2 replies to this topic

[securityxxxpert]

I was doing a audit of my own network and ran across the following with a ping sweep.

map scan report for DD-WRT (192.168.1.1)
Host is up (0.00076s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for unknown0024A5AD7959 (192.168.1.65)
Host is up (0.00018s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for bt (192.168.1.104)


Obviously the first host 192.168.1.1 is my router.
however the ip of 192.168.1.165 is a different ip but shows the same MAC address as my router.

When I did a port scan I got the following

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-01-10 01:14 EST
Initiating ARP Ping Scan at 01:14
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 01:14, 0.00s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 01:14
Completed Parallel DNS resolution of 2 hosts. at 01:14, 0.00s elapsed
DNS resolution of 2 IPs took 0.00s. Mode: Async [#: 1, OK: 2, NX: 0, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating SYN Stealth Scan at 01:14
Scanning 2 hosts [65535 ports/host]
Discovered open port 443/tcp on 192.168.1.65
Discovered open port 443/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.65
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 1780/tcp on 192.168.1.1
Completed SYN Stealth Scan against 192.168.1.1 in 18.66s (1 host left)
Completed SYN Stealth Scan at 01:14, 18.66s elapsed (131070 total ports)
Initiating OS detection (try #1) against 2 hosts
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0012s latency).
Scanned at 2011-01-10 01:14:00 EST for 20s
Not shown: 65532 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
443/tcp  open  https
1780/tcp open  unknown
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.23 (embedded)
TCP/IP fingerprint:
OS:SCAN(V=5.35DC1%D=1/10%OT=53%CT=1%CU=44467%PV=Y%DS=1%DC=D%G=Y%M=0024A5%TM
OS:=4D2AA3BD%P=i686-pc-linux-gnu)SEQ(SP=C7%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M5B4ST11NW1%O2=M5B4ST11NW1%O3=M5B4NNT11NW1%O4=M5B4ST11NW1%O5=M5B
OS:4ST11NW1%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0
OS:)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW1%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 9.391 days (since Fri Dec 31 15:51:58 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros

Any idea's why they are two different LAN ip's, but have the same mac address? For the most part they have the same ports open as well.

**Turns out my new ATT Uverse Modem/Router is just that a router and modem combination, so I disabled the router part of the att rg modem, and I have my buffalo router setup as the main wifi/router. I still see those 2 ip's. When I went into my router configuration page I saw the wan ip of the router is 192.168.1.65**

Could someone explain this to me?

Edited by securityxxxpert, 10 January 2011 - 03:28 AM.

[tekio]

It says the host name is bt. Isn't that the default host name for backtrack? How secure is your WLAN? You might have a "hacker" on the network.

[d3xt3r]

It may be that someone is spoofing its MAC address.....