Nmap Development mailing list archives

Re: NMAP Host Scan picks up private IP's on another network

From: Michael Toecker <michael.toecker () gmail com>
Date: Fri, 16 Oct 2015 10:17:25 -0400

Looks like your ISP has assigned routes within their internal network to
some private address space, and are allowing access to those private
addresses so long as you're a Metrocast customer.

<Speculation>

You are on the 10.X.Y.0/?? subnet, so when you kick off your NMAP scan
for 10.113.63.192, it runs to your default gateway 10.1.1.1 to get the
packet routed.  The next hop in your 10.1.1.1 router for 10.113.63.192
is 10.210.192.1, which I'm guessing is your Metrocast router.

The next hop in your Metrocast router leads you along a merry path, with
each one passing the packet to another one that says it knows where
10.113.63.192 is.  Until you reached 206.53.95.141 that is, which is like
"Oh cool, I'm directly connected to a 10.X.Y.0/?? subnet that contains
10.113.63.192!  I can help you!".

Since it doesn't apparently leave Metrocast, this could be any number of
issues within the internal network of Metrocast.  My bet is that they are
selling private networks to customers, but are minimizing the complexity of
their internal routing to get to those addresses and not blocking those
addresses internally for their own customers.  This is considered a normal
practice, and I know has caused some problems for SCADA operators that
thought they were getting a "private" network, i.e. one that only they can
access.

So yes, this is normal.  You do have a problem though, you think your
firewall is blocking traffic that it's not actually blocking.  If it were
actually blocking traffic from specific IP addresses as you describe, you
wouldn't be getting a valid traceroute back.  Most likely, your firewall is
aware of the pseudo-state of the ICMP packet, and is sending anything it
deems a valid response back to the originating system.  This might also
work for TCP and certain UDP data that originates inside your network and
goes to external IPs as well.

For instance, if you scanned 10.113.63.192 and got back open ports, your
firewall isn't blocking traffic from external IPs when there is an entry in
the TCP state table that shows the connection initiated from within your
internal network. Blocking external IP address that internal users can
access is called egress policy, and it's generally a good idea to block
both ingress and egress to/from private IP ranges at your border.

Happy hunting.

Mike Toecker

On Fri, Oct 16, 2015 at 8:23 AM, Jeffrey G. Gomberg <gomberg () synair com>
wrote:

What ip block were you scanning? Please post the full nmap command line
string that you used?

On Oct 14, 2015, at 9:35 AM, Charlie Aquilino <
Charlie.Aquilino () avianllc com> wrote:

Hello,



I’m running a host scan via Zenmap and it is picking up 10.x.x.x IP
addresses on other private networks. Here’s a traceroute for one of those
IPs:

“C:\Users\admin-charlie>tracert 10.113.63.192



Tracing route to 10.113.63.192 over a maximum of 30 hops



  1     1 ms     1 ms     1 ms  10.1.1.1

  2    10 ms    15 ms    10 ms  10.210.192.1

  3    18 ms    11 ms    23 ms  static-216-36-30-138.cpe.metrocast.net
[216.36.30.138]

  4    38 ms    34 ms    41 ms  static-216-36-30-238.cpe.metrocast.net
[216.36.30.238]

  5    30 ms    27 ms    26 ms  static-206-53-95-141.cpe.metrocast.net
[206.53.95.141]

  6    43 ms    35 ms    33 ms  10.113.63.192



Trace complete.”



10.113.63.192 is not on our network. You can see that NMAP seems to leave
our network, go through some public IP’s of our ISP (MetroCast), and then
discovers machines behind the ISP’s public IP address. Why is this
happening? Is there anything I should be concerned about since our firewall
blocks everything not from a certain few IP addresses?



Thank you in advance for your help,

Charlie Aquilino

IT Manager

AVIAN LLC



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




-- 

Michael Toecker

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

NMAP Host Scan picks up private IP's on another network Charlie Aquilino (Oct 15)
- Re: NMAP Host Scan picks up private IP's on another network Jeffrey G. Gomberg (Oct 16)
  - Re: NMAP Host Scan picks up private IP's on another network Michael Toecker (Oct 16)