phx Posted October 6, 2008

Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

edit:

Interesting ports on 192.168.1.1:
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp?
22/tcp  open  ssh        SCS sshd 2.0.12 (protocol 2.0)
23/tcp  open  tcpwrapped
179/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=4.76%I=7%D=10/6%Time=48EA843D%P=x86_64-unknown-linux-gnu%r
SF:(NULL,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x20
SF:connection\r\n")%r(RTSPRequest,37,"421\x20Session\x20limit\x20reached,\
SF:x20closing\x20control\x20connection\r\n")%r(DNSVersionBindReq,37,"421\x
SF:20Session\x20limit\x20reached,\x20closing\x20control\x20connection\r\n"
SF:)%r(NCP,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x
SF:20connection\r\n");
Device type: router|switch|PBX|encryption accelerator|WAP|general purpose
Running (JUST GUESSING) : Juniper embedded (95%), SMC embedded (89%), Vodavi embedded (88%), Cisco embedded (87%), D-Link embedded (86%), TRENDnet embedded (86%), Apple Mac OS X 10.3.X|10.4.X (86%), Juniper JUNOS 8.X (86%)
Aggressive OS guesses: Juniper Networks ERX-700 router (95%), SMC SMC7724M/VSW switch (89%), Vodavi XTS-IP PBX (88%), Cisco VPN 3000 Concentrator VPN platform (software version 4.7.2.D) (87%), Cisco VPN 3000 Concentrator VPN platform (software version 4.1.7.O) (87%), Cisco VPN 3030 Concentrator VPN platform (87%), Cisco VPN 3030 Concentrator VPN platform (software 4.7.2.F) (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (86%), Apple Mac OS X 10.3.9 (Panther) (Darwin 7.9.0, PowerPC) (86%), Apple Mac OS X 10.3.9 (Panther) - 10.4.7 (Tiger) (Darwin 7.9.0 - 8.7.8, PowerPC) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 8 hops

digip Posted October 6, 2008

> Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

Is your IP in this range: 192.168.1.1, either by way of your ISP or your local LAN/Router setup? What ISP, and do you have a Business account or Residential account?

I had read about a guy who was able to log in to the LAN of his ISP because he had a Business account and he could see all the devices on his LAN segment. The ISP said it was because he was a Business customer, and his IP was part of the network's subnet. Not something I think should be possible but can happen, but I would just change your IP class/range on your router and then see what happens. Set it to something like the 10.0.0.0/255 range.

phx (Author) Posted October 6, 2008

> What ISP, and do you have a Business account or Residential account?

frontiernet, it's supposedly a business account, but I know nothing about it other than that.

phx (Author) Posted October 6, 2008

> Is your IP in this range: 192.168.1.1, either by way of your ISP or your local LAN/Router setup?

the local subnet is 192.168.254.

Sparda Posted October 6, 2008

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. This is to save on the number of real internet addresses used by the ISP.

Well done, you nmap'ed one of your ISP's routers if your router's address isn't also 192.168.1.1.

phx (Author) Posted October 6, 2008

the traceroute looks like this

HOP RTT   ADDRESS
1   0.36  [router]
2   54.35 74-[removed].frontiernet.net
3   54.00 74.[removed]
4   69.41 74.[removed]
...
8   99.00 74.[removed]
9   92.94 192.168.1.1

Sparda Posted October 6, 2008

And what is your router's IP address?

digip Posted October 6, 2008

Could be possible that you see it because of the business account settings making you part of that LAN segment, but not sure why you can see all the other devices on that IP class since you did the nmap scan.

Dumb question, but do you have a router on this network segment/LAN that you are testing this from? Is it a wireless router? (Is it yours?) And if so, what is its IP range set to? Is the device set up as a VPN point? This device isn't by any chance your own router, is it?

Just speculating, but if it's a wireless router, could someone have hacked it to reroute the DNS requests for a MITM attack on your access point? My router was set to 192.168.1.1 by default out of the box when I bought it, and I had to manually change its IP address and range for DHCP.

How do you know it's outside this LAN's network? What does a traceroute to the 192.168.1.1 device look like? Does it ever leave the 192.168.1/255 range to get to the end point? What is each hop's IP address?

More info please. I'm curious what is going on now, but my guess is it's either because you are part of the LAN segment (via business account), or the router you connect through has been hijacked in some way.

edit: didn't see the other posts as I was typing, so some of my questions can be ignored.

phx (Author) Posted October 6, 2008

The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.

router make/model: Efficient 5930 DMT Router

digip Posted October 6, 2008

> The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.
>
> router make/model: Efficient 5930 DMT Router

Have you tried the default passwords? http://www.phenoelit-us.org/dpl/dpl.html

Most seem to be a combo of admin/Admin or login/password.

Sparda Posted October 6, 2008

The question was "Why does a router on the Internet have an IP address intended for use on a LAN?".

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. This is to save on the number of real internet addresses used by the ISP.

Not sure what you are doing now.

phx (Author) Posted October 6, 2008

> Have you tried the default passwords? http://www.phenoelit-us.org/dpl/dpl.html
>
> Most seem to be a combo of admin/Admin or login/password.

Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can log in externally.

The only packets I'm seeing from 192.168.1.1 are ARP requests every so often for machines on this network. Does this indicate anything?

Sparda Posted October 6, 2008

> Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can log in externally.
>
> The only packets I'm seeing from 192.168.1.1 are ARP requests every so often for machines on this network. Does this indicate anything?

That indicates you probably have a device with the address 192.168.1.1 on your LAN you don't know is plugged in.

phx (Author) Posted October 6, 2008

Yep, just decided the same thing.

I think it's this stupid old Linksys router I'm using in switch mode and it's sending its own packets for some reason.

The 192.168.1.1 I scanned is not the same one I'm noticing.

Thread over I guess, thanks guys.

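Added example, not part of any post in this thread: a short Python check for the two observations the thread separates, an RFC 1918 address several hops upstream (ISP-internal addressing) and an off-subnet ARP sender (a device on the local segment). The sample traceroute rows, stand-in hop addresses, hostname and MAC addresses are constructed, and the local subnet is assumed to be 192.168.254.0/24.

```python
import ipaddress

# RFC 1918 blocks, listed explicitly; ipaddress.is_private also matches
# other reserved ranges (for example the documentation nets used below).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data modelled on the thread. The redacted 74.x hops are
# replaced with documentation-range stand-ins; the MACs are made up.
LOCAL_NET = ipaddress.ip_network("192.168.254.0/24")
TRACEROUTE = """\
HOP RTT   ADDRESS
1   0.36  192.168.254.254
2   54.35 isp-edge.example.net
3   54.00 198.51.100.9
...
8   99.00 203.0.113.5
9   92.94 192.168.1.1
"""
ARP_SENDERS = [("192.168.254.254", "00:00:5e:00:53:01"),
               ("192.168.254.20", "00:00:5e:00:53:02"),
               ("192.168.1.1", "00:00:5e:00:53:aa")]

def classify_hops(text, local_net):
    """Label each traceroute row: local-lan, private-upstream, public, unresolved."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 3:                     # elided rows such as "..."
            continue
        hop, _rtt, addr = parts
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                      # hostname or redacted value
            rows.append((int(hop), addr, "unresolved"))
            continue
        if ip in local_net:
            label = "local-lan"
        elif any(ip in net for net in RFC1918):
            label = "private-upstream"          # ISP-internal addressing
        else:
            label = "public"
        rows.append((int(hop), addr, label))
    return rows

def off_subnet_arp(senders, local_net):
    """ARP is not routed, so every sender seen is on this L2 segment;
    one outside the LAN subnet is a local device to go and find."""
    return [(ip, mac) for ip, mac in senders
            if ipaddress.ip_address(ip) not in local_net]
```

The same IP can appear in both results and still be two different devices: the traceroute hop is reached through the ISP, while the ARP sender's MAC address identifies a box plugged into the local switch.
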
natural_orange Posted October 13, 2008

That seems pretty weird. I know for instance that my cable internet provider uses 10.100.x.x addresses to provide a connection from the cable modem to their back end cable stuff. Though it's invisible to me and it just looks like I'm at a 69.x.x.x address.

vector Posted October 17, 2008

I suggest using a nice little program called Network Magic. It gives a nice graphical representation of your local area network, shows you the IP addresses of local devices along with MAC addresses, and one-click device management/configuration. This can help you understand a little bit better the layout of your network.