External IP isn't actual IP?

[0phoi5]

Hey guys,

Sorry if this seems like an obvious question, but when I open whatsmyip.org, or Google, or iplocation.net, I am given an IP address that I am then scanning with nmap (just using -sn at the moment, no full scanning)

I was expecting to see my router and the connected MACs (my laptop, phone, etc.), however I actually get an address. Something along the lines of virginmedia.blabla instead of my internet router. If I run nmap -sn against this IP, it shows only 1 host and nothing else, and it doesn't look like the host is my internet router.

This makes me believe that the IP address these sites are giving me is actually 1 step away from my router, and not my actual IP address.

How would I get my proper IP address, with which I could scan it with nmap?

Please note that I am aware that I can scan my own system using 192.168.0.0/24, but I am not looking to do this. I was trying to scan my network using it's external IP and a laptop not connected to my LAN. I'm preparing for the CEH exam and scanning 192.168 doesn't give me the experience that I want.

Thanks.

Edited November 23, 2016 by haze1434
Amended website addresses to be correct.

[Dec100]

Why are you expecting to see details of devices connected to the inside of your router (laptop, phone, etc.) via the router’s external IP? Are you port forwarding services through to them or something? By default, the router should not allow you to see devices on the inside of your LAN via the outside interface (due to NAT, firewall, etc.).

If you are port forwarding, then you will still only see 1 host when scanning 1 IP, but you would see more services open.

Virgin may be using another step, but I don’t see anything in the above to suggest that. The external IP is probably just resolving to Virgin as they own it (and the ptr records).

Also, make sure you have permission to scan Virgin’s IP or they might get annoyed. Business accounts are usually allowed to do vulnerability scanning (get it in writing) but they might take issue with home users doing it.

Does your router have extra ports and VLAN support? If so, for learning purposes, you could create yourself a “dummy external Internet” on a separate internal VLAN and test from there without touching Virgin’s stuff (which sounds ruder than I meant it - !).

[0phoi5]

I see. Good idea!

To confirm, how would one then go about finding the devices that are using that IP address to connect to the internet?

I have an old S3 android phone and have found a few vulnerabilities for it, which I was hoping to test by finding it over the internet. Is there any way for me to find this phone, connected to my home WLAN, using my external IP address? Or would I only be able to find it when connected directly to the same network and scanning 192.168?

[Dec100]

The short answer is that it depends on how you are set-up.

In very general terms:

1) You could compromise the router (e.g. old buggy firmware or exposed admin logon) and use it as a step to pivot onto the internal network.

2) If you are using port forwarding - say to expose your internal email server on port 25 - you could compromise any bugs on that to get onto the email server to pivot on the LAN from.

3) I don't know what your set-up is, but with the right kit and ISP deal you could set-up static NAT and corresponding firewall rules to separately expose any device on your LAN over any ports you like. In very simplified terms, that's how most companies will be set-up. As a home user, normal port forwarding is probably more realistic, but consider the "dummy Internet" VLAN I mentioned.

4) You could compromise the Android or internal device via social engineering and malware. Then make it initiate a connection out to you. Most home routers block nothing outgoing.

Why the fixation with scanning from external? Be careful not to leave holes open in your router for others to exploit.

[0phoi5]

28 minutes ago, Dec100 said:

Why the fixation with scanning from external? Be careful not to leave holes open in your router for others to exploit.

Thank you, good details.

I'm currently going through courses in preparation for CEH certification, but they all only show examples of scanning and hacking using 192.168 internally. Whilst this is probably a much easier and safer way to show techniques for the CEH course, I feel it doesn't quite show the exact process a real hacker would go through as they wouldn't just be sitting in your network scanning 192.168, they would generally be external to your network trying to find a way in. I wanted to learn more about this, as the courses don't cover it.

*edit* I've already compromised and scanned most of my stuff internally using 192.168 IPs, but it just doesn't feel 'realistic'. Unless the hacker is sitting nearby with a Wi-Fi connection to my WLAN, he wouldn't be hacking in this way.

Edited November 23, 2016 by haze1434

[Dec100]

Yeah, the CEH will take you through discovery and mapping of the externally exposed parts of a company's network. You are on the right track - it will be things like WHOIS, DNS checks, Google searches, IP/port scans, software version checks, default set-up checks - then looking through all the information to find a vulnerability to exploit to reach internal systems. 

The problem you have is that home users are usually set-up differently to companies. Home users (and companies for that matter) are usually compromised these days via social engineering rather than through the front door. For example, tricking the Android user to visit a malicious website that exploits the vulnerable version, or tricking them into opening a malicious email attachment. Then they connect out to the attacker. The exception is the recent spate of hacking badly configured (or badly designed) home routers, but you don't really want to purposely make your own router vulnerable or someone else will hack it too. 

