Jump to content

- - - - -

Strange IP with same MAC

  • Please log in to reply
2 replies to this topic

#1 securityxxxpert


    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 10 January 2011 - 01:15 AM

I was doing a audit of my own network and ran across the following with a ping sweep.

map scan report for DD-WRT (
Host is up (0.00076s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for unknown0024A5AD7959 (
Host is up (0.00018s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for bt (

Obviously the first host is my router.
however the ip of is a different ip but shows the same MAC address as my router.

When I did a port scan I got the following

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-01-10 01:14 EST
Initiating ARP Ping Scan at 01:14
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 01:14, 0.00s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 01:14
Completed Parallel DNS resolution of 2 hosts. at 01:14, 0.00s elapsed
DNS resolution of 2 IPs took 0.00s. Mode: Async [#: 1, OK: 2, NX: 0, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating SYN Stealth Scan at 01:14
Scanning 2 hosts [65535 ports/host]
Discovered open port 443/tcp on
Discovered open port 443/tcp on
Discovered open port 53/tcp on
Discovered open port 53/tcp on
Discovered open port 1780/tcp on
Completed SYN Stealth Scan against in 18.66s (1 host left)
Completed SYN Stealth Scan at 01:14, 18.66s elapsed (131070 total ports)
Initiating OS detection (try #1) against 2 hosts
Nmap scan report for DD-WRT (
Host is up (0.0012s latency).
Scanned at 2011-01-10 01:14:00 EST for 20s
Not shown: 65532 closed ports
53/tcp   open  domain
443/tcp  open  https
1780/tcp open  unknown
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.23 (embedded)
TCP/IP fingerprint:

Uptime guess: 9.391 days (since Fri Dec 31 15:51:58 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros

Any idea's why they are two different LAN ip's, but have the same mac address? For the most part they have the same ports open as well.

**Turns out my new ATT Uverse Modem/Router is just that a router and modem combination, so I disabled the router part of the att rg modem, and I have my buffalo router setup as the main wifi/router. I still see those 2 ip's. When I went into my router configuration page I saw the wan ip of the router is**

Could someone explain this to me?

Edited by securityxxxpert, 10 January 2011 - 03:28 AM.

#2 tekio


    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,284 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 13 January 2011 - 11:01 PM

It says the host name is bt. Isn't that the default host name for backtrack? How secure is your WLAN? You might have a "hacker" on the network.

#3 d3xt3r


    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male

Posted 15 January 2011 - 08:35 AM

It may be that someone is spoofing its MAC address.....

BinRev is hosted by the great people at Lunarpages!