Spoofed IP (?!) and Wireshark


devrand0m


First question ... I was looking at the firewall log on my wireless router.  There were a number of entries that said that an outbound connection was blocked due to an invalid source IP.  My router's DHCP range is 172.27.0.1 to 172.27.0.253 (254 is the router).  The invalid IP is 172.16.40.48.  How can this IP address even exist on my network?  Even if someone manually assigned that IP to his/her computer, how can that even get routed to the gateway?  Also I only have around a dozen devices attached to this router and each device is accounted for.  How can I figure out what the invalid IP device is?

 

Second question, kind of related.  I was trying to figure out what was happening with my network so I fired up Wireshark hoping there would be some clue with regard to the spoofed IP above.  Connected my laptop directly to the wireless router's ethernet port.  Started Wireshark with the ethernet adapter in promiscuous mode.  Tons of packets...however, after a while, I noticed one thing.  To and from my computer, I could see all outbound and inbound packets.  However, with other devices on the net, I could only see them when they were sending to a broadcast address (255.255.255.255 or 172.27.0.255).  I thought in promiscuous mode I was supposed to be able to see all packets, not just mine + broadcast.  In addition to the IP problem above, I have an old XP box on my net that keeps trying to send out packets with invalid state to an unknown IP (actually an IP in China) which the firewall keeps blocking, and I'd like to examine the packets.

 

Thanks.


It depends on your NIC what you will see with Wireshark, from what I understand. I saw something like this a while back. It was a newer Microsoft Virtual Adapter from the creative update sending wireless display packets. My firewall was able to determine what device was hogging the bandwidth. It was right when a botnet went viral and I freaked out. Good luck hunting.


Question one: I can put whatever IP I want in a device, it doesn't have to use DHCP. An IP of 172.16.40.48 with a netmask of 255.0.0.0 and default gateway of 172.27.0.254 may work fine on your network depending on the set up.

 

Question two: you plugged into a switch, not a hub. You being in promiscuous mode means you see everything you are sent but the switch will only send you traffic meant for you which means your IP and broadcast traffic. What you are expecting is what you'd get off a hub or a span port.

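Added example, not part of the thread, that checks digininja's answer with the addresses from the first post: it models which targets a host with a given address/netmask treats as on-link (and so will ARP for directly), and the anti-spoof source check a SOHO router applies to LAN-to-WAN traffic. The /24 for the router's LAN is an assumption derived from the quoted DHCP range; the function names are mine.

```python
"""
Added example (not from the forum thread): why a manually configured
172.16.40.48 can still hand packets to 172.27.0.254, and why the router
then logs an "invalid source IP" drop. Standard library only.
"""
import ipaddress

# LAN as the router sees it: DHCP 172.27.0.1-253, router .254 (/24 assumed).
ROUTER_LAN = ipaddress.ip_network("172.27.0.0/24")


def host_treats_as_onlink(host_ip: str, netmask: str, target: str) -> bool:
    """True if a host configured host_ip/netmask would ARP for target
    directly (target lies inside the host's own prefix) instead of
    handing it to a router."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(target) in iface.network


def router_accepts_source(src_ip: str, lan=ROUTER_LAN) -> bool:
    """Anti-spoof check on LAN->WAN traffic: a source address outside the
    LAN prefix is logged and dropped rather than NATed out."""
    return ipaddress.ip_address(src_ip) in lan


def can_forward_to_internet(host_ip: str, netmask: str, gateway: str) -> str:
    """Trace the two hops the thread is discussing and say where it fails."""
    if not host_treats_as_onlink(host_ip, netmask, gateway):
        return "host cannot reach gateway (not on-link)"
    if not router_accepts_source(host_ip):
        return "reaches router, dropped as invalid source IP"
    return "forwarded"


if __name__ == "__main__":
    # digininja's case: /8 mask makes the gateway on-link, router drops it.
    print(can_forward_to_internet("172.16.40.48", "255.0.0.0", "172.27.0.254"))
    # Same host with a /16 mask never even reaches the gateway.
    print(can_forward_to_internet("172.16.40.48", "255.255.0.0", "172.27.0.254"))
    # Two hosts both on 172.16.0.0/16 are on-link to each other regardless
    # of the router, which answers the later "can they ping each other" question.
    print(host_treats_as_onlink("172.16.0.5", "255.255.0.0", "172.16.40.48"))
```

The only thing that gets a frame from 172.16.40.48 to the router is the host's own netmask: with 255.0.0.0 the gateway is inside 172.0.0.0/8, so the host ARPs for it and the frame is delivered at layer 2; the router then rejects it at layer 3 because the source is not in its LAN prefix, which is exactly the log line in the first post.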

Sounds like the router's firewall did its job. Arbitrary internal LAN IP ranges not configured for your subnet would be a quick red flag, but it could be something as simple as someone plugging in a device like one of the Hak5 USB tools, or a Pineapple bridged to your network. Are you testing anything like that on the network? Playing with any other tools like that or devices on the network?

If not, time to inspect everything. If this is a home network, power all your devices down and disconnect them from the wifi and wired side, then clear the firewall log. Then from your machine, run an nmap scan

nmap -n -sn 172.0.0.0/8

This will do an ARP discovery of all devices on the network, their IP and MAC address. However, this should fail for all IP ranges other than what is on your subnet, i.e. 172.27.x.x.

edit: digininja has a good point on it possibly being a misconfigured device with someone trying to manually set an IP for a machine, but if it's a home network, and not an office network, you should know who has what on the network.

Also, I had thought about my original assessment to scan the 172.0.0.0/8 subnet; this should actually not work at all since you aren't on the same subnet, and you'd also end up hitting the internet, which would also fail for the ARP and never get past NAT. If you configure your NIC to be on the 172.16.0.0/16 subnet and then try a scan, you should also be blocked by your router's firewall, and trigger the same kind of messages, so even if a device on the network tried to get on from a non-routable subnet, it would more than likely fail unless they physically bridged the two networks/dual-homed it or plugged directly into the main router/switch to share their other side of the network.

Edited by digip
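Added example, not from the thread, for the "power everything down, clear the log, then scan" procedure digip describes: it parses the normal output of `nmap -n -sn <subnet>` and flags any host that is outside the router's DHCP scope or whose MAC is not in a hand-kept inventory, which is how a home admin would pin down the device behind a stray source address. The scan output, MACs, vendor strings and inventory below are all constructed for the example; nmap itself is not run.

```python
"""
Added example (not from the forum thread): audit `nmap -n -sn` output
against the DHCP scope from the first post and a known-device inventory.
The nmap output, MAC addresses and inventory are constructed for this
example; nmap is not invoked.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

DHCP_SCOPE = (ipaddress.ip_address("172.27.0.1"),
              ipaddress.ip_address("172.27.0.253"))
ROUTER_IP = ipaddress.ip_address("172.27.0.254")

# Hypothetical inventory: MAC -> device, as the home admin would maintain it.
INVENTORY: Dict[str, str] = {
    "00:11:22:33:44:01": "my laptop (wired)",
    "00:11:22:33:44:02": "wife's phone",
    "00:11:22:33:44:fe": "AT&T gateway",
}

# Constructed `nmap -n -sn 172.27.0.0/24` output. The scanning host
# (172.27.0.10 here) gets no "MAC Address:" line, as in real nmap output.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 172.27.0.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:01 (Vendor A)
Nmap scan report for 172.27.0.2
Host is up (0.0031s latency).
MAC Address: 00:11:22:33:44:02 (Vendor B)
Nmap scan report for 172.27.0.10
Host is up.
Nmap scan report for 172.27.0.77
Host is up (0.0040s latency).
MAC Address: DE:AD:BE:EF:00:77 (Unknown)
Nmap scan report for 172.27.0.254
Host is up (0.0009s latency).
MAC Address: 00:11:22:33:44:FE (Vendor C)
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.10 seconds
"""

# Matches both "for 172.27.0.1" (-n) and "for name (172.27.0.1)" (without -n).
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_nmap_sn(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, mac) pairs; mac is None when nmap printed no MAC line."""
    hosts: List[List[Optional[str]]] = []
    current: Optional[List[Optional[str]]] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            if current:
                hosts.append(current)
            current = [m.group(1), None]
            continue
        m = MAC_RE.match(line)
        if m and current:
            current[1] = m.group(1).lower()
    if current:
        hosts.append(current)
    return [(h[0], h[1]) for h in hosts]


def audit(hosts: List[Tuple[str, Optional[str]]],
          inventory: Dict[str, str] = INVENTORY) -> List[str]:
    """Flag hosts outside the DHCP scope (router excepted) and unknown MACs."""
    findings = []
    for ip_s, mac in hosts:
        ip = ipaddress.ip_address(ip_s)
        in_scope = DHCP_SCOPE[0] <= ip <= DHCP_SCOPE[1] or ip == ROUTER_IP
        if not in_scope:
            findings.append(f"{ip}: outside DHCP scope ({mac})")
        if mac is not None and mac not in inventory:
            findings.append(f"{ip}: unknown MAC {mac}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nmap_sn(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

The scan only answers for addresses the scanner ARPs for, so a box sitting on 172.16.40.48 will not show up in a sweep of 172.27.0.0/24; to find it the scanning host needs a secondary address in 172.16.0.0/16 and a second `nmap -n -sn 172.16.0.0/16` run through the same audit, where the "outside DHCP scope" finding is what identifies it.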

digininja, how would I get a hub or span port into a home wifi network?  My AT&T U-verse modem is basically a fancy name for a DSL modem that also does wifi and has ethernet ports for direct connections.  I do have a Throwing Star LAN tap from the Hak5 store.  Can I somehow use that to snoop the entire network's packets with Wireshark?


digip, this is at home.  Just me, my wife, and her son.  My wife and her son are basically just digital users; I do all the network set-up, adding new equipment, etc.

If I set my computer to 172.16.0.0/16 manually, would the firewall prevent me from seeing 172.16.40.48?  What I mean is that the router seems to be stopping packets from 172.16.40.48 going into internet, but would it stop two machines, both on 172.16.0.0/16 from being able to see each other (like pinging each other)?

 

Either way, it's so weird since except for my two laptops, everything else is configured for dhcp.


15 minutes ago, devrand0m said:

> digininja, how would I get a hub or span port into a home wifi network?  My AT&T U-verse modem is basically a fancy name for a DSL modem that also does wifi and has ethernet ports for direct connections.  I do have a Throwing Star LAN tap from the Hak5 store.  Can I somehow use that to snoop the entire network's packets with Wireshark?

You can use the @ symbol in front of a name; it will ping people for replies on a post.

As for spanning a port, he's talking about port mirroring (I assume), which is a feature of certain equipment, built into certain routers and switches, such as higher-end Cisco switches. It allows you to patch and copy a specific port out to a listening node, which lets you go down the line one by one to listen in on each connected device. On wifi, the only thing I can say is MITM, or sniff from the router directly, which in your case is probably not possible with the all-in-one devices provided by the ISP. It could be that the firewall blocked the local network from the ISP side, and it may be a subnet local to the other side of the modem from the ISP side, which even then, NAT should be in play. I know when I first got Comcast, if I set my IP range up differently than the default 192.168.1.x subnet, and was on the 10.x.x.x network, I was able to see their internal network. This was something misconfigured on their end, and shouldn't have allowed me to see their network. I was at the time not behind NAT though, and directly connected to the modem from my workstation. This is when I first went and bought a 4 port switch with NAT to put up a firewall at the edge of my network; we're talking 1990's here, but I suspect the same could be done today: if you manage to figure out an IP range on the ISP side, and connect without NAT over a cable modem, you might be able to scan the internals of the ISP if on the same subnet settings. They can surely do the same and see into your network when you connect directly to them, which is why you should always have a NAT'd firewall at the edge of your home network.

devrand0m said:

> digip, this is at home.  Just me, my wife, and her son.  My wife and her son are basically just digital users; I do all the network set-up, adding new equipment, etc.
>
> If I set my computer to 172.16.0.0/16 manually, would the firewall prevent me from seeing 172.16.40.48?  What I mean is that the router seems to be stopping packets from 172.16.40.48 going into internet, but would it stop two machines, both on 172.16.0.0/16 from being able to see each other (like pinging each other)?
>
> Either way, it's so weird since except for my two laptops, everything else is configured for dhcp.

You can set your NIC to anything. Unless something else is on the same set subnet, you can't see each other without being bridged between the two networks. However, plugging directly into your network, or even a PC like the Bash Bunny, I imagine would show up as a new network to the internal LAN if scanned for, which is why I was asking if anyone was playing with these kinds of tools, since they can have their own set network/subnet.

 

Edited by digip

What if ...

I turned off the radio on my router, attached a Pineapple by ethernet to the router, and set up the Pineapple with the same encryption (WPA2) and access point name.  Shouldn't I be able to see ALL the network packets off of the Pineapple?  (basically, MITM my home network).  Shouldn't I be able to look at the 172.16.40.48 packet then, since the Pineapple would not block the packet (until it got to the router firewall)?

PS I haven't taken the Pineapple out of the box yet.  Just got it ... I guess it's time to play...

Edited by devrand0m

You could buy a cheap router that will take OpenWrt. Plug the WAN side into your existing router and run WiFi and wired off OpenWrt instead.

You'd then have a Linux box you could SSH to and use tools like tcpdump to watch traffic, as you would be in the middle of everything.