For your studying, don't worry too much about testing on an internal LAN. The principals and tools are still all the same.

[digip]

go to ipchicken.com, or just type "ip" into google. They will give you your external IP. You can't scan your external IP from inside your network though. You'll get false positives. only way to do it, is scan from external address to the known IP of your home IP, or use a third party site that does basic port scans from the net, like tcp utils.

 

Replace the 127.0.0.1 with your known IP - http://www.tcpiputils.com/browse/ip-address/127.0.0.1

 

Quote

To confirm, how would one then go about finding the devices that are using that IP address to connect to the internet?

This depends on the security of the router/gateway. If port fowardign or DMZ's are setup, it's possible to scan those devices and possibly the rest of the network. Also, weaknesses in the perimeter could potentially allow walking the firewall and seeing into the network. This is why scanning from in your LAN, is not ideal since it's not actually being blocked by NAT properly from an inside IP.

Edited November 23, 2016 by digip

[0phoi5]

Thanks

[0phoi5]

Hi guys,

Sorry, I have further questions regarding my original post.

Please see the diagram below. When I request my external IP address from anywhere, such as nslookup or going to ipchicken etc., from which point in this diagram does the IP get calculated? Which device gives it's IP? Because it's certainly not 'Your Computer' or 'Modem', so I assume it's something after this?

Thank you.

[digip]

Whatever machine makes the request, is what give's it's IP. The gateway, forwards all data across the appropriate routes. AS for external IP  with respect to a home rotuer/switch network, each machine shares the same external IP via the router which handles all he appropriate mappings to who made the requests, based on each machines physical ID, the MAC address of the interface connected at each port of the router.

In the case of a home router, your router has multiple subnets it speaks to based on its physical connections. The home LAN, the MODEM and the ISP WAN. Your local LAN, and it's external WAN subnets are all you ever really need to worry about, while the modems 192.168.100.X subnet is never really seen in the hops and only used to get you connected with the ISP over the physical line. In the case of plugging directly into a workstation from the modem, your workstation's NIC would have the IP of the assigned external WAN subnet you reside on for your node, so in this case, it would be the device that responds. With a router in place, it is the router that responds to the requests at the external IP using it's external interface, and forwards back to the requesting node on the LAN's subnet.

All basic networking rules apply pretty much the same as they would on a local LAN with a DHCP server/router/gateway and switches, whether done by the router or another gateway/termserver, while the modem is just a physical connection between you and the ISP at layers 1 and 2. Mapping MAC addresses to assigned IP's are stored in your router/gateway and handles all the proper sorting of requests from each machine trying to reach the outside world. Without a DMZ or port forward to a specific node on the inside network, requests SHOULD be dropped by the Gateway/firewall in place that talks to the ISP. This is why you should never really sit directly on the modem without a router or firewall in front of it, as you would then be connected directly to the internet and can be scanned/attacked directly at your external IP.

Your cable modem can be thought of as a transparent bridge, even though it has an IP, usually locally as 192.168.100.1 and will more than like have another IP you will never see assigned by the ISP, which talks to the CMTS at the ISP based on it's physical connection, which in itself acts in much the same way. A DHCP server at the ISP takes a request from your network's router or workstation and assigns it to the outside facing interface of your router or workstation when it wants to get onto the network, which is all forwarded by the modem between you and the ISP. It's recorded with the devices MAC address and put in a table with its corresponding IP assigned to it on the ISP's side so it knows where to send data to when you speak to the outside world. 

You want to see which hop was the last before reaching you, do a trace route to your external IP from outside the network, and you will see the route your data traveled over each hop back to the machine that made the request. This can also change based on your location as well as redundant routing setup and it's neighboring routers and their routes, but the hops show from you to the end point and each router's IP assigned to its interface facing you along the way.

@ Anyone else feel free to correct me or add if I missed anything.

Some things that might help:

http://www.webopedia.com/quick_ref/OSI_Layers.asp

https://en.wikipedia.org/wiki/Cable_modem_termination_system

https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

https://en.wikipedia.org/wiki/Hop_(networking)

http://www.metaswitch.com/resources/what-is-ip-routing

 

 

 

 

Edited December 23, 2016 by digip

[0phoi5]

On ‎23‎/‎12‎/‎2016 at 8:19 PM, digip said:

Things.

Really good answer and detail, thank you. Much appreciated :)

[anode]

Might not be the answer, but I'll use a

traceroute -m 5 yahoo.com

and see what comes back.  Lots of times I'll see that i'm a hop or two before I exit, telling me I have 'upper' subnets to explore.