



***********************************************************
* All rights reserved (2000-2007) *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************


Login authentication


Username:
Neotrace gives the following output:

Quote:

Map


Node Data
Node  Net  Reg  IP Address       Location  Node Name
1     -    -    192.168.1.x
2     1    -    192.168.1.1      -
3     2    -    116.71.208.1     -
4     2    -    116.71.241.245   -
5     3    -    221.120.253.41   -         rwp44.pie.net.pk
6     3    -    221.120.253.10   -         rwp44.pie.net.pk
7     1    -    192.168.0.1      -
Packet Data
Node  High  Low  Avg  Total  Lost
1     0     0    0    1      0
2     25    25   25   1      0
3     135   135  135  1      0
4     44    44   44   1      0
5     37    37   37   1      0
6     36    36   36   1      0
7     38    38   38   1      0
Network Data
Network id#:1

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US


Network id#:2

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


Network id#:3

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
I think that the IP addresses 192.168.x.x are private addresses and are non-routable (meaning you shouldn't be able to access these addresses if they are not on your internal network). The traceroute shows that the machine is behind the PIE, and it seems to be quite well set up.

I am trying to investigate the machine on my own but have no idea how to proceed further. What could this machine be? Any wild guesses? And one more thing: you people should also try probing this machine, and make sure not to confuse your own router with it :-)
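The nmap service fingerprint in the post above is the raw SF-Port record that -sV prints when it cannot match a service. The parser below is an added example written for this page (it is neither nmap's code nor the OP's): it joins the SF: continuation lines, splits out each %r(probe,len,"data") record, decodes the \xHH escapes, checks the hex length field against the decoded bytes, and names the telnet option negotiation at the front of the banner. The embedded sample is the post's own fingerprint with the long RPCCheck banner shortened to its last two lines (and the length field recomputed to 0x33) to keep the example small; the probe names, the escaping and the 0x37-byte error string are as nmap emitted them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the SF block from the post, RPCCheck banner shortened to
# "Login authentication / Username:" with its hex length (0x33 = 51 bytes)
# recomputed. Kept as a raw string so the backslash escapes survive verbatim.
FINGERPRINT = r"""
SF-Port23-TCP:V=5.00%I=7%D=11/4%Time=4AF18B47%P=i686-pc-windows-windows%r(
SF:NULL,37,"\r\nError:All\x20user\x20interfaces\x20are\x20used,\x20please\
SF:x20try\x20later!")%r(GenericLines,37,"\r\nError:All\x20user\x20interfac
SF:es\x20are\x20used,\x20please\x20try\x20later!")%r(RPCCheck,33,"\xff\xfb
SF:\x01\xff\xfb\x01\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\nLog
SF:in\x20authentication\r\nUsername:")%r(Help,37,"\r\nError:All\x20user\x2
SF:0interfaces\x20are\x20used,\x20please\x20try\x20later!");
"""

HEADER = re.compile(r"^SF-Port(\d+)-(TCP|UDP):(.*?)%r\(", re.S)
RECORD = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)", re.S)

# Telnet command and option numbers (RFC 854/855 and the option RFCs).
TELNET_CMDS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
TELNET_OPTS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}


def join_sf_lines(text: str) -> str:
    """Glue the wrapped fingerprint back into one string. An escape may be split
    across lines ("\\x2" + "0"), so joining has to happen before decoding."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF:"):
            parts.append(line[3:])
        elif line.startswith("SF-Port"):
            parts.append(line)
    return "".join(parts)


def unescape(s: str) -> bytes:
    """Decode nmap's escaping: \\xHH for non-printables, \\r \\n \\t, and a
    backslash in front of regex metacharacters such as \\( \\* \\. ."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            c = m.group(2)
            out += {"r": b"\r", "n": b"\n", "t": b"\t"}.get(c, c.encode("latin-1"))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def parse_fingerprint(text: str) -> Dict[str, object]:
    """Return port, protocol, header fields and one decoded record per probe."""
    joined = join_sf_lines(text)
    h = HEADER.match(joined)
    if h is None:
        raise ValueError("not an SF fingerprint")
    fields = dict(kv.split("=", 1) for kv in h.group(3).split("%") if "=" in kv)
    responses = []
    for probe, hexlen, raw in RECORD.findall(joined):
        data = unescape(raw)
        responses.append({
            "probe": probe,
            "declared_len": int(hexlen, 16),
            "data": data,
            "length_ok": int(hexlen, 16) == len(data),  # False means a damaged copy
        })
    return {"port": int(h.group(1)), "proto": h.group(2),
            "fields": fields, "responses": responses}


def strip_telnet_negotiation(data: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split the leading IAC <cmd> <opt> triples off a telnet banner."""
    negs = []
    while len(data) >= 3 and data[0] == 0xFF and data[1] in TELNET_CMDS:
        negs.append((TELNET_CMDS[data[1]], TELNET_OPTS.get(data[2], str(data[2]))))
        data = data[3:]
    return negs, data


def group_by_response(fp: Dict[str, object]) -> Dict[bytes, List[str]]:
    """Which probes got the same answer? Makes it obvious that every probe but
    RPCCheck was refused with the 'all user interfaces are used' error."""
    groups: Dict[bytes, List[str]] = {}
    for r in fp["responses"]:
        groups.setdefault(r["data"], []).append(r["probe"])
    return groups


if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT)
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['fields']['V']}")
    for data, probes in group_by_response(fp).items():
        negs, rest = strip_telnet_negotiation(data)
        print(probes, negs, rest)
```

Run stand-alone it prints one line per distinct response. The grouping is the interesting part for reading the post's scan: every probe except RPCCheck was answered with "Error: All user interfaces are used, please try later!", which is consistent with the device having a small fixed number of telnet sessions that the parallel version probes tied up, and explains why -sV could only label the port "telnet?". A length mismatch flags a damaged copy (a forum's line wrapping inserts exactly the kind of stray spaces seen above), which is worth checking before submitting a fingerprint to nmap.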
#2
11-04-2009, 04:19 PM
streaker69
Senior Member
Join Date: May 2007
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 3,510

IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
__________________
A 3rd Party Security Audit is the IT equivalent of a Colonoscopy, it's long, intrusive, and when it's done you'll have seen a lot of things you really didn't want to see, and you'd definitely remember that you had it done.

I baby harp seals.
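streaker69's point can be checked mechanically: an RFC 1918 address that only becomes reachable after public hops is not on your LAN, whatever its first two octets suggest. The script below is an added example written for this page, not tooling from the thread. It parses Windows tracert output (the post's trace, re-typed here as sample input), classifies each hop as private or public, decides where the target actually sits relative to the local subnet, and cross-checks the ping TTL of 250 against the hop count: 255 is the usual initial TTL on network equipment, so 255 - 250 = 5 routers in between, which agrees with the target appearing at hop 6. The local PC address 192.168.1.50/24 is an assumption; the post only gives 192.168.1.x.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the tracert output quoted in the post, re-typed
# here so the script runs offline.
TRACERT_OUTPUT = """\
Tracing route to 192.168.0.1 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.1.1
  2    34 ms    39 ms    40 ms  116.71.208.1
  3    32 ms    32 ms    33 ms  116.71.241.245
  4    36 ms    36 ms    36 ms  rwp44.pie.net.pk [221.120.253.41]
  5    36 ms    36 ms    35 ms  221.120.253.10
  6    35 ms    35 ms    35 ms  192.168.0.1

Trace complete.
"""
LOCAL_NET = "192.168.1.50/24"   # assumption: the post only says 192.168.1.x
TARGET = "192.168.0.1"
PING_TTL = 250                  # ttl=250 in the post's ping output

# RFC 1918 spelled out, so "private" means exactly RFC 1918 here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_LINE = re.compile(r"^\s*(\d+)\s")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

Hop = Tuple[int, Optional[ipaddress.IPv4Address]]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def parse_tracert(text: str) -> List[Hop]:
    """Turn tracert (or Unix traceroute) output into (hop, address) pairs.
    Hops that did not answer ("Request timed out." / "* * *") are kept as None so
    the numbering stays intact. The last IPv4 literal on the line is used, which
    handles the "hostname [a.b.c.d]" form tracert prints for resolved hops."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                  # header, blank line or "Trace complete."
        ips = IPV4.findall(line)
        hops.append((int(m.group(1)), ipaddress.ip_address(ips[-1]) if ips else None))
    return hops


def hops_from_ttl(observed_ttl: int) -> Tuple[int, int]:
    """Guess the replying host's initial TTL (64, 128 and 255 are the common
    defaults) and the number of routers crossed: initial minus observed."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range")


def analyze(hops: List[Hop], target: str, local_net: str,
            reply_ttl: Optional[int] = None) -> Dict[str, object]:
    """Decide where `target` sits relative to the local LAN from the trace alone."""
    tgt = ipaddress.ip_address(target)
    lan = ipaddress.ip_network(local_net, strict=False)
    target_hop = next((n for n, a in hops if a == tgt), None)
    before = [a for n, a in hops if a is not None and (target_hop is None or n < target_hop)]
    public_before = [a for a in before if not is_rfc1918(a)]

    if tgt in lan:
        verdict = "on-lan"
    elif not is_rfc1918(tgt):
        verdict = "public-internet"
    elif public_before:
        verdict = "isp-side-private"     # private address reached across public routers
    else:
        verdict = "other-local-segment"  # e.g. the modem's own subnet behind the router

    result: Dict[str, object] = {
        "verdict": verdict,
        "target_hop": target_hop,
        "public_hops_before": len(public_before),
        "first_public_hop": str(public_before[0]) if public_before else None,
    }
    if reply_ttl is not None and target_hop is not None:
        initial, routers = hops_from_ttl(reply_ttl)
        result["initial_ttl_guess"] = initial
        result["ttl_consistent_with_trace"] = routers + 1 == target_hop
    return result


if __name__ == "__main__":
    hops = parse_tracert(TRACERT_OUTPUT)
    for hop, addr in hops:
        label = "no reply" if addr is None else ("private" if is_rfc1918(addr) else "public")
        print(f"{hop:2d}  {str(addr):16}  {label}")
    print(analyze(hops, TARGET, LOCAL_NET, reply_ttl=PING_TTL))
```

For the post's trace the verdict is "isp-side-private": four public hops sit between the modem and 192.168.0.1, so the address lives in the ISP's network (a management or NAT segment, as streaker69 suggests), not behind the OP's switch. The TTL cross-check is a cheap second opinion when a trace is incomplete: a reply TTL of 250 with a guessed initial of 255 means five routers away, matching hop 6.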
#3
11-04-2009, 05:05 PM
beakmyn
Member
Join Date: Jun 2006
Posts: 59

Quote:
Originally Posted by streaker69
IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
I agree. From my house if I do a 192.168.x.x scan I can see some VOIP boxes my ISP has out in Utah. I'm in NY.
__________________
-
The future begins tomorrow!
#4
11-05-2009, 05:50 AM
Junior Member
Join Date: Jan 2009
Posts: 10

Quote:
IMO, when the traceroute indicated that the IP is not on your actual network, you should have stopped there.

Chances are, your ISP is doing some funky NAT work using the 192.168.x.x network, probably for communication with their DSL modems. This probably isn't good, but it certainly isn't on YOUR network.
But isn't it against the rules to make a non-routable IP address a routable one?! And one more thing: although I don't want to proceed further, if someone wanted to proceed further, what else could he do other than brute-forcing that IP? (which probably isn't the most sensible thing one would want to do, legally as well as technically)
#5
11-05-2009, 06:57 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Originally Posted by generaluser
But isn't this against the rules to make a non-routable IP address a routable one!
No. You do not understand the rules of how routing and such work - definitely worth a look.
Quote:
and one more thing, although i don't want to proceed further but, if someone wanted to proceed further what else can he do other than brute forcing that IP? (which probably isn't the most sensable thing one would like to do legally as well as technically)
Nothing. It's on a non-routable network... you can't get to those :P

But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
#6
11-05-2009, 07:16 AM
Senior Member
Join Date: Feb 2008
Posts: 418

Quote:
Originally Posted by Gitsnik
No. You do not understand the rules of how routing and such work - definitely worth a look. Nothing. It's on a non-routable network... you can't get to those :P

But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
Given that many people here live in such a wide variety of places, I don't think that you can so quickly conclude that port scanning isn't a crime where this person lives.

Just a heads up for the OP: it may or may not be a crime, but it may also be against your ISP's TOS. You could have just broken those terms and given your ISP full rights to ban you.

Crime or not there was no reason whatsoever to run a port scan on that IP in order to show that it is an unusual situation.
__________________
The only real problems in life are the problems that are common to all humans.

Last edited by hhmatt81; 11-05-2009 at 07:16 AM. Reason: punctuation
#7
11-05-2009, 07:22 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Originally Posted by hhmatt81
Crime or not there was no reason whatsoever to run a port scan on that IP in order to show that it is an unusual situation.
Agreed.

I am not, however, familiar with a single country where the act of port scanning is enough to get you into trouble (by law). I do recall those kids getting "caught" by the FBI or NSA or whoever for hard-and-fast scanning, but I don't recall that being an actual law. Is there a particular country or line item I have missed?
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
#8
11-05-2009, 08:00 AM
Senior Member
Join Date: Feb 2008
Posts: 418

Quote:
Originally Posted by Gitsnik
Is there a particular country or line item I have missed?
Not that I am aware of, although I am no expert on the subject. Hopefully someone else would be able to provide more information.
__________________
The only real problems in life are the problems that are common to all humans.
#9
11-05-2009, 10:41 AM
Junior Member
Join Date: Jan 2009
Posts: 10

Quote:
Originally Posted by Gitsnik
No. You do not understand the rules of how routing and such work - definitely worth a look. Nothing. It's on a non-routable network... you can't get to those :P

But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.

Honestly (and not being rude despite my normal disposition): If you have to ask, you are not skilled enough to do it anyway, so even if we were that sort of forum, I wouldn't help you.
Not that I was about to hack into that machine or anything, but I was just curious as to how someone would proceed further if he wanted to dig deeper.
It was not that I didn't know what one would do, but I just wanted to know what other people think about it. So if someone REALLY wants to dig deeper, then there are ample guides on the internet, and they are much better than asking someone! The normal sequence can be nothing other than getting even more info on the target (supposing there was one!) by means of knowing more about their gateway, and then maybe getting to know the vulnerabilities (by active or passive scanning, and maybe social engineering; hint: call the ISP to ask about it), and finally exploiting them or trying to brute-force your way into the machine.

But all this stuff needs a dedicated person and someone who has plenty of time at his disposal (which surely excludes me).

Thank you everyone for your replies!

Last edited by generaluser; 11-05-2009 at 10:47 AM.
#10
11-05-2009, 02:12 PM
streaker69
Senior Member
Join Date: May 2007
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 3,510

Quote:
Originally Posted by Gitsnik
But seriously, nothing. I don't agree with streaks (Port scanning is not a crime - though the Nmap scripting engine is beginning to borderline it IMO), but beyond that, nothing more will you do.
I don't believe I ever mentioned that port scanning was a crime, but it can be against the TOS/AUP of your ISP. Many of them have conducting recon clearly defined in their terms as being forbidden activity.
__________________
A 3rd Party Security Audit is the IT equivalent of a Colonoscopy, it's long, intrusive, and when it's done you'll have seen a lot of things you really didn't want to see, and you'd definitely remember that you had it done.

I baby harp seals.
All times are GMT.