
0.0.0.0 ?


michael_kent123


It means all interfaces

So if your IP is 10.1.1.1 on eth0, and 192.168.1.1 on wlan0,

your service appears on 10.1.1.1 (eth0), 192.168.1.1 (wlan0) & 127.0.0.1 (localhost).

Edited by midnitesnake

0.0.0.0 is used in a few different ways; but first of all, it may be important to understand what 127.0.0.1 is.

127.0.0.1 is a loopback IP address to the computer's own NIC. It's the address you use when you want to contact yourself. It is important to have this ability so that networkable components do not fail automatically when used on a standalone computer. It is often known as localhost. Locally hosted TCP/UDP/HTTP/FTP or any other network or transport layer protocols (which use routed packets rather than frames) will use this address.

When on a LAN, 127.0.0.1 works in much the same way as connecting to your own, allocated Local IP address, say 192.168.1.254. The key difference though is that when connecting to 127.0.0.1, the traffic never touches the LAN, as it would connecting to 192.168.1.254.

0.0.0.0 can be seen initially as a default IP address. It is the IP that is used by a computer that has not yet been allocated an IP by a DHCP server, but is associated with a network. It is also the address that a computer uses if a DHCP allocation fails. In this case it is used as a fallback, or a promise of an IP in the future. Because 0.0.0.0 is an unroutable address, multiple computers can have the same IP and will receive broadcast and probe packets, but they do not yet have a place on the network.

The other way in which 0.0.0.0 is used is as a mask to mean "any IPv4 address". This is essentially a blanket "listen" request for all IPs. Think of it as an inbound version of 255.255.255.255.

Edited by ApacheTech Consultancy

One thing that a lot of people don't realise is that 127.0.0.1 is only one address in a range of addresses that can be used as a loopback address. If you have XAMPP or anything you can call localhost to, try typing in 127.0.0.254, or any number from 1-254 in the last octet. It will yield the same result as 127.0.0.1. :D

Some exploits ...erm... exploit this fact by referring to 127.0.0.x with a random value from 2-254 to remain unseen by docile AVs and poorly tuned firewalls that only scan the default 127.0.0.1.


  • 2 weeks later...

The 0.0.0.0 IP address is allocated when you don't have an IP address set up. This is not completely true, since Windows actually has a pre-set IP in case the DHCP fails; it will allocate you a randomly generated IP address that would be used as a "backup IP".

The IP address in Windows would look something like this:

IP address 169.254.23.47
Subnet Mask 255.255.0.0
default gateway [blank]

Anyway, in networking science an IP address like 0.0.0.0 translates to any valid IP address in the network.

In contrast, the loopback 127.0.0.1, when you ping it (or whatever you want to do with the loopback), will use your local device IP, regardless of whether you have an IP or not.

For instance: if you have the IP 192.168.1.2, the loopback 127.0.0.1 will ping the IP 192.168.1.2.

If we were to use 0.0.0.0 instead, it will actually look up every IP in the network (depending on what you are doing).

So if you have a class C IP, it will look up every IP, as in the following example:

192.168.1.0/24 network

Up devices = 192.168.1.1, 192.168.1.2, 192.168.1.2, etc

It will ping every address being in use.

Technically it would be like a broadcast address. In the Class C network scheme it would be the broadcast address 192.168.1.255.

Hope this helps.

Best Regards

joey-world

Network Systems Administrator


0.0.0.0 is also a listening address used in routing for all NICs and Ethernet ports. Think of it like an interconnect for all traffic.

Type: route print and you will see it's part of your routing table, and if you run tools such as TCPview in Windows, you can see what ports your system is listening on, and the IP is almost always going to be 0.0.0.0. If it's anything other than this, it's either an established connection already in progress, or another service in use. It's also a good way to find rogue route entries and DNS hijacks by monitoring non-standard IPs set up like mentioned above for localhost. Always be sure to lock down the hosts file, on both Windows and Linux, and periodically check your local system's routing table, in the event your route suddenly starts routing through some 3rd party. Netstat is another good one to use for monitoring connections and works on both Windows and Linux. I just like the GUI control of TCPview, and when run as administrator, it can close connections and end processes. If working on a person's system with malware, you can end the process and close the socket (Windows-only tool though).

Edited by digip

  • 2 months later...

@digip I just ran netstat -ant | less and noticed a few open ports. It looks like the system is waiting for a connection or possibly running a daemon on some ports - 53, 631, 52931. How can I figure out the name of the application that opened the port and, more importantly, close the port? I know TCPview can close connections on Windows. What's the best way to monitor and admin network connections on Linux? The default Ubuntu apps seem kind of primitive, imo.

Know what the ports are for first, since they are services. 53, leave open if you want DNS to work. 631 listening may be Ubuntu specific, but check the IANA known ports list since it's under port 1024. Anything over that could be anything, but there are other switches in netstat to show the programs and inodes things are tied to under Linux to show which programs are using which ports, as well as another command I can't think of, but I think it's lsof or such, that can also show ports and socket connections and the program in use with it.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

To close sockets or ports, you would either close the program or end the service that uses it, or firewall shut/block traffic on those ports.

http://en.wikipedia.org/wiki/Lsof

Edited by digip
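
Added example (not written by anyone in this thread): a small Python reader for the Linux `/proc/net/tcp` table that lists listening sockets and labels each bind address as all-interfaces (0.0.0.0), loopback-only (anywhere in 127.0.0.0/8) or single-interface. The `SAMPLE` table is constructed for illustration using the ports mentioned above, and the address decoding assumes a little-endian host such as x86.

```python
import ipaddress
import os
import socket
import struct

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 20001 1
   1: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 00000000:CEC3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003 1
   3: 0201A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004 1
   4: 0201A8C0:0016 0501A8C0:D2F0 01 00000000:00000000 00:00000000 00000000     0        0 20005 1
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (ip, port); assumes the little-endian IP form."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def scope(ip):
    """Classify how widely a bound address is reachable."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:      # 0.0.0.0: every local interface
        return "all-interfaces"
    if addr.is_loopback:         # the whole 127.0.0.0/8 range, not just 127.0.0.1
        return "loopback-only"
    return "single-interface"

def listeners(table):
    """Return one dict per socket in LISTEN state; established rows are skipped."""
    found = []
    for line in table.splitlines()[1:]:      # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:
            continue
        ip, port = decode_addr(cols[1])
        found.append({"ip": ip, "port": port, "scope": scope(ip),
                      "uid": int(cols[7]), "inode": int(cols[9])})
    return found

if __name__ == "__main__":
    path = "/proc/net/tcp"
    table = open(path).read() if os.path.exists(path) else SAMPLE
    for s in listeners(table):
        print(f'{s["ip"]}:{s["port"]:<6} {s["scope"]:<17} uid={s["uid"]} inode={s["inode"]}')
```

The inode column is what ties a socket to a process: it matches the `socket:[inode]` links under `/proc/<pid>/fd`, which is the lookup `ss -ltnp` and `lsof -i` perform when run as root.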