Security Basics mailing list archives

Re: 192.168.x.x oddities


From: "steve" <securityfocus () delahunty com>
Date: Tue, 22 Jun 2004 08:03:24 -0400

Also related, if you are port scanning computers on your ISP's network you
may be violating your acceptable use agreement with them.  But of course it
helps with your research.

Answer to below is YES.  You obviously need to reach the ISP's gateway and
so forth, to access the Internet yes?
(1)  Is there any legitimate reason why I ought to be able to reach out to
RFC 1918 IP addresses from my network?  Someone mentioned TFTP for cable
modem updates, but I don't see why that can't be done with public IP
addresses.  I also seriously doubt these machines fall in that category.

Answer to the below is NO.  You could change your internal network to
10.x.x.x instead of 192.x.x.x if that makes you feel more secure.  If your
ISP could ping your internal computers, then you might worry (unless you are
running a webserver and have not prohibited ICMP ping to that server).
(2)  Are there real security concerns with this configuration?
Intuitively it sounds "wrong," and a few people echoed that.  But I don't
know of any explicit reason for it to be so, other than the fact that
future sysadmins may "assume" that those computers are on a private
network when in fact all customers have access to them.

Answer to the below is YES.  Not all ISPs provide public IPs to their
clients.  They likely have a private and public IP bound to your cable
modem.
(3)  Is this a "normal" configuration?  I got two responses referring to
ISPs that assign customers private IP addresses, but that isn't the case
here.  Additionally, a traceroute from my computer goes out to public IP
addresses and then *back* into the private IP ranges.


----- Original Message ----- 
From: "Jimmy Brokaw" <hedgie () hedgie com>
To: <security-basics () securityfocus com>
Sent: Tuesday, June 15, 2004 9:31 PM
Subject: RE: 192.168.x.x oddities


I got a lot of helpful replies, both on and off list, which prompted me to
do a little deeper digging.  I'll try to answer everyone's questions
collectively, rather than answering twenty separate e-mails.

Excluding my computers, broadcast addresses, and network addresses, the
"rogue" addresses left were:

192.168.18.254
192.168.19.1
192.168.19.254
192.168.100.1

After doing traceroutes, I got the following:

192.168.18.254 - packet reaches gateway, then an unidentified computer
registered to my ISP, then is blocked thereafter.  All hops are public
IPs.
192.168.19.1 - packet reaches gateway, then the same unid'd computer as
before, then 172.18.240.1 -- another RFC 1918 address, then reaches
192.168.19.1.
192.168.19.254 - Same as .1, except it stops at 172.18.240.1 (Does this
mean both addresses are the same machine?)
192.168.100.1 - Goes through my router and stops.  I quickly deduced this
was my cable modem, and a quick port scan confirmed this.

So, my list of "rogue" addresses is down to three:
192.168.18.254
192.168.19.1
192.168.19.254

192.168.18.254 has no open ports to help identify it.  Most ports are
closed, some (netbios, subseven, and a few others) are filtered.  No idea
what this machine is.

192.168.19.1 has a lot of open ports, including ftp, telnet, smtp, time,
sunrpc, X11 (6000), and quite a few more.  NMap failed to id the OS,
although the open ports gives a little clue.  I'm sure I could find more
out with banner grabs, but I'm not positive how the ISP would look at
that.

192.168.19.254 has telnet, 2001, and 6001 open.  Again, no OS fingerprint.

To answer the question of several people, no, these are not computers
connected via wifi.  If my security, authentication, and logging weren't
enough to demonstrate it, the traceroutes should.  And besides, they stay
if I disable the wifi. :)  And yes, the cable company issues me a public
IP address

Right now my NetGear router is using 192.168.0.* as the private address
range, with a subnet mask of 255.255.255.0.  Again, I'm not an expert by
any means.  I'm assuming that if I change that mask to 255.255.0.0, I'll
lose the ability to see these machines - is this correct?

I was also thinking of leaving the common 192.168.*.* range for other RFC
1918 address blocks, but the 172.18.240.1 address that appeared in my
previous traceroute makes me think that there are other RFC 1918 addresses
out there.

I understand my router *ought* to not route RFC 1918 traffic out to the
Net, but there doesn't appear to be any options to restrict it (unless I
program static routes for them all).  It also seems the ISP *ought* to
filter that traffic originating from cable modems.

At this point I'm very close to calling the ISP and telling them about the
problem.  Getting ahold of an intelligent person might prove difficult,
but I'm guessing that calling or e-mailing the TechName from the WHOIS
database might prove the best starting point (as opposed to Tech Support,
irk).  What I'd really like to grasp before doing that is:

(1)  Is there any legitimate reason why I ought to be able to reach out to
RFC 1918 IP addresses from my network?  Someone mentioned TFTP for cable
modem updates, but I don't see why that can't be done with public IP
addresses.  I also seriously doubt these machines fall in that category.
(2)  Are there real security concerns with this configuration?
Intuitively it sounds "wrong," and a few people echoed that.  But I don't
know of any explicit reason for it to be so, other than the fact that
future sysadmins may "assume" that those computers are on a private
network when in fact all customers have access to them.
(3)  Is this a "normal" configuration?  I got two responses referring to
ISPs that assign customers private IP addresses, but that isn't the case
here.  Additionally, a traceroute from my computer goes out to public IP
addresses and then *back* into the private IP ranges.


-- 
   \\\\\                       hedgie () hedgie com
  \\\\\\\__o   Bringing hedgehogs to the common folk since 1994.
__\\\\\\\'/________________________________________________________

Visit http://www.hedgie.com for information on my latest book,
"Waiting for War," published by Aventine Press!
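The two technical questions in the post above (whether the traceroutes really go public and then back into RFC 1918 space, and what widening the LAN mask to 255.255.0.0 would do) can both be worked through with a few lines of code. The following is an added example, not code from the thread or from either poster; the hop lists and the LAN addresses are constructed to mirror the traceroutes described in the message, and 203.0.113.0/24 is the documentation range standing in for the ISP's public hops.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_hops_after_public(hops):
    """Return the private hops that appear *after* the path has already
    crossed a public address, i.e. traffic that left the LAN via public
    routers and was then forwarded back into RFC 1918 space.  None marks a
    timed-out hop, as traceroute prints '*' for it."""
    seen_public = False
    leaks = []
    for hop in hops:
        if hop is None:
            continue
        if is_rfc1918(hop):
            if seen_public:
                leaks.append(hop)
        else:
            seen_public = True
    return leaks


def next_hop(dst: str, lan_addr: str, lan_mask: str, gateway: str) -> str:
    """Decide how a LAN host with the given address/mask reaches dst:
    on-link (it ARPs for dst on the local segment) or via the gateway.
    This is the plain longest-prefix decision a host makes with one
    connected route plus a default route."""
    iface = ipaddress.ip_interface(f"{lan_addr}/{lan_mask}")
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return f"via {gateway}"


# Constructed traceroute modelled on the post: home gateway, two public
# ISP hops (documentation range), then back into RFC 1918 addresses.
TRACE_TO_192_168_19_1 = [
    "192.168.0.1",   # the NetGear router's LAN side
    "203.0.113.1",   # constructed: ISP edge router (public)
    "203.0.113.17",  # constructed: the "unidentified" ISP box (public)
    "172.18.240.1",  # private again, as in the post
    "192.168.19.1",  # destination, private
]

# Constructed trace to the cable modem: stops after the router with a
# timed-out hop, as the post describes for 192.168.100.1.
TRACE_TO_MODEM = ["192.168.0.1", "192.168.100.1", None]


if __name__ == "__main__":
    print(private_hops_after_public(TRACE_TO_192_168_19_1))
    print(private_hops_after_public(TRACE_TO_MODEM))
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, next_hop("192.168.19.1", "192.168.0.2", mask, "192.168.0.1"))
```

The first trace reports 172.18.240.1 and 192.168.19.1 as private addresses reached only after public hops, which is the pattern the post found odd: those hosts are being routed from the ISP's side, not from the LAN. The modem trace reports nothing, because 192.168.100.1 is reached before any public hop. For the mask question, a host at 192.168.0.2 with a /24 mask sends 192.168.19.1 to the gateway, but with 255.255.0.0 it treats the address as on-link and ARPs for it locally, where nothing answers; so yes, widening the mask stops the LAN hosts reaching those addresses, though it only hides them rather than filtering anything, and it does nothing for 172.18.240.1.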

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


