192.168.* outside local network?


phx
Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

edit:

Interesting ports on 192.168.1.1:
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp?
22/tcp  open  ssh        SCS sshd 2.0.12 (protocol 2.0)
23/tcp  open  tcpwrapped
179/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=4.76%I=7%D=10/6%Time=48EA843D%P=x86_64-unknown-linux-gnu%r
SF:(NULL,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x20
SF:connection\r\n")%r(RTSPRequest,37,"421\x20Session\x20limit\x20reached,\
SF:x20closing\x20control\x20connection\r\n")%r(DNSVersionBindReq,37,"421\x
SF:20Session\x20limit\x20reached,\x20closing\x20control\x20connection\r\n"
SF:)%r(NCP,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x
SF:20connection\r\n");
Device type: router|switch|PBX|encryption accelerator|WAP|general purpose
Running (JUST GUESSING) : Juniper embedded (95%), SMC embedded (89%), Vodavi embedded (88%), Cisco embedded (87%), D-Link embedded (86%), TRENDnet embedded (86%), Apple Mac OS X 10.3.X|10.4.X (86%), Juniper JUNOS 8.X (86%)
Aggressive OS guesses: Juniper Networks ERX-700 router (95%), SMC SMC7724M/VSW switch (89%), Vodavi XTS-IP PBX (88%), Cisco VPN 3000 Concentrator VPN platform (software version 4.7.2.D) (87%), Cisco VPN 3000 Concentrator VPN platform (software version 4.1.7.O) (87%), Cisco VPN 3030 Concentrator VPN platform (87%), Cisco VPN 3030 Concentrator VPN platform (software 4.7.2.F) (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (86%), Apple Mac OS X 10.3.9 (Panther) (Darwin 7.9.0, PowerPC) (86%), Apple Mac OS X 10.3.9 (Panther) - 10.4.7 (Tiger) (Darwin 7.9.0 - 8.7.8, PowerPC) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 8 hops

---

Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

Is your IP in this range: 192.168.1.1, either by way of your ISP or your local LAN/Router setup?

What ISP, and do you have a Business account or Residential account? I had read about a guy who was able to log in to the LAN of his ISP because he had a Business account and he could see all the devices on his LAN segment. The ISP said it was because he was a Business customer, and his IP was part of the network's subnet. Not something I think should be possible but can happen, but I would just change your IP class/range on your router and then see what happens. Set it to something like the 10.0.0.0/255 range.

---

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. This is to save on the number of real internet addresses used by the ISP.

Well done, you nmap'ed one of your ISP's routers if your router's address isn't also 192.168.1.1.

---

the traceroute looks like this

HOP RTT    ADDRESS
1   0.36   [router]
2   54.35  74-[removed].frontiernet.net
3   54.00  74.[removed]
4   69.41  74.[removed]
...
8   99.00  74.[removed]
9   92.94  192.168.1.1

---

Could be possible that you see it because of the business account settings making you part of that lan segment, but not sure why you can see all the other devices on that ip class since you did the nmap scan.

Dumb question, but do you have a router on this network segment/LAN that you are testing this from? Is it a wireless router? (Is it yours?) And if so, what is its IP range set to? Is the device set up as a VPN point? This device isn't by any chance your own router, is it? Just speculating, but if it's a wireless router, could someone have hacked it to reroute the DNS requests for a MITM attack on your access point?

My router was set to 192.168.1.1 by default out of the box when I bought it, and I had to manually change its IP address and range for DHCP.

How do you know it's outside this LAN's network? What does a traceroute to the 192.168.1.1 device look like? Does it ever leave the 192.168.1/255 range to get to the end point? What is each hop's IP address?

More info please. I'm curious what is going on now, but my guess is it's either because you are part of the LAN segment (via business account), or the router you connect through has been hijacked in some way.

edit: didn't see the other posts as I was typing, so some of my question can be ignored.

---

The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.

router make/model: Efficient 5930 DMT Router

---

The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.

router make/model: Efficient 5930 DMT Router

Have you tried the default passwords?

http://www.phenoelit-us.org/dpl/dpl.html

Most seem to be a combo of admin/Admin or login/password

---

The question was "Why does a router on the Internet have an IP address intended for use on a LAN?".

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. This is to save on the number of real internet addresses used by the ISP.

Not sure what you are doing now.

---

Have you tried the default passwords?

http://www.phenoelit-us.org/dpl/dpl.html

Most seem to be a combo of admin/Admin or login/password

Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can login externally.

The only packets I'm seeing from 192.168.1.1 are arp requests every so often for machines on this network. Does this indicate anything?

---

Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can login externally.

The only packets I'm seeing from 192.168.1.1 are arp requests every so often for machines on this network. Does this indicate anything?

That indicates you probably have a device with the address 192.168.1.1 on your LAN you don't know is plugged in.

---

yep just decided the same thing

I think it's this stupid old linksys router i'm using in switch mode and it's sending its own packets for some reason

the 192.168.1.1 I scanned is not the same one I'm noticing

thread over I guess, thanks guys

---

I suggest using a nice little program called Network Magic. It gives a nice graphical representation of your local area network, shows you the IP address of local devices along with MAC address, and one-click device management/configuration. This can help you understand a little bit better the layout of your network.
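
The distinction the thread ends on, as an added example (not code from any poster): a 192.168.1.1 reached at hop 9 of a traceroute is a routed device upstream, while a 192.168.1.1 seen sending ARP must sit on the local layer-2 segment, because routers do not forward ARP. The /24 mask, the MAC addresses and the public hop addresses are constructed placeholders; only 192.168.254.254 and 192.168.1.1 come from the thread.

```python
import ipaddress

# RFC 1918 private ranges: not routed on the public Internet, but an ISP
# may still number its own internal routers from them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify_hops(hops, local_net):
    """Label each (hop_number, address) pair taken from a traceroute."""
    local = ipaddress.ip_network(local_net)
    out = []
    for n, addr in hops:
        if ipaddress.ip_address(addr) in local:
            label = "local-segment"
        elif is_rfc1918(addr):
            label = "private-address-upstream"  # reached through routers
        else:
            label = "public"
        out.append((n, addr, label))
    return out

def foreign_arp_senders(arp_frames, local_net):
    """ARP is not forwarded by routers, so every sender seen on the wire is
    on the same layer-2 segment. Return senders whose IP is outside local_net."""
    local = ipaddress.ip_network(local_net)
    found = {}
    for sender_ip, sender_mac in arp_frames:
        if ipaddress.ip_address(sender_ip) not in local:
            found.setdefault(sender_ip, set()).add(sender_mac)
    return found

# Constructed sample data. The /24 mask is an assumption; the public hops use
# documentation addresses because the real ones were removed from the post.
LOCAL_NET = "192.168.254.0/24"
HOPS = [(1, "192.168.254.254"), (2, "203.0.113.1"),
        (8, "203.0.113.8"), (9, "192.168.1.1")]
ARP = [("192.168.254.10", "02:00:00:00:00:10"),
       ("192.168.1.1", "02:00:00:00:00:aa"),
       ("192.168.1.1", "02:00:00:00:00:aa")]

if __name__ == "__main__":
    for row in classify_hops(HOPS, LOCAL_NET):
        print(row)
    print(foreign_arp_senders(ARP, LOCAL_NET))
```

The MAC address returned for the foreign ARP sender is what to match against the labels or vendor prefixes of devices plugged into the local switch.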
