Security Basics mailing list archives
RE: 192.168.x.x oddities
From: "Mike" <mike () superiorholidayadventures ca>
Date: Wed, 16 Jun 2004 08:41:46 -0400
I run a small network at home, using a wireless router to connect to a cable modem. My internal IPs all fall in the 192.168.0.x range, which
is
the only address-space the router is configured to support. I've got authentication and logging, so before anyone says "I bet it's a
neighbor
using your connection," I've verified nobody else is logging in.
Ok, pretty common setup.
My understanding is that the entire 192.168.x.x range is for internal networks only (RFC 1918), and unrouteable on the Internet. When I run
the
following command, however, I can see several computers:
Yes, the 192.168.x.x range is for internal networks and is not routable on the Internet.
[computer]$ nmap 192.168.*.* -sP I get what looks like four computers (in addition to mine), plus some
x.0
and x.255 addresses responding to the pings. I picked one at random,
and
it appears to belong to my ISP. Doing a traceroute, I found the
packet
reached its destination at a public (routeable) address, indicating to
me
the machine has two addresses on the same interface. RFC 1918 states:
Are you saying that you see four computers, erm.. correction - ip addresses? Yours, the router, x.0, and x.255? If so, then you are the only computer on your network. x.0 and x.255 are network broadcast addresses (nmap should have told you this) and are not actual reachable nodes. Or are you saying that you see four ip addresses as well as these x.0 and x.255? After you do your nmap scan, can you check your ARP cache (arp -a)? This will tell you if there are indeed unique computers on your network. You may want to write down your router's MAC address and the MAC of the NIC in your computer. You should be able to get your router's MAC from the web interface and the MAC of your computer by using 'ifconfig | grep -i hwaddr'.
Am I therefore correct in my assumption that the ISP is routing my
pings
onto their internal network? Is this a normal response? It seems
like
there ought to be security concerns here, but I can't nail them down, except the assumption that traffic destined for 192.168.x.x addresses
may
not be filtered as well (or at all), since it may be assumed it
originated
from within the internal network.
You're not supposed to, but I've seen it done with 10.x addresses before. A simple 'traceroute -n www.google.com' will show you the addresses that your ISP is using. Mike Fetherston --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- 192.168.x.x oddities Jimmy Brokaw (Jun 15)
- Re: 192.168.x.x oddities JGrimshaw (Jun 16)
- RE: 192.168.x.x oddities Nathaniel Hall (Jun 16)
- Re: 192.168.x.x oddities Ranjeet Shetye (Jun 18)
- Re: 192.168.x.x oddities steve (Jun 21)
- RE: 192.168.x.x oddities Burton M. Strauss III (Jun 21)
- <Possible follow-ups>
- RE: 192.168.x.x oddities Shawn Jackson (Jun 16)
- RE: 192.168.x.x oddities Jimmy Brokaw (Jun 21)
- Re: 192.168.x.x oddities steve (Jun 23)
- RE: 192.168.x.x oddities David Gillett (Jun 24)
- RE: 192.168.x.x oddities Jimmy Brokaw (Jun 21)
- RE: 192.168.x.x oddities Mike (Jun 17)
- RE: 192.168.x.x oddities Shawn Jackson (Jun 17)
- RE: 192.168.x.x oddities Keith T. Morgan (Jun 24)