Security Basics mailing list archives

RE: 192.168.x.x oddities


From: "Jimmy Brokaw" <hedgie () hedgie com>
Date: Tue, 15 Jun 2004 21:31:56 -0400 (EDT)

I got a lot of helpful replies, both on and off list, which prompted me to
do a little deeper digging.  I'll try to answer everyone's questions
collectively, rather than answering twenty separate e-mails.

Excluding my computers, broadcast addresses, and network addresses, the
"rogue" addresses left were:

192.168.18.254
192.168.19.1
192.168.19.254
192.168.100.1

After doing traceroutes, I got the following:

192.168.18.254 - packet reaches gateway, then an unidentified computer
registered to my ISP, then is blocked thereafter.  All hops are public
IPs.
192.168.19.1 - packet reaches gateway, then the same unid'd computer as
before, then 172.18.240.1 -- another RFC 1918 address, then reaches
192.168.19.1.
192.168.19.254 - Same as .1, except it stops at 172.18.240.1 (Does this
mean both addresses are the same machine?)
192.168.100.1 - Goes through my router and stops.  I quickly deduced this
was my cable modem, and a quick port scan confirmed this.

So, my list of "rogue" addresses is down to three:
192.168.18.254
192.168.19.1
192.168.19.254

192.168.18.254 has no open ports to help identify it.  Most ports are
closed, some (netbios, subseven, and a few others) are filtered.  No idea
what this machine is.

192.168.19.1 has a lot of open ports, including ftp, telnet, smtp, time,
sunrpc, X11 (6000), and quite a few more.  NMap failed to id the OS,
although the open ports gives a little clue.  I'm sure I could find more
out with banner grabs, but I'm not positive how the ISP would look at
that.

192.168.19.254 has telnet, 2001, and 6001 open.  Again, no OS fingerprint.

To answer the question of several people, no, these are not computers
connected via wifi.  If my security, authentication, and logging weren't
enough to demonstrate it, the traceroutes should.  And besides, they stay
if I disable the wifi. :)  And yes, the cable company issues me a public
IP address.

Right now my NetGear router is using 192.168.0.* as the private address
range, with a subnet mask of 255.255.255.0.  Again, I'm not an expert by
any means.  I'm assuming that if I change that mask to 255.255.0.0, I'll
lose the ability to see these machines - is this correct?

I was also thinking of leaving the common 192.168.*.* range for other RFC
1918 address blocks, but the 172.18.240.1 address that appeared in my
previous traceroute makes me think that there are other RFC 1918 addresses
out there.

I understand my router *ought* to not route RFC 1918 traffic out to the
Net, but there doesn't appear to be any options to restrict it (unless I
program static routes for them all).  It also seems the ISP *ought* to
filter that traffic originating from cable modems.

At this point I'm very close to calling the ISP and telling them about the
problem.  Getting ahold of an intelligent person might prove difficult,
but I'm guessing that calling or e-mailing the TechName from the WHOIS
database might prove the best starting point (as opposed to Tech Support,
irk).  What I'd really like to grasp before doing that is:

(1)  Is there any legitimate reason why I ought to be able to reach out to
RFC 1918 IP addresses from my network?  Someone mentioned TFTP for cable
modem updates, but I don't see why that can't be done with public IP
addresses.  I also seriously doubt these machines fall in that category.
(2)  Are there real security concerns with this configuration? 
Intuitively it sounds "wrong," and a few people echoed that.  But I don't
know of any explicit reason for it to be so, other than the fact that
future sysadmins may "assume" that those computers are on a private
network when in fact all customers have access to them.
(3)  Is this a "normal" configuration?  I got two responses referring to
ISPs that assign customers private IP addresses, but that isn't the case
here.  Additionally, a traceroute from my computer goes out to public IP
addresses and then *back* into the private IP ranges.


-- 
   \\\\\                       hedgie () hedgie com
  \\\\\\\__o   Bringing hedgehogs to the common folk since 1994.
__\\\\\\\'/________________________________________________________

Visit http://www.hedgie.com for information on my latest book,
"Waiting for War," published by Aventine Press!
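As an added illustration (not code from the original post or the list), the following Python checks the two things the post turns on: which hops in a traceroute are RFC 1918 addresses sitting beyond a public hop, and whether an address would be treated as on-link (ARPed for directly instead of sent to the gateway) under a given netmask. The traceroute text is constructed after the path described above, and the 198.51.100.1 hop is a documentation-range placeholder for the ISP host.

```python
import ipaddress
import re

# Constructed sample modelled on the path in the post:
# gateway -> ISP host -> 172.18.240.1 -> 192.168.19.1.
# 198.51.100.1 is a placeholder (RFC 5737 documentation range), not a real host.
SAMPLE_TRACEROUTE = """\
traceroute to 192.168.19.1 (192.168.19.1), 30 hops max
 1  192.168.0.1  1.2 ms
 2  198.51.100.1  9.8 ms
 3  172.18.240.1  12.4 ms
 4  192.168.19.1  13.0 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def is_rfc1918(ip):
    """True for the three RFC 1918 private blocks only (not other special ranges)."""
    return any(ip in net for net in RFC1918)

def parse_hops(text):
    """Return the hop IPs, in order, from traceroute-style output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(ipaddress.ip_address(m.group(2)))
    return hops

def leaked_private_hops(hops):
    """RFC 1918 hops that appear after the first public hop.  Such hops mean
    private-range traffic is being routed past the ISP edge instead of dropped;
    a private hop before any public hop (e.g. a cable modem) is not flagged."""
    seen_public = False
    leaked = []
    for hop in hops:
        if not is_rfc1918(hop):
            seen_public = True
        elif seen_public:
            leaked.append(str(hop))
    return leaked

def on_link(addr, local_ip, netmask):
    """Would addr fall inside the local subnet under netmask?  If so the host
    ARPs for it on the LAN rather than forwarding it to the default gateway."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(addr) in net
```

With the sample, the two hops past the ISP host are flagged, and 192.168.19.1 is off-link under 255.255.255.0 but on-link under 255.255.0.0, while 172.18.240.1 stays off-link under both.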
