securityxxxpert

Strange IP with same MAC

3 posts in this topic

I was doing an audit of my own network and ran across the following with a ping sweep.

Nmap scan report for DD-WRT (192.168.1.1)

Host is up (0.00076s latency).

MAC Address: 00:24:A5:AD:79:59 (Buffalo)

Nmap scan report for unknown0024A5AD7959 (192.168.1.65)

Host is up (0.00018s latency).

MAC Address: 00:24:A5:AD:79:59 (Buffalo)

Nmap scan report for bt (192.168.1.104)

Obviously the first host 192.168.1.1 is my router.

However, the IP of 192.168.1.165 is a different IP but shows the same MAC address as my router.

When I did a port scan I got the following

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-01-10 01:14 EST
Initiating ARP Ping Scan at 01:14
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 01:14, 0.00s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 01:14
Completed Parallel DNS resolution of 2 hosts. at 01:14, 0.00s elapsed
DNS resolution of 2 IPs took 0.00s. Mode: Async [#: 1, OK: 2, NX: 0, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating SYN Stealth Scan at 01:14
Scanning 2 hosts [65535 ports/host]
Discovered open port 443/tcp on 192.168.1.65
Discovered open port 443/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.65
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 1780/tcp on 192.168.1.1
Completed SYN Stealth Scan against 192.168.1.1 in 18.66s (1 host left)
Completed SYN Stealth Scan at 01:14, 18.66s elapsed (131070 total ports)
Initiating OS detection (try #1) against 2 hosts
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0012s latency).
Scanned at 2011-01-10 01:14:00 EST for 20s
Not shown: 65532 closed ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
1780/tcp open unknown
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.23 (embedded)
TCP/IP fingerprint:

Uptime guess: 9.391 days (since Fri Dec 31 15:51:58 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros

Any ideas why they are two different LAN IPs, but have the same MAC address? For the most part they have the same ports open as well.

**Turns out my new ATT Uverse Modem/Router is just that, a router and modem combination, so I disabled the router part of the ATT RG modem, and I have my Buffalo router set up as the main Wi-Fi/router. I still see those 2 IPs. When I went into my router configuration page I saw the WAN IP of the router is 192.168.1.65.**

Could someone explain this to me?

Edited by securityxxxpert
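
As an added example (not part of the original thread), this Python script parses ping-sweep output like the one quoted in the post above and lists every MAC address that answered for more than one IP, plus hosts reported without a MAC line. The function names `parse_sweep` and `shared_macs` are this example's own, and the sample input is copied from the post.

```python
import re
from collections import defaultdict

# Sample input: the ping-sweep lines quoted in the post (truncated "Nmap" restored).
SWEEP = """\
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.00076s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for unknown0024A5AD7959 (192.168.1.65)
Host is up (0.00018s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Nmap scan report for bt (192.168.1.104)
"""

# Header is either "name (ip)" or a bare "ip" when no hostname resolved.
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
MAC_RE = re.compile(r"^MAC Address: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((.*)\))?\s*$")


def parse_sweep(text):
    """Return (mac -> [(ip, name)], [(ip, name) reported with no MAC line])."""
    by_mac, no_mac, current = defaultdict(list), [], None
    for line in text.splitlines():
        line = line.strip()
        host = HOST_RE.match(line)
        if host:
            if current:  # previous host block ended without a MAC line
                no_mac.append(current)
            current = (host.group(2), host.group(1) or "")
            continue
        mac = MAC_RE.match(line)
        if mac and current:
            by_mac[mac.group(1).upper()].append(current)
            current = None
    if current:
        no_mac.append(current)
    return dict(by_mac), no_mac


def shared_macs(by_mac):
    """MACs that answered for more than one distinct IP address."""
    return {m: h for m, h in by_mac.items() if len({ip for ip, _ in h}) > 1}


if __name__ == "__main__":
    by_mac, no_mac = parse_sweep(SWEEP)
    for mac, hosts in shared_macs(by_mac).items():
        print(f"{mac} answers for: " + ", ".join(ip for ip, _ in hosts))
    for ip, name in no_mac:
        print(f"{ip} ({name}): no MAC line in the report")
```

Nmap prints a MAC only for other hosts on the local Ethernet segment, so the machine running the scan appears in the second list.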

It says the host name is bt. Isn't that the default host name for backtrack? How secure is your WLAN? You might have a "hacker" on the network.
